clair
istio
Our great sponsors
clair | istio | |
---|---|---|
21 | 87 | |
10,019 | 34,896 | |
0.8% | 1.2% | |
9.2 | 10.0 | |
5 days ago | 5 days ago | |
Go | Go | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
clair
-
I looked through attacks in my access logs. Here's what I found
Besides pointing pentester tools like metasploit at yourself, there are some nice scanners out there.
-
General Docker Troubleshooting, Best Practices & Where to Go From Here
Clair. Vulnerability Static Analysis for Containers.
-
Open source container scanning tool to find vulnerabilities and suggest best practice improvements?
https://github.com/quay/clair 9.4k stars, updated 17 hours ago
-
Postgres: The Graph Database You Didn't Know You Had
It scaled well compared to a naive graph abstraction implemented outside the database, but when performance wasn't great, it REALLY wasn't great. We ended up throwing it out in later versions to try and get more consistent performance.
I've since worked on SpiceDB[1] which takes the traditional design approach for graph databases and simply treating Postgres as triple-store and that scales far better. IME, if you need a graph, you probably want to use a database optimized for graph access patterns. Most general-purpose graph databases are just bags of optimizations for common traversals.
-
Implement DevSecOps to Secure your CI/CD pipeline
Open source: Trivy, Gryp and Clair are widely used open source tools for container scanning.
-
Sublime Music - A FLOSS desktop client for Subsonic API servers (Airsonic, Navidrome, Gonic, etc)
Testing the image with github.com/fullhunt/log4j-scan and https://github.com/quay/clair shows no vulnerabilities
-
Automatically tag your Docker images as vulnerable in ECR
Amazon Elastic Container Registry is a fully-managed Docker container registry. It makes it easy for developers to store and manage Docker images inside their AWS environment. ECR supports two types of image scanning. Enhanced image scanning requires an integration with Amazon Inspector. It will scan your repositories continuously. Basic image scanning will use the Common Vulnerabilities and Exposures (CVEs) database (open-source Clair) to find vulnerabilities in your images. You can trigger scans on image push or manually.
-
SaaS Startup Security 101 - A quick guide for building secure SaaS
Klair: Scan your containersJust like external dependencies can contain security flaws, container images also can contain outdated programs and dependencies subject to security issues. Klair is an open-source tool that can help you find outdated dependencies and security flaws in your docker images.
-
How to leverage image vulnerability scanning on AWS ECR using a fully automated solution
AWS Elastic Container Registry has been able to support the scanning of images for vulnerabilities using the open source project Clair for quite some time now. Clair is an open source project used for the static analysis of vulnerabilities in application containers (currently including OCI and Docker). Made available by AWS directly and implemented into ECR, it is a very useful feature to minimize the risk of using endangered software - and stay compliant. The scanning for vulnerabilities should be a good standard in any Dockerized scenario as public images and their heirs can contain many security risks (Top-ten-docker-images) - which might be overlooked while developing applications that are constantly changed and improved - and new versions of images are pushed to your ECR many times a day.
-
Hosting my own docker registry, any recommendations on UI and authentication service?
I use Quay and quite like it. It's a lot more flexible to deploy than Harbor. It has a web UI and connects to LDAP or OIDC. You can also add vulnerability scanning to it as well with Clair. The one downside is that it doesn't support a pull-through cache system like Harbor does (to my knowledge), though you can explicitly mirror containers from another source.
istio
-
Optimal JMX Exposure Strategy for Kubernetes Multi-Node Architecture
Leverage a service mesh like Istio or Linkerd to manage communication between microservices within the Kubernetes cluster. These service meshes can be configured to intercept JMX traffic and enforce access control policies. Benefits:
-
Open Source Ascendant: The Transformation of Software Development in 2024
Open Source and Cloud Computing: A Match Made in Heaven The cloud is accelerating OSS adoption. Cloud-native technologies like Kubernetes [https://kubernetes.io/] and Istio [https://istio.io/], both open-source projects, are revolutionizing how applications are built and deployed across cloud platforms.
-
Delving Deeper: Enriching Microservices with Golang with CloudWeGo
Consider the case of Bookinfo, a sample application provided by Istio, rewritten using CloudWeGo's Kitex for superior performance and extensibility.
-
How to Build & Deploy Scalable Microservices with NodeJS, TypeScript and Docker || A Comprehesive Guide
It is a dedicated infrastructure layer that manages service-to-service communication, providing features like load balancing, encryption, authentication, and monitoring. Istio deploys sidecar proxies alongside each microservice instance. These proxies handle communication, providing features like load balancing, service discovery, encryption, monitoring and authentication.
-
Caddy for Certs and Istio for Reverse Proxy
5Y old post that sounds like they've done similar here: Caddy Issue Istio Issue but doesn't cover much of the implementation
-
Developer’s Guide to Building Kubernetes Cloud Apps ☁️🚀
In a production environment there will be a load balancer setup with an Ingress Controller, Service Mesh or some type of Custom Router. This allows all traffic to be sent to the single load balancer IP address and then route the traffic to a service based on the Domain name or subpath. We are using a NGINX ingress controller but service meshes like Istio have been becoming the most popular solution to use as they offer more segmentation, security and granular control.
-
Progressive Delivery on AKS: A Step-by-Step Guide using Flagger with Istio and FluxCD
Flagger is a progressive delivery tool that enables a Kubernetes operator to automate the promotion or rollback of deployments based on metrics analysis. It supports a variety of metrics including Prometheus, Datadog, and New Relic to name a few. It also works well with Istio service mesh, and can implement progressive traffic splitting between primary and canary releases.
-
Implementing TLS in Kubernetes
End-to-end data encryption with a service mesh: Using an end-to-end data encryption mechanism with a service mesh like Istio, TLS can secure communication between different microservices within a Kubernetes cluster. This is a popular approach for modern, distributed microservice architectures.
-
Ultimate EKS Baseline Cluster: Part 1 - Provision EKS
From here, we can explore other developments and tutorials on Kubernetes, such as o11y or observability (PLG, ELK, ELF, TICK, Jaeger, Pyroscope), service mesh (Linkerd, Istio, NSM, Consul Connect, Cillium), and progressive delivery (ArgoCD, FluxCD, Spinnaker).
-
Istio moved to CNCF Graduation stage
If something doesn't play nice try the Istio slack or file an issue on the main repo: https://github.com/istio/istio
What are some alternatives?
trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
osm - Open Service Mesh (OSM) is a lightweight, extensible, cloud native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
grype - A vulnerability scanner for container images and filesystems
keda - KEDA is a Kubernetes-based Event Driven Autoscaling component. It provides event driven scale for any container running in Kubernetes
anthos-service-mesh-packages - Packaged configuration for setting up a Kubernetes cluster with Anthos Service Mesh features enabled
crossplane - The Cloud Native Control Plane
falco - Cloud Native Runtime Security
kratos - Your ultimate Go microservices framework for the cloud-native era.
syft - CLI tool and library for generating a Software Bill of Materials from container images and filesystems
thanos - Highly available Prometheus setup with long term storage capabilities. A CNCF Incubating project.
helm - The Kubernetes Package Manager
Harbor - An open source trusted cloud native registry project that stores, signs, and scans content.