What is Skaffold?

Skaffold provides easy and repeatable Kubernetes development
10 July 2018

Skaffold is a command line tool that facilitates continuous development for Kubernetes applications. You can iterate on your application source code locally then deploy to local or remote Kubernetes clusters. Skaffold handles the workflow for building, pushing and deploying your application. It can also be used in an automated context such as a CI/CD pipeline to leverage the same workflow and tooling when moving applications to production.

Features

  • No server-side component. No overhead to your cluster.
  • Detect changes in your source code and automatically build/push/deploy.
  • Image tag management. Stop worrying about updating the image tags in Kubernetes manifests to push out changes during development.
  • Supports existing tooling and workflows. Build and deploy APIs make each implementation composable to support many different workflows.
  • Support for multiple application components. Build and deploy only the pieces of your stack that have changed.
  • Deploy regularly when saving files or run one-off deployments using the same configuration.

Skaffold has a pluggable architecture that allows you to choose the tools in the developer workflow that work best for you.

Get more info at GitHub.

Critical Vulnerability to be Fixed in Kubernetes 1.13

Issue allowed an attacker to gain full control over the cluster of containers
06 December 2018

Kubernetes 1.13 has been released, and in it the developers have fixed a privilege escalation vulnerability. The bug made it possible to gain full control over the cluster of containers.

To exploit the flaw, it was necessary to send a specially crafted discovery request to the backend API, which left the network connection open. This gave access to the API server and made it possible to send arbitrary commands to it. At the same time, the backend treated the requests as being sent by the server.

In addition, all Kubernetes users, including those who had not authenticated, could use this flaw. As it turned out, the problem goes back to version 1.0.

To fix it, update Kubernetes to version 1.10.11, 1.11.5, 1.12.3 or 1.13.0, or at least block anonymous access to the API using the option --anonymous-auth=false and revoke the rights to perform exec/attach/portforward operations.
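The three mitigations above can be checked mechanically. The following is an added example, not code from the Kubernetes project or from the original article: it tests a version string against the fixed releases listed here, checks the API server arguments for the anonymous-auth flag, and lists RBAC roles that still grant exec/attach/portforward. The role data is constructed sample input, and the function names are assumptions made for this sketch.

```python
import re

# Fixed patch release per minor line, as listed in the article.
FIXED = {(1, 10): 11, (1, 11): 5, (1, 12): 3, (1, 13): 0}
SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}

def is_patched(version):
    """True if a version such as 'v1.12.2' is at or above the fixed release of its minor line."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) > (1, 13):
        return True
    fixed = FIXED.get((major, minor))  # None for 1.9 and older: no fixed release listed
    return fixed is not None and patch >= fixed

def anonymous_auth_disabled(apiserver_args):
    """kube-apiserver allows anonymous requests unless the flag is explicitly false."""
    return "--anonymous-auth=false" in apiserver_args

def risky_grants(rbac_items):
    """Return sorted (role, subresource) pairs for rules that allow exec/attach/portforward."""
    found = set()
    for item in rbac_items:
        name = f'{item["kind"]}/{item["metadata"]["name"]}'
        for rule in item.get("rules") or []:
            core = {"", "*"} & set(rule.get("apiGroups", []))
            verbs = {"create", "get", "*"} & set(rule.get("verbs", []))
            if not (core and verbs):
                continue
            for res in rule.get("resources", []):
                # "*" and "pods/*" are RBAC wildcards that cover every pod subresource.
                hits = SUBRESOURCES if res in ("*", "pods/*") else SUBRESOURCES & {res}
                found.update((name, h) for h in hits)
    return sorted(found)

# Constructed sample input, shaped like the items of `kubectl get clusterroles -o json`.
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "dev-debug"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["get", "create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ops-all"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]

if __name__ == "__main__":
    print(is_patched("v1.12.2"), anonymous_auth_disabled(["--anonymous-auth=false"]))
    for role, sub in risky_grants(SAMPLE_ROLES):
        print(role, sub)
```

Roles reported by risky_grants still need their bindings reviewed to see which users or groups actually hold them.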

New Kubernetes 1.13 features:

  • The Container Storage Interface for creating plug-ins for various storage systems has been stabilized. The developers also stabilized a simplified interface for managing the Kubernetes cluster.
  • TAVS container distribution planner, as well as the Kubelet Device Plugin Registration service, which provides access to the Kubelet from plug-ins.
  • An experimental interface for creating plug-ins has been added, which allows integrating third-party monitoring systems into Kubernetes.
  • APIServer DryRun, the kubectl diff command and the ability to use local block devices as persistent data stores have reached beta status.
  • CoreDNS is now used as the default DNS server.