Here comes our newest (and the last one for 2024) digest of the prominent software updates in the Cloud Native ecosystem!
Release Spotlight: Open Policy Agent 1.0
OPA is a general-purpose policy engine that graduated from CNCF in 2021 and has been under development for almost 10 years. Its 1.0 release is said to “consolidate an improved developer experience for the future of Policy as Code.”
It came with numerous changes to the defaults in Rego (OPA’s native query language) v1, such as the mandatory use of if for all rule definitions and contains for multi-value rules, new keywords (every, in) being available without any imports, and mandatory requirements that were previously applicable to the strict mode only (e.g., opa check --strict). OPA 1.0 also brought improvements to memory allocations, SDK, scientific notation parsing, and test suite performance.
Other noticeable updates in the Cloud Native space:
1. KAITO, the Kubernetes AI Toolchain Operator that has been recently accepted to the CNCF Sandbox, released its v0.4.0 with numerous new features. They include the addition of RAGEngine CRD, support for vLLM runtime deployments, support for adaptive max_model_len, and options for building and running private/custom models.
2. Talos, “Linux designed for Kubernetes,” was updated to 1.9.0, introducing systemd-udevd (instead of eudev), a local image cache for container images, custom DNS search domains, device selectors (matching on MAC address of the network interfaces), new experimental NodeAddress address sort algorithm, new talosctl cgroups command, Kubernetes API server authorization config, and an ability to run Kubernetes Pods with user namespaces enabled.
3. Logging Operator, a CNCF Sandbox project leveraging Fluent Bit and Fluentd (or syslog-ng) to manage your Kubernetes logging pipeline, has seen the 5.0.0 release. It got the CRD's subchart provided as an OCI artifact, a new option to ensure resource deletion, a Telemetry Controller migration option, support for rdkafka2 options, and IPv6 support.
4. Rook (a CNCF Graduated project) released v1.16, focused on expanding its capabilities for advanced object store use cases. It resulted in an ability to configure multiple object stores to be backed by the same pools, a bucket policy for S3 buckets, two new mechanisms for advanced configuration of Rook’s RGW daemons, improved RGW operation logging, and more.
5. CloudNativePG 1.25.0 was announced with several prominent features, such as a new Database CRD for declarative database management, new Publication and Subscription CRDs for managing logical replication, and a new dataDurability option for synchronous replication configuration. It also introduced an experimental CNPG-I interface for extending CNPG with external plugins.
Have a wonderful festive time, and see you next year! 🙌
#news #releases
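To illustrate the Rego v1 syntax changes mentioned in the OPA 1.0 spotlight above, here is an added example (written for this digest, not code from the OPA project) of a Kubernetes admission policy in v1 syntax: the package name, rule names and the AdmissionReview-shaped input are assumptions for illustration.

```rego
# Added example: a Kubernetes admission policy written in Rego v1 syntax,
# which OPA 1.0 now requires by default. Package name, rule names and the
# AdmissionReview-style input (input.request.object) are assumptions.
package kubernetes.admission

# In OPA 1.0 the v1 syntax is the default, so this import is a no-op;
# it is kept only so the policy also loads on pre-1.0 OPA versions.
import rego.v1

# Multi-value (set) rule. `contains` is mandatory in the head and `if` is
# mandatory before the body; the pre-1.0 form `deny[msg] { ... }` no longer
# parses in OPA 1.0 (it was already rejected by `opa check --strict`).
deny contains msg if {
    input.request.kind.kind == "Pod"
    # `some ... in` works without `import future.keywords.in`.
    some container in input.request.object.spec.containers
    container.securityContext.privileged == true
    msg := sprintf("container %v must not run privileged", [container.name])
}

deny contains msg if {
    input.request.kind.kind == "Pod"
    input.request.object.spec.hostNetwork == true
    msg := "pods must not share the host network namespace"
}

# Single-value boolean rule: `if` is required here too.
# `every` is a keyword without any import in v1.
all_images_pinned if {
    every container in input.request.object.spec.containers {
        regex.match(`@sha256:[a-f0-9]{64}$`, container.image)
    }
}

deny contains msg if {
    input.request.kind.kind == "Pod"
    not all_images_pinned
    msg := "all container images must be pinned by digest"
}

# Decision rule for the admission webhook: allow only when no deny fired.
default allow := false

allow if count(deny) == 0
```

Loading a policy that still uses the old `deny[msg] { ... }` head into OPA 1.0 fails at parse time, so running `opa check` over a policy bundle is the quickest way to find rules that need the `if` / `contains` rewrite before upgrading.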
👋 We're back and happy to present our latest bunch of interesting Kubernetes-related articles recently spotted online:
1. "Linux container from scratch" by Michal Pitr.
I recently built a docker clone from scratch in Go. This made me wonder - how hard would it be to do the same step-by-step in a terminal? Let’s find out!
2. "Decoding the pod termination lifecycle in Kubernetes: a comprehensive guide" by Rohit Raveendran, Facets.Cloud.
This guide examines each lifecycle phase during pod termination, detailing the mechanisms for graceful handling, resource optimization strategies, persistent data management, and troubleshooting techniques for common termination issues. By the end of this blog, you will have a thorough understanding of how to effectively manage pod termination in your Kubernetes environment, ensuring smooth and efficient operations.
3. "Getting Started With wasmCloud" by Michael Levan.
In this blog post, you’ll learn about what wasmCloud is and how to get started with Go (golang). However, if you’re using Rust or TypeScript, wasmCloud supports those languages as well.
4. "How to support a growing Kubernetes cluster with a small etcd" by David M. Lentz, Datadog.
This post explores some best practices that can help you avoid outgrowing your etcd storage, even while your Kubernetes cluster becomes larger and busier. We’ll show you how you can:
- Provision appropriate resources for your etcd cluster
- Manage the amount of data you need etcd to store
- Split data across multiple etcd clusters to manage the performance and size of each one
5. "Understanding ReplicaSet vs. StatefulSet vs. DaemonSet vs. Deployments" by Abhisman Sarkar.
When you begin learning about Kubernetes, you hear about the different types of sets it supports and start wondering about their differences. [..] In this blog, I am going to go over each type and explain the differences between them, so that you can understand how exactly we use each set, how they differ from each other, and the purpose that each serves.
6. "Are You Affected by Bitnami LTS and Docker Hub Pull Rate Limits?" by Artem Lajko.
Bitnami chose the worst possible time to roll out their “Notice about LTS branches and pull rates in Docker Hub”. Originally scheduled for December 10, 2024, the timing — right before Christmas — was far from ideal. The community requested a postponement, and Bitnami/VMware responded by delaying the permanent change to Monday, January 6, 2025. [..] But what exactly does the change mean and how does it affect you or your company? Let’s take a look at what has changed in the first place.
#articles
InGate is a new project developed within the Kubernetes SIG to replace a well-known Ingress NGINX Controller for Kubernetes (ingress-nginx).
As its official description says, InGate is “an Ingress and Gateway API Controller for Kubernetes.” The idea is to have a traditional ingress controller that provides more flexibility in traffic routing, load balancing, etc., thanks to the Gateway API implementation under the hood. At the same time, it should not be difficult for those using ingress-nginx to adapt.
You can learn more about this project from the “Securing the Future of Ingress-Nginx” talk (starting from 13:13) presented by James Strong, Isovalent & Marco Ebert, Giant Swarm during KubeCon NA 2024.
P.S. Thanks to Trenton VanderWert for bringing this news to our attention.
#news #networking
Common Expression Language (CEL) is getting increasingly popular in the Kubernetes community. This project leverages it to validate your Helm values.
Helm CEL is a plugin that allows you to write validation rules for Helm charts in CEL (via values.cel.yaml) instead of JSON schema (values.schema.json). Its features include:
- Automatic generation of rules based on your Helm values file;
- An ability to organise your validation rules into multiple files;
- Two severity levels (errors and warnings) and reusable expressions for rules.
Language: Go | License: MIT | 62 ⭐️
▶️ GitHub repo
📢 Reddit announcement
#tools
Here comes our newest digest of the prominent software updates in the Cloud Native ecosystem!
1. MetalLB, a load-balancer implementation for bare metal Kubernetes clusters (a CNCF Sandbox project), released its v0.14.9 at the end of December. It added support for dual-stack IP assignment (via prefer-dual-stack in IPFamilyPolicy), the DynamicASN field to detect the AS number for BGPPeers, and updated Prometheus rules.
2. Argo CD (a CNCF Graduated project) got the release candidates for its v2.14 (rc5 was out last week) with numerous new features. They include global sync timeout for applications, accidental resource deletion protection with new sync options, abilities to disable SSA (server-side apply) on individual resources and disable writing Kubernetes events, configurable batches for massive application refreshes, and upgrading to Helm 3.16.
3. Dragonfly, a P2P-based file distribution and image acceleration system (a CNCF Incubating project; not to be confused with the namesake database), was updated to v2.2.0 and brought many significant changes. Its client was rewritten in Rust and got support for leeching and bandwidth rate limiting for prefetching; the P2P transfer protocol was updated to V2; Web Console got a redesigned UI; Harbor integration was improved; gRPC calls between services are now using mTLS.
4. WasmCloud, a CNCF Incubating project for building, managing, and scaling apps across clouds, Kubernetes, or edge, released v1.5.0. It came with built-in NATS and HTTP server providers, health checks and boolean flags to gate experimental features in the host, enabled HTTP keepalives by default, added support for expanded wkg configuration and other improvements for wash-cli.
5. Inspektor Gadget, a set of tools and framework for inspecting Kubernetes clusters and Linux hosts using eBPF (a CNCF Sandbox project), has seen its v0.36.0, featuring support for the OpenTelemetry logs via OTLP protocol and uniform filtering capabilities in the gadgets.
6. kubespray v2.27.0 was released switching to CRI-O (instead of runc) as the default container runtime and Kubernetes v1.31.4 as the default K8s version. It also added support for kubeadm v1beta4, numerous Cilium features (Host Firewall and PolicyAuditMode, disabling Hubble UI, partial support for Cilium v1.16+), ntpsec, network isolation configuration in Multus, an ability to skip network configuration, support for Fedora 39 and 40, and more.
#news #releases
This visualisation tool for Kubernetes differentiates from other GUIs by aiming to provide helpful insights about your clusters.
Karpor, dubbed “Intelligence for Kubernetes,” implements a clean web UI with three major features: cluster management, insights, and search. Here’s what it offers:
- Managing multiple K8s clusters from a single UI;
- Aggregated resource view and resource topology view;
- Inspecting specific resources and resource groups;
- Summary cards for clusters, resources, namespace, and resource groups;
- Compliance reports, highlighting existing risks according to the kubeaudit output;
- Finding resources via SQL-style queries;
- AI-assisted insights and diagnostics (PR #707).
Language: Go | License: Apache 2.0 | 858 ⭐️
▶️ GitHub repo
#tools #gui
Four small Open Source projects for Kubernetes users and operators that we discovered on GitHub recently:
1. kubesec-diagram provides an excellent overview of security in Kubernetes, from Linux kernel internals to APIs, networking, operators, and more.
2. etcd-k8s-extract extracts Kubernetes resources and writes them to disk in YAML format. It should be helpful if you have an etcd backup only or when debugging Kubernetes clusters in environments with limited access.
3. kube-code-generator generates the Go code you need for Kubernetes controllers and operators. It features a minimal configuration and comes in ready-to-use Docker images.
4. kubesafe safeguards executing various CLI commands against your Kubernetes clusters (kubectl, helm, etc.) by defining safe contexts and dangerous commands.
#tools
Here goes our latest bunch of interesting Kubernetes-related articles recently spotted online:
1. "Kubernetes Homelab Series (Part 1): How I Built My Kubernetes Cluster from Scratch" by Pablo del Arco.
In this series, I’ll share my journey of building a Kubernetes homelab from scratch — the tools, the wins, the obstacles, and the lessons — all based on personal, real-world experiences rather than typical tutorials. [..] To kick things off, I started by setting up a K3s cluster — a lightweight Kubernetes distribution perfect for homelabs.
2. "Fuzzing the CNCF landscape in 2024" by Chris Aniszczyk (CNCF), Adam Korczynski (Ada Logics), David Korczynski (Ada Logics).
CNCF maintains a high level of security for its projects by way of a series of initiatives such as security auditing, supply-chain assessments and security automation work. In this blogpost we will go over CNCF’s fuzzing initiative and its impact in 2024. Fuzzing is a technique for finding security and reliability bugs by way of executing vast amounts of arbitrary inputs against a given API or codebase.
3. "Exploring the Kubernetes API Server Proxy" by Rory McCune.
[..] I thought it’d be interesting to look at a lesser known feature of the Kubernetes API server which has some interesting security implications. The Kubernetes API server can act as an HTTP proxy server, allowing users with the right access to get to applications they might otherwise not be able to reach. This is one of a number of proxies in the Kubernetes world which serve different purposes. The proxy can be used to access pods, services, and nodes in the cluster, we’ll focus on pods and nodes for this post.
4. "Would the Kubernetes CPU limit be an anti-pattern?" by Carlos Alberto Alves Correia.
Most of the time, when you ask a DevOps engineer if it is good practice to set the limit for deployments, 99% of them will say YES. I see that there is a consensus among professionals that it is good to block resources to prevent a hungry application from consuming all the resources of the cluster. Part of this is true, but not for the CPU and I will explain why.
5. "Cluster API to production: from Cluster API to GitOps with Argo CD and Kyverno" by Lior Friedman.
For Argo CD to deploy resources in tenant clusters we first need to configure the clusters in Argo CD. This guide goes over automatically generating Argo CD cluster credentials secrets using Kyverno. By the end of this guide, we will be able to deploy addons to Cluster API tenant clusters with Argo CD from the management cluster.
6. "How to Create a Production-Ready EKS Cluster on AWS Using Terraform (Part 2: EKS Setup)" by Alex Tsvetkov.
In Part 2, we’ll cover configuring the EKS cluster with Terraform, setting up managed node groups, and integrating IAM roles and policies for secure and efficient cluster operations.
#articles
This year’s first batch of Open Source projects accepted to the CNCF Sandbox has just arrived! Let’s welcome them:
1. Spin, a framework for building and running fast, secure, and composable cloud microservices with WebAssembly, and SpinKube, a platform for efficiently running containerless Spin-based Wasm applications on Kubernetes. See their Sandbox application issues for more details: [#116] [#90]
2. container2wasm, a tool to run containers on Wasm-enabled environments. [#123]
3. SlimFaas, a small proxy implementing simple FaaS (Function as a Service) in Kubernetes. [#119]
4. Tratteria, a Kubernetes-native framework designed to facilitate the adoption of TraTs (Transaction Tokens) in existing applications to secure their call chains. [#115]
5. k0s, a lightweight Kubernetes distribution with zero dependencies. [#125]
6. Runme Notebooks, a toolchain that turns Markdown into interactive, Cloud Native, runnable Notebook experiences for DevOps. [#127]
7. KubeFleet, a multi-cluster solution that enables users to manage their applications running in a fleet of Kubernetes clusters. [#307]
8. CloudNativePG, a Kubernetes-native database platform for PostgreSQL. [#128]
9. Podman Desktop, a user-friendly tool for developers to build, manage, and deploy containers and Kubernetes — all from the desktop. [#308]
10. Podman Container Tools, a set of tools (notably, Podman, Buildah, and Skopeo) to manage containers and images, volumes mounted into those containers, and pods made from groups of containers. [#309]
11. bootc, transactional, in-place operating system images and updates using OCI/Docker container images. [#310]
12. composefs, several underlying Linux kernel features to provide a flexible mechanism that supports read-only mountable filesystem trees, stacking on top of an underlying "lower" Linux filesystem. [#311]
In related news, CubeFS, a Cloud Native distributed storage system, became a CNCF Graduated project.
UPDATE: On January 26th, one more project was accepted:
13. Drasi, a data processing platform that tracks system logs and change feeds for specific events, evaluates them, and automatically reacts with relevant actions. [#296]
#news #cncfprojects
Wireshark Foundation has introduced Stratoshark created by Sysdig and advertised as "Wireshark for the Cloud".
Stratoshark is a tool that provides deep visibility into application-level behaviour by analysing cloud system calls and logs. It is built on the legacy of Wireshark and Falco, designed for Cloud Native environments, and supports the same file format as Falco and Sysdig CLI.
- Website
- LinkedIn announcement
- “Troubleshooting CrashLoopBackOff with Stratoshark”
#news #tools #security #observability
Our selection of the latest prominent software updates from the cloud native ecosystem:
1. Percona Everest, a Cloud Native database platform for Kubernetes, released its v1.4.0 with numerous new features. Particularly, it got the Helm charts as a new (and recommended) way of installation, Kubernetes namespace management via new everestctl commands, improved UI, and support for Percona PostgreSQL operator v2.5.0 and PSMDB operator v1.18.0.
2. Perses, a dashboard specification and tool for Prometheus (a CNCF Sandbox project), was updated to 0.50.0. It introduced the status history panel, reordering capability for the table panel, various new CLI commands for plugin development, and dozens of improvements.
3. Envoy Proxy (a CNCF Graduated project) released v1.33.0, featuring new JSON formatter implementation for the access log enabled by default, support for Wasm VM reload and Wasm plugins written in Go, parallel streaming of the shadow requests for HTTP requests, Signed Double-Submit Cookie pattern implementation in OAuth2, Opencensus tracing deprecation, and more.
4. Helm (a CNCF Graduated project) v3.17.0 was released with several new features, such as an ability to pull and install by OCI digest, added annotations and dependencies in the chart metadata output, new --take-ownership flag for install and upgrade commands, and new toYamlPretty template function.
5. VictoriaLogs, a scalable logs solution from the VictoriaMetrics project, has seen three substantial releases in January (1.5.0, 1.6.0, and 1.7.0). They introduced a union pipe and INNER JOINs for join pipes in LogsQL queries, new histogram stats function and value_type filter, numerous web UI improvements (including autocompletion for queries and configuration settings for the grouped view), and better performance.
6. Argo CD Image Updater, a tool to automatically update the images of K8s workloads managed by Argo CD (a CNCF Graduated project), had its v0.15 release back in October, but it was formally announced just two days ago (perhaps due to the v0.15.2 released two weeks ago). This version comes with support for Argo CD multi-source application sets, updating multiple images when using Helm value files, an ability to work even when auto-sync is disabled, and more.
#news #releases
Here goes our latest bunch of interesting Kubernetes-related articles recently spotted online:
1. "Kafka vs NATS: A Comparison for Message Processing" by Josson Paul Kalapparambath.
Kafka and NATS are two popular tools for handling streaming and messaging. They have different architectures and different performance characteristics. They are suitable for specific use cases. In this article, we will compare the features of NATS with Kafka and explain the use cases I addressed at work.
2. "Kubectl-r[ex]ec: A kubectl plugin for auditing kubectl exec commands" by Marton Natko, Adyen.
With this minimalistic application, we can easily audit exec commands, and we only have to install a few manifests on the Kubernetes side while distributing our plugin to our engineers.
3. "Kubernetes Best Practices I Wish I Had Known Before" by Engin Diri, Pulumi.
In this post, I will highlight some crucial Kubernetes best practices. They are from my years of experience with Kubernetes in production. Think of this as the curated “Kubernetes cheat sheet” you wish you had from Day 1. Buckle up; it’s going to be an exciting ride.
4. "Configuration Management at Ant Group: Generated Manifest & Immutable Desired State" by KusionStack.
In this first article, we will examine the specific challenges we encountered over the years, the strategies we devised to address them, and the resulting patterns that have emerged as what we believe to be best practices — Generated Manifest & Immutable Desired State. Through this exploration, we aim to provide valuable insights and practical guidance for navigating the complexities of configuration management in a dynamic and highly regulated environment.
5. "So you wanna write Kubernetes controllers?" by Ahmet Alp Balkan.
Low barrier to entry combined with good intentions and the “illusion of working implementation” is not a recipe for success while developing production-grade controllers. I’ve seen the real-world consequences of controllers developed without adequate understanding of Kubernetes and the controller machinery at multiple large companies. We went back to the drawing board and rewrote nascent controller implementations a few times to observe which mistakes people new to controller development make.
6. "Kubernetes RBAC: A Comprehensive Guide" by Oshrat Nir.
Kubernetes RBAC is a method used to manage user access rights to resources within a Kubernetes cluster. It enables administrators to grant users or applications only the permissions they need to perform their tasks, and no more. RBAC uses authentication and authorization to achieve its purpose by verifying the identity of a user or system trying to access the Kubernetes API server.
#articles
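Items 2 and 6 above meet at one question: who is allowed to exec into Pods or read Secrets in the first place? As an added example (not code from either article or from the kubectl-rexec plugin), here is a small Python audit that walks Role/ClusterRole objects, as `kubectl get roles,clusterroles -A -o json` returns them, and flags the grants a reviewer should question: wildcard rules, the escalate/bind/impersonate verbs, read access to secrets, and create on pods/exec and its siblings. The sample objects and the finding wording are constructed for this example.

```python
"""Flag over-broad grants in Kubernetes Role/ClusterRole objects.

Added example for this digest, not code from the linked RBAC article or
the kubectl-rexec plugin. Input is the list of Role/ClusterRole objects
as returned by `kubectl get roles,clusterroles -A -o json` (.items);
SAMPLE_ROLES below is constructed for the example.
"""
import json

# Verbs that let a subject grow its own privileges; any grant is worth a look.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
# Sub-resources that give an interactive foothold in a Pod or mint credentials;
# they are exercised with the 'create' verb.
EXEC_LIKE = {"pods/exec", "pods/attach", "pods/portforward", "serviceaccounts/token"}
READ_VERBS = {"get", "list", "watch"}


def audit_rule(rule: dict) -> list[str]:
    """Return human-readable findings for one PolicyRule (empty list if it looks fine)."""
    findings = []
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))

    if "*" in verbs and "*" in resources:
        findings.append("wildcard verbs on wildcard resources (cluster-admin equivalent)")
    elif "*" in verbs:
        findings.append(f"wildcard verbs on {sorted(resources)}")
    elif "*" in resources:
        findings.append(f"{sorted(verbs)} on all resources")

    escalation = verbs & ESCALATION_VERBS
    if escalation:
        findings.append(f"escalation verbs {sorted(escalation)}")

    if "secrets" in resources and verbs & (READ_VERBS | {"*"}):
        findings.append("read access to secrets")
    for res in sorted(resources & EXEC_LIKE):
        if verbs & {"create", "*"}:
            findings.append(f"create on {res} (interactive access to pods)")
    return findings


def audit_roles(roles: list[dict]) -> dict[str, list[str]]:
    """Map 'Kind/namespace/name' to findings for every role that has at least one."""
    report = {}
    for role in roles:
        meta = role["metadata"]
        key = f"{role['kind']}/{meta.get('namespace', '-')}/{meta['name']}"
        findings = [f"rule[{i}]: {msg}"
                    for i, rule in enumerate(role.get("rules", []))
                    for msg in audit_rule(rule)]
        if findings:
            report[key] = findings
    return report


SAMPLE_ROLES = [  # constructed for the example
    {"kind": "Role", "metadata": {"name": "app-reader", "namespace": "shop"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "configmaps"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "debugger", "namespace": "shop"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
               {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ops-all"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "rb-manager"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"],
                "resources": ["clusterrolebindings"], "verbs": ["create", "bind"]}]},
]

if __name__ == "__main__":
    # Real use: json.load(open("roles.json"))["items"] from the kubectl command above.
    print(json.dumps(audit_roles(SAMPLE_ROLES), indent=2))
```

The audit reads rules only, so a flagged ClusterRole matters only once a binding hands it to a subject; it also ignores resourceNames restrictions and aggregated ClusterRoles, both of which you would want to account for before treating its output as a finding rather than a lead.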
There are many ways to run a Kubernetes cluster at home. This project produces a beginner-friendly ISO image loaded with ready-to-use software.
k4all provides a pre-configured Fedora CoreOS image, which you can boot on your home device to install Kubernetes and essential add-ons. Here’s what it offers:
* Fully automated installation process. (Note that it will format your disk.)
* Kubernetes dashboard, metrics server, Calico or Cilium for networking, NGINX Ingress Controller, and TopoLVM (a CSI plugin to use LVM for Kubernetes).
* Optional add-ons: KubeVirt to run virtual machines and Argo CD.
Language: Shell | License: GPL 3.0 | 22 ⭐️
▶️ GitHub repo
📢 Reddit announcement
#tools
Kubernetes History Inspector (KHI) from Google Cloud is Open Source now.
As its description states, “KHI transforms vast quantities of logs into an interactive, comprehensive timeline view.” The tool collects Kubernetes logs and visualises them, providing SREs with an interactive web-based GUI.
KHI displays the status of resources on a timeline, correlates various types of logs (event logs, audit logs, network, etc.) to help you find their relationships and dependencies, and allows you to interactively apply various filters. Currently, only Kubernetes clusters in Google Cloud (i.e. GKE) are supported, with more options to follow.
▶️ GitHub repo
#tools #GCP #observability #news
Our selection of the latest prominent software updates from the Cloud Native ecosystem:
1. Kargo, an application lifecycle orchestration platform for Kubernetes, was updated to v1.2.0, featuring Promotion Tasks to define reusable sets of specific actions across multiple Promotion Templates. It also introduced the soak time for Stages to wait for a certain period of time before any Freight is promoted, as well as new Promotion Steps and improvements in UI and charts.
2. KitOps, a DevOps tool for packaging and versioning AI/ML models, datasets, code, and configuration into reproducible artifacts, has reached its v1.0.0. It came with a new kit import command to import models from Huggingface and a new kit init command to automatically generate Kitfiles.
3. Coroot, an Open Source APM & observability tool, has released its v1.7 and v1.8 versions, which added support for ClickHouse and ZooKeeper, enabled API keys configuration for projects, introduced its own configuration file and a new dashboard displaying security risks.
4. Falco, a Cloud Native runtime security tool (a CNCF Graduated project), received a major update with 0.40.0, which merged 50+ pull requests. It came with streamlined Docker images (smaller image size, optimised layers, and enhanced security), numerous new process filters (including proc.pgid), support for sendmmsg and recvmmsg syscall parameters, and suggested output fields in plugins.
5. MariaDB Operator 0.37.0 was released, introducing TLS support (enabled by default), native integration with cert-manager, and automatic updates when Galera options are changed.
6. Grafana 11.5 brought an improved sharing experience for dashboards (including a new Export option) and panel images (including a new Panel preview section), Private Data Source Connect (PDC), redesigned ad-hoc filters for dashboards, Elasticsearch’s cross-cluster search feature in the relevant data source plugin, and RBAC improvements (support for notification policies and alerting notifications).
7. Argo Rollouts, a Kubernetes controller with advanced deployment capabilities (a part of Argo, a CNCF Graduated project), released its 1.8. New features include Canary step plugins (to create a plugin and execute customised steps during the canary analysis), an analysis consecutive success limit, full annotations support for nginx canary ingresses, and pprof profiling support.
#news #releases
Whether you're exploring your current Kubernetes environment or some new third-party software, you can benefit from having a quick diagram visualising all K8s resources. This new tool does just that.
KubeDiagrams generates architecture diagrams presenting Kubernetes resources, their interrelationships, and the relevant higher-level layers (namespaces, applications, etc.). The tool’s highlights include:
- Support for manifest files, Helm charts, Kustomization files, and actual cluster state.
- Support for 42 resource types and any custom resources.
- Grouping resources based on namespaces and labels (e.g., app.kubernetes.io/name or helm.sh/chart).
- Various output formats, including PNG, SVG, PDF, etc.
Language: Python | License: GPL 3.0 | 43 ⭐️
▶️ GitHub repo
📢 Reddit announcement
#tools
Weave GitOps is a Flux-based developer platform that simplifies continuous delivery adoption and scaling and provides insights into application deployments. It’s an Open Source project created at Weaveworks, the company that shut down in February 2024.
It hasn’t seen any releases since December 2023, but now the community formed from the Weaveworks ex-staff members and other users is reviving Weave GitOps. Just 9 hours ago, a 0.39.0-rc.1 release landed in the project’s GitHub repo. It brings numerous improvements, including support for Flux 2.4.0, updated UI and dependencies, enabled OpenTofu compatibility, and a new domain with the project’s documentation.
Find more details about this release here and the project’s documentation here.
P.S. Weave GitOps Enterprise, an enterprise solution based on Weave GitOps, became Open Source in April 2024.
#news #releases #gitops
Here goes our latest bunch of interesting Kubernetes-related articles recently spotted online:
1. "How I Supercharged My Local Kubernetes Setup" by Joseph Whiteaker.
Setting up a local Kubernetes cluster with Kind, MetalLB, and Istio takes some effort, but the payoff is a highly flexible, production-like environment that runs entirely on your local machine. Through this process, I’ve explored custom networking, pull-through registries, certificate management, and domain-based routing — all things that bring local Kubernetes closer to how real-world clusters operate.
2. "Vulnerability management in the microservice era: From zero to hero" by Nigel Douglas, Sysdig.
Kubernetes vulnerability scanning is the process of systematically inspecting a Kubernetes cluster, including its container images and configurations, to detect security misconfigurations or vulnerabilities that could compromise the platform’s security posture. It’s an essential practice for organizations to maintain a strong security posture and it offers several critical benefits.
3. "OpenTelemetry Collector deployment modes in Kubernetes" by Reese Lee & Brad Schmitt, New Relic.
A good way to simplify this process [deploying the OpenTelemetry Collector] is to familiarize yourself with "Collector deployment modes"—the various methods for setting up and managing the Collector to gather, process, and export application and system data within Kubernetes. It’s important to note that “deployment modes” differ from “deployment patterns,” a distinction that can be confusing. This blog post guides you through these key concepts so you’ll have the foundational knowledge you need to choose the right deployment mode for your observability strategy.
4. "Cluster API + Talos + Proxmox = ❤️" by Quentin Joly.
Today, I am tackling another aspect of Talos: provisioning Kubernetes clusters on Proxmox VMs via the Cluster API. I do not have the expertise to write a comprehensive article on the Cluster API, nor have I tested multiple providers or clouds. In this article, I will instead present my journey to deploy a Talos cluster on Proxmox via the Cluster API, detailing the steps, encountered issues, and solutions found.
5. "OpenTelemetry: A Guide to Observability with Go" by Luca Cavallin, a CNCF Ambassador.
In this post, I'll walk through how to integrate OpenTelemetry in a Go application. By the end, you'll have a reusable telemetry package that sets up logging, metrics, and tracing - all without cluttering your application code! I've published the package, complete with tests and examples, on GitHub: gotel. Feel free to use it as a starting point for your own projects.
6. "How to Build a Multi-Tenancy Internal Developer Platform with GitOps and vCluster" by Artem Lajko.
Here’s what you can expect from this blog:
- Introduction to Kubernetes and Internal Developer Platforms
- The Role of Platform Engineering in Building and Managing an IDP
- Implementing GitOps with Argo CD to Manage Your IDP Seamlessly
- Cost-Efficient Strategies for Multi-Tenant IDPs
- Hands-On Guide and GitHub Resources
#articles
Do you validate your Prometheus and other observability-related rules? Sometimes, you want to check them thoroughly and reviewing their syntax is not enough. Here’s when this tool comes in handy.
Promruval (Prometheus Rule Validator) validates rules metadata and expression properties against your actual setup and requirements. To benefit from it, you’ll need to create a YAML configuration defining allowed values, limits, and other constraints and then invoke promruval validate in your CI pipeline. Some of the tool’s highlights are:
- Support for Prometheus, Thanos, Mimir, and Loki rules formats.
- Support for rule files in YAML and Jsonnet formats.
- A huge list of available validators, which cover rule groups, labels, PromQL & LogQL expressions, and more.
- An ability to have multiple configuration files.
Language: Go | License: Apache 2.0 | 140 ⭐️
▶️ GitHub repo
#tools #observability
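To make the “constraints, then validate in CI” workflow concrete, here is an added Python example (not Promruval’s code, and not its configuration schema) that re-implements a handful of the checks such a validator performs: required labels and annotations, an allow-list of severity values, a cap on the for duration, and a ban on regex matchers that select every series. The constraints and the sample rule file are constructed; a real pipeline would load the rule file with PyYAML and pass the resulting dict to validate_rule_file(), failing the job on a non-zero exit.

```python
"""Check Prometheus alerting rules against team constraints before merge.

Added example for this digest, not promruval's own code or its config
schema: it re-implements a few of the checks that kind of tool runs, on
constructed sample rules, so the workflow is visible without any deps.
A real pipeline would load the rule file with PyYAML and hand the dict
to validate_rule_file().
"""
import re

# Team conventions to enforce (constructed; promruval expresses these in its own YAML config).
CONSTRAINTS = {
    "required_labels": {"severity", "team"},
    "allowed_label_values": {"severity": {"info", "warning", "critical"}},
    "required_annotations": {"summary", "runbook_url"},
    "max_for_seconds": 3600,
    # Regex matchers that select every series hide typos in the selector; forbid them.
    "forbidden_expr_patterns": [r'=~"\.\*"', r'=~"\.\+"'],
}

DURATION_RE = re.compile(r"^(\d+)([smhd])$")
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value: str) -> int:
    """Convert a single-unit Prometheus duration such as '10m' or '2h' to seconds.
    Compound forms like '1h30m' are not handled here (simplification)."""
    match = DURATION_RE.match(value.strip())
    if not match:
        raise ValueError(f"unsupported duration {value!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def validate_alert(rule: dict, constraints: dict) -> list[str]:
    """Return the constraint violations of one alerting rule (empty list if clean)."""
    problems = []
    labels = rule.get("labels", {})
    annotations = rule.get("annotations", {})

    missing = constraints["required_labels"] - set(labels)
    if missing:
        problems.append(f"missing labels {sorted(missing)}")
    for key, allowed in constraints["allowed_label_values"].items():
        if key in labels and labels[key] not in allowed:
            problems.append(f"label {key}={labels[key]!r} not in {sorted(allowed)}")
    missing_ann = constraints["required_annotations"] - set(annotations)
    if missing_ann:
        problems.append(f"missing annotations {sorted(missing_ann)}")
    if "for" in rule and parse_duration(rule["for"]) > constraints["max_for_seconds"]:
        problems.append(f"for={rule['for']} exceeds {constraints['max_for_seconds']}s")
    for pattern in constraints["forbidden_expr_patterns"]:
        if re.search(pattern, rule.get("expr", "")):
            problems.append(f"expr matches forbidden pattern {pattern}")
    return problems


def validate_rule_file(doc: dict, constraints: dict = CONSTRAINTS) -> dict[str, list[str]]:
    """Map 'group/alert' to its violations; recording rules are skipped here."""
    report = {}
    for group in doc.get("groups", []):
        for rule in group.get("rules", []):
            if "alert" not in rule:
                continue
            problems = validate_alert(rule, constraints)
            if problems:
                report[f"{group['name']}/{rule['alert']}"] = problems
    return report


SAMPLE_RULES = {  # constructed; same shape as a Prometheus rule file loaded from YAML
    "groups": [{
        "name": "shop.rules",
        "rules": [
            {"alert": "HighErrorRate",
             "expr": 'sum(rate(http_requests_total{job="shop",code=~"5.."}[5m])) > 0.05',
             "for": "10m",
             "labels": {"severity": "critical", "team": "shop"},
             "annotations": {"summary": "5xx rate above 5%",
                             "runbook_url": "https://runbooks.example.invalid/high-error-rate"}},
            {"alert": "PodRestarting",
             "expr": 'increase(kube_pod_container_status_restarts_total{namespace=~".*"}[1h]) > 3',
             "for": "2h",
             "labels": {"severity": "page"},
             "annotations": {"summary": "pod restart loop"}},
            {"record": "job:http_requests:rate5m",
             "expr": "sum by (job) (rate(http_requests_total[5m]))"},
        ],
    }]
}

if __name__ == "__main__":
    import sys
    report = validate_rule_file(SAMPLE_RULES)
    for name, problems in report.items():
        print(name)
        for problem in problems:
            print("  -", problem)
    sys.exit(1 if report else 0)  # a non-zero exit fails the CI job
```

Run against the sample, HighErrorRate passes and PodRestarting is rejected on all five counts, which is the point of running such checks before promtool’s syntax check alone lets a rule through that nobody will ever be paged for correctly.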
Here comes our newest digest of the prominent software updates in the Cloud Native ecosystem!
Release Spotlight: Cilium 1.17.0
Last week, a new Cilium release arrived, 1.17.0, accumulating an impressive 2700+ commits. They resulted in many changes in the project, improving its networking, security, and observability features, as well as scalability.
Some highlights of this release are: protocol differentiation (UDP, TCP) for services, per-service load balancing algorithm selection, Multi-Cluster Service API controller, Pod-level networking QoS classes support, improved network policy performance, ability to select CIDRs by labels, static addresses for gateways, dynamic Hubble metrics and numerous new metrics, rate limiting for eBPF events against CPU usage, and Gateway API 1.2.1 support.
Other noticeable updates in the Cloud Native space:
1. KubeArmor, a Cloud Native runtime security enforcement system (a CNCF Sandbox project), released its v1.5.0 (and subsequent v1.5.x fixes) with several new features. They include network rules for the SCTP protocol, for all protocols over raw network sockets/domains, and for protocol: all; configurable Docker imagePullSecrets; and special preset rules to handle fileless process execution.
2. Skaffold, a CLI tool for continuous development of applications for Kubernetes, has introduced v2.14.0 (and the subsequent v2.14.1 fix), bringing various updates. It got Helm dependencies and concurrency support, faster helm install (by using goroutines), optimised Kaniko builds (by using compression) and imagePullSecret support in Kaniko, as well as a new GCS (Google Cloud Storage) client.
3. External Secrets Operator, a Kubernetes operator that integrates external secret management systems (a CNCF Sandbox project), reached v0.14.0 (and subsequent v0.14.x fixes), introducing stateful generators, with a new Grafana ServiceAccounts generator as its first implementation. Now, ESO can manage user or system accounts for database systems, message brokers, managed service providers, etc.
4. Falco Talon, a no-code solution for a customisable response engine working with Falco (a CNCF Graduated project), was updated to v0.3.0. It features a new actionner called kubernetes:sysdig: when a suspicious event occurs in a Pod, Talon triggers a capture and exports the created artifact to AWS S3 or Minio, which you can later explore via the sysdig CLI tool.
5. Crossplane, a framework for building Cloud Native control planes (a CNCF Incubating project), released v1.19.0 just yesterday. It comes with the Usage API and Claim server-side apply promoted to Beta (enabled by default now), customisable ports for Crossplane, an auto-downgrading feature for packages in the automatic dependency management (Alpha), support for private repositories in the CLI commands downloading Crossplane packages (render, validate), and an API promotion policy.
#news #releases
Have you heard of kgateway? 🤔
It’s the new name of the Gloo Gateway Open Source project. Gloo Gateway is a flexible Kubernetes-native ingress controller and API gateway built on top of Envoy proxy and the Kubernetes Gateway API. Solo.io, the company behind it, decided to make it an independent project by introducing vendor-neutral governance, renaming it, and donating it to the CNCF.
Find more details about kgateway and its future in the CNCF blog, related CNCF Sandbox application request, and new GitHub repo.
#news #tools #networking #cncfprojects