One of the great things about Kubernetes is that it completely separates authentication and authorization. Authentication (Authn) meaning the act of identifying who the user is and authorization (Authz) meaning the act of working out if they’re allowed to perform some action. This can be thought of in terms of a Passport and a Visa.
The open source revolution is back in full swing with the rise of Kubernetes. Flexibility and agility are the key factors to making the most of the cloud, multicloud, or hybrid cloud era. Kubernetes makes that easier by granting DevOps teams greater control across their infrastructure. But easier does not necessarily mean easy — there are still hurdles to overcome.
We are excited about Calico v3.5 release. This release provides more control and allows much finer-grained dynamic IP management vs the static allocation of a fixed set of addresses to each node in native Kubernetes. Here are the details.
One of the key Kubernetes security concepts is that workload identity is tied back to information that the orchestrator has. The orchestrator is actually the authoritative entity for what the actual workloads are in the platform. Kubernetes uses labels to select objects and to identify collections of objects that satisfy certain conditions. We, and others in the Kubernetes networking space, often talk about using Kubernetes ‘labels’ as identity bearers.
Kubernetes is a fantastic tool for building large containerised software systems in a manner that is both resilient and scalable. But the architecture and design of Kubernetes has evolved over time, and there are some areas that could do with tweaking or rethinking. This post digs into some issues related to how image tags are handled in Kubernetes and how they are treated differently in plain Docker.
I am embracing managed Kubernetes services and here’s my journey. While I attended KubeCon 2018 ready to soak up all I could about Kubernetes and the cloud-native ecosystem, I sought to learn as much as I could to aid me in running my clusters day to day. More importantly, though, I experienced a fundamental shift in what I see as the future of Kubernetes, and what getting started in Kubernetes looks like for companies today.
In this post, I’m going to cover some of the fundamentals of how Calico works. I really don’t like the idea that with these Kubernetes deployments, you simply grab a yaml file and deploy it, sometimes with little to no explanation of what’s actually happening. Hopefully, this post will servce to better understand what’s going on.
A Docker image contains an application and all its dependencies. As it also contains the numerous binaries and libraries of an OS, it’s important to make sure no vulnerabilities exist in its root filesystem, or at least no critical or major ones. Scanning an image within a CI/CD pipeline can ensure this additional level of security.
With the start of the new year, it is a good time to look at what changes have happened in our industry over the last 12 months. With the help of a few recent industry surveys and some of our own perspective, I’d like to summarize some of the key trends that we are seeing.
I talk a lot about containerd. I write blog posts about it, speak at conferences about it, give introductory presentations internally at IBM about it and tweet (maybe too much) about it. Due to my role at IBM, I’ve helped IBM’s public cloud Kubernetes service, IKS, start a migration to use containerd as the CRI runtime in recent releases and similarly helped IBM Cloud Private (our on-premises cloud offering) offer containerd as a tech preview in the past two releases.
