Posts in 2023
-
Confidential Kubernetes: Use Confidential Virtual Machines and Enclaves to improve your cluster security
By Fabian Kammel (Edgeless Systems), Mikko Ylinen (Intel), Tobin Feldman-Fitzthum (IBM) | Thursday, July 06, 2023 in Blog
In this blog post, we will introduce the concept of Confidential Computing (CC) to improve any computing environment's security and privacy properties. Further, we will show how the Cloud-Native ecosystem, particularly Kubernetes, can benefit from …
-
Verifying Container Image Signatures Within CRI Runtimes
By Sascha Grunert | Thursday, June 29, 2023 in Blog
The Kubernetes community has been signing their container image-based artifacts since release v1.24. While the graduation of the corresponding enhancement from alpha to beta in v1.26 introduced signatures for the binary artifacts, other projects …
-
dl.k8s.io to adopt a Content Delivery Network
By Arnaud Meukam (VMware), Hannah Aubry (Fastly), Frederico Muñoz (SAS Institute) | Friday, June 09, 2023 in Blog
We're happy to announce that dl.k8s.io, home of the official Kubernetes binaries, will soon be powered by Fastly. Fastly is known for its high-performance content delivery network (CDN) designed to deliver content quickly and reliably around the …
-
Using OCI artifacts to distribute security profiles for seccomp, SELinux and AppArmor
By Sascha Grunert | Wednesday, May 24, 2023 in Blog
The Security Profiles Operator (SPO) makes managing seccomp, SELinux and AppArmor profiles within Kubernetes easier than ever. It allows cluster administrators to define the profiles in a predefined custom resource YAML, which then gets distributed …
-
Having fun with seccomp profiles on the edge
By Sascha Grunert | Thursday, May 18, 2023 in Blog
The Security Profiles Operator (SPO) is a feature-rich operator for Kubernetes to make managing seccomp, SELinux and AppArmor profiles easier than ever. Recording those profiles from scratch is one of the key features of this operator, which usually …
-
Kubernetes 1.27: KMS V2 Moves to Beta
By Anish Ramasekar, Mo Khan, Rita Zhang (Microsoft) | Tuesday, May 16, 2023 in Blog
With Kubernetes 1.27, we (SIG Auth) are moving Key Management Service (KMS) v2 API to beta. What is KMS? One of the first things to consider when securing a Kubernetes cluster is encrypting etcd data at rest. KMS provides an interface for a provider …
-
Kubernetes 1.27: updates on speeding up Pod startup
By Paco Xu (DaoCloud), Sergey Kanzhelev (Google), Ruiwen Zhao (Google) | Monday, May 15, 2023 in Blog
How can Pod start-up be accelerated on nodes in large clusters? This is a common issue that cluster administrators may face. This blog post focuses on methods to speed up pod start-up from the kubelet side. It does not involve the creation time of …
-
Kubernetes 1.27: In-place Resource Resize for Kubernetes Pods (alpha)
By Vinay Kulkarni (Kubescaler Labs) | Friday, May 12, 2023 in Blog
If you have deployed Kubernetes pods with CPU and/or memory resources specified, you may have noticed that changing the resource values involves restarting the pod. This has been a disruptive operation for running workloads... until now. In …
-
Kubernetes 1.27: Avoid Collisions Assigning Ports to NodePort Services
By Xu Zhenglun (Alibaba) | Thursday, May 11, 2023 in Blog
In Kubernetes, a Service can be used to provide a unified traffic endpoint for applications running on a set of Pods. Clients can use the virtual IP address (or VIP) provided by the Service for access, and Kubernetes provides load balancing for …
-
Kubernetes 1.27: Safer, More Performant Pruning in kubectl apply
By Katrina Verey (independent), Justin Santa Barbara (Google) | Tuesday, May 09, 2023 in Blog
Declarative configuration management with the kubectl apply command is the gold standard approach to creating or modifying Kubernetes resources. However, one challenge it presents is the deletion of resources that are no longer needed. In Kubernetes …