EKS News 032

  • SBOM Facts: Know what’s in your software to fend off supply chain attacks
    • SBOMs enable those who are dependent on software to understand what exactly is in the applications they’re using. This gives both software developers and users a better sense of the risks associated with their applications.
    • An SBOM is a list of third-party software, open source software, statically linked packages, and other application dependencies.
    • A good SBOM will hold software development organizations accountable for tracking and documenting exactly how an application has been made. It should also include a risk analysis of each component so security teams can understand how their software supply chain contributes to their applications’ risk profile.
  • Writing a Go service in Kubernetes
  • Kubernetes Ephemeral Containers and kubectl debug Command
    • An article from May covering the use of ephemeral containers and kubectl debug. Ephemeral containers are useful for debugging containers that lack debugging tools, e.g. Distroless, and for diagnosing crash loops.
  • Securing Kubernetes cluster using Kubescape and kube-bench
    • Reviews two tools you can use to perform vulnerability assessment scans of your Kubernetes clusters: kube-bench and Kubescape.
    • kube-bench gives you very precise instructions regarding ownership and permissions for configuration files, as well as for flags and arguments that are misconfigured.
    • Kubescape uses the NSA/MITRE/ArmoBest/DevOpsBest guidelines to evaluate the cluster or pipeline being scanned.
  • Application Performance Monitoring vs. Application Performance Observability
    • Traditional monitoring tools rarely include the contextual information that would help you answer questions like “what changed”, “why”, and “who’s affected”. Observability solutions are meant to answer questions like “show me all users that had response times over our SLA threshold at any time this month”.
    • Implementing cross-language, cross-platform standards is a must for observability: you must be able to issue a query that answers your observability questions across all languages you run in production, and know that the context is applied and located in the same place across all your applications.
    • Observability needs to be baked into your own code and stack intentionally. OpenTelemetry is the new ‘lingua franca’ for Observability, allowing the full stack to speak the same language, gather data in the same format, and ultimately transport that data for processing.
  • The Observability Newsletter, curated by Michael Hausenblas
  • Official CVE Feed for Kubernetes
    • A community maintained list of official CVEs announced by the Kubernetes Security Response Committee.
  • Introducing Ambient Mesh: Istio without Sidecars
    • A new Istio data plane mode that’s designed for simplified operations, broader application compatibility, and reduced infrastructure cost. Ambient mesh gives users the option to forgo sidecar proxies in favor of a mesh data plane that’s integrated into their infrastructure.
  • Addressing Bandwidth Exhaustion with Cilium Bandwidth Manager
    • Besides CPU and memory, it’s important to consider the impact bandwidth consumption can have on overall pod performance.
    • Cilium’s Bandwidth Manager implements pod network rate-limiting by putting Earliest Departure Time (EDT) timestamps on each packet (depending on the policy and rate) and sending out packets based on the timestamp, which performs better (4x reduction of p99 latency) when compared with traditional queuing models.
  • HOL: eBPF - An Overview
    • BumbleBee helps to build, run, and distribute eBPF programs using OCI images. It allows you to focus on writing eBPF code while taking care of the user-space components, automatically exposing your data as metrics or logs.
  • HOL: How does Kubernetes assign QoS class to pods through OOM score?
  • Protect the pipe! Secure CI/CD pipelines with a policy-based approach using Tekton and Kyverno Policies
    • CI/CD pipelines also have their own life cycle that includes stages like pipeline composition, configuration, invocation, execution, and completion. For comprehensive coverage, security controls need to be embedded and exercised across all these defined stages of the pipeline.
    • This blog illustrates how Kyverno can be used to improve the overall security posture of our CI/CD pipelines, specifically Tekton pipelines. For example, you can use Kyverno to require that all Tekton bundles must be signed by a trusted authority.
  • Automate All the Boring Kubernetes Operations with Python
    • Includes sample code for scaling a deployment, execing into a pod, tainting a node, monitoring cluster resource utilization, and exporting and backing up Kubernetes objects.
  • On Amazon EKS and Fault Injection Service
    • This blog explores the possibilities of using AWS FIS to consolidate and coordinate experimentation across different layers of the stack and shows how you can streamline experimentation with AWS FIS across AWS Services and cloud-native chaos engineering projects.
  • Troubleshooting namespaces stuck in a terminating state
  • Remote debugging of Java apps in Kubernetes
  • KWOK
    • Simulate thousands of Kubelets on a laptop with KWOK.
  • kube-shell
  • kube-router
    • Kube-router provides a cohesive yet lean and powerful alternative to several network components you would use with Kubernetes.
    • Documentation