Kubernetes 1.22 shipped this week. I suggest you, at a minimum, read the release blog post or take a gander at the CHANGELOG, and definitely read the “No, really, you MUST read this before you upgrade” section. Some of the bigger changes:
- Audit log files are created with mode 0600 (readable only by the owner)
- Rootless mode containers moving to alpha: In my opinion, if you use Podman, you’re used to this. If you’re not, you should be using rootless containers intentionally for security reasons (more on that later).
- cgroup v2 moving to alpha
- Pod Security Policy replacement (aka Pod Security Admission Controller): Yes, PSPs are deprecated and being replaced. There are a lot of reasons why.
- LoadBalancer moving to beta
- Enable seccomp by default
- and a whole bunch more
KubeCon NA 2021 acceptances went out this week and the schedule is live. I’m excited to say I’m teaming up with Kaslin Fields, Bart Farrell, Matthew Broberg, and Kunal Kushwaha for a panel talk about what we’ve been doing in the Kubernetes Upstream Marketing Team (which includes the @K8sContributors Twitter handle and so much more).
A note about KubeCon: I want everyone that might be speaking at a Day 0 event or trying to get to KubeCon to know that if anyone needs financial support, please apply for a scholarship, either diversity or needs-based here: https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/attend/scholarships/
People
Apple’s Plan to “Think Different” About Encryption Opens a Backdoor to Your Private Life
Now we enter life with one of the top phone makers having a backdoor into the private lives of its consumers. I can’t wait until pictures of Max in the bathtub somehow lead to a search warrant. I have a feeling this isn’t going to go well at all for any of us.
A Non-Tech Explanation of Containers and Kubernetes
100 Million Downloads and Over 5,000 Ecosystem Add-Ons later, HashiCorp has released the 1.0 version of Terraform. This eBook and audiobook will help you understand the underlying concepts of this infrastructure-as-code tool and how it can be a significant resource when your cloud infrastructure hits critical mass. SPONSORED
Study reveals racial bias on GitHub
This should surprise no one. The IEEE breaks it down in a report titled, “On the Relationship Between the Developer’s Perceptible Race and Ethnicity and the Evaluation of Contributions in OSS” [PDF]
Amazon now employs almost 1 million people in the U.S. — or 1 in every 169 workers
This should be a big red flag for regulators to pick at.
DevOps, SRE, and Platform Engineering
Ivan Velichko breaks down what he sees as the differences between Development, DevOps, Site Reliability Engineering (SRE), and Platform Engineering.
How to Talk About Your Mental Health with Your Employer
Very, very carefully. I usually bring it up within a month of getting a new boss. Oh… I guess I need to have this conversation again soon.
Zoom will pay $85 million to settle lawsuit over privacy and ‘zoombombing’
Zoom’s market cap at time of writing is $112.989 billion (source CNBC).
We’re in hottest job market for tech workers since dot-com era
If you’re not interviewing right now, you could be missing out.
Playbook to Bust Bureaucracy
This is a delightfully rebellious read.
Why Chinese Big Tech no longer dares say ‘996’
Long overdue. “Over the past two months, at least four Chinese tech giants have announced plans to cancel mandatory overtime; some of the changes are companywide, and others are specific to business units. ByteDance, Kuaishou and Meituan’s group-buying platform announced the end of a policy called ‘Big/Small Week,’ where a six-day workweek is followed by a more moderate schedule. In early June, a game studio owned by Tencent rolled out a policy that mandated employees punch out at 6 p.m. every Wednesday and take the weekends off.”
Process
HTTP/2: The Sequel is Always Worse
All the bad things (so far) about HTTP/2.
Collaboration and Automation for Infrastructure as Code
See how env0 automates and simplifies the provisioning of cloud deployments for Terraform, Terragrunt and GitOps workflows. Variables and Secrets granularity, Full CLI support, integration with OPA, Dynamic RBAC and quality of life features. Free Demo. SPONSORED
NSA, CISA release Kubernetes Hardening Guidance
This is a big deal. The NSA guides are top-notch reference material. What’s one of the first pieces of guidance? Using non-root containers. There are good example YAMLs in the appendix as well. PDF
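As an added illustration (my own example here, not one of the YAMLs from the NSA/CISA appendix), here is what “non-root containers” plus the 1.22 seccomp and Pod Security Admission changes look like in a manifest. The namespace name and image are placeholders; the `pod-security.kubernetes.io/*` labels only do anything if the API server has the alpha PodSecurity admission plugin enabled.

```yaml
# Added example (not from the NSA/CISA guide): a namespace opted into the
# 1.22 Pod Security Admission "restricted" profile, plus a Pod that passes it.
# In 1.22 the PodSecurity admission plugin is alpha and must be enabled on the
# API server (feature gate PodSecurity); without it the labels are inert.
# Namespace name and image are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: hardened-demo
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.22
---
apiVersion: v1
kind: Pod
metadata:
  name: nonroot-demo
  namespace: hardened-demo
spec:
  securityContext:
    runAsNonRoot: true        # kubelet refuses to start a container whose UID resolves to 0
    runAsUser: 10001          # explicit non-zero UID, so the check does not depend on the image's USER
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault    # set explicitly; 1.22 only defaults this behind the alpha SeccompDefault gate
  containers:
  - name: app
    image: example.invalid/app:1.0   # placeholder image
    securityContext:
      allowPrivilegeEscalation: false   # blocks setuid binaries from regaining privileges
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]                   # restricted profile requires dropping ALL
    volumeMounts:
    - name: tmp
      mountPath: /tmp                   # writable scratch space since the root fs is read-only
  volumes:
  - name: tmp
    emptyDir: {}
```

Apply it with `kubectl apply -f` on a 1.22 cluster. If you flip the namespace label to `baseline` or remove `runAsNonRoot`, the `restricted` enforcement (when the plugin is on) rejects the Pod at admission rather than at runtime, which is the point of the PSP replacement: the policy lives on the namespace, not in a cluster-wide PSP plus RBAC bindings.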
SolarWinds urges US judge to toss out crap infosec sueball: We got pwned by actual Russia, give us a break
SolarWinds is saying that they’re “the victim of the most sophisticated cyberattack in history” and shouldn’t be held liable for loss in market value by its shareholders. It’s a reasonable argument, but this is a pretty big precedent to set too.
The summer Intel fell behind
If you’re a regular reader of this newsletter, you knew that Intel’s reckoning was coming. Well, this year it finally happened. What comes next could make or break the chip maker.
Tools
Kubernetes CI/CD with Tekton and ArgoCD
Build and deploy with Tekton and ArgoCD with this incredibly detailed article.
Search your code. ALL of it, everywhere.
Imagine if you could search all your code across every repo, every language, every code host. You can with Sourcegraph universal code search. Quickly navigate code with contextual hover tooltips that show definitions, references, and usage examples. Construct complex queries and filter code in ways that IDEs and code hosts can’t. Find and fix code fast, without losing your flow. Sourcegraph universal code search is a dev’s superpower. Get it now. SPONSORED
Docker Compose to Kubernetes: Step-by-Step Migration
I always forget how useful Kompose is at the beginning of a new project. “Kompose is a conversion tool for Docker Compose to container orchestrators such as Kubernetes (or OpenShift).”
Amazon and Google patch major bug in their DNS-as-a-Service platforms
It’s not all DNS’s fault. “What the Wiz team discovered was that several managed DNS providers did not blacklist their own DNS servers inside their backends.” Which means you could easily hijack Amazon and Google’s DNS servers to do basically anything you wanted to an unknowing victim or adversary. I reported on this last week, but this sheds a little more light on the subject.
Microsoft halts Windows 365 trials after running out of servers
I’m not sure what this says about Windows, but I’m sure it isn’t good.
Hard Drive Reliability: A Look at HDD and SSD Failure Rates
Hard drive reliability is at a new peak. This report is fascinating.
Deployment Strategies In Kubernetes
“Learn what are the different deployment strategies available in Kubernetes and how to use them.”
Postgres.app – the easiest way to get started with PostgreSQL on the Mac
Neat!
A GPSD time warp
If you’re like me and have been a GPS consumer since before consumers got highly accurate GPS data, you probably understand how bad of a problem this is.
New in Git: switch and restore
git switch is my new best friend.
openshift/service-ca-operator
Controller to mint and manage serving certificates for Kubernetes services
myspaghetti/macos-virtualbox
Push-button installer of macOS Catalina, Mojave, and High Sierra guests in Virtualbox for Windows, Linux, and macOS
Tib3rius/AutoRecon
AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services.
mitmproxy/mitmproxy
An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
DevOps’ish Tweet of the Week
I know AWS has a UX team. I don’t know if AWS listens to their UX team though.
Want more? Be sure to check out the notes from this week’s issue to see what didn’t make it to the newsletter but are still worth your time.