“K8S Ecology Weekly” collects the noteworthy news from the Kubernetes ecosystem that I have come across each week. You are welcome to subscribe to the Zhihu column “K8S Ecology”.

Istio is about to release a major security update affecting several versions

The Istio Product Security Working Group recently identified a number of security vulnerabilities in Istio, the most serious of which is rated High severity. In line with Istio’s vulnerability disclosure policy, no specific details are being disclosed at this time.

A week later, on February 22, Istio v1.11.7, v1.12.3 and v1.13.1 will be released to fix these vulnerabilities; the details will be published then.

Please refer to the official announcement.

In addition, Istio released v1.13.0 this week. I recommend not upgrading your Istio to v1.13.0 until v1.13.1 is released.

While an upgrade is not recommended right now, we can still look at some of the noteworthy changes v1.13.0 brings:

v1.13.0 adds hostname-based multi-network gateway support for east-west traffic: the gateway hostname is resolved in the control plane and the resolved records are used as endpoints. If you do not need this behaviour, or want to revert to the default behaviour of earlier versions, set RESOLVE_HOSTNAME_GATEWAYS=false on istiod.

It also supports rewriting gRPC probes, provides rebalancing across Envoy worker threads via proxyMetadata, and improves istio-agent health-check probing by following Kubernetes’ probing behaviour of not reusing connections. See #36390.

This release also brings much more support for the Telemetry API, in particular Common Expression Language (CEL) filtering for access logs. If CEL is unfamiliar to you, see my earlier article “K8S ecological weekly | Kubernetes v1.23.0 release, new features in”, which introduced the CEL support added in Kubernetes v1.23. (So building up some CEL knowledge was the right call.)

Finally, Istio has removed the hard-coded exclusion of port 22 from its iptables handling code; the excluded ports can now be configured with ISTIO_LOCAL_EXCLUDE_PORTS. That hard-coding had been around for a long time; Istio added it specifically for compatibility with virtual machine (VM) use cases.

For more information about Istio v1.13.0, refer to its release notes.

Kyverno v1.6.0 is released

Kyverno is a Kubernetes-native policy engine. It works mainly through the Admission Controller mechanism that Kubernetes provides; for more on Kubernetes admission controllers, see my earlier article “Understanding Kubernetes Admission Controller”.

This release offers many interesting features, but let me pick out a few that are particularly noteworthy:

  • The Sigstore Cosign-based image verification policy rules are now in beta. For more on how to use Cosign, see my earlier article “Container Image Security in the Cloud Native Era (Part 1)”.

This release adds keyless verification, annotations and other enhancements, which makes the feature very convenient to use;

  • You can now use OCI container image metadata directly in Kyverno policies, for example to check an image’s labels, declared volumes and other configuration.

For example, a common scenario is that we do not want container images to be too large; the following policy limits the use of oversized container images in the cluster.

The policy below allows only images smaller than 2Gi; if an image is larger, the request is rejected outright.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: images
spec:
  validationFailureAction: enforce
  rules:
  - name: only-allow-small-images
    match:
      resources:
        kinds:
        - Pod
    preconditions:
      all:
      - key: "{{request.operation}}"
        operator: NotEquals
        value: DELETE
    validate:
      message: "images with size greater than 2Gi not allowed"
      foreach:
      - list: "request.object.spec.containers"
        context:
        - name: imageSize
          imageRegistry:
            reference: "{{ element.image }}"
            # Note that we need to use `to_string` here to allow kyverno to treat it like a resource quantity of type memory
            # the total size of an image as calculated by docker is the total sum of its layer sizes
            jmesPath: "to_string(sum(manifest.layers[*].size))"
        deny:
          conditions:
            all:
            - key: "2Gi"
              operator: LessThan
              value: "{{imageSize}}"
```
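To make concrete what the `imageRegistry` context and the `deny` condition above actually compute (and, for the bullet on OCI image metadata, what kind of data the policy gets to work with), here is an added example in Python. It is not Kyverno’s code and does not talk to a registry: the two OCI manifests are constructed inline with placeholder digests, the quantity parser is a deliberately small subset of Kubernetes quantity syntax, and the treatment of a manifest without a `layers` list is a choice made for this example, not a description of Kyverno’s behaviour.

```python
"""Added example: reproduce the image-size check of the Kyverno policy above.

Kyverno's `imageRegistry` context fetches the OCI manifest for `element.image`;
the JMESPath `sum(manifest.layers[*].size)` adds up the layer sizes, and the
`deny` condition rejects the Pod when "2Gi" LessThan that sum.
"""
import json
import re

# Constructed OCI image manifests, shaped like what a registry returns for
# GET /v2/<name>/manifests/<ref>.  Layer sizes are compressed sizes in bytes;
# digests are placeholders, not real content hashes.
LARGE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "size": 1469, "digest": "sha256:" + "0" * 64},
    "layers": [
        {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
         "size": 700_000_000, "digest": "sha256:" + "1" * 64},
        {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
         "size": 900_000_000, "digest": "sha256:" + "2" * 64},
        {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
         "size": 600_000_000, "digest": "sha256:" + "3" * 64},
    ],
})
SMALL_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "size": 1200, "digest": "sha256:" + "4" * 64},
    "layers": [
        {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
         "size": 50_000_000, "digest": "sha256:" + "5" * 64},
        {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
         "size": 30_000_000, "digest": "sha256:" + "6" * 64},
    ],
})

# Suffixes of Kubernetes resource quantities: binary (Ki, Mi, ...) and decimal SI.
_SUFFIX = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4,
           "k": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}


def parse_quantity(q: str) -> int:
    """Parse an integer Kubernetes quantity ("2Gi", "500M", "1024") into bytes.

    Only the integer forms needed for image sizes are handled (a subset chosen
    for this example); fractions and exponent notation raise ValueError.
    """
    m = re.fullmatch(r"\s*(\d+)([A-Za-z]*)\s*", q)
    if not m or (m.group(2) and m.group(2) not in _SUFFIX):
        raise ValueError(f"unsupported quantity: {q!r}")
    num, suffix = m.groups()
    return int(num) * _SUFFIX.get(suffix, 1)


def image_size(manifest_json: str) -> int:
    """Total image size the way the policy's JMESPath computes it: the sum of
    manifest.layers[*].size.  A manifest with no `layers` list (for instance a
    multi-arch image index) is rejected here instead of summing to zero, so that
    it cannot slip past the size check; that is this example's choice, not Kyverno's."""
    manifest = json.loads(manifest_json)
    layers = manifest.get("layers")
    if not isinstance(layers, list):
        raise ValueError("manifest has no layers list; resolve the platform manifest first")
    return sum(int(layer["size"]) for layer in layers)


def evaluate_pod(containers: list[tuple[str, str]], limit: str = "2Gi") -> list[str]:
    """Apply the policy's foreach over the Pod's containers.

    `containers` pairs each image reference with its already-fetched manifest JSON.
    Returns one denial message per container whose image exceeds `limit`; an
    empty list means the Pod would be admitted.
    """
    limit_bytes = parse_quantity(limit)
    denials = []
    for image, manifest_json in containers:
        size = image_size(manifest_json)
        # The policy denies when "2Gi" LessThan imageSize, i.e. limit < size.
        if limit_bytes < size:
            denials.append(f"{image}: images with size greater than {limit} not allowed "
                           f"(layer sum is {size} bytes)")
    return denials


if __name__ == "__main__":
    pod = [("registry.example/api:1.0", SMALL_MANIFEST),
           ("registry.example/ml-worker:1.0", LARGE_MANIFEST)]
    for line in evaluate_pod(pod) or ["admitted"]:
        print(line)
```

Two details are worth noticing when running it: the limit "2Gi" is 2,147,483,648 bytes, so the 2.2 GB large image is denied while the same image passes a "3Gi" limit, and the size is the sum of compressed layer sizes from the manifest, not the uncompressed size reported by a container runtime after the pull.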

In addition, this release adds many useful functions for data processing.

See the release notes for more details.

Trivy v0.23.0 is officially released

Trivy is an easy-to-use vulnerability scanner that I have written about many times before, so I will not go into details here. It recently released v0.23.0, which has a few points worth attention:

  • Trivy DB was originally published for download as a GitHub Release of the github.com/aquasecurit… project, but when large numbers of repeated downloads occur this triggers GitHub’s rate limiting. Trivy DB has therefore been moved to GitHub Container Registry (ghcr.io). This avoids the GitHub rate-limiting problem on the one hand, and on the other hand allows the data analysis tools ghcr.io provides to be used. Note that this is a breaking change.

  • Trivy can now download and scan images directly from Azure Container Registry (ACR), with no need to install the Azure CLI (az) or pull the images in advance;

See the release notes for more details.

Upstream progress

  • This PR modifies the lifecycle handling of static Pods managed by the kubelet. As we know, the lifecycle of static Pods is not controlled by kube-apiserver but managed by the kubelet. However, the several earlier related issues and PRs did not cover the need to restart a Pod with the same name; this PR changes the logic to use the Pod’s full name;

  • 107775 · kubernetes/kubernetes: if Pod preemption fails during scheduling, details about the failure are now added to the Event, which is very helpful when debugging;

  • The in-tree dockershim code has been removed from the Kubernetes repository, and related components such as the kubelet have been cleaned up as well. This PR completes the kubeadm support and logic for the removal of in-tree dockershim, mainly changing the default container runtime configuration, the runtime endpoint address, and so on. I will also host a live stream on Friday evening (February 18), talking with two friends from SUSE Rancher about how enterprise users are dealing with Kubernetes’ removal of dockershim.

Digression

I have not updated for a while; thank you for your continued attention. There are two main reasons for this: on the one hand I have been taking a personal rest, and on the other hand I have had a lot of things to do.

Starting with this issue, however, K8S Ecology Weekly resumes its regular weekly updates. Please look forward to more!

Please feel free to subscribe to my official account [MoeLove].