Cloud Native Weekly: CNCF Announces KubeEdge Graduation
Open Source project recommendations
Watchtower
Watchtower is a project that automatically monitors and updates running Docker containers. It periodically checks Docker Hub or a private registry for a newer version of each container's image, pulls it, and restarts the container on the new image. To do this it needs access to the Docker socket, and it deploys whatever the registry currently serves for a tag without any review, which is why it suits development, testing, and personal use but is not recommended for production environments.
Vulhub
Vulhub is an open-source collection of pre-built vulnerable environments. The project includes over 180 realistic vulnerabilities, each packaged with the environment needed to reproduce it. Without any particular Docker expertise, users can bring up a complete application containing a given vulnerability with a single command.
Kratos
Kratos is a set of Go microservice frameworks and tools open-sourced by Bilibili. It addresses the gaps that appear when adapting Gin to microservice scenarios and supplies a series of supporting microservice ecosystem components.
OpenHands
OpenHands is an AI-powered assistant for software development, formerly known as OpenDevin, that aims to be an open-source alternative to Devin. It provides an intuitive interface through which users complete software development tasks with natural-language instructions, including cloning a project, modifying code, executing commands, calling APIs, and submitting code. OpenHands also runs inside Docker and supports a range of AI model interfaces, giving users an efficient and flexible development experience.
Technical recommendations
Kubernetes Image Builder Exposes Severe Vulnerability, Risking Root Access to Nodes
This article covers a recently disclosed critical security vulnerability (CVE-2024-9486, CVSS score: 9.8) affecting Kubernetes Image Builder. If successfully exploited, it can grant root access to a node in specific scenarios. The root cause is that default credentials are enabled during the image build, and virtual machine images built with the Proxmox provider are shipped without those credentials disabled, leaving a node booted from such an image open to login with the known defaults.
The Kubernetes Image Builder maintainers fixed this in version 0.1.38 by replacing the default credentials with randomly generated passwords and disabling the build account at the end of image construction. The same release also addresses a related default-credential issue with the Nutanix, OVA, QEMU, and raw providers (CVE-2024-9594, CVSS score: 6.3).
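The check a practitioner wants after reading the above is whether a built image still carries a usable build-time account. The following is an added example, not code from Kubernetes Image Builder or from the article: it classifies entries in shadow(5)-formatted text and flags any listed build account that is neither locked nor removed. The account name "builder", the "packer" entry, and the shadow lines are constructed sample data, not taken from the advisory.

```go
package main

import (
	"fmt"
	"strings"
)

// PasswordState classifies the second (hash) field of a shadow(5) entry.
type PasswordState string

const (
	StateMissing PasswordState = "missing" // no entry: the account was removed
	StateLocked  PasswordState = "locked"  // "!" or "*" prefix: password login impossible
	StateEmpty   PasswordState = "empty"   // empty hash: passwordless login may be allowed
	StateUsable  PasswordState = "usable"  // a real hash: password login works
)

// ShadowState parses shadow-formatted text and reports the state of one user.
func ShadowState(shadow, user string) PasswordState {
	for _, line := range strings.Split(shadow, "\n") {
		fields := strings.Split(line, ":")
		if len(fields) < 2 || fields[0] != user {
			continue
		}
		hash := fields[1]
		switch {
		case hash == "":
			return StateEmpty
		case strings.HasPrefix(hash, "!") || strings.HasPrefix(hash, "*"):
			return StateLocked
		default:
			return StateUsable
		}
	}
	return StateMissing
}

// AuditBuildAccounts returns the accounts that a finished image must not carry
// in a usable state: anything that is neither locked nor removed.
func AuditBuildAccounts(shadow string, accounts []string) []string {
	var findings []string
	for _, a := range accounts {
		switch ShadowState(shadow, a) {
		case StateLocked, StateMissing:
			// disabled at the end of the build, or never present: fine
		default:
			findings = append(findings, a)
		}
	}
	return findings
}

// sampleShadow is constructed data (assumption: "builder" is the build account).
// "builder" still has a live hash, "packer" was locked, "root" has no password login.
const sampleShadow = `root:*:19600:0:99999:7:::
builder:$6$saltsalt$notarealhash0123456789:19600:0:99999:7:::
packer:!:19600:0:99999:7:::`

func main() {
	for _, u := range []string{"builder", "packer", "root", "nobody"} {
		fmt.Printf("%-8s %s\n", u, ShadowState(sampleShadow, u))
	}
	if bad := AuditBuildAccounts(sampleShadow, []string{"builder", "packer"}); len(bad) > 0 {
		fmt.Println("FAIL: build accounts left usable:", bad)
	}
}
```

On a real node, feed the contents of /etc/shadow from the booted image to ShadowState; a "missing" result is as acceptable as "locked", since removing the account is the other valid way to close the hole.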
WebAssembly: The Potential Evolutionary Choice for Containers
At the inaugural InfoQ DevSummit in Munich, Danielle Lancashire, Chief Software Engineer at Fermyon, suggested that WebAssembly containers, as a more environmentally friendly alternative, could be the next evolutionary step beyond today's container-based serverless computing. Lancashire first discussed the carbon efficiency of software with reference to the Green Software Foundation's Software Carbon Intensity (SCI) standard. She pointed out that while choosing an efficient programming language matters, improving computational density is often more important than the efficiency of any single application.
Lancashire believes that current containerization methods, and the whole progression from bare metal to virtual machines to containers, still leave room for improvement. Thanks to its small size, portability, fast start-up and shutdown, and sandboxed execution, WebAssembly can serve as a server-side deployable unit through implementations of the WebAssembly System Interface (WASI). In her view, a serverless architecture built on WebAssembly units gives organizations infrastructure that is faster and cheaper, both financially and in carbon emissions. WebAssembly deployable units may therefore be the evolutionary step after containers.
Statement and Solution for KubeSphere IDOR Security Vulnerability CVE-2024–46528
The article discusses a security vulnerability (CVE-2024-46528) in KubeSphere affecting versions 3.4.1 and 4.1.1. This Insecure Direct Object Reference (IDOR) vulnerability allows a low-privileged but authenticated user to access sensitive resources they were never authorized for. As a workaround, the article recommends removing non-essential resource authorizations from the authenticated role. A fix is planned for the upcoming KubeSphere version 4.1.3, expected in January 2025. The KubeSphere team emphasizes its commitment to user security and thanks the discoverer of the vulnerability.
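To show the bug class behind the advisory above, here is an added example that is not KubeSphere code and does not reproduce the actual KubeSphere flaw: a lookup that treats "is authenticated" as sufficient (the IDOR), beside a lookup that authorizes against the object's own scope. The resource kinds, namespaces, user names, and the tiny binding model are illustrative assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Resource is any namespaced object that a client addresses by identifier.
type Resource struct {
	ID, Namespace, Kind, Data string
}

// Binding grants a user a set of verbs on one kind within one namespace
// (a deliberately minimal stand-in for real role bindings).
type Binding struct {
	User, Namespace, Kind string
	Verbs                 []string
}

var (
	ErrUnauthenticated = errors.New("401: authentication required")
	ErrNotFound        = errors.New("404: no such resource")
)

// Store is an in-memory stand-in for the platform's object store.
type Store struct {
	objects  map[string]Resource
	bindings []Binding
}

// GetVulnerable is the IDOR: being authenticated is the only check, so any
// logged-in user can read any object whose ID they can guess or enumerate.
func (s *Store) GetVulnerable(user, id string) (Resource, error) {
	if user == "" {
		return Resource{}, ErrUnauthenticated
	}
	r, ok := s.objects[id]
	if !ok {
		return Resource{}, ErrNotFound
	}
	return r, nil
}

// allowed answers "may user perform verb on kind in namespace?" from bindings.
func (s *Store) allowed(user, verb, namespace, kind string) bool {
	for _, b := range s.bindings {
		if b.User != user || b.Namespace != namespace || b.Kind != kind {
			continue
		}
		for _, v := range b.Verbs {
			if v == verb {
				return true
			}
		}
	}
	return false
}

// GetAuthorized resolves the object first, then authorizes the caller against
// the object's own scope (its namespace and kind) rather than against a
// platform-wide "authenticated" role. A forbidden object is reported exactly
// like a missing one so the endpoint does not leak which IDs exist.
func (s *Store) GetAuthorized(user, id string) (Resource, error) {
	if user == "" {
		return Resource{}, ErrUnauthenticated
	}
	r, ok := s.objects[id]
	if !ok || !s.allowed(user, "get", r.Namespace, r.Kind) {
		return Resource{}, ErrNotFound
	}
	return r, nil
}

// NewSampleStore builds constructed data: one secret in team-a, which only
// alice is bound to read; bob is bound only in team-b.
func NewSampleStore() *Store {
	return &Store{
		objects: map[string]Resource{
			"secret-42": {ID: "secret-42", Namespace: "team-a", Kind: "secrets", Data: "db-password"},
		},
		bindings: []Binding{
			{User: "alice", Namespace: "team-a", Kind: "secrets", Verbs: []string{"get", "list"}},
			{User: "bob", Namespace: "team-b", Kind: "secrets", Verbs: []string{"get"}},
		},
	}
}

func main() {
	s := NewSampleStore()
	for _, u := range []string{"alice", "bob", ""} {
		_, errV := s.GetVulnerable(u, "secret-42")
		_, errA := s.GetAuthorized(u, "secret-42")
		fmt.Printf("user=%-8q vulnerable=%v authorized=%v\n", u, errV, errA)
	}
}
```

The workaround in the article, trimming what the authenticated role may touch, shrinks the blast radius of the vulnerable path; the durable fix is the second shape, where every object read is authorized against that object's scope.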
What’s new in cloud native
CNCF Announces KubeEdge Graduation
KubeEdge, an open-source edge computing project based on Kubernetes, officially graduated from the Cloud Native Computing Foundation (CNCF) on October 15, 2024. Since its open-sourcing by Huawei Cloud in 2018, KubeEdge has expanded into a large community with 15 maintainer organizations and over 1,600 contributors from 110 organizations in 35 countries.
It extends Kubernetes’ functionalities to the edge, widely used in industries such as CDN and intelligent transportation, and has received widespread industry recognition. In the future, KubeEdge will continue to maintain open governance and collaboration, explore new areas, and provide users with more reliable and stable services.
Backward Compatibility in Keycloak Versions
Keycloak is adjusting its release strategy to ease the burden of deployment upgrades: the server will ship four minor versions each year, with a major version every 2 to 3 years. The client libraries will be released separately and support all currently supported server versions. New features and improvements will be introduced in a backward-compatible way. Breaking changes in minor versions will be opt-in and versioned, so that new features or new API versions can be introduced gradually.
About KubeSphere
KubeSphere is an open source container platform built on top of Kubernetes with applications at its core. It provides full-stack IT automated operation and streamlined DevOps workflows.
KubeSphere has been adopted by thousands of enterprises across the globe, such as Aqara, Sina, Benlai, China Taiping, Huaxia Bank, Sinopharm, WeBank, Geko Cloud, VNG Corporation and Radore. KubeSphere offers wizard interfaces and various enterprise-grade features for operation and maintenance, including Kubernetes resource management, DevOps (CI/CD), application lifecycle management, service mesh, multi-tenant management, monitoring, logging, alerting, notification, storage and network management, and GPU support. With KubeSphere, enterprises are able to quickly establish a strong and feature-rich container platform.
To stay updated, visit our official website or follow us on Twitter.