
Kubernetes and Containers Leftovers

Filed under
Server
OSS
Security
  • Production-Ready Kubernetes Cluster Creation with kubeadm

    kubeadm is a tool that enables Kubernetes administrators to quickly and easily bootstrap minimum viable clusters that are fully compliant with Certified Kubernetes guidelines. It’s been under active development by SIG Cluster Lifecycle since 2016 and we’re excited to announce that it has now graduated from beta to stable and generally available (GA)!

    This GA release of kubeadm is an important event in the progression of the Kubernetes ecosystem, bringing stability to an area where stability is paramount.

    The goal of kubeadm is to provide a foundational implementation for Kubernetes cluster setup and administration. kubeadm ships with best-practice defaults but can also be customized to support other ecosystem requirements or vendor-specific approaches. kubeadm is designed to be easy to integrate into larger deployment systems and tools.

  • Docker Looks to Improve Container Development With Enterprise Desktop

    Docker CEO Steve Singh kicked off DockerCon Europe 2018 here with a bold statement: Companies need to transform, or risk becoming irrelevant.

    According to Singh, Docker is a key tool for enabling organizations to transform their businesses. To date for enterprises, the core Docker Enterprise Platform has been largely focused on operations and deployment, with the community Docker Desktop project available for developers to build applications. That's now changing with the announcement at DockerCon Europe of the new Docker Desktop Enterprise, adding new commercially supported developer capabilities to help corporate developers fully benefit from Docker.

    "Our commitment is to provide a development experience that makes it easy to build applications with one platform, upon which you can build, ship and run any application on any infrastructure," Singh said.

  • Canonical publishes auto-apply vulnerability patch for Kubernetes
  • Critical Kubernetes privilege escalation disclosed

    A critical flaw in the Kubernetes container orchestration system has been announced. It will allow any user to compromise a Kubernetes cluster by way of exploiting any aggregated API server that is deployed for it. This affects all Kubernetes versions 1.0 to 1.12, but is only fixed in the supported versions (in 1.10.11, 1.11.5, and 1.12.3).

Why Docker Swarm Remains Important

  • Why Docker Swarm Remains Important

    Docker Swarm remains a core element of Docker Inc's plans and that's not going to change anytime soon. That's the strong message coming from Docker CEO Steve Singh, during a briefing with press and analysts at the Dockercon Europe 2018 event here.

    A year ago, in October 2017 at the last Dockercon Europe event, Docker announced that it would be supporting the erstwhile rival Kubernetes container orchestration system. At the time, Docker's management committed to continuing to support Swarm and now, a year later, they are still on that same path. Docker has been developing its own Swarm system since December 2014.

    "We have many clients that continue to run Docker Swarm in production," Singh said. "Swarm continues to be a very well adopted container orchestration tool, in large part, honestly because it's ridiculously simple to use."

By Steven J. Vaughan-Nichols

  • Kubernetes' first major security hole discovered

    Kubernetes has become the most popular cloud container orchestration system by far, so it was only a matter of time until its first major security hole was discovered. And the bug, CVE-2018-1002105, aka the Kubernetes privilege escalation flaw, is a doozy. It's a CVSS 9.8 critical security hole.

    With a specially crafted network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server. Once established, an attacker can send arbitrary requests over the network connection directly to that backend. Adding insult to injury, these requests are authenticated with the Kubernetes API server's Transport Layer Security (TLS) credentials.

Critical Kubernetes Bug

  • Kubernetes Discloses Major Security Flaw

    Kubernetes disclosed a critical security flaw — the container orchestration tool’s first major vulnerability to date — and released Kubernetes 1.13.

    But first: the security flaw. It affects all Kubernetes-based products and services, and it gives hackers full administrative privileges on any compute node being run in a Kubernetes cluster.

    As Red Hat’s Ashesh Badani wrote, “This is a big deal. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization’s firewall.”

  • Critical Kubernetes Bug Gives Anyone Full Admin Privileges [Ed: No, not everyone. Only those who already have access to that particular system.]

What does the Kubernetes privilege escalation flaw mean

Article by Lucian Constantin

  • Critical Vulnerability Allows Kubernetes Node Hacking

    Kubernetes has received fixes for one of the most serious vulnerabilities ever found in the project to date. If left unpatched, the flaw could allow attackers to take over entire compute nodes.

    “With a specially crafted request, users that are allowed to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection,” the Kubernetes developers said in an advisory.

More on Kubernetes Security Flaw

  • Before Patched, Kubernetes Security Flaw Spread to OpenShift

    A security flaw discovered in the de facto standard Kubernetes cloud container orchestrator allowed unauthorized users access to Kubernetes clusters and the data they contain.

    The “privilege escalation vulnerability” announced Monday (Dec. 3) by developers affects versions 1.0 and higher of the Kubernetes orchestrator along with Red Hat OpenShift container platform. Red Hat rated the vulnerability as “critical,” denoting its potential impact on production operations.

  • Upgrades Recommended To Address Critical Kubernetes Flaws

    The flaws are associated with privilege "abuse," but there's also a problem with being able to exploit calls to Kubernetes API servers. Default Kubernetes configurations permit "all users (authenticated and unauthenticated)" to make such API server calls, according to the announcement, so it's a wide-open issue. Attacks can get initiated by a "specially crafted request" sent to the back end server, according to the Kubernetes announcement, which omitted the details.

Kubernetes hit by major security flaw


More in Tux Machines

Games: Retro Gaming and Vambrace: Cold Soul Coming to GNU/Linux

  • Raspberry Pi and Retro Gaming | Choose Linux 3
    Jason finally discovers the bottomless well of potential that is the Raspberry Pi, and talks about his first experience with Raspbian. Then Joe and Jason take a nostalgic deep dive into retro gaming on both the Raspberry Pi and the Pinebook.
  • Vambrace: Cold Soul, the next title from Devespresso Games will support Linux
    Devespresso Games (The Coma) are working on a new game called Vambrace: Cold Soul, a narrative-driven fantasy adventure that will support Linux. It's inspired by games like Darkest Dungeon, Castlevania and more, and it certainly looks good. I've had access to it for a while to do some pre-release Linux testing for the studio and I've been pretty impressed with it. The developer has also been very responsive to feedback and so far the Linux version seems pretty solid. The inspiration from Darkest Dungeon is pretty clear, with the turn-based battles and graphical style of the characters as well as the atmosphere being all quite familiar. It is very much its own game though; the narrative focus of it along with the town exploration is certainly very different.

Python: Pyro Probabilistic Programming Language and More

  • Pyro Probabilistic Programming Language Becomes Newest LF Deep Learning Project
    The LF Deep Learning Foundation (LF DL), a Linux Foundation project that supports and sustains open source innovation in artificial intelligence (AI), machine learning (ML), and deep learning (DL), announces the Pyro project, started by Uber, as its newest incubation project. Built on top of the PyTorch framework, Pyro is a deep probabilistic programming framework that facilitates large-scale exploration of AI models, making deep learning model development and testing quicker and more seamless. This is the second project LF DL has voted in from Uber, following last December’s Horovod announcement. Pyro is used by large companies like Siemens, IBM, and Uber, and startups like Noodle.AI, in addition to Harvard University, MIT, Stanford University, University of Oxford, University of Cambridge, and The Broad Institute. At Uber, Pyro solves a range of problems including sensor fusion, time series forecasting, ad campaign optimization and data augmentation for deep image understanding.
  • Converting Python Scripts to Executable Files
    In this tutorial, we will explore the conversion of Python scripts to Windows executable files in four simple steps. Although there are many ways to do it, we'll be covering, according to popular opinion, the simplest one so far. This tutorial has been designed after reviewing many common errors that people face while performing this task, and hence contains detailed information to install and set up all the dependencies as well. Feel free to skip any step, if you already have those dependencies installed. Without any further ado, let's start.
  • Python Performance Optimization
    Resources are never sufficient to meet growing needs in most industries, and now especially in technology as it carves its way deeper into our lives. Technology makes life easier and more convenient and it is able to evolve and become better over time. This increased reliance on technology has come at the expense of the computing resources available. As a result, more powerful computers are being developed and the optimization of code has never been more crucial. Application performance requirements are rising more than our hardware can keep up with. To combat this, people have come up with many strategies to utilize resources more efficiently – Containerizing, Reactive (Asynchronous) Applications, etc.
  • Webinar Recording: “Demystifying Python’s async and await Keywords” with Michael Kennedy
    Yesterday we hosted a webinar with Michael Kennedy from Talk Python To Me podcasts and training presenting Demystifying Python’s async and await Keywords. Turned out to be the highest-rated webinar in 7 years of JetBrains’ webinars. Thanks Michael! The webinar recording is now available, as well as a repository with the Python code he showed and the slides he used.
  • Skipping tests depending on the Python version
    Sometimes we want to run certain tests only on a specific version of Python. Suppose you are migrating a large project from Python 2 to Python 3 and you know in advance that certain tests won't run under Python 3. Chances are that during the migration you are already using the six library. The six library has two boolean properties which are initialised to True depending on the Python version which is being used: PY2 when running under Python 2 and PY3 when running under Python 3.

Linux Foundation launches ELISA, an open source project for building safety-critical systems

Machines have a trust problem — particularly autonomous machines deployed in safety-critical scenarios, like industrial robots and driverless cars. In a pair of surveys published by the American Automobile Association last January and by Gallup in May, 63 percent of people reported feeling afraid to ride in a fully self-driving vehicle and more than half said they’d never choose to ride in one. Moreover, in a report published by analysts at Pew in 2017, 70 percent of Americans said they were concerned about robots performing tasks currently handled by humans.

In an effort to allay those fears, the Linux Foundation today launched Enabling Linux in Safety Applications (ELISA), an open source project comprising tools intended to help companies build and certify Linux-based systems whose failure could result in loss of human life, significant property damage, or environmental damage. In partnership with British chip designer Arm, BMW, autonomous platforms company Kuka, Linutronix, and Toyota, ELISA will work with certification and standardization bodies in “multiple industries” to establish ways Linux can form the foundation of safety-critical systems across industries.

ELISA’s launch follows last year’s rollout of Automotive Grade Linux (AGL) 5.0, the newest version of a Linux Foundation project aimed at bringing open source technology to the automotive industry. Previous releases focused mainly on infotainment systems, but 5.0 introduced telematics and mapping solutions that allow OEMs to share mapping data generated by autonomous cars, in addition to offering improved security and a functional safety platform. Toyota and Amazon expressed early support; the former is using AGL in its 2018 Camry.

Read more

Slashdot: Linux Foundation Launches ELISA, an Open Source Project For Building Safety-Critical Systems

Security Password Managers, Updates, Intel/Linux, 5 Antivirus for Android Devices and Cisco

  • Your Password Manager Has A Severe Flaw — But You Should Still Use One [Ed: Yet worse: 1) people putting password managers on platforms with back doors from Apple and Microsoft. 2) people putting all their password "in the cloud".]
    If you are an avid user of password managers, you might just be in for a surprise. A recent study by researchers at the Independent Security Evaluators found that a number of popular password managers were storing master passwords as plain text within the main memory of devices. To an expert hacker, this vulnerability is equivalent to getting the keys to multiple accounts as a text document on your computer. The master key of any password manager can be used to gain access to all usernames and passwords being managed by it.
  • Security updates for Thursday
  • Fun Little Tidbits in a Howling Storm (Re: Intel Security Holes)
    Some kernel developers recently have been trying to work around the massive, horrifying, long-term security holes that have recently been discovered in Intel hardware. In the course of doing so, there were some interesting comments about coding practices. Christoph Hellwig and Jesper Dangaard Brouer were working on mitigating some of the giant speed sacrifices needed to avoid Intel's gaping security holes. And, Christoph said that one such patch would increase the networking throughput from 7.5 million packets per second to 9.5 million—a 25% speedup. To do this, the patch would check the kernel's "fast path" for any instances of dma_direct_ops and replace them with a simple direct call. Linus Torvalds liked the code, but he noticed that Jesper and Christoph's code sometimes would perform certain tests before testing the fast path. But if the kernel actually were taking the fast path, those tests would not be needed. Linus said, "you made the fast case unnecessarily slow."
  • 5 Antivirus for Android Devices That You Should Have in 2019
  • Duo Security Digs Into Chrome Extension Security With CRXcavator