EKS News 024

While it’s been a relatively quiet week newswise, there are a few interesting blogs in this edition, including a blog post authored by TheFork on how they upgrade their EKS clusters.

  • Managing Kubernetes without losing your cool

    • 11 tips for managing Kubernetes environments
    • Tip #0 is to pay someone else to do it!
    • #4 recommends k9s, but you might also want to consider Lens
    • #6 recommends kubectl debug for debugging distroless containers and crash loops; this feature will be included in EKS v1.23
    • #8 if you’re going to use admission webhooks to do “subtractive access control”, be sure to configure short timeouts to avoid overwhelming the API server, and always fail open
  • New Vulnerabilities in the Kubernetes NGINX Ingress Controller

    • NGINX ingress is a popular target for hackers because it is commonly used (50% of Kubernetes clusters) and runs with high permissions (its service account has permissions such as the ability to read all secrets within a cluster), which makes it easier for an attacker to move laterally within the environment
    • NGINX has undergone significant improvements since the latest vulnerabilities were discovered
    • Ultimately, the maintainers plan to fully separate the control plane from the data plane, which should prevent lateral movement in the future
    • Upgrade to the latest version!