Brigade launched

Event-driven scripting tool for Kubernetes released by Microsoft
31 October 2017

Microsoft has unveiled a new open-source project for DevOps needs: Brigade, a utility that runs scripts on a Kubernetes cluster in response to events.

The Brigade utility was created by former employees of Deis, a company Microsoft acquired earlier this year. Deis worked on Kubernetes, Helm and Draft. The purpose of Brigade is to "script simple and complex workflows using JavaScript." It lets you chain containers, running them sequentially or in parallel, and invoke scripts on a schedule, on GitHub events ("DockerHub and other popular web services" are also supported), on Docker push operations or on other triggers. The project's README describes it as "a tool for creating pipelines for Kubernetes".

Brigade architecture

Brigade is written in Go and TypeScript/JavaScript and runs as a service inside Kubernetes. A Brigade job is a JavaScript script that the service interprets, creating the necessary Kubernetes resources. Brigade then waits for events and runs the corresponding job when one fires. The new tool is expected to suit continuous integration and delivery (CI/CD) well, since it simplifies automated testing, building artifacts and releases, and managing software deployment.

Check GitHub for more information.

Critical Vulnerability to be Fixed in Kubernetes 1.13

The issue allowed an attacker to gain full control over a container cluster
06 December 2018

Kubernetes 1.13 has been released, and in it the developers have eliminated a privilege-escalation vulnerability. The bug allowed an attacker to gain full control over a container cluster.

To exploit the flaw, it was necessary to send a specially crafted discovery request to a backend API, which left the network connection open. This gave access to the API server and allowed arbitrary commands to be sent to it, while the backend treated those requests as if they came from the API server itself.

Moreover, any Kubernetes user, including those who had not authenticated, could use this flaw. As it turned out, the problem goes all the way back to version 1.0.

To fix it, update Kubernetes to version 1.10.11, 1.11.5, 1.12.3 or 1.13.0, or at least block anonymous access to the API with the --anonymous-auth=false option and revoke the rights to perform exec, attach and portforward operations.
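The two mitigations named above (disabling anonymous access on the API server and revoking exec/attach/portforward rights) can be checked mechanically. The following Python script is an added example, not code from the article or from the Kubernetes project: it audits a constructed sample of ClusterRole and ClusterRoleBinding objects (shaped like the JSON that kubectl returns) for bindings that hand the pods/exec, pods/attach or pods/portforward sub-resources to the system:anonymous user or the system:unauthenticated group, and it checks a kube-apiserver command line for the --anonymous-auth=false flag. The role and binding names in the sample are invented for the demonstration.

```python
import json

# Sub-resources whose "create" verb opens a streaming connection through the API server.
RISKY_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}
# Identities an unauthenticated request is attributed to while anonymous auth is enabled.
ANONYMOUS_SUBJECTS = {"system:anonymous", "system:unauthenticated"}

# Constructed sample data, shaped like `kubectl get clusterroles,clusterrolebindings -o json`
# items. Names are invented for this example.
SAMPLE_CLUSTERROLES = json.loads("""
[
  {"metadata": {"name": "debug-exec"},
   "rules": [{"apiGroups": [""], "resources": ["pods/exec", "pods/portforward"], "verbs": ["create"]}]},
  {"metadata": {"name": "view-only"},
   "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
  {"metadata": {"name": "admin-all"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
]
""")

SAMPLE_BINDINGS = json.loads("""
[
  {"metadata": {"name": "anon-debug"},
   "roleRef": {"kind": "ClusterRole", "name": "debug-exec"},
   "subjects": [{"kind": "User", "name": "system:anonymous"}]},
  {"metadata": {"name": "everyone-view"},
   "roleRef": {"kind": "ClusterRole", "name": "view-only"},
   "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
  {"metadata": {"name": "ops-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "admin-all"},
   "subjects": [{"kind": "Group", "name": "ops-team"}]}
]
""")


def risky_subresources(role):
    """Return the streaming sub-resources this role may 'create'; wildcards count as all of them."""
    found = set()
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        if not ({"create", "*"} & verbs):
            continue
        resources = set(rule.get("resources", []))
        if "*" in resources:
            found |= RISKY_SUBRESOURCES
        else:
            found |= resources & RISKY_SUBRESOURCES
    return found


def anonymous_exec_grants(roles, bindings):
    """List (binding, subject, subresource) triples giving exec-style access to unauthenticated callers."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    hits = []
    for binding in bindings:
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole":
            continue
        role = roles_by_name.get(ref.get("name"))
        if role is None:
            continue
        risky = risky_subresources(role)
        for subject in binding.get("subjects", []):
            if subject.get("name") in ANONYMOUS_SUBJECTS:
                for sub in sorted(risky):
                    hits.append((binding["metadata"]["name"], subject["name"], sub))
    return hits


def anonymous_auth_disabled(apiserver_args):
    """True only if the kube-apiserver command line explicitly turns anonymous auth off.

    Both the '--flag=value' and the '--flag value' spellings are accepted."""
    for i, arg in enumerate(apiserver_args):
        if arg == "--anonymous-auth=false":
            return True
        if arg == "--anonymous-auth" and i + 1 < len(apiserver_args) and apiserver_args[i + 1] == "false":
            return True
    return False


if __name__ == "__main__":
    for binding, subject, sub in anonymous_exec_grants(SAMPLE_CLUSTERROLES, SAMPLE_BINDINGS):
        print(f"REVOKE: binding {binding} grants {sub} to {subject}")
    # Constructed command line standing in for the real kube-apiserver process arguments.
    sample_cmdline = ["kube-apiserver", "--authorization-mode=RBAC", "--anonymous-auth=false"]
    print("anonymous auth disabled:", anonymous_auth_disabled(sample_cmdline))
```

Against the sample, only the anon-debug binding is reported (for pods/exec and pods/portforward); everyone-view is ignored because pods/log with get/list is not one of the streaming sub-resources, and ops-admin is ignored because its subject is an authenticated group. On a live cluster the same functions can be fed the output of kubectl get clusterroles -o json and kubectl get clusterrolebindings -o json; namespaced Roles and RoleBindings would need the same treatment.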

New Kubernetes 1.13 features:

  • The Container Storage Interface (CSI) for writing plug-ins for various storage systems has been declared stable. The developers also stabilized the simplified interface for managing a Kubernetes cluster.
  • Also stabilized were the TAVS (Topology-Aware Volume Scheduling) container scheduler and the Kubelet Device Plugin Registration service, which gives plug-ins access to the Kubelet.
  • An experimental plug-in interface has been added that allows third-party monitoring systems to be integrated into Kubernetes.
  • APIServer DryRun, the kubectl diff command and the ability to use local block devices as persistent storage have reached beta status.
  • CoreDNS is now the default DNS server.