Posts in 2022
Finding suspicious syscalls with the seccomp notifier
By Sascha Grunert | Friday, December 02, 2022 in Blog
Debugging software in production is one of the biggest challenges we have to face in our containerized environments. Being able to understand the impact of the available security options, especially when it comes to configuring our deployments, is …
Boosting Kubernetes container runtime observability with OpenTelemetry
By Sascha Grunert | Thursday, December 01, 2022 in Blog
When speaking about observability in the cloud native space, then probably everyone will mention OpenTelemetry (OTEL) at some point in the conversation. That's great, because the community needs standards to rely on for developing all cluster …
registry.k8s.io: faster, cheaper and Generally Available (GA)
By Adolfo García Veytia (Chainguard), Bob Killen (Google) | Monday, November 28, 2022 in Blog
Starting with Kubernetes 1.25, our container image registry has changed from k8s.gcr.io to registry.k8s.io. This new registry spreads the load across multiple Cloud Providers & Regions, functioning as a sort of content delivery network (CDN) for …
Kubernetes Removals, Deprecations, and Major Changes in 1.26
By Frederico Muñoz (SAS) | Friday, November 18, 2022 in Blog
Change is an integral part of the Kubernetes life-cycle: as Kubernetes grows and matures, features may be deprecated, removed, or replaced with improvements for the health of the project. For Kubernetes v1.26 there are several planned: this article …
Live and let live with Kluctl and Server Side Apply
By Alexander Block | Friday, November 04, 2022 in Blog
This blog post was inspired by a previous Kubernetes blog post about Advanced Server Side Apply. The author of said blog post listed multiple benefits for applications and controllers when switching to server-side apply (from now on abbreviated with …
Server Side Apply Is Great And You Should Be Using It
By Daniel Smith (Google) | Thursday, October 20, 2022 in Blog
Server-side apply (SSA) has now been GA for a few releases, and I have found myself in a number of conversations, recommending that people / teams in various situations use it. So I’d like to write down some of those reasons. Obvious (and …
Current State: 2019 Third Party Security Audit of Kubernetes
By Cailyn Edwards (Shopify), Pushkar Joglekar (VMware), Rey Lejano (SUSE), Rory McCune (DataDog) | Wednesday, October 05, 2022 in Blog
We expect the brand new Third Party Security Audit of Kubernetes will be published later this month (Oct 2022). In preparation for that, let's look at the state of findings that were made public as part of the last third party security audit of 2019 …
Introducing Kueue
By Abdullah Gharaibeh (Google), Aldo Culquicondor (Google) | Tuesday, October 04, 2022 in Blog
Whether on-premises or in the cloud, clusters face real constraints for resource usage, quota, and cost management reasons. Regardless of the autoscalling capabilities, clusters have finite capacity. As a result, users want an easy way to fairly and …
Kubernetes 1.25: alpha support for running Pods with user namespaces
By Rodrigo Campos (Microsoft), Giuseppe Scrivano (Red Hat) | Monday, October 03, 2022 in Blog
Kubernetes v1.25 introduces the support for user namespaces. This is a major improvement for running secure workloads in Kubernetes. Each pod will have access only to a limited subset of the available UIDs and GIDs on the system, thus adding a new …
Enforce CRD Immutability with CEL Transition Rules
By Alexander Zielenski (Google) | Thursday, September 29, 2022 in Blog
Immutable fields can be found in a few places in the built-in Kubernetes types. For example, you can't change the .metadata.name of an object. Specific objects have fields where changes to existing objects are constrained; for example, the …