Cloud Native weekly highlights:

  • Cilium became a CNCF incubating project
  • Argo Rollouts V1.1 is released
  • Cloud native security micro survey results announced
  • IBM introduced a CPU Namespace for the Linux kernel
  • BFE Ingress Controller is released
  • Open Source Project Recommendation
  • Recommended articles

If you feel lost while learning DevOps, take a look at this open source DevOps knowledge graph by an engineer from abroad. The map lays out a clear learning path and a range of optional tools for different scenarios.

To get the full high-resolution image, follow the “KubeSphere cloud native” public account and reply with the keyword Devops.

If you prefer domestic courses, have a look at the “Cloud native Practice” course series released by the KubeSphere open source community and Silicon Valley. The course covers not only DevOps but the whole cloud native technology stack. The courses and materials are free.

Cloud native news

Cilium became a CNCF incubating project

Recently, the CNCF Technical Oversight Committee (TOC) voted to accept Cilium as a CNCF incubating project.

Cilium enhances the network layer by acting as a CNI for Kubernetes, using eBPF to provide networking, security and observability for cloud native environments.

The Cilium project consists of multiple components and layers that can be used independently of each other. This lets users pick specific functions or run Cilium in combination with other CNIs.

  • Agent: The agent runs on all Kubernetes worker nodes and on other servers that host workloads. It provides the core eBPF platform and is the foundation for all other Cilium components.
  • Networking plug-in (CNI): The CNI plug-in lets organizations use Cilium to provide network connectivity to Kubernetes clusters and other orchestration systems that rely on the CNI specification.
  • Hubble: Hubble is the observability component of Cilium. It provides network and security logging, metrics, tracing data, and several graphical user interfaces.
  • ClusterMesh: ClusterMesh implements a network or service mesh that spans multiple clusters and external workloads running on external virtual machines or bare-metal servers. It provides connectivity, service discovery, network security, and observability across clusters and workloads.
  • Load balancer: The load balancer can run inside a cluster to implement Kubernetes Services, or run standalone in front of a Kubernetes cluster to provide north-south load balancing.

As a CNCF incubating project, Cilium has mapped out a complete roadmap and is actively adding new functions and features. The team will add new service mesh capabilities on top of the existing Envoy Proxy integration, including support for the OpenTelemetry project and L7 load balancing control. They will also add features for on-premises deployments, including advanced IPAM modes, multi-homing, service changes, and enhanced support for external workloads. Finally, the team will focus on security features by adding further identity integration, deeper workload visibility, and a continued focus on identity-based enforcement.

Argo Rollouts V1.1 is released

Argo Rollouts v1.1 has been released. Argo Rollouts is a Kubernetes progressive delivery operator offering advanced blue-green and canary deployment strategies with automatic promotion, rollback and metric analysis. Although only a “small” release, v1.1 is the largest Argo Rollouts release so far and contains more than a dozen important features:

  • Full support for notification services
  • Dynamic scaling of the stable ReplicaSet
  • Automatic rollback without analysis
  • Kustomize OpenAPI schema
  • Dashboard that can run as a service
  • Control over scale-down behavior during an abort
  • ...

Argo Rollouts v1.1 is a substantial release that addresses many popular enhancement requests and usability suggestions from the community. You can download it from the GitHub releases page.

Cloud Native Security Microsurvey: More than 80% of organizations want to use open source software to build modern security systems

With the help of the CNCF Security Technical Advisory Group (TAG), CNCF recently ran a micro-survey of the community to understand how organizations manage cloud native security.

Overall, the report shows that organizations recognize the difference between traditional security and modern security in cloud native architectures, and that they see value in the latter. Eighty-five percent of respondents said security modernization is important to their organization’s cloud native deployment, and no respondent said it does not matter.

The full results of the micro-survey are available in the linked report, which goes into more detail on organizations’ biggest concerns, challenges and failures, as well as the state of cloud native security at the edge.

IBM introduced a CPU Namespace for the Linux kernel

IBM engineer Pratik Sampat published an early prototype of a CPU Namespace interface for the Linux kernel. The CPU Namespace is meant to address the inconsistency of the current ways of viewing available CPU resources, as well as the security issues that can arise when a task learns which physical CPUs it can access and where they are located in the system.

The IBM-led CPU Namespace proposal follows this design:

  • The prototype patch set introduces a new kernel namespace, the CPU Namespace.

  • The CPU Namespace virtualizes logical CPU ids and creates a scrambled virtual CPU mapping to isolate CPU information. It is attached to the task_struct and designed as a flat hierarchy of CPU translations, meaning that each virtual namespace’s CPUs are mapped to physical CPUs when the namespace is created. The advantage of a flat hierarchy is that translation is O(1): a child does not need to walk up the tree to resolve a translation.

  • The namespace then makes both the control and display interfaces aware of the CPU Namespace context, so that tasks inside a namespace only see, and can only control, their available CPU resources through the virtual CPU mapping.
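The flat-hierarchy translation described above, as a user-space model added here for illustration (it is not the kernel patch set; the struct, function names and the toy shuffle are assumptions): each namespace composes its scrambled mapping with its parent’s flat table once, at creation, so a lookup is a single array index rather than a walk up the ancestry.

```c
#include <stdint.h>
#include <stdlib.h>
#define NR_CPUS 8

/* One namespace: 'local' is its own scramble relative to the parent's view;
 * 'v2p' is that scramble already composed with every ancestor (flattened). */
struct cpu_ns {
    const struct cpu_ns *parent; /* NULL: the parent view is the physical ids */
    int local[NR_CPUS];
    int v2p[NR_CPUS];            /* virtual id -> physical id, O(1) lookup */
    int p2v[NR_CPUS];            /* physical id -> virtual id, for display */
};

/* Deterministic Fisher-Yates shuffle driven by a tiny LCG (demo only). */
static void scramble(int *perm, uint32_t seed)
{
    for (int i = 0; i < NR_CPUS; i++)
        perm[i] = i;
    for (int i = NR_CPUS - 1; i > 0; i--) {
        seed = seed * 1103515245u + 12345u;
        int j = (int)((seed >> 16) % (uint32_t)(i + 1));
        int t = perm[i]; perm[i] = perm[j]; perm[j] = t;
    }
}

/* Create a child: its vCPU v is the parent's vCPU local[v]. The composition
 * with the parent's flat table is done here, once, never at lookup time. */
struct cpu_ns *cpu_ns_create(const struct cpu_ns *parent, uint32_t seed)
{
    struct cpu_ns *ns = calloc(1, sizeof *ns);
    if (!ns) return NULL;
    ns->parent = parent;
    scramble(ns->local, seed);
    for (int v = 0; v < NR_CPUS; v++) {
        ns->v2p[v] = parent ? parent->v2p[ns->local[v]] : ns->local[v];
        ns->p2v[ns->v2p[v]] = v;
    }
    return ns;
}

/* What the control and display interfaces would use: one array index. */
int cpu_ns_v2p(const struct cpu_ns *ns, int vcpu) { return ns->v2p[vcpu]; }
int cpu_ns_p2v(const struct cpu_ns *ns, int pcpu) { return ns->p2v[pcpu]; }

/* The ancestor walk a non-flat design would need; kept to check the tables. */
int cpu_ns_v2p_walk(const struct cpu_ns *ns, int vcpu)
{
    for (; ns; ns = ns->parent)
        vcpu = ns->local[vcpu];
    return vcpu;
}
```

A task in a nested namespace sees only its own scrambled ids; cpu_ns_v2p_walk exists solely to confirm that the flattened table gives the same answer as chaining through every ancestor.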

BFE Ingress Controller is released

BFE Ingress Controller is a Kubernetes Ingress Controller implemented on top of BFE. It lets Kubernetes expose services through Ingress, with load balancing, SSL termination and more. It has been officially released and is available for download. BFE Ingress Controller uses the Apache-2.0 License.

BFE Ingress Controller implements the functions of native Kubernetes Ingress and, building on BFE’s capabilities, extends routing rule description and traffic scheduling between services. Its main features include:

  • HTTP/HTTPS traffic routing
    • Routing requests based on Host, Path, Header, and Cookie
    • Exact and prefix Path matching
    • Exact and wildcard Host matching
  • Load balancing among multiple services
    • Weighted load balancing among multiple Services that provide the same service
  • TLS termination
  • Gray (canary) releases
    • Gray release of services based on HTTP headers or cookies

For more information, see the documentation for BFE Ingress Controller.

Open Source Project Recommendation

Parca

Parca is a Prometheus-style project that continuously profiles the CPU and memory usage of applications and infrastructure over time, down to the line of code, to help save infrastructure cost, improve performance, and increase reliability.

Its configuration format almost completely mimics Prometheus and is very easy to get started with. For example:

debug_info:
  bucket:
    type: "FILESYSTEM"
    config:
      directory: "/tmp"
  cache:
    type: "FILESYSTEM"
    config:
      directory: "/tmp"

scrape_configs:
  - job_name: "default"
    scrape_interval: "1s"
    static_configs:
      - targets: ["127.0.0.1:7070"]

Inspektor Gadget

Inspektor Gadget is a kubectl plugin for debugging and inspecting applications in a Kubernetes cluster. Although it was originally designed for Kinvolk’s open source Kubernetes distribution, Lokomotive, it also works on other Kubernetes distributions.

StackGres

StackGres is a full PostgreSQL stack that runs on top of Kubernetes. Its Operator makes it easy to deploy enterprise-class Postgres and its surrounding components in minutes.

Recommended articles

CNCF Operator White paper

With the growing popularity of the Kubernetes Operator pattern, the CNCF Operator Working Group (TAG Application Delivery) has created a white paper to help end users and software vendors adopt Operators to simplify application delivery and operations.

The goal of the white paper is to provide a clearly defined and comprehensive guide to operators for cloud native applications in the context of Kubernetes and other container scheduling frameworks. It outlines:

  • Operator design patterns and future emerging patterns.
  • Recommended configuration, implementation, and use cases for Operator-based application management systems.
  • Best practices, including observability and security, technical implementation, and code samples maintained by CNCF.
  • Recommendations for organizations that wish to design their own operators.

Use eBPF to prevent data leakage

Security is not just about preventing intrusions; it is also about preventing data from escaping. With proper controls, even if an attacker gains access to a server, data will not flow to unauthorized locations. This article discusses how to use eBPF to prevent data leakage.

Which version of the JDK should we use?

OpenJDK is an open source reference implementation of the Java SE specification, but it is just the source code. Different vendors provide binary distributions for different platforms, which differ in terms of licenses, commercial support, supported platforms, and update frequency. This article provides detailed suggestions for selecting OpenJDK.