The k8s ecosystem weekly mainly collects recommended news about the k8s ecosystem that I come across each week. Welcome to the k8s ecosystem column.
Kind (Kubernetes in Docker) v0.5.1 officially released
Kind (Kubernetes in Docker) is widely used in the CI environments of Kubernetes upstream and related projects. It is also very convenient as a personal, local test environment, and is worth trying.
In this release, the default Kubernetes version is updated to v1.15.3, port forwarding is supported for the UDP and SCTP protocols, the node image build is optimized to make it faster, and limited support for arm32 is added.
This release also improves kind load for images: instead of judging only by image name and tag, it now adds hash value verification. It also corrects a problem where some services could be affected by the proxy when a proxy is in use (friendly to domestic users).
For more information about this release, please refer to the ReleaseNote. You are welcome to use it and give feedback.
Kubernetes is affected by security vulnerabilities in Go's net/http
Kubernetes recently released v1.15.3, v1.14.6 and v1.13.10, only two weeks after the last collective update. For an explanation of that previous update, please refer to the k8s ecosystem weekly from two weeks ago. This time, however, the root cause of the vulnerability is not in the functional logic of Kubernetes but in the net/http library of the Go language it uses: security vulnerabilities CVE-2019-9512 and CVE-2019-9514.
For information about this vulnerability, please refer to golang / go_. In addition, Go has recently released several versions; upgrading to v1.12.9 is recommended.
Because net/http is part of the standard library, the impact is relatively large. Recently, k8s has been upgraded from 1.12.6 to 1.12.9 one after another. The Docker team has also updated.
Finally, it is recommended to upgrade as soon as possible.
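An added example (not from the original post or from the Kubernetes project): a Python check that classifies the versions reported by `kubectl version -o json` against the fixed releases named above. The sample JSON is constructed, and release lines the post does not mention are reported as unknown rather than guessed.

```python
import json
import re

# Fixed releases named in this post (release line -> first patched patch level).
K8S_FIXED = {(1, 15): 3, (1, 14): 6, (1, 13): 10}
GO_FIXED = {(1, 12): 9}

_VER = re.compile(r"^(?:v|go)?(\d+)\.(\d+)(?:\.(\d+))?(-(?:alpha|beta|rc)\b)?")

def status(version, fixed):
    """Classify one version string against the post's fixed releases."""
    m = _VER.match(version.strip())
    if not m:
        return "unknown"
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    floor = fixed.get((major, minor))
    if floor is None:
        return "unknown"  # release line not covered by the post
    # A pre-release tag such as v1.15.3-beta.0 sorts before v1.15.3 itself.
    # Other suffixes (vendor build tags) are ignored: an assumption of this example.
    released = 0 if m[4] else 1
    return "patched" if (patch, released) >= (floor, 1) else "needs-upgrade"

def audit(kubectl_version_json):
    """Map each component in `kubectl version -o json` output to a verdict."""
    report = {}
    for component, info in json.loads(kubectl_version_json).items():
        if not isinstance(info, dict):
            continue  # skip non-component fields
        verdicts = {
            status(info.get("gitVersion", ""), K8S_FIXED),
            status(info.get("goVersion", ""), GO_FIXED),
        }
        if "needs-upgrade" in verdicts:
            report[component] = "needs-upgrade"
        elif verdicts == {"patched"}:
            report[component] = "patched"
        else:
            report[component] = "unknown"
    return report

# Constructed sample shaped like `kubectl version -o json` output.
SAMPLE = json.dumps({
    "clientVersion": {"gitVersion": "v1.15.3", "goVersion": "go1.12.9"},
    "serverVersion": {"gitVersion": "v1.14.5", "goVersion": "go1.12.5"},
})

if __name__ == "__main__":
    for component, verdict in audit(SAMPLE).items():
        print(f"{component}: {verdict}")
```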
Kubernetes v1.16.0-beta.1 released
Development this cycle is basically on schedule. v1.16.0-beta.1 was released this week, and the official version should follow soon.
The content of this update will not be covered in detail for now. If you are interested, please refer to the ReleaseNote directly.
Flux, produced by Weaveworks, becomes a CNCF sandbox project
Flux has successfully joined the CNCF as a Kubernetes GitOps operator.
It was originally created to speed up the development workflow at Weaveworks, but it later became relatively independent and its project planning is relatively mature, so it is now hosted by the CNCF.
Flux ensures that the configuration of the cluster matches the content of the Git repository, while automating your deployments. It is a very good tool set, because it can basically meet the application scenarios of most people.
For details, please see the official blog post on the CNCF sandbox project.
Cilium 1.6 released: a 100% replacement for kube-proxy
Cilium 1.6 has been released. The biggest news this time is that it has completed the last two core requirements: a cluster using Cilium no longer needs kube-proxy, that is, Cilium can replace kube-proxy 100%.
Here is a basic introduction to Cilium: it is eBPF-based software that transparently provides and protects network and API connectivity for application services deployed by container management platforms such as Kubernetes and Docker.
That is a bit of a mouthful. Put plainly, it is a super powerful network component based on eBPF. As for its capabilities, the following picture is relatively clear. Readers interested in studying it are recommended to read its official documentation.
As an important component of a Kubernetes cluster, kube-proxy often has its performance brought up. In fact, its performance is very good for most companies and scenarios, but the pursuit of perfection is the driving force. Now Cilium has released version 1.6, and the biggest news is that it can replace kube-proxy 100%. The performance test is as follows:
Here is my opinion on cilium:
- Is it fierce? Fierce.
- Is it worth studying? Worth.
- Will you replace kube-proxy in your own cluster? No, at least not now.
If you want to study eBPF or XDP through Cilium, I suggest you take a look. It's a very good project, and through this project, you can deepen your understanding of many aspects of networking. Let's say that if the source code and related principles of Cilium are thoroughly studied, it will be very powerful.
As for whether to replace kube-proxy, in my opinion, at least for the moment, I will not do so. There are many ways to solve the problem, but replacing a core component is not necessarily the most worthwhile choice.
For this performance test, please refer to its official blog.
You can subscribe to my public account, MoeLove, via the QR code below, and reply "k8s" in the public account's chat.