Kubernetes 1.30 | Security Problems | Conferences
There is so much happening all around in tech, and the tech is moving really, really fast. I am back from my conference trip (WasmIO, Rejekts and KubeCon); yes, I feel a bit tired, but I have not taken any breaks since then and am continuing my work (accelerated, actually).
Team Kubesimplify has already shared detailed conference recap posts for all three, including the sessions we were involved in, which you can read here.
So Kubernetes 1.30 is around the corner, and it is again packed with many features, some coming in as alpha, some moving to beta and some graduating to stable. One thing that came up recently is that the Kubernetes maintainers are not getting enough feedback on e2e tests, upgrades and testing for all the features, which is why I dropped a video on how you can create a Kind Kubernetes cluster from the release 1.30 branch (it should work with your own branch as well).
Want to contribute to the community? This can be one way: you can raise issues, give feedback and try out new features. What is your favourite Kubernetes feature, the one you are excited about? I covered a few of them in the video:
Kubernetes user namespace
Secret sync controller
Image pull secrets
Node log query
Validating admission policy
Structured authorization configuration
Recursive read-only mounts
CVE-2024-3094 is a hidden backdoor in XZ Utils, specifically in versions 5.6.0 and 5.6.1. Discovered on March 29, 2024, it was slipped into the software through obfuscated code that was not easy to spot. The issue is serious because it tampers with how SSHD (the daemon that lets people remotely access a computer) checks who is trying to log in, potentially letting attackers in regardless of the usual safeguards.
The root of the problem was a piece of code added to XZ Utils, a program used to compress and decompress files. The code was hidden well enough that it passed initial review and made its way into official releases. As a result, certain Linux distributions, such as Fedora 41 and Fedora Rawhide, among others, were affected.
In simple terms, imagine someone managed to make a spare key to your house and could get in without you knowing. This vulnerability was like that spare key for attackers. Thanks to the quick work of cybersecurity experts, people were given ways to change the locks, so to speak, and protect their systems from unauthorised access.
There are a lot of threads on how this actually made it into the official release, and it's concerning to read them, tbh. There are also a few GitHub gists regarding the same:
https://x.com/robmen/status/1774067844785086775?s=20
gist:
There appears to be a string encoded in the binary payload: https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01#file-hashes-txt-L115
Which functions as a killswitch: https://piaille.fr/@zeno/112185928685603910
Thus, one workaround for affected systems might be to add this to `/etc/environment`:
```
yolAbejyiejuvnup=Evjtgvsh5okmkAvj
```
+ restart ssh and systemd
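As an added defender-side example (this is not from the newsletter, the quoted gist or any vendor tool), here is a small POSIX shell audit that checks whether the installed XZ Utils is one of the two affected releases named above (5.6.0 and 5.6.1) and whether the kill-switch variable from the quoted gist is already present in `/etc/environment`. It assumes that `xz --version` prints `xz (XZ Utils) <version>` on its first line; the variable name is taken verbatim from the gist.

```shell
#!/bin/sh
# Added example, not part of the newsletter or the gist: a quick host audit for
# CVE-2024-3094. Assumption: `xz --version` prints "xz (XZ Utils) <version>"
# on its first line. The kill-switch variable name comes from the gist above.

# Return 0 (true) when the version string is one of the two affected releases.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from `xz --version` output passed as one string,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if the format differs.
parse_xz_version() {
    printf '%s\n' "$1" | head -n 1 \
        | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 when the kill-switch variable from the gist is set in the given
# environment file. Takes a path so it can be checked against a sample file.
has_killswitch_env() {
    [ -r "$1" ] && grep -q '^yolAbejyiejuvnup=' "$1"
}

# Report the state of this host: affected xz release? workaround in place?
audit_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
        if [ -n "$ver" ] && is_affected_xz_version "$ver"; then
            echo "WARNING: xz $ver is an affected release (CVE-2024-3094); update via your distribution"
        else
            echo "OK: xz ${ver:-unknown} is not 5.6.0 or 5.6.1"
        fi
    else
        echo "xz is not installed on this host"
    fi
    if has_killswitch_env /etc/environment; then
        echo "NOTE: kill-switch variable from the gist is set in /etc/environment (temporary workaround, not a fix)"
    fi
}

audit_host
```

The version check is the signal that matters; the kill-switch line is reported only so you know a host is still relying on the temporary workaround rather than a patched package.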
A lot needs to be done in the supply chain space, in how rules, policies and even LAW can be made to prevent such things from happening. Maintainer burnout is real, and the question is how this process can be incentivised for maintainers working on open source. This is not a day's work; it's actually years in the planning!
What am I up to next?
I wrote a Taskfile, as I had a task to accomplish; my friend Harsh introduced Taskfile to me and it was easy. Yes, this could have been a Dagger function as well. BTW, want to learn Dagger? You can learn from Solomon Hykes (Founder of Docker) himself next week! I am really excited about that.
KCD Pune - I am giving a keynote at KCD Pune on Generative AI on Kubernetes, so if you are around, let's meet. You can use the discount code SAIYAMKCDPUNE while registering.
I recently talked in a webinar about multi-cluster and demoed Karmada on Civo Kubernetes; you can watch the replay here.
I have an upcoming webinar with Perfectscale where I will be talking about WebAssembly on Kubernetes using SpinKube. You can register for this FREE webinar here.
Let’s enjoy some of the community content now!
Sponsored Content
Without the sponsors I wouldn't be able to bring you an authentic newsletter with all the cool stuff, so please do check them out.
Cast AI - Spot Instance Availability Demystified: AWS, Azure, and GCP
Komodor - Optimizing Kubernetes Reliability in 2024 with Komodor | Kubesimplify Webinar
Sysdig - CVE-2024-3094: Detecting the SSHD backdoor in XZ Utils
Awesome Reads March
Introducing GPTScript ...Officially - GPTScript merges natural language with traditional programming to simplify the creation and linking of tools using AI. This innovative approach allows for easy task automation, data analysis, and application development by writing in English or other native languages, significantly enhancing the programming landscape.
Using Stripe Payments with Rust - Integrating Stripe with Rust allows easy monetization of web services, covering one-off payments, customer management, product and subscription handling, and webhooks. The process begins with obtaining a Stripe API key and adding `async-stripe` to your project. Key steps include creating products and prices on Stripe, setting up and modifying subscriptions, and facilitating transactions through checkout sessions. Stripe also simplifies customer setup and utilizes webhooks for notifications about subscription changes, streamlining the payment process in Rust applications.
Kubernetes is (not) a cost optimization problem - Initially seen as a cost-saver, Kubernetes now incurs higher expenses due to its architecture, including replicas and sidecars that consume extra resources. The solution may lie in adopting serverless computing and WebAssembly, which promise quicker start times and lower resource consumption, pointing towards a shift in deployment practices for better cost management in Kubernetes environments.
CNCF AI whitepaper - The AI Working Group is pleased to announce the AI Working Group’s Cloud Native AI whitepaper, which presents a brief overview of the state-of-the-art AI/ML techniques, followed by what cloud native technologies offer, covering the next challenges and gaps before discussing evolving solutions.
Why the hell is your Kubernetes API public? - Lee Briggs questions the security of publicly accessible Kubernetes APIs, suggesting that private networking and using tools like the Tailscale Kubernetes Operator can significantly enhance control plane security by leveraging VPNs and avoiding direct internet exposure.
SpinKube - the first look at WebAssembly/WASI application (SpinApp) on Kubernetes - Thang Chung introduces SpinKube, showcasing its integration of WebAssembly/WASI applications on Kubernetes, enhancing serverless computing by simplifying deployments and leveraging the OCI standard for publishing wasm files, promising more efficient multi-language workload management within Kubernetes clusters.
containerd vs. Docker: Understanding Their Relationship and How They Work Together - A nice refresher blog that explains how containerd and Docker work together to streamline container management, with containerd handling the core functionality of running containers and Docker building upon this to enhance the developer experience across the software development lifecycle.
Resources and Awesome Repos
Network scanner - Network scanner TUI
Boxer - Build a WebAssembly distribution of your project in a single step.
Claw-lang - The compiler for the Claw language
Learn from X platform
https://x.com/danielepolencic/status/1767166409396666836?s=20
https://x.com/cognition_labs/status/1767548763134964000?s=20
https://x.com/I_saloni92/status/1771984987413434552?s=20 - Sad to see this happen within the community.
If you like our newsletter, care to share and subscribe for FREE.