Kubernetes CVE-2018-1002105, with Jordan Liggitt

Kubernetes Podcast from Google

Date: Mon, 17 Dec 2018 12:23:33 +0000

<p><a href="https://kubernetespodcast.com/about">Adam and Craig</a> end the year by talking to <a href="https://twitter.com/liggitt">Jordan Liggitt</a>, the member of the Kubernetes Product Security Team who fixed the recent critical security vulnerability in the Kubernetes API server. We also take a look at the news from KubeCon.</p>
<p>This is our last episode for 2018. Thank you for your support this year, and we’ll be back on the 8th of January!</p>
<p>Do you have something cool to share? Some questions? Let us know:</p>
<ul>
<li>web: <a href="https://kubernetespodcast.com">kubernetespodcast.com</a></li>
<li>mail: <a href="mailto:kubernetespodcast@google.com">kubernetespodcast@google.com</a></li>
<li>twitter: <a href="https://twitter.com/kubernetespod">@kubernetespod</a></li>
</ul>
<h3 id="news-of-the-week">News of the week</h3>
<ul>
<li><a href="https://www.cncf.io/blog/2018/12/11/cncf-to-host-etcd/">etcd donated to the CNCF</a>
<ul>
<li><a href="http://static.googleusercontent.com/media/research.google.com/en//archive/chubby-osdi06.pdf">Chubby paper</a></li>
<li><a href="https://raft.github.io/raft.pdf">Raft paper</a></li>
<li><a href="https://kubernetes.io/blog/2018/12/11/etcd-current-status-and-future-roadmap/">Blog post on the relationship between Kubernetes and etcd</a> by Gyuho Lee and Joe Betz</li>
</ul>
</li>
<li>Istio:
<ul>
<li><a href="https://www.geekwire.com/2018/kubecon-week-istio-become-new-cloud-native-darling/">Geekwire: Has Istio become the new cloud-native darling?</a></li>
<li><a href="https://blogs.oracle.com/cloudnative/announcing-oracle-cloud-native-framework-at-kubecon-north-america-2018">Google launches Istio on GKE</a></li>
<li><a href="https://blogs.vmware.com/networkvirtualization/2018/12/nsx-service-mesh.html/">VMware NSX Service Mesh</a></li>
<li><a href="https://aspenmesh.io/2018/12/aspen-mesh-open-beta-makes-istio-enterprise-ready/">Aspen Mesh open beta</a></li>
<li>In other service mesh news: <a href="https://www.a10networks.com/press-releases/networks-introduces-multi-cloud-secure-service-mesh-solution-applications-deployed-kubernetes">A10 Secure Service Mesh</a></li>
</ul>
</li>
<li>Knative:
<ul>
<li><a href="https://cloud.google.com/blog/products/containers-kubernetes/knative-bringing-serverless-to-kubernetes-everywhere">Knative: bringing serverless to Kubernetes everywhere</a></li>
<li><a href="https://blogs.sap.com/2018/12/10/kubernetes-sap-cloud-platform-extension-factory-extensibility-on-a-cloud-native-open-source-stack/">SAP: Extensibility on cloud-native stack</a></li>
<li><a href="https://www.redhat.com/en/blog/red-hat-collaborates-google-and-others-knative-deliver-hybrid-serverless-workloads-enterprise">Red Hat to deliver hybrid serverless workloads to the enterprise</a></li>
<li><a href="https://content.pivotal.io/blog/the-first-open-multi-cloud-serverless-platform-for-the-enterprise-is-here-try-out-pivotal-function-service-today">Pivotal launches Function Service</a></li>
<li><a href="https://about.gitlab.com/press/releases/2018-12-11-gitlab-and-triggermesh-announce-gitlab-serverless.html">GitLab and TriggerMesh announce GitLab Serverless</a></li>
</ul>
</li>
<li><a href="https://blogs.oracle.com/cloudnative/announcing-oracle-cloud-native-framework-at-kubecon-north-america-2018">Oracle Cloud Native Framework</a></li>
<li>Microsoft:
<ul>
<li><a href="https://github.com/deislabs/osiris">Osiris</a></li>
<li><a href="https://azure.microsoft.com/en-us/blog/azure-monitor-for-containers-now-generally-available/">Azure Monitor for Containers is GA</a></li>
<li><a href="https://azure.microsoft.com/mediahandler/files/resourcefiles/phippy-goes-to-the-zoo/Phippy%20Goes%20To%20The%20Zoo_MSFTonline.pdf">Phippy Goes To The Zoo</a></li>
<li><a href="https://www.cncf.io/blog/2018/12/11/phippy-comes-to-cncf/">Phippy, Captain Kube and friends now in the CNCF</a></li>
</ul>
</li>
<li><a href="https://blog.digitalocean.com/digitalocean-releases-k8s-as-a-service/">Digital Ocean Kubernetes now open to everyone</a></li>
<li><a href="https://developers.linode.com/kubernetes/">Linode Kubernetes CLI</a>
<ul>
<li><a href="https://github.com/linode/terraform-linode-k8s">Terraform scripts</a></li>
</ul>
</li>
<li><a href="https://blogs.vmware.com/cloudnative/2018/12/11/heptio-close/">VMware closes its acquisition of Heptio</a>
<ul>
<li>For <a href="https://seekingalpha.com/filing/4264907#eolPage29">$550M</a></li>
<li><a href="https://www.anandtech.com/show/13710/dell-to-be-public-company-again">Dell will go public again</a></li>
</ul>
</li>
<li>Quickfire Kubernetes security news
<ul>
<li><a href="https://neuvector.com/container-security/kubecon-containerd-crio/">NeuVector announced containerd and CRI-O runtime support in their container firewall</a></li>
<li><a href="https://www.aquasec.com/news/aqua-awarded-cis-security-certification/">Aqua’s Container Security Platform is now certified to cover the Kubernetes CIS benchmarks</a></li>
<li><a href="https://www.lacework.com/lacework-announces-kubernetes-support-in-end-to-end-cloud-security-platform/">Lacework announced their configuration scanning platform covers Kubernetes</a></li>
<li><a href="https://sysdig.com/blog/sysdig-secure-2-2/">Sysdig released Sysdig Secure 2.2, which adds Kubernetes audit events, and the ability to block deployments using Kubernetes admission controllers</a></li>
<li><a href="https://www.twistlock.com/2018/12/10/twistlock-18-11-release-notes/">Twistlock released 18.11, which “introduces security visualization for Kubernetes, and compliance and security configuration checks for Istio, including new alerting integrations with PagerDuty, and cloud services”</a></li>
</ul>
</li>
<li><a href="https://github.com/grafana/loki">Grafana Loki</a>
<ul>
<li><a href="https://improbable.io/games/blog/thanos-prometheus-at-scale">Thanos: Prometheus at scale</a></li>
</ul>
</li>
<li><a href="https://mesosphere.com/blog/announcing-maestro-a-declarative-no-code-approach-to-kubernetes-day-2-operators/">Maestro – A declarative, no-code approach to Kubernetes Day 2 Operators</a></li>
<li><a href="https://github.com/cruise-automation/rbacsync">rbacsync</a></li>
<li><a href="https://planetscale.com/news/sharding-for-everyone">PlanetScale announces funding</a>
<ul>
<li><a href="https://techcrunch.com/2018/12/13/planetscale/">TechCrunch article</a></li>
</ul>
</li>
</ul>
<h3 id="links-from-the-interview">Links from the interview</h3>
<ul>
<li>Jordan’s suggested KubeCon talks to watch:
<ul>
<li><a href="https://www.youtube.com/watch?v=oNa3xK2GFKY">Kelsey Hightower’s keynote, “Kubernetes and the path to serverless”</a></li>
<li><a href="https://www.youtube.com/watch?v=obB2IvCv-K0">Julia Evans’ keynote, “High Reliability Infrastructure Migrations”</a></li>
</ul>
</li>
<li><a href="https://blog.openshift.com/announcing-openshift-enterprise-20/">OpenShift before Kubernetes</a> in 2014</li>
<li><a href="https://github.com/kubernetes/sig-release/blob/master/security-release-process-documentation/security-release-process.md#product-security-team-pst">Kubernetes Product Security Team</a></li>
<li><a href="https://github.com/kubernetes/kubernetes/issues/71411">CVE-2018-1002105: proxy request handling in kube-apiserver can leave vulnerable TCP connections</a>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1002105">Listing in the National Vulnerability Database</a></li>
<li><a href="https://github.com/rancher/rancher/issues/14931">Originally filed as a bug against Rancher</a>
<ul>
<li><a href="https://rancher.com/blog/2018/2018-12-04-k8s-cve/">Rancher blog post</a></li>
</ul>
</li>
<li><a href="https://kubernetes.io/docs/reference/issues-security/security/">How to report a vulnerability</a></li>
<li><a href="https://github.com/evict/poc_CVE-2018-1002105">Proof of concept (third party)</a></li>
<li><a href="https://github.com/kubernetes/kubernetes/pull/71412/files">How it was fixed</a></li>
<li><a href="https://github.com/kubernetes/sig-release/blob/master/security-release-process-documentation/security-release-process.md#private-distributors-list">Distributor’s list</a></li>
<li><a href="https://github.com/kubernetes/kubernetes/issues/34517">Client certificate vulnerability in Kubernetes in 2016</a></li>
</ul>
</li>
<li><a href="https://stackoverflow.com/users/54696/jordan-liggitt?tab=answers&amp;sort=newest">Answering questions on Stack Overflow</a></li>
<li>Jordan Liggitt on <a href="https://twitter.com/liggitt">Twitter</a>, <a href="https://github.com/liggitt">GitHub</a>, <a href="http://slack.kubernetes.io/">Slack</a> or <a href="https://stackoverflow.com/users/54696/jordan-liggitt">Stack Overflow</a></li>
</ul>