Enhancements Alternatives

Similar projects and alternatives to enhancements

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a better enhancements alternative or higher similarity.

enhancements reviews and mentions

Posts with mentions or reviews of enhancements. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-05-17.
  • Missing ServiceAccount token
    2 projects | reddit.com/r/kubernetes | 17 May 2022
    Starting with Kubernetes 1.24, secrets are no longer automatically generated as part of an effort to shift users to the new short-lived TokenRequest APIs. If you do need a long-lived token, you can create a secret manually.
  • Launch HN: Infra (YC W21) – Open-source access management for Kubernetes
    4 projects | news.ycombinator.com | 17 May 2022
    Thanks! Curious, where did HTTP+JSON break down for you? Was it specifically around audit/event streaming? This would be helpful as we consider building out future updates to Infra, especially considering tools like Kubernetes have put HTTP+JSON APIs to the test (at least in their user-facing APIs).

    Indeed! EKS + others don't allow custom authentication methods or allow you to use an external CA for the cluster. Running a proxy agent in each cluster makes sense and is similar to how Infra approaches it: I hadn't seen that configuration in your architecture pages!

    Have you considered distributing certificates signed by the cluster CA itself (to avoid proxies altogether)? In 1.22 onwards there's a new ExpirationSeconds field when creating a certificate signing request: https://github.com/kubernetes/enhancements/issues/2784 . I imagine this will be supported by all the hosted Kubernetes services - we've been watching this closely.

  • Kubernetes 1.24 Released: What’s New?
    3 projects | dev.to | 11 May 2022
    New beta APIs are no longer enabled by default in Kubernetes. However, existing beta APIs and the new versions of existing beta APIs will still be on board by default. More on this topic can be found on GitHub.
  • In defense of swap: common misconceptions
    2 projects | news.ycombinator.com | 20 Apr 2022
    I’m a little confused by your #1; I was under the impression that each container had its own cgroup.

    Note that Kubernetes now has code to work with swap, although some work remains. Tracking issue: https://github.com/kubernetes/enhancements/issues/2400

    There is a lengthy conversation in this issue, with some deep insights (and a lot of misconceptions).

    https://github.com/kubernetes/kubernetes/issues/53533

  • Pod Security Context
    1 project | reddit.com/r/kubernetes | 4 Feb 2022
    It doesn't look like kubernetes supports user namespaces yet; this article explains this way better than I can: https://kinvolk.io/blog/2020/12/improving-kubernetes-and-container-security-with-user-namespaces/
  • How To Use Pre-existing Disk as a K8s Persistent Volume for a GKE Cluster
    1 project | dev.to | 12 Dec 2021
    A PersistentVolumeClaim (PVC) is a request for storage by a user. It is similar to a pod. Pods consume node resources and PVCs consume PV resources. From K8s version 1.11b PersistentVolumes can be even configured to be expandable.
  • Using Kubernetes Ephemeral Containers for Troubleshooting
    1 project | reddit.com/r/kubernetes | 2 Dec 2021
    Cool article. Could be worth adding to it that ephemeral containers is scheduled to hit beta in next week's 1.23 release (https://github.com/kubernetes/enhancements/issues/277), so will be enabled by default from then on.
  • MetalLB: Pile up services of various ports on a single IP? Or different IPs?
    1 project | reddit.com/r/kubernetes | 26 Nov 2021
    It's moving into beta, hopefully https://github.com/kubernetes/enhancements/issues/1435
  • Container security best practices: Comprehensive guide
    17 projects | dev.to | 16 Nov 2021
    Effective user: Don’t run the container as root. Even better, use randomized UIDs (like Openshift) that don’t map to real users in the host, or use the user namespace feature in Docker and in Kubernetes when ready (not available at time of publish).
  • load balancer to a Kubernetes cluster as a proper ingress
    1 project | reddit.com/r/kubernetes | 13 Sep 2021
    See KEP-1435: different protocols in the same service definition with type=loadbalancer.
  • Feedback wanted on pod resource metrics before GA promotion
    2 projects | reddit.com/r/kubernetes | 2 Sep 2021
  • We Run Data Pipelines as Containers
    1 project | news.ycombinator.com | 20 Aug 2021
    Make sure you are at least using user namespaces which drop the mknod cap by their nature, or better yet in rootless mode.

    I have filed several bugs that I know can result in breakout but as I can't make myself disclose vulnerabilities I have no stick to get them to change their 'wont fix' decisions.

    k8s doesn't support user namespaces let alone user mount namespaces.

    Here is the open issue.

    https://github.com/kubernetes/enhancements/issues/127

    The point being that for k8s and docker, any role that allows you to create pods/containers or to compromise such a role with any hop number should be considered as having root permissions.

    While I won't share any non-privileged breakouts, here is an example of how easy it is with the --privileged flag.

    https://stackoverflow.com/questions/36425230/privileged-cont...

    While I am not recommending it in general, AppArmor is fairly easy to develop CI friendly restrictions with and I would strongly suggest you protect the directory space and devices that you don't use with it.

    Not perfect but it typically can help prevent leaks caused by adding features or configuration errors.

    Runc using seccomp to make a container process make the one-way transition into a "secure" state and through dropped capabilities is what provides additional security.

    Hiding pids doesn't matter when any container can list /dev or look through /sys and /proc to find device major and minor numbers or to modify kernel parameters or files that are mistakenly given write access.

    The overwriting of the runc executable CVE that recently happened will give an actual case there.

    Namespaces are more about decoupling and avoiding pollution than security.

    Just like chroot, the shared kernel instance has a large attack surface, especially if you don't leverage all of the tools provided.

    As you are effectively running arbitrary code from users, I would highly suggest you look into non container runtime protection.

    It can be made reasonably safe but an overconfidence in containers being inherently secure will make you a target.

    If you are on k8s you should be using anti-affinity or taints to make sure containers running external user code are not running on the same nodes as other containers or, better than that, have a dedicated k8s for that need.

    Especially if you have persistent storage as user mount point namespaces are new in the kernel and default mounts typically are implemented by granting CAP_SYS_ADMIN capabilities(7)

  • Stack Overflow Developer Survey 2021: "Rust reigns supreme as most loved. Python and Typescript are the languages developers want to work with most if they aren’t already doing so."
    6 projects | reddit.com/r/programming | 2 Aug 2021
    Swap support is being introduced as an alpha feature in the upcoming Kubernetes 1.22 release: https://github.com/kubernetes/enhancements/issues/2400
  • A Deep Dive Into Kubernetes Schema Validation
    7 projects | dev.to | 1 Jun 2021
    Verifying the state of Kubernetes manifests may seem like a trivial task, because the Kubernetes CLI (kubectl) has the ability to verify resources before they’re applied to a cluster. You can verify the schema by using the dry-run flag (--dry-run=client/server) when specifying the kubectl create or kubectl apply commands, which will perform the validation without applying Kubernetes resources to the cluster.
  • Should swap be disabled with K3s as it's required to do with standard Kubernetes?
    1 project | reddit.com/r/k3s | 23 May 2021
    KEP-2400: Node system swap support

Stats

Basic enhancements repo stats
27
2,235
9.7
5 days ago

kubernetes/enhancements is an open source project licensed under Apache License 2.0 which is an OSI approved license.
