AWS CDK Risk: Exploiting a Missing S3 Bucket Allowed Account Takeover
October 24, 2024 at 11:21AM
via Instapaper
October 24, 2024 at 11:02AM
via Instapaper
Week Ending October 20, 2024
https://lwkd.info/2024/20241022
Developer News
Join other members of your SIG for the Kubernetes SIG Meet & Greet & Lunch & Learn at Kubecon on Nov 14th. Sign up to table for your SIG.
If you are a SIG lead, please also add callouts for the Summit opening session to find new contributors for your SIG.
The Summit Social will be at Flanker and will have the usual fun & games. Unusually, due to Utah law, you will be required to bring an ID/passport. Also, the Summit is still looking for volunteers to help staff.
Release Schedule
Next Deadline: Docs placeholder PRs deadline, October 24
We are now in Enhancements Freeze, and Alpha2 has been released. For those working on 1.32 enhancements and documentation updates, now’s the time to open your PR against dev-1.32 on the kubernetes/website repo. It would be awesome if full docs are ready, but a placeholder PR will keep your contribution on track. Final exceptions for missed Enhancements are due on Monday.
October patch releases were delayed due to Go update issues. They are available now for v1.28.15, v1.29.10, v1.30.6, and v1.31.2.
KEP of the Week
KEP 784: Kube Proxy component configuration graduation
This KEP proposes a plan to graduate kube-proxy’s component configuration to beta, addressing its current complexity. Originally configured via command-line flags, kube-proxy’s config became difficult to manage as new features were added, staying in v1alpha1. The current format is hard to use, with poorly grouped options and inconsistencies, making restructuring and stabilization necessary.
This KEP is tracked for alpha release in the ongoing v1.32 cycle.
Other Merges
scheduler_perf test cases added for NodeUpdate event handling
Apply fsGroup policy for ReadWriteOncePod volumes
Fix AssignedPodUpdated in scheduler to check if the incoming events are scale down events
Removed legacy cloud provider integration code from kube-controller-manager
Fix for 1.31 regression that can crash kube-controller-manager’s service-lb-controller loop
Clarification for API validation error for toleration if operator is Exists and value is not empty
Fix for kubelet wrongly dropping the QOSClass field of the Pod’s status when it rejects a Pod
Image pull error used in messages during back-off
Fix for failing storage e2e test
Improvements to CSILimits plugin accuracy by using VolumeAttachments
Added kubelet support for systemd watchdog integration
More fine-grained QHints for podtopologyspread plugin
Add e2e test for custom profile in kubectl debug
container_aligned_compute_resources_count metric added to kubelet to report containers getting aligned compute resources
corev1.Binding deprecation message removed
kubeadm removes preflight check for existence of conntrack binary
e2e tests added for ClusterTrustBundle to prepare promotion to beta
Fixed issue in the kubelet that showed when writeable layers and read-only layers were at different paths within the same mount
Fine-grained kubelet API authorization checks added for kubelet /configz, /healthz and /pods API
CRI adds field to support CPU affinity on Windows
Refactor for node shutdown manager
Promotions
StructuredAuthorizationConfiguration to GA
ServiceAccountTokenJTI, ServiceAccountTokenPodNodeInfo and ServiceAccountTokenNodeBindingValidation to GA
AuthorizeNodeWithSelectors and AuthorizeWithSelectors to beta
RelaxedEnvironmentVariableValidation to beta
Deprecated
PostStartHookContext.StopCh removed
Version Updates
publishing-bot rules updated to Go 1.22.8
via Last Week in Kubernetes Development https://lwkd.info/
October 22, 2024 at 12:30PM
octodns/octodns: Tools for managing DNS across multiple providers
DNS as code - Tools for managing DNS across multiple providers. In the vein of infrastructure as code, octoDNS provides a set of tools & patterns that make it…
October 23, 2024 at 07:26AM
via Instapaper
The Narrows Bridge: From Open Source to AI
October 22, 2024 at 01:56PM
via Instapaper
When Kubernetes and Go don't work well together, with Emin Laletović
https://kube.fm/kubernetes-go-emin
Discover how a seemingly simple 502 error in Kubernetes can uncover complex interactions between Go and containerized environments.
Emin Laletović, a solution architect at Hybird Technologies, shares his experience debugging a production issue in which a specific API endpoint failed due to out-of-memory errors.
He walks through the systematic investigation process, from initial log checks to uncovering the root cause in Go's memory management within Kubernetes.
You will learn:
How Go's garbage collector interacts with Kubernetes resource limits, potentially leading to unexpected OOMKilled errors.
The importance of the GOMEMLIMIT environment variable in Go 1.19+ for managing memory usage in containerized environments.
Debugging techniques for memory-related issues in Kubernetes, including GODEBUG for garbage collector tracing.
Considerations for optimizing Go applications in Kubernetes, balancing performance and resource utilization.
Sponsor
This episode is sponsored by StormForge – Double your Kubernetes resource utilization and unburden developers from sizing complexity with the first HPA-compatible vertical pod rightsizing solution. Try it for free.
More info
Find all the links and info for this episode here: https://kube.fm/kubernetes-go-emin
via KubeFM https://kube.fm
October 22, 2024 at 06:00AM
Day 2 Operations Solved for Internal Developer Platforms with Kubernetes and Crossplane
In this video we tackle a major challenge in Internal Developer Platforms built on top of Kubernetes: enabling developers to not only manage their applications and infrastructure but also to observe and troubleshoot them effectively. We demonstrate how to propagate meaningful status information to top-level resources using Crossplane and the Status Transformer Function. Watch as we solve real-world issues, making day 2 operations easier for developers without overwhelming them with low-level details. Learn how to create custom resource definitions (CRDs) and controllers that simplify the developer experience.
Consider joining the channel: https://www.youtube.com/c/devopstoolkit/join
▬▬▬▬▬▬ 🔗 Additional Info 🔗 ▬▬▬▬▬▬
➡ Transcript and commands: https://devopstoolkit.live/internal-developer-platforms/internal-developer-platform-day-2-operations-solved-with-kubernetes-and-crossplane
🔗 Crossplane: https://crossplane.io
🎬 Status Transformer Crossplane Function: https://github.com/crossplane-contrib/function-status-transformer
🎬 Kubernetes Events Are Broken (If You Are Building a Developer Portal): https://youtu.be/xAl3TAfFE_M
▬▬▬▬▬▬ ⏱ Timecodes ⏱ ▬▬▬▬▬▬
00:00 Introduction
02:13 The Problem In Kubernetes
08:25 The Problem With Custom Resources
12:16 Status Propagation
18:31 How It's Done
via YouTube https://www.youtube.com/watch?v=KLHNrLWmBfw
Introducing Netflix’s TimeSeries Data Abstraction Layer
Written by Netflix Technology Blog. Learn more about how Netflix designs, builds, and operates our systems and…
October 21, 2024 at 09:26AM
via Instapaper
Cloud Cost - Feat. OpenCost, StormForge, and CAST AI (You Choose!, Ch. 04, Ep. 07)
Cloud Cost - Choose Your Own Adventure: The Observability Odyssey
In this episode, we'll go through cloud cost and resource optimization. The contestants are OpenCost, StormForge, and CAST AI.
Vote for your choice of a tool for signing artifacts at https://cloud-native.slack.com/archives/C05M2NFNVRN. If you have not already joined CNCF Slack, you can do so from https://slack.cncf.io.
This and all other episodes are available at https://www.youtube.com/playlist?list=PLyicRj904Z9-FzCPvGpVHgRQVYJpVmx3Z.
More information about the "Choose Your Own Adventure" project including the source code and links to all the videos can be found at https://github.com/vfarcic/cncf-demo.
٩( ᐛ )و Whitney's YouTube Channel → https://www.youtube.com/@wiggitywhitney
▬▬▬▬▬▬ 🔗 Additional Info 🔗 ▬▬▬▬▬▬ 🔗 Progressive Delivery: https://github.com/vfarcic/cncf-demo/tree/main/manuscript/cost/README.md
via YouTube https://www.youtube.com/watch?v=5P_6vlmjQm4