
Kubernetes and Containers Leftovers

Filed under: Server, OSS, Security
  • Production-Ready Kubernetes Cluster Creation with kubeadm

    kubeadm is a tool that enables Kubernetes administrators to quickly and easily bootstrap minimum viable clusters that are fully compliant with Certified Kubernetes guidelines. It’s been under active development by SIG Cluster Lifecycle since 2016 and we’re excited to announce that it has now graduated from beta to stable and generally available (GA)!

    This GA release of kubeadm is an important event in the progression of the Kubernetes ecosystem, bringing stability to an area where stability is paramount.

    The goal of kubeadm is to provide a foundational implementation for Kubernetes cluster setup and administration. kubeadm ships with best-practice defaults but can also be customized to support other ecosystem requirements or vendor-specific approaches. kubeadm is designed to be easy to integrate into larger deployment systems and tools.

  • Docker Looks to Improve Container Development With Enterprise Desktop

    Docker CEO Steve Singh kicked off DockerCon Europe 2018 here with a bold statement: Companies need to transform, or risk becoming irrelevant.

    According to Singh, Docker is a key tool for enabling organizations to transform their businesses. To date for enterprises, the core Docker Enterprise Platform has been largely focused on operations and deployment, with the community Docker Desktop project available for developers to build applications. That's now changing with the announcement at DockerCon Europe of the new Docker Desktop Enterprise, adding new commercially supported developer capabilities to help corporate developers fully benefit from Docker.

    "Our commitment is to provide a development experience that makes it easy to build applications with one platform, upon which you can build, ship and run any application on any infrastructure," Singh said.

  • Canonical publishes auto-apply vulnerability patch for Kubernetes
  • Critical Kubernetes privilege escalation disclosed

    A critical flaw in the Kubernetes container orchestration system has been announced. It will allow any user to compromise a Kubernetes cluster by way of exploiting any aggregated API server that is deployed for it. This affects all Kubernetes versions 1.0 to 1.12, but is only fixed in the supported versions (in 1.10.11, 1.11.5, and 1.12.3).
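A small triage helper, added here as an example (not code from any of the linked articles or from the Kubernetes project), that classifies a control-plane version against the fixed releases named in the excerpt above. It assumes the version string has the `gitVersion` shape returned by `kubectl version` (for example `v1.12.3` or a vendor-suffixed `v1.11.5-gke.2`), and treats 1.13 as not affected because it shipped together with the fix.

```python
import re

# Fixed patch level for each supported branch, as listed in the advisory
# excerpt: 1.10.11, 1.11.5 and 1.12.3. Branches below 1.10 were out of
# support at disclosure time and received no fix.
FIXED_PATCH = {10: 11, 11: 5, 12: 3}
AFFECTED_MINORS = range(0, 13)  # 1.0 through 1.12 inclusive


def parse_git_version(git_version):
    """Parse a kube-apiserver gitVersion such as 'v1.12.3' or 'v1.11.5-gke.2'
    into a (major, minor, patch) tuple. Vendor or pre-release suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", git_version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {git_version!r}")
    return tuple(int(x) for x in m.groups())


def triage(git_version):
    """Classify a control-plane version against CVE-2018-1002105.

    Returns 'patched', 'vulnerable', 'unsupported-vulnerable' (affected branch
    that never received a fix, so only an upgrade helps) or 'not-affected'."""
    major, minor, patch = parse_git_version(git_version)
    if major != 1 or minor not in AFFECTED_MINORS:
        return "not-affected"
    if minor not in FIXED_PATCH:
        return "unsupported-vulnerable"
    return "patched" if patch >= FIXED_PATCH[minor] else "vulnerable"


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real cluster.
    for v in ["v1.12.2", "v1.12.3", "v1.11.5-gke.2", "v1.9.11", "v1.13.0"]:
        print(f"{v:16} -> {triage(v)}")
```

Feed it the `gitVersion` field of the server block from `kubectl version -o json`; an 'unsupported-vulnerable' result means no patch release exists for that branch and the only remediation is moving to a fixed branch.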

Why Docker Swarm Remains Important

  • Why Docker Swarm Remains Important

    Docker Swarm remains a core element of Docker Inc's plans and that's not going to change anytime soon. That's the strong message coming from Docker CEO Steve Singh, during a briefing with press and analysts at the Dockercon Europe 2018 event here.

    A year ago, in October 2017 at the last Dockercon Europe event, Docker announced that it would support the erstwhile rival Kubernetes container orchestration system. At the time, Docker's management committed to continuing to support Swarm and now a year later, they are still on that same path. Docker has been developing its own Swarm system since December 2014.

    "We have many clients that continue to run Docker Swarm in production," Singh said. "Swarm continues to be a very well adopted container orchestration tool, in large part, honestly because it's ridiculously simple to use."

By Steven J. Vaughan-Nichols

  • Kubernetes' first major security hole discovered

    Kubernetes has become the most popular cloud container orchestration system by far, so it was only a matter of time until its first major security hole was discovered. And the bug, CVE-2018-1002105, aka the Kubernetes privilege escalation flaw, is a doozy. It's a CVSS 9.8 critical security hole.

    With a specially crafted network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server. Once established, an attacker can send arbitrary requests over the network connection directly to that backend. Adding insult to injury, these requests are authenticated with the Kubernetes API server's Transport Layer Security (TLS) credentials.

Critical Kubernetes Bug

  • Kubernetes Discloses Major Security Flaw

    Kubernetes disclosed a critical security flaw — the container orchestration tool’s first major vulnerability to date — and released Kubernetes 1.13.

    But first: the security flaw. It affects all Kubernetes-based products and services, and it gives hackers full administrative privileges on any compute node being run in a Kubernetes cluster.

    As Red Hat’s Ashesh Badani wrote, “This is a big deal. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization’s firewall.”

  • Critical Kubernetes Bug Gives Anyone Full Admin Privileges [Ed: No, not everyone. Only those who already have access to that particular system.]

What does the Kubernetes privilege escalation flaw mean

Article by Lucian Constantin

  • Critical Vulnerability Allows Kubernetes Node Hacking

    Kubernetes has received fixes for one of the most serious vulnerabilities ever found in the project to date. If left unpatched, the flaw could allow attackers to take over entire compute nodes.

    “With a specially crafted request, users that are allowed to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection,” the Kubernetes developers said in an advisory.

More on Kubernetes Security Flaw

  • Before Patched, Kubernetes Security Flaw Spread to OpenShift

    A security flaw discovered in the de facto standard Kubernetes cloud container orchestrator allowed unauthorized users access to Kubernetes clusters and the data they contain.

    The “privilege escalation vulnerability” announced Monday (Dec. 3) by developers affects versions 1.0 and higher of the Kubernetes orchestrator along with Red Hat OpenShift container platform. Red Hat rated the vulnerability as “critical,” denoting its potential impact on production operations.

  • Upgrades Recommended To Address Critical Kubernetes Flaws

    The flaws are associated with privilege "abuse," but there's also a problem with being able to exploit calls to Kubernetes API servers. Default Kubernetes configurations permit "all users (authenticated and unauthenticated)" to make such API server calls, according to the announcement, so it's a wide-open issue. Attacks can get initiated by a "specially crafted request" sent to the back end server, according to the Kubernetes announcement, which omitted the details.

Kubernetes hit by major security flaw

