The local volume static provisioner manages PersistentVolume lifecycle for pre-allocated disks by detecting and creating PVs for each local disk on the host, and cleaning up the disks when released.
Originally released in May, this update provides a one-click solution that deploys out-of-the-box Amazon Managed Grafana dashboards and an AWS Distro for OpenTelemetry collector to collect metrics, stores them in Amazon Managed Service for Prometheus, and configures alerts and recording rules.
This blog dives into how you can apply zero-trust workload access controls along with microsegmentation for your workloads that run on Amazon EKS, and provides specific examples.
SBOMs enable those who are dependent on software to understand what exactly is in the applications they’re using. This gives both software developers and users a better sense of the risks associated with their applications.
An SBOM is a list of third party software, open source software, statically linked packages, and other application dependencies.
A good SBOM will hold software development organizations accountable for tracking and documenting exactly how an application has been made. It should also include a risk analysis of each component so security teams can understand how their software supply chain contributes to their applications’ risk profile.
An article from May covering the use of ephemeral containers and kubectl debug. Ephemeral containers are useful for debugging containers that lack debugging tools, e.g. Distroless, and for diagnosing crash loops.
Reviews 2 tools you can use to perform vulnerability assessment scans of your Kubernetes clusters: kube-bench and Kubescape.
kube-bench gives you very precise instructions regarding ownership and permissions for configuration files as well as for flags and arguments that are wrongly configured.
Kubescape uses the NSA/MITRE/ArmoBest/DevOpsBest guidelines to evaluate the cluster or pipeline being scanned.
Traditional monitoring tools rarely include contextual information that would help you answer questions like “what changed”, “why”, and “who’s affected”. Observability solutions are meant to answer questions like “show me all users that had response times over our SLA threshold at any time this month”.
Implementing standards that are cross-language and cross-platform is a must for Observability: you must be able to issue a query that answers your Observability questions across all languages you run in production, and know that the context is applied and located in the same place across all your applications.
Observability needs to be baked into your own code and stack intentionally. OpenTelemetry is the new ‘lingua franca’ for Observability, allowing the full stack to speak the same language, gather data in the same format, and ultimately transport that data for processing.
A new Istio data plane mode that’s designed for simplified operations, broader application compatibility, and reduced infrastructure cost. Ambient mesh gives users the option to forgo sidecar proxies in favor of a mesh data plane that’s integrated into their infrastructure.
Besides CPU and memory, it’s important to consider the impact bandwidth consumption can have on overall pod performance.
Cilium’s Bandwidth Manager implements pod network rate-limiting by putting Earliest Departure Time (EDT) timestamps on each packet (depending on the policy and rate) and sending out packets based on the timestamp, which performs better (4x reduction of p99 latency) when compared with traditional queuing models.
BumbleBee helps to build, run and distribute eBPF programs using OCI images. It allows you to focus on writing eBPF code, while taking care of the user space components, automatically exposing your data as metrics or logs.
CI/CD pipelines also have their own life cycle that includes stages like pipeline composition, configuration, invocation, execution, and completion. For comprehensive coverage, security controls need to be embedded and exercised across all these defined stages of the pipeline.
This blog illustrates how Kyverno can be used to improve the overall security posture of our CI/CD pipelines, specifically Tekton pipelines. For example, you can use Kyverno to require that all Tekton bundles be signed by a trusted authority.
Includes sample code for scaling a deployment, execing into a pod, tainting a node, monitoring cluster resource utilization, and exporting and backing up k8s objects.
This blog explores the possibilities of using AWS FIS to consolidate and coordinate experimentation across different layers of the stack and shows how you can streamline experimentation with AWS FIS across AWS Services and cloud-native chaos engineering projects.