InfoQ

The Software Architects' Newsletter
October 2018

In our fifteenth issue of the Architects' Newsletter we are exploring container orchestration and scheduling. With the increasing uptake of public cloud across the IT landscape, combined with the emergence of additional "cloud native" architecture patterns and technologies like containers, it is fast becoming essential for architects to gain a better understanding of this space.

News

It's 2018; Are My Containers Secure Yet?

In this video recording of the DevOps Pro Vilnius talk, "It's 2018; Are My Containers Secure Yet?", Phil Estes, Senior Technical Staff Member at IBM, examines the topic of container security. Estes begins with a deep-dive exploration of what container technology actually is, and then explores what engineers require in regard to security from both the implementation and supporting toolchain. He also enumerates and evaluates the current strengths and weaknesses of the container technology landscape.

The key takeaway is that although container security has improved dramatically over the past five years, engineers must still be aware of the current limitations, and act (and test) accordingly.

Introduction to gVisor: Sandboxed Linux Container Runtime

In this video recording from the recent QCon New York conference, Emma Haruka Iwao, senior developer advocate for Google Cloud Platform, discusses "gVisor", a new kind of sandbox that can be used to provide secure isolation for containers which is less resource intensive than running a full virtual machine (VM).

At its core, gVisor is an open source user-space kernel that implements a substantial portion of the Linux system surface. It is written in Go and designed with different trade-offs than existing container technology. The project includes an Open Container Initiative (OCI) runtime called "runsc" that integrates with Docker and Kubernetes.

Running Linux Containers as Non-Root with Podman

Podman is a container runtime from the containers organisation that provides features very similar to Docker's, but does not require a local daemon running as root in order to build or run containers. In this recent post, Adam Samalik explores the container build process and provides instructions for readers interested in experimenting with the tool.

Under the hood, Podman uses another tool called Buildah to build a container; the details can be found in a recent Fedora Magazine post about building container images with Buildah. Podman is available as the default container runtime on Silverblue, a "new generation" of Linux workstation for container-based workflows.

AWS Containers with Deepak Singh

In a recent Software Engineering Daily podcast Deepak Singh discussed the history of containers at Amazon, and argued that developer preferences are "changing towards managed services". Additional topics covered include how AWS is continually building upon previous generations of its own tooling with the goal of delivering increasingly higher level services for developers.

A Brief Overview of Monitoring Containers in Azure

In a brief article on the Azure website Matt Goedtel, Senior Content Developer at Azure, provides an overview of container management and monitoring capabilities within the cloud platform.

For engineers using the Azure Kubernetes Service (AKS), the Azure Monitor for containers service enables the viewing of the performance and health of Linux container infrastructure. The telemetry is stored in a Log Analytics workspace and integrated in the Azure portal. For engineers running containers outside of AKS, the Log Analytics Windows and Docker Container solution enables the viewing and management of Windows and Docker container hosts.

Securing Kubernetes with Google GKE and Sysdig Falco

In a recent Google Cloud Blog post, Michael Ducy, Director of Community and Evangelism at Sysdig, and Andy Tzou, responsible for Kubernetes Strategic Tech Partnerships at Google, discussed how securing your open-source Kubernetes environment can be a daunting task.

Ducy and Tzou argued that Google Kubernetes Engine (GKE) can simplify the implementation of appropriate security measures by providing sensible defaults and additional options to enhance the security of a Kubernetes cluster. The post also explores using Sysdig Falco, an open source project that is focused on runtime security and provides "visibility into the behavior of your containers and applications".

AWS Service Operator for Kubernetes Now Available

The AWS Service Operator is an open source project in developer preview that allows an engineer to manage AWS resources directly from Kubernetes using the standard Kubernetes kubectl CLI.

According to the post by Chris Hein, a Partner Solutions Architect for the Amazon Partner Network, it does this by modeling AWS services as Custom Resource Definitions (CRDs) in Kubernetes and applying those definitions to a cluster. This means that engineers can "model their entire application architecture from container to ingress to AWS services" using a single YAML manifest.


Case Study

Kubernetes 1.12 Brings Volume Snapshots, TLS Improvements, and More

The Cloud Native Computing Foundation (CNCF) has announced the release of Kubernetes 1.12. This version brings volume snapshot and restore, improvements to Transport Layer Security (TLS) handling and the Horizontal Pod Autoscaler (HPA), topology-aware dynamic provisioning, Advanced Auditing, topology support for the Container Storage Interface (CSI) plugin, and more. A recent InfoQ news post by Diogo Carleto examined the headline features included in this release.

The TLS implementation in Kubernetes has received several improvements in version 1.12. Kubelet TLS Bootstrap, which has graduated to general availability, enables the kubelet (the primary node agent) to bootstrap itself into a TLS-secured cluster by generating a private key and a Certificate Signing Request (CSR) and submitting the CSR to a cluster-level certificate signing process. Furthermore, kubelet server certificate bootstrap and rotation has moved to beta. This feature introduces a process for generating a key locally and then issuing a CSR to the cluster API server so that the associated certificate is signed by the cluster's root certificate authority.

The Horizontal Pod Autoscaler (HPA) is implemented as a Kubernetes API resource and controller, and is designed to automatically scale the number of pods in a replication controller, deployment, or replica set based on observed CPU utilization. The HPA algorithm has been improved so that the system is more responsive when scaling up or down, with fewer spikes. Support for custom metrics has also been extended.

Kubernetes 1.12 introduces topology-aware dynamic provisioning in beta, which aims to improve the regional cluster experience for stateful workloads. This means that Kubernetes now understands the inherent zonal restrictions of Compute Engine Persistent Disks (PDs) and Regional PDs, and provisions them in the zone best suited to run the pod. Another addition in this space is topology support for the Container Storage Interface (CSI) plugin, which is intended to make it easier for third-party developers to write and deploy volume plugins that expose new storage systems in Kubernetes.

Another headline feature introduced in Kubernetes 1.12 is volume snapshot and restore. This feature, released in alpha, enables engineers to create and delete volume snapshots, and to create a new volume from a snapshot, using the Kubernetes API. Furthermore, snapshot operations can be incorporated into automated processes in a "cluster agnostic way".

The complete post on InfoQ includes an overview of all of the features within the latest Kubernetes 1.12 release.

To get notifications when InfoQ publishes content on this topic follow Containers on InfoQ.

Missed a newsletter? You can find all of the previous issues on InfoQ.

This edition of The Software Architects' Newsletter is brought to you by:

QCon SF

Learn about the challenges encountered when running a stateful system in a container from @CockroachDB’s Alex Robinson. Apply engineering control theory to key container management scenarios with @Checkfront’s Vallery Lancey. Discover the benefits of using Chaos Engineering to make your container infrastructure more reliable with @Gremlin’s Ana Medina. Take a look at all the QCon SF talks on this topic.

Join these experts and register using the code INFOQSF18 to get an extra $100 off!


InfoQ strives to facilitate the spread of knowledge and innovation within this space, and in this newsletter we aim to curate and summarise key learnings from news items, articles and presentations created by industry peers, both on InfoQ and across the web. We aim to keep readers informed and educated about emerging trends, peer-validated early adoption of technologies, and architectural best practices, and are always keen to receive feedback from our readers. We hope you find it useful, but if not you can unsubscribe using the link below.

Unsubscribe

Forwarded email? Subscribe and get your own copy.

Subscribe