Kubernetes

Kubernetes is an open source project designed to manage a cluster of Linux containers as a single system in a microservice architecture.  Kubernetes manages and runs Docker containers on a large number of hosts, as well as enables the sharing and replication of a large number of containers. The project was started by Google, and then many large IT companies connected to it, including Microsoft, Red Hat, IBM and Docker.

2022

Kubernetes 1.26

In early December 2022, an updated version of Kubernetes was presented - 1.26. Kubernetes (or K8s for short) is open source software for orchestrating containerized applications, automating their deployment, scaling and management in a cluster. In this version, the functionality proposed and implemented by Flant appeared - it was adopted by the platform developers as Kubernetes Enhancement Proposal (KEP). This was announced on December 26, 2022 by the Flant company.

Kubernetes

According to the company, the architect of the Kubernetes platform Deckhouse of Flant Maxim Nabokikh pointed out to the developers K8s the missing functionality in the project API, which would largely optimize the receipt of information about which authenticator is used and what access rights will be issued to the user. Maxim's proposal, especially relevant in cases of applying a complex authentication process in Kubernetes clusters, received support among those responsible for the direction of authentication and authorization in the Kubernetes project. Subsequently, it was implemented by his own forces and presented in the status of an alpha version in the Kubernetes 1.26 release.

Since Kubernetes is an Open Source project, as of December 2022, the entire world community is involved in its development. Among the companies that are making changes to the Kubernetes codebase are IT corporations such as Google, Red Hat, VMware, Microsoft, IBM and many others. In order for the change at Kubernetes to be accepted, it must be approved by the technical committee responsible for the specific components of the project. When a change becomes significant enough, it must be documented in the form of KEP, which describes and agrees on the details of why the proposed changes are needed, what problems they solve and what approach is adopted during implementation.

Each Kubernetes release includes a number of fixes to older functionality and updated features documented in KEP. The changes first appear in Alpha status so that all Kubenetes users can test them in their installations and make sure that they work correctly. The level of stability of these functions is gradually increased (to Beta, and then to GA) with subsequent releases of the project.

The main Kubernetes distribution, which is developing as an Open Source project with official releases from the world community, is called "vanilla" - in other words, original, i.e. without any specific functionality from vendors, but only with functions approved by the entire community. Then, on the basis of vanilla Kubernetes, vendors create their own Kubernetes platforms.

How to get started with Kubernetes

Kubernetes (or K8s as it is often called) is a popular container management system that facilitates the deployment, scaling, and management of containerized applications. This powerful tool helps organizations simplify infrastructure management and improve application reliability. In this article , we will look at the steps required to get started with Kubernetes. Read more here.

More than 380,000 Kubernetes API servers are not sufficiently protected

On May 18, 2022, it became known that more than 380,000 servers API Kubernetes were not sufficiently protected.

Most of the vulnerable servers are located in the United States, the rest in Western Europe, Southeast Asia and Australia.

After another daily scan of the IPv4 space on ports 443 and 6443, looking for IP addresses that respond with the status HTTP 200 OK, ShadowServer found 381,645 instances of the Kubernetes API that answered "200 OK," which indicates that the request was successful. This does not indicate a complete lack of protection for servers, but the organization believes that they represent an unjustifiably open surface for attackers to attack.

The organization's scan also showed the Kubernetes version (the most popular were versions 1.17 to 1.22) and the platform (LinuxAMD64 the vast majority of open copies).

Users who subscribe to the ShadowServer newsletter will receive data on open instances of Kubernetes on their network absolutely free of charge. For subscribers who have received notifications about open instances of the API, experts recommend that you familiarize yourself with the official guide for ensuring security of access to the Kubernetes^[1] API^[2].

Output Kubernetes 1.24

On May 5, 2022, it became known that the release of the Kubernetes 1.24 container orchestration platform was available, which allows managing a cluster of isolated ones as a whole containers and provides mechanisms for deploying, maintaining and scaling applications executed in containers. The project was originally created by the company, Google but then transferred to an independent site supervised by the organization. Linux Foundation The platform is positioned as a community-developed, universal solution that is not tied to individual systems and can work with any application in any cloudy environment. The Kubernetes code is written in the language Go and distributed under 2.0. license Apache

Functions for deploying and managing infrastructure are provided, such as maintaining a DNS database, load balancing, distributing containers to cluster nodes (migrating containers depending on load changes and service needs), application-level health checks, account management, updating and dynamically scaling the working cluster, without stopping it. It is possible to deploy container groups with update and undo operations for the entire group at once, as well as logical division of the cluster into parts with the division of resources. There is support for dynamic migration of applications where both local storage and networked storage can be used to store data.

Key changes in this release:

• Storage Capacity Tracking tools have been stabilized to monitor free space in partitions and transmit data to the control node to prevent running pods on nodes that do not have enough free space.
• The ability to expand storage partitions has been stabilized. The user can resize existing partitions, and Kubernetes will automatically expand the partition and its associated file system without stopping.
• The delivery of runtime Dockershim, which was positioned as a temporary solution for using Docker in Kubernetes, which is not compatible with the standard CRI (container runtime interface) interface and leads to additional complication of kubelet, has been discontinued. To manage isolated containers, use a runtime that supports a CRI interface such as containerd and CRI-O, or use the cri-dockerd binding that implements the CRI interface over the Docker Engine API.
• Experimental support was provided for verifying container images using digital signatures the Sigstore service, which conducts a public log for authentication (transparency log). To prevent supply chain attacks and component substitution, digital signatures of release-related artifacts, including all executable files Kubernetes, are also provided.
• By default, clusters have stopped enabling APIs in the beta state (the test APIs added in previous releases are saved, the change only applies to the current APIs).
• Test support for the OpenAPI v3 format has been implemented.
• An initiative to transfer storage plugins to the unified CSI (Container Storage Interface) is presented, while maintaining compatibility at the API level. The Azure Disk and OpenStack Cinder plugins have been transferred to CSI.
• Kubelet Credential Provider has been transferred to the beta testing stage, which allows you to dynamically extract credentials for the container image repository through running plugins, without storing credentials in the node's file system.
• It is possible to reserve a range of IP addresses for assignment to services. When this option is enabled, the cluster will automatically assign only IP addresses to services from the pool pre-allocated for each service, which avoids collisions when issuing free addresses from the common set.^[3]

2019

Commvault introduced a container service - Metallic BaaS for Kubernetes

On November 18, 2020, Commvault, an enterprise-class data management software company in cloud and on-premises environments, announced the availability of the Metallic BaaS service for Kubernetes. Read more here.

HPE unveils Kubernetes-based container platform

In November 2019, Hewlett Packard Enterprise (HPE) introduced, as the company claims, the first enterprise-class container platform on the market based on Kubernetes. The solution was called HPE Container Platform. Read more here.

The power of Open Source: How Kubernetes forced VMware to change the architecture of its flagship product

In November 2019, VMware announced the release of a beta version of its new project, Project Pacific, which the company had been working on for about three years. It offers a suite of tools to transform vSphere - VMware's flagship product - into a native platform for Kubernetes clusters. While Project Pacific is open to a limited number of customers. Later, it should become available to a wider range of customers, and then - appear in new releases of vSphere. Read more here.

Windows Support

At the end of March 2019, Kubernetes 1.14 was released, which introduced full support for Windows containers. Previously, such a function was available only in test mode.

Kubernetes now officially supports adding Windows nodes as work nodes and scheduling Windows containers, allowing a vast ecosystem of Windows applications to take advantage of the capabilities of our platform, the Kubernetes developers said in a statement.

Support for Windows appeared in the platform for Kubernetes applications

Thanks to the innovation, companies with applications running on both Linux and Windows no longer need to install and manage individual orchestrators to manage workloads. Until now, the project was focused only on Linux.

Red Hat called official support for Windows "the culmination of a huge amount of work over the past year."

In addition to supporting Windows nodes, the platform for automating deployment, scaling and managing containerized applications has received about three dozen more new features. Among the most important, it is worth noting that dynamic Kubernetes failover clusters can now be created using the familiar (in the context of single-node clusters ) kubeadm (init  and join) commands. Other changes:

• For Windows installations, an alpha version of  gMSA (Group Managed Service Account) support has appeared - special accounts in Active Directory that can be used by containers.

• Official CoreDNS support

• Support for large pages 

• Updated kubectl logo and its documentation 

• kubectl was taught how to copy files selected using a wild card.

Kubernetes remains one of the most popular projects on GitHub, with more than 6,500 members (at the end of March 2019). The popularity of the platform is due to the growing interest of companies in microservice architecture. Against the background of high demand, Windows support was a matter of time.^[4]

2018

Exploits for vulnerability in Kubernetes

On December 11, 2018, Securitylab reported that news of a newly discovered vulnerability in Kubernetes had seriously stirred up the information security community. On December 11, 2018, a number of demo exploits for her appeared in conjunction with the available instructions.

The vulnerability allows an unauthorized user to elevate their privileges and run commands to gain full control over the node. With the help of specially configured requests, an attacker can establish communication with the target server through the Kubernetes API server. The default system settings allow any user, both authorized and unauthorized, to send API discovery requests, which greatly facilitates the task for attackers.

A fix for the vulnerability exists, however, as noted by Twistlock researcher Ariel Zelivansky, it "cannot be applied without breaking something in the cluster." The only reliable way to protect against attacks is to upgrade Kubernetes to version 1.10.11, 1.11.5, 1.12.3 or 1.13.0-rc.1.

Shortly after discovering the vulnerability, Zelivanski wrote a simple Ruby script to attack the metrics-server aggregator used to monitor the CPU and RAM resources of the container (metrics-server uses the extensions function for the API server). The video he published shows how the exploit allows you to get information about modules from all namespaces in the cluster. The script can be executed from any module and works subject to the deployment of metrics-server and default configuration.

On December 5, just two days after the vulnerability was revealed, Gravitational published its PoC exploit on GitHub. The tool is a utility for checking for a vulnerability in the Kubernetes cluster. However, as the developers warned, the utility may produce "incorrect results under certain circumstances."

The third exploit was presented by a Twitter user under the pseudonym Vincent. Initially, with its help, an unauthorized user could steal information from the etcd-kubernetes module, where critical data is stored by default. ^[5].

The first serious vulnerability

In December 2018, it became known about the first serious vulnerability of Kubernetes. Since this container orchestration platform has become popular, the appearance of "holes" in its defense was a matter of time, notes the ZDNet portal.

The severity of the vulnerability, designated CVE-2018-1002105, was estimated at 9.8 points out of 10 possible on the CVSS scale. Using this flaw, hackers could establish a connection to the backend API using a specially prepared network request, and then send arbitrary requests to the backend itself. Vulnerable Kubernetes installations allowed all this to be done using TLS credentials for the API server. This problem was reported by Rancher Labs, which offers a solution of the form "Kubernetes as a Service" (Kubernetes-as-a-Service).

First serious vulnerability found in Kubernetes

According to experts, unauthorized requests over an established connection are indistinguishable from those authorized in server logs, so there is no easy way to check: whether someone is exploiting this vulnerability. Through it, you can inject malicious code or steal sensitive data, as well as undermine the work of applications and services of enterprises protected by a firewall.

To fix, you need to upgrade Kubernetes to versions 1.10.11, 1.11.5, 1.12.3, and 1.13.0, or at least block anonymous access to the API using the anonymous-auth  = false option , and revoke the rights to perform  exec/attach/portforward operations^[6]

Notes