
Kubernetes and Containers Leftovers

Filed under: Server, OSS, Security
  • Production-Ready Kubernetes Cluster Creation with kubeadm

    kubeadm is a tool that enables Kubernetes administrators to quickly and easily bootstrap minimum viable clusters that are fully compliant with Certified Kubernetes guidelines. It’s been under active development by SIG Cluster Lifecycle since 2016 and we’re excited to announce that it has now graduated from beta to stable and generally available (GA)!

    This GA release of kubeadm is an important event in the progression of the Kubernetes ecosystem, bringing stability to an area where stability is paramount.

    The goal of kubeadm is to provide a foundational implementation for Kubernetes cluster setup and administration. kubeadm ships with best-practice defaults but can also be customized to support other ecosystem requirements or vendor-specific approaches. kubeadm is designed to be easy to integrate into larger deployment systems and tools.

  • Docker Looks to Improve Container Development With Enterprise Desktop

    Docker CEO Steve Singh kicked off DockerCon Europe 2018 here with a bold statement: Companies need to transform, or risk becoming irrelevant.

    According to Singh, Docker is a key tool for enabling organizations to transform their businesses. To date for enterprises, the core Docker Enterprise Platform has been largely focused on operations and deployment, with the community Docker Desktop project available for developers to build applications. That's now changing with the announcement at DockerCon Europe of the new Docker Desktop Enterprise, adding new commercially supported developer capabilities to help corporate developers fully benefit from Docker.

    "Our commitment is to provide a development experience that makes it easy to build applications with one platform, upon which you can build, ship and run any application on any infrastructure," Singh said.

  • Canonical publishes auto-apply vulnerability patch for Kubernetes
  • Critical Kubernetes privilege escalation disclosed

    A critical flaw in the Kubernetes container orchestration system has been announced. It will allow any user to compromise a Kubernetes cluster by way of exploiting any aggregated API server that is deployed for it. This affects all Kubernetes versions 1.0 to 1.12, but is only fixed in the supported versions (in 1.10.11, 1.11.5, and 1.12.3).
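    The advisory excerpt above gives only three fixed patch releases, so the practical question for a defender is whether a given cluster version sits on a fixed line. The following helper is an added example (not code from the page, LWN or the Kubernetes project) that classifies version strings against the fixed releases named above; the version strings fed to it are constructed samples, and the status labels are this example's own.

```python
"""Classify a Kubernetes version against the CVE-2018-1002105 fix releases
named in the advisory (1.10.11, 1.11.5, 1.12.3).

Added example, not part of the original page. Sample inputs are constructed.
"""
import re
from typing import Dict, Optional, Tuple

# Patch releases carrying the fix, keyed by (major, minor), from the advisory text.
FIXED_PATCH: Dict[Tuple[int, int], int] = {(1, 10): 11, (1, 11): 5, (1, 12): 3}

# The advisory states that 1.0 through 1.12 are affected.
AFFECTED_MINORS = range(0, 13)

# Accepts "v1.12.2", "1.12.2" and vendor suffixes such as "1.12.2-gke.1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None when the string is not a version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def status(text: str) -> str:
    """Classify one version string.

    Labels (this example's own naming):
      "fixed"                  - on a supported line at or above the fix release
      "vulnerable"             - on a supported line below the fix release
      "vulnerable-unsupported" - 1.0 to 1.9: affected, and no fix was released
      "unaffected"             - 1.13 or later, which shipped after the fix
      "unknown"                - unparseable input
    """
    v = parse_version(text)
    if v is None:
        return "unknown"
    major, minor, patch = v
    if major != 1:
        return "unaffected" if major > 1 else "unknown"
    if minor not in AFFECTED_MINORS:
        return "unaffected"
    fix = FIXED_PATCH.get((major, minor))
    if fix is None:
        return "vulnerable-unsupported"
    return "fixed" if patch >= fix else "vulnerable"


def needs_upgrade(component_versions: Dict[str, str]) -> Dict[str, str]:
    """Filter a {component: version} map down to entries still exposed."""
    return {name: status(v) for name, v in component_versions.items()
            if status(v).startswith("vulnerable")}


if __name__ == "__main__":
    # Constructed sample: what an inventory of one cluster's parts might look like.
    sample = {
        "apiserver": "v1.12.2",
        "node-a": "v1.12.3",
        "node-b": "v1.9.11",
        "metrics-aggregator": "1.11.5-gke.2",
    }
    for name, result in needs_upgrade(sample).items():
        print(f"{name}: {result}")
```

    Only the API server and aggregated API servers in the proxy path matter for the flaw itself, but an inventory check like this is cheap to run over every component, and a "vulnerable-unsupported" result is the cue that the only remedy is moving to a supported minor line.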

Why Docker Swarm Remains Important

  • Why Docker Swarm Remains Important

    Docker Swarm remains a core element of Docker Inc's plans and that's not going to change anytime soon. That's the strong message coming from Docker CEO Steve Singh, during a briefing with press and analysts at the Dockercon Europe 2018 event here.

    A year ago, in October 2017 at the last Dockercon Europe event, Docker announced that it would support the erstwhile rival Kubernetes container orchestration system. At the time, Docker's management committed to continuing to support Swarm and now a year later, they are still on that same path. Docker has been developing its own Swarm system since December 2014.

    "We have many clients that continue to run Docker Swarm in production," Singh said. "Swarm continues to be a very well adopted container orchestration tool, in large part, honestly because it's ridiculously simple to use."

By Steven J. Vaughan-Nichols

  • Kubernetes' first major security hole discovered

    Kubernetes has become the most popular cloud container orchestration system by far, so it was only a matter of time until its first major security hole was discovered. And the bug, CVE-2018-1002105, aka the Kubernetes privilege escalation flaw, is a doozy. It's a CVSS 9.8 critical security hole.

    With a specially crafted network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server. Once established, an attacker can send arbitrary requests over the network connection directly to that backend. Adding insult to injury, these requests are authenticated with the Kubernetes API server's Transport Layer Security (TLS) credentials.

Critical Kubernetes Bug

  • Kubernetes Discloses Major Security Flaw

    Kubernetes disclosed a critical security flaw — the container orchestration tool’s first major vulnerability to date — and released Kubernetes 1.13.

    But first: the security flaw. It affects all Kubernetes-based products and services, and it gives hackers full administrative privileges on any compute node being run in a Kubernetes cluster.

    As Red Hat’s Ashesh Badani wrote, “This is a big deal. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization’s firewall.”

  • Critical Kubernetes Bug Gives Anyone Full Admin Privileges [Ed: No, not everyone. Only those who already have access to that particular system.]

What does the Kubernetes privilege escalation flaw mean

Article by Lucian Constantin

  • Critical Vulnerability Allows Kubernetes Node Hacking

    Kubernetes has received fixes for one of the most serious vulnerabilities ever found in the project to date. If left unpatched, the flaw could allow attackers to take over entire compute nodes.

    “With a specially crafted request, users that are allowed to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection,” the Kubernetes developers said in an advisory.

More on Kubernetes Security Flaw

  • Before Patched, Kubernetes Security Flaw Spread to OpenShift

    A security flaw discovered in the de facto standard Kubernetes cloud container orchestrator allowed unauthorized users access to Kubernetes clusters and the data they contain.

    The “privilege escalation vulnerability” announced Monday (Dec. 3) by developers affects versions 1.0 and higher of the Kubernetes orchestrator along with Red Hat OpenShift container platform. Red Hat rated the vulnerability as “critical,” denoting its potential impact on production operations.

  • Upgrades Recommended To Address Critical Kubernetes Flaws

    The flaws are associated with privilege "abuse," but there's also a problem with being able to exploit calls to Kubernetes API servers. Default Kubernetes configurations permit "all users (authenticated and unauthenticated)" to make such API server calls, according to the announcement, so it's a wide-open issue. Attacks can get initiated by a "specially crafted request" sent to the back end server, according to the Kubernetes announcement, which omitted the details.

Kubernetes hit by major security flaw

