Kubernative by Palark | Kubernetes news and goodies
News, articles, tools, and other useful cloud native stuff for DevOps, SRE and software engineers. This channel is managed by Palark GmbH. Contact @dshnow to suggest your content.
A short version (less than 3 minutes) of the "Kubernetes 10 Year Video" has arrived featuring Chris Aniszczyk, Joe Beda, Tim Hockin, and many others. Watch it here: https://www.youtube.com/watch?v=BZ__Pec5pyo #video
Here are two other great resources related to the Kubernetes 10th anniversary we'd like to recommend:

1. KuberTENes Birthday Bash is a 3.5h video of the official celebration. It features Kelsey Hightower as a host and Chris Aniszczyk, Chen Goldberg, Craig McLuckie, Ville Aikas, Eric Brewer, Solomon Hykes, Dawn Chen, Tim Hockin, Kit Merker, Brian Grant, Alex Polvi, Sarah Novotny, Josh Berkus, Paris Pittman, Lachlan Evenson, Aparna Sinha, Bob Wise, Ian Coldwater, and Janet Kuo as speakers.

2. 10 Years of Kubernetes is an excellent post on the Kubernetes blog that overviews the project's history, milestones, and stats.
Our selection of the latest prominent software updates from the cloud native ecosystem:

1. OpenTelemetry Collector v0.101.0 and v0.102.0 were released with numerous features, including a new container parser that auto-detects the log format for parsing, early implementation of the AWS S3 receiver, new metrics for SQL Server, introduction of the GeoIP processor, and more.

2. With Dex v2.40.0, this OIDC identity provider migrated to log/slog for structured logging, got support for OAuth 2.0 Token Introspection (RFC7662) and configurable prompt type for Google Connector.

3. Argo Image Updater, a companion controller to Argo CD, got its v0.13 with 5 new features, such as support for Argo CD multi-source applications, an annotation for write-back Git repository (for Helm charts outside of Git), and support for separate GitHub credentials.

4. mariadb-operator, which allows you to manage MariaDB databases in Kubernetes declaratively via CRDs, released v0.0.29 with a new role-aware update strategy (ReplicasFirstPrimaryLast) and mutable my.cnf configuration.

#news #releases
RBAC Wizard is a simple web UI that visualises your RBAC configurations in Kubernetes. Here’s what this tool offers:

* See all your RBACs listed in a table with customisable columns.
* Search your objects by typing their names and filter them by kind; view a manifest you need.
* Navigate through a map of your existing RBAC resources.
* Install it via Homebrew or go install.
* Be ready for new features ahead: the project is brand new, with its v0.0.1 released just last month.

▶️ GitHub repo: https://github.com/pehlicd/rbac-wizard

#tools #security
Our selection of the latest prominent software updates from the cloud native ecosystem:

1. Apache SkyWalking 10 was released last month. Written in Java, it is an APM (Application Performance Monitor) tool for distributed systems with a focus on microservices, containers, and cloud native apps. This latest release brings numerous new features, including the ability to monitor the Kubernetes network traffic by using eBPF.

2. Istio v1.22 is another noticeable release from May. Istio APIs are promoted to v1, Gateway API became stable for service mesh, and Delta xDS was enabled by default. Find a more detailed overview of the latest changes in this recent blog post.

3. k0smotron 1.0 was released by Mirantis last week. This Open Source tool helps you manage Kubernetes clusters using k0s, the company’s distribution focused on edge and IoT. The new version brings remote machine support, improves the control plane’s high availability, enables updates-in-place, and adds support for the clusterctl CLI.

4. Kargo v0.7.0 was released by Akuity last week. This project is described as “a next-generation continuous delivery and application lifecycle orchestration platform,” which aims to “provide an intuitive and flexible layer above existing GitOps tooling.” Its latest version got improvements for ECR and Google Artifact Registry, better artifact discovery, and manual “freight” assembly.

#news #releases
Another bunch of interesting articles recently spotted online:

1. Two-node HA Kubernetes for edge computing cost savings by Tyler Gillson, Spectro Cloud.

"[..] three node Kubernetes clusters provide stronger guarantees with arguably less architectural complexity, yet they impose massive capital expenditure at scale, not only in the cost of the boxes themselves, but cabling, shipping, software, power consumption and other factors. If you’re looking to optimize costs or an edge compute use case, a two node solution can instantly cut costs and materialize serious savings.”

2. Load balancing and scaling long-lived connections in Kubernetes by Daniele Polencic, Learnk8s.

“Kubernetes doesn't load balance long-lived connections, and some Pods might receive more requests than others. Consider client-side load balancing or a proxy if you're using HTTP/2, gRPC, RSockets, AMQP, or any other long-lived database connection.”

3. Learned it the hard way: Don’t use Cilium’s default Pod CIDR by Isala Piyarisi, WSO2.

“Despite extensive testing, complex systems like Cilium, with nearly 2000 configurable values, can still allow misconfigurations to slip through which could lead to unexpected failures. This incident taught us the importance of methodically troubleshooting network issues and understanding low-level networking infrastructure and skills, often taken away by cloud abstractions.”

4. Optimizing Application Resilience: A Deep Dive into Kubernetes Pod Disruption Budgets and Rollout Strategies by Nicolas Labrot, ARHS Spikeseed.

“By effectively implementing both PDBs and rollout strategies, you can enhance the resilience and reliability of your Kubernetes-managed applications, ensuring they remain stable and available even during disruption and updates.”

5. From Fragile to Faultless: Kubernetes Self-Healing In Practice by City Storage Systems.

“In this blog we share our experience illustrating how minor glitches, if left unattended, could quickly escalate and impact business continuity. Rather than engaging in constant firefighting we designed a self-healing framework, often implementing automations with a turnaround time of as little as 1 day. [..] While our journey began with a focus on AKS, this framework is a general-purpose pattern to improve resilience of any Kubernetes platform.”

#articles
Have you heard of a new tool that automates right-sizing your resources for Kubernetes and dares to be “the best VPA not to waste memory”? Meet Kondense:

* It auto-scales pods based on memory pressure, meaning all cold/unused memory pages are continuously removed.
* Technically, it runs as a sidecar and resizes the containers in its pod to keep them at the target memory pressure. Every second, unused memory is taken away while preventing out-of-memory errors.
* This tool's memory resize algorithm is based on Meta's Transparent Memory Offloading (TMO).
* While it’s focused on memory, CPU resources are resized, too (based on CPU usage).
* It works only for Kubernetes clusters running on Linux; containerd must be 1.6.9+ and the node’s Linux kernel 4.20+.

➡️ GitHub repo
📣 Reddit announcement

#tools
Another bunch of interesting articles recently spotted online:

1. Driving etcd Stability and Kubernetes Success by Marek Siarkowicz, Google.

“... just as a backbone connects to every other part of the body, etcd facilitates communication and coordination between all the components of Kubernetes, allowing it to move, adapt, and thrive in the dynamic world of distributed systems.”

2. Kubernetes: The Road to 1.0 by Brian Grant, original lead architect of Kubernetes.

“I started an R&D project in 2010 called Omega to redesign Borg for how it was being used and to better support the ecosystem around Borg. In many ways, Kubernetes is more “open-source Omega” than “open-source Borg”, but it benefited from the lessons learned from both Borg and Omega.”

3. Falco from A to Y by Quentin Joly, an SRE at the French government.

“In this article, we will explore what Falco is and how to be alerted of abnormal events on our servers, as well as how to set it up in a Kubernetes environment.”

4. My Recommended Kubernetes Resources for Newbies by Marcus Noble, CNCF Ambassador.

“Recently, a friend of mine asked me what resources I'd recommend to start learning about Kubernetes. He was a victim of the layoffs that seem to be so prevalent right now and has experience as a classic SysOps / SysAdmin engineer but no exposure to Kubernetes yet and wanted to learn to help improve his job-hunting prospects.”

#articles
Our selection of the latest prominent software updates from the cloud native ecosystem:

1. Harbor 2.11 was released earlier this month, bringing various updates to this cloud native registry. They include SBOM generation and management, OCI Distribution Specification v1.1.0 support, Volcengine Registry integration, and better performance.

2. Perses is an observability visualisation project, which aims to become a standard dashboard visualisation tool for Prometheus and other data sources. Its recent v0.46 release added a full-screen view for panels and instant query table view, added tracing support and introduced Graph tab in Explorer, made Explorer sharable, and introduced a dedicated config for the frontend.

3. Kubecost was updated to v2.3, introducing an efficiency dashboard (pinpointing your main sources of wasting computing resources), accelerated data ingestion, new PostgreSQL integration, and enhanced anomaly detection.

4. Glasskube, dubbed “the next generation package manager for Kubernetes”, has got its v0.10.0 release. It added package scopes (packages can be cluster-scoped or namespace-scoped now) and two new commands (purge and repo update).

#news #releases
Using lots of kubectl commands daily? Here’s another helpful tool to simplify context and namespace switching, prompt modification, and more!

Kubie, called “a more powerful alternative to kubectx and kubens,” enhances your CLI experience even further with extra features. Here’s what it offers:

- Context and namespace switching with selectable menus and quick commands.
- Spawning a shell or recursive shell in the given context, namespace, context + namespace.
- Executing shell commands in the given context + namespace, or in namespace + contexts matched by a wildcard (without spawning a shell).
- Configurable prompt.
- Checking your Kubernetes configuration files for issues.
- Support for bash, dash, fish, xonsh, and zsh. Autocompletion for bash and fish.
- Written in Rust. Installable via a binary for Linux and macOS, Cargo, Homebrew, MacPorts, Nix, pacman (Arch Linux).

▶️ GitHub repo

#tools #CLI
Hi everyone! Here goes our latest bunch of interesting Kubernetes-related articles recently spotted online:

1. Kubernetes: containers, and the “lost” SIGTERM signals by Arseny Zinchenko.

“We have an API service with Gunicorn in Kubernetes that periodically returns 502, 503, 504 errors. I started debugging it, and found a weird thing: there were no messages in the logs about the received SIGTERM, so I first went to deal with Kubernetes - why doesn't it send it?”


2. Stateful apps in Kubernetes. From history and fundamentals to operators by Palark.

“In this article, we will explore how stateful apps work in Kubernetes and what you should consider before and while running your stateful components in K8s. To make it even more practical, we will cover several well-known K8s operators to tackle your ClickHouse, Redis, Kafka, PostgreSQL, and MySQL instances.”


3. Understanding DNS in Kubernetes by Povilas Versockas.

“In this post, we will cover the following: Overview of DNS Resolution and CoreDNS, the default DNS provider in Kubernetes; Kubernetes DNS policies, such as ClusterFirst, Default, and None, and their effects on pod DNS configurations. Differences between The GNU C Library (glibc) and musl libraries.”


4. ArgoCD Series by Maryam Tavakkoli, a CNCF Ambassador. Part 1: Terminologies and Architecture, and Part 2: (Basic) Core Concepts.

“In this ArgoCD series, I aim to explain its concepts and terminologies from the beginning and provide a detailed technical guide on using it, all with declarative approaches.”


#articles
Our selection of the latest prominent software updates from the cloud native ecosystem:

1. Traefik 3.0 was released two months ago, but it’s an essential update we missed in our digests before. New features for this Cloud Native application proxy include support for WebAssembly, OpenTelemetry, Kubernetes Gateway API, SPIFFE, gRPC-Web, and production-ready HTTP/3.

2. Vitess, a Cloud Native database solution for horizontal scaling of MySQL, was updated to version 20. It brought automated and scheduled backups, enhanced DML support, and experimental multi-tenant imports in VReplication.

3. Coroot v1.3.0 was released. This Open Source APM & observability tool got support for monitoring MySQL and memcached, an automated discovery for database monitoring, an AWS integration, external calls tracing, and more.

4. Podman Desktop 1.11 has got an experimental light mode (which is called the most-requested feature), upgraded UI, node and volume listings in the Kubernetes functionality, and macOS Rosetta support.

5. Kubewarden, a policy engine for Kubernetes, was updated to 1.14. It comes with a new host capability that allows policies to fetch the container image configuration, a CEL policy capable of running Kubernetes VAP policies without any modifications, and a new CEL Policy on Artifact Hub.

6. KCL v0.9.0 brought several new features to this constraint-based record and functional language for configuration and policy scenarios. They include numerous new language and toolchain features (such as TOML format in kcl run and kcl import, adding dependencies from private third-party OCI Registries and Git repositories in kcl mod add), a new fast runtime mode, optimised performance for KCL IDE, new standard libraries, such as file for file input/output operations and template for writing template configurations, and much, much more.

#news #releases
Looking for a practical way to learn Kubernetes security? You might be interested in this project!

Kubernetes Goat provides you with a cluster that is “vulnerable by design”. After deploying it, you get easy access to 20+ scenarios covering various security aspects. Each scenario comes with a guide, so you can follow them to validate your knowledge and pick up new practical skills. Here are some of the techniques and technologies they cover:

- DIND exploitation and container escape;
- getting access to internal and non-exposed services;
- exploiting the misconfigured/overly permissive permissions;
- Docker & Kubernetes CIS benchmarks;
- kubeaudit for auditing Kubernetes clusters;
- Falco for detecting security issues;
- Cilium Tetragon for performing runtime security monitoring;
- Kyverno policy engine.

▶️ GitHub repo

#tools #security
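Both RBAC Wizard (above) and Kubernetes Goat’s “overly permissive permissions” scenario are about spotting dangerous RBAC grants. Here is the check a reviewer would script for that, as an added example that is not code from either project: it reads ClusterRoles and ClusterRoleBindings in the JSON shape kubectl emits, resolves each binding to its rules, and flags wildcard grants, bindings to anonymous/unauthenticated groups, and verbs that read credentials or allow escalation. The sample cluster data, the SENSITIVE table, and the function names are all constructed for this example.

```python
import json

# Constructed sample shaped like the output of
#   kubectl get clusterroles -o json
#   kubectl get clusterrolebindings -o json
# for a hypothetical cluster; swap in real output to audit your own.
CLUSTERROLES_JSON = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
]})
BINDINGS_JSON = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "alice-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "anon-secrets"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "prom-pods"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "ServiceAccount", "name": "prometheus", "namespace": "monitoring"}]},
]})

# Groups that include every caller, even unauthenticated ones: any grant to them is effectively public.
BROAD_SUBJECTS = {"system:anonymous", "system:unauthenticated", "system:authenticated"}
# The bootstrap binding every cluster ships with; not a finding by itself.
EXPECTED_ADMIN_SUBJECT = ("Group", "system:masters")
# (resource, verb) grants that read credentials or allow privilege escalation (our own selection).
SENSITIVE = {
    ("secrets", "get"), ("secrets", "list"),
    ("clusterroles", "bind"), ("clusterroles", "escalate"),
    ("roles", "bind"), ("roles", "escalate"),
    ("clusterrolebindings", "create"), ("rolebindings", "create"),
    ("users", "impersonate"), ("groups", "impersonate"), ("serviceaccounts", "impersonate"),
    ("pods/exec", "create"), ("serviceaccounts/token", "create"),
}


def rule_reasons(rule):
    """Explain why one PolicyRule is risky; an empty list means it looks fine."""
    if "nonResourceURLs" in rule:
        return []  # URL-only rules (/healthz, /metrics, ...) are out of scope here
    verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
    if "*" in verbs and "*" in resources:
        return ["wildcard verbs on wildcard resources (cluster-admin equivalent)"]
    reasons = ["wildcard verbs or resources"] if "*" in verbs or "*" in resources else []
    for res, verb in sorted(SENSITIVE):
        # A "*" in either position matches every sensitive pair for that resource or verb.
        if (res in resources or "*" in resources) and (verb in verbs or "*" in verbs):
            reasons.append(f"{verb} on {res}")
    return reasons


def audit(clusterroles_json, bindings_json):
    """Resolve every ClusterRoleBinding to its ClusterRole and report risky grants per subject."""
    roles = {r["metadata"]["name"]: r.get("rules") or []
             for r in json.loads(clusterroles_json)["items"]}
    findings = []
    for binding in json.loads(bindings_json)["items"]:
        ref = binding["roleRef"]
        # Only ClusterRoles are resolved here; RoleBindings to namespaced Roles
        # would need the same lookup keyed by (namespace, name).
        role_reasons = [why for rule in roles.get(ref["name"], []) for why in rule_reasons(rule)]
        for subj in binding.get("subjects") or []:
            if ref["name"] == "cluster-admin" and (subj["kind"], subj["name"]) == EXPECTED_ADMIN_SUBJECT:
                continue
            reasons = list(role_reasons)
            if subj["name"] in BROAD_SUBJECTS:
                reasons.insert(0, f"bound to broad subject {subj['name']}")
            if reasons:
                findings.append({"binding": binding["metadata"]["name"],
                                 "subject": f"{subj['kind']}/{subj['name']}",
                                 "role": ref["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(CLUSTERROLES_JSON, BINDINGS_JSON):
        print(f"{f['binding']}: {f['subject']} -> ClusterRole/{f['role']}")
        for why in f["reasons"]:
            print(f"    - {why}")
```

On the sample data this reports alice-admin (a user bound straight to cluster-admin) and anon-secrets (unauthenticated callers allowed to read Secrets) and stays silent on the bootstrap system:masters binding and the Prometheus pod viewer. In a CI job, a non-empty findings list should fail the build; the SENSITIVE table is the part to tune for your cluster.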
Our selection of the latest prominent software updates from the cloud native ecosystem:

1. k8sgpt is a tool bringing AI power to simplify troubleshooting and scanning your Kubernetes clusters. With its most recent 0.3.38 release, it got support for two new AI providers, Ollama and IBM watsonx.ai.

2. Percona Operator for PostgreSQL was updated to v2.4.0, and several new features were introduced. They include fully automated upgrades of PgSQL major versions, support for PgSQL tablespaces, and using AWS IAM roles to access S3 buckets for backups.

3. KWOK (Kubernetes Without Kubelet) is a toolkit for simulating a K8s cluster with thousands of nodes. Its latest release, v0.6.0, brings numerous changes, such as sidecar container support in stage policy, Helm charts support, numerous improvements in Stage API and kwokctl (--all and --force flags for kwokctl delete cluster, nerdctl support, etc.).

4. Harvester, the hyperconverged infrastructure (HCI) solution from SUSE built on Kubernetes, was updated to v1.3.1. New features include support for NVIDIA vGPU, ARM64, HA two-node clusters, devices with frequent power interruptions or relocations (such as edge), managed DHCP, and Fleet integration.

5. KubeBlocks, “a control plane software that runs and manages databases, message queues and other stateful applications on K8s”, has released v0.9.0. Some of its highlights include support for topologies in ClusterDefinition API, managing horizontal scaling of distributed databases, using InstanceSets instead of StatefulSets to manage Pods, PostgreSQL PITR, MySQL Replication mode, Redis Cluster mode support.

#news #releases
Need to validate your Kubernetes configuration and do it fast? Try this tool in your CI or locally.

Kubeconform is a K8s manifest validator inspired by kubeval (which hasn’t been developed for years). It validates your manifests against official Kubernetes OpenAPI specifications and focuses on being highly performant. Here are some of its features:

- Adjustable strictness considering missing schemas, additional properties (not in the schema), and duplicated keys;
- A configurable set of kinds (or GVKs) to ignore or reject, file paths to ignore;
- Schemas caching and adjustable number of concurrent goroutines;
- Various output formats (including text, JSON, and JUnit);
- Support for multiple schema locations to validate CRDs (CustomResourceDefinitions) and OpenShift schemas;
- Ready-to-use CI integrations for GitHub Actions and GitLab;
- Installable via Golang package manager, Homebrew, and winget (Windows). Helm charts are also available.

▶️ GitHub repo

A few related repos from various contributors:
- kubeconform-helm is a set of tools to test Helm charts with kubeconform
- helm-kubeconform is a kubeconform Helm plugin
- helm-kubeconform-action is a GitHub Action to validate Helm charts with kubeconform
- kustomize-plugin-kubeconform is a kubeconform plugin to validate manifest schemas within Kustomize

#tools
Do you love Vim and kubectl? There’s something exceptional for you!

kubectl.nvim is a Neovim plugin providing Vim-like navigation for your Kubernetes cluster and familiar key bindings. Here’s what it offers today:

- Navigation through your K8s resources via Vim buffer, with hierarchy awareness (e.g. going through Deployment to a Pod and its container).
- Other UI features include coloured output, sorting by headers, and floating windows for additional data (descriptions, logs).
- Changing contexts and namespaces.
- Running custom kubectl commands.
- Executing into containers.
- Displaying a diff for configurations.

▶️ GitHub repo
📣 Reddit announcement

#tools #CLI
Good Monday, everyone! Here's the latest bunch of interesting Kubernetes-related articles we've seen online:

1. Kubernetes Storage Performance Comparison Rook Ceph and Piraeus Datastore (LINSTOR) by Gareth Anderson.

“Understanding Kubernetes storage is crucial for deployments that rely on persistent volumes within K8s. In this article, we’ll explore various software options for K8s storage based on online research [LongHorn, OpenEBS, Vitastor, Rook, Piraeus]. Additionally, we’ll delve into two specific choices that offer replicated block storage: Piraeus Datastore (LINSTOR) and Rook Ceph.”


2. The Engines that run our Kubernetes Workloads by Henrik Gerdes.

“Do container engines impact start-up time and memory consumption? Since I didn't find any real up-to-date comparisons, I took a look for myself and ended up comparing these implementations: runc, crun, gvisor/runsc, and youki.”


3. Self-signed Root CA in Kubernetes with k3s, cert-manager and traefik. Bonus howto on regular certificates by Remy van Elst.

“In this episode of 'Remy discovers Kubernetes', I'm setting up cert-manager, not with Lets Encrypt, but with a self-signed certificate authority. I'll also show you how to set up a regular certificate, one you've for example bought somewhere. I'll also cover nameConstraints to make the risk of compromise of your trusted root ca lower.”


4. Istio from A to Y by Quentin Joly, an SRE at the French government.

“Istio is an incredibly powerful and complete product, but it’s not without its flaws. It’s very easy to get lost in Istio’s configuration and end up with a mesh that doesn’t work as expected (plus, the logs are not always very explicit). That’s why it’s important to understand Istio’s concepts well before diving into the configuration of your mesh.”


#articles
Open Policy Agent tops the list of the most used Open Source tools for Kubernetes security, according to the 2024 edition of “The state of Kubernetes security report” unveiled by Red Hat last month (source). These results are based on a survey of 600 DevOps, engineering, and security professionals worldwide.

#tools #reports #security
Top 10 CNCF projects by their velocity during the last 12 months:

1. Kubernetes
2. OpenTelemetry
3. Argo
4. Backstage
5. Prometheus
6. gRPC
7. Cilium
8. Envoy
9. Istio
10. Keycloak

Overall, the KCL programming language demonstrated the most impressive growth by moving from 105th place to 67th.

Source: CNCF blog post; full data in Google Sheets.

#news #reports #cncfprojects
Our selection of the latest prominent software updates from the cloud native ecosystem:

1. Testkube, “the Kubernetes-native testing framework made for testers and developers,” announced its v2.0 release. It comes with the general availability of Test Workflows, a new architecture for executing tests that enables the parallelisation and scaling of hundreds to thousands of tests.

2. Dagger 0.12 brings an interactive debugging shell, interactive and much faster TUI, heavily improved Web UI (including local view, CI view, a new flame chart view, etc.), corporate network support, and compatibility mode among numerous new features.

3. Red Hat released OpenShift 4.16. It comes with Kubernetes v1.29, CRI-O v1.29, Admin Network Policy, Cluster Observability Operator v0.3.0, the new oc adm upgrade status command, user-managed load balancers, and many other new features.

4. Traefik v3.1.0 got production-ready Gateway API and improved support for WASM plugins.

5. Seabird, a Kubernetes IDE for the GNOME desktop, reached v0.5. Now, it has easily configurable port forwarding, new properties and columns displayed for various objects, resource navigation status, and a new object dialogue widget (optimised for touch device users).

6. Envoy Gateway has got lots of new features with v1.1. They include support for Zipkin tracing and Wasm extension, mTLS for external clients, numerous improvements in BackendTrafficPolicy, HTTP/2 settings in ClientTrafficPolicy, new Backend and EnvoyExtensionPolicy CRDs, support for Gateway API 1.1.0, and much more.

7. kube-scheduler-wasm-extension is a new project allowing you to extend the kube-scheduler with a custom scheduler plugin compiled to a Wasm binary. Its first version, 0.1.0, was released just yesterday.

P.S. The first beta version of Kubernetes v1.31 was also released last week.

#news #releases
Did you know that Kubernetes v1.31 is around the corner? It will be released in two weeks, and if you think it’s time to learn about this update, here are some helpful resources.

1. The “Kubernetes 1.31 – What’s new?” article from Sysdig lists some of the 34(!) new alpha features and 11 enhancements graduating to stable. In particular, they highlight HonorPVReclaimPolicy being enabled by default and a new custom profile option for kubectl debug.

2. The Kubernetes Removals and Major Changes In v1.31 post in the Kubernetes blog lists the deprecations and removals in this release. E.g., they include the removal of all in-tree integrations with cloud providers as well as CephFS and Ceph RBD volume plugins.

3. The 1.31 Enhancements Tracking board on GitHub shows all release enhancements with their SIGs, status, and current stage (alpha/beta/stable).

4. Kubernetes 1.31 Release Information has a planned release timeline and various related links. According to it, v1.31.0-rc0 will be released tomorrow (July 30th), and v1.31.0 is planned for August 13th.

UPDATE (added on August 14th):
5. “Kubernetes 1.31: a security perspective” from ARMO covers v1.31 enhancements improving security.

6. “What To Expect From Kubernetes 1.31” on Cloud Native Now comes with some comments from the Kubernetes v1.31 release team lead, Sysdig developer leader, and OpenUK's CEO.

#news #releases