K8s ecological weekly | first official docker action released


"K8s ecological weekly" mainly collects the news from the k8s ecosystem that I have come across during the week and think is worth recommending. Welcome to the "k8s ecology" column.

The first official docker GitHub action was released

Since Docker sold its enterprise business to Mirantis last year, it has focused on the developer experience and has made a series of efforts to this end.
These include the release of Docker Desktop v2.2 in January, which brought the new WSL 2 backend and the new interactive desktop dashboard.

This week, the first official Docker GitHub Action for Hub / CI was released.

This is really another way to promote Docker Hub (a little later than expected). Docker Hub has long been able to build Docker images, but I personally feel the experience is not good enough: in general it is not flexible enough, and its scheduling feels a little slow (although this is being optimized now).

The Docker GitHub Action released this time, however, lets users define their own workflow much more flexibly through GitHub Actions and push the image to an image registry. The registry is not bound to Docker Hub: users can configure the registry address themselves.

A usage example follows. For a complete project, please refer to the Docker GitHub Action.
Note that if your repository is public, you must store your username, password and similar values as secrets, as in the example below, to prevent them from leaking.

- name: Build and push Docker images
  uses: docker/build-push-action@v1
  with:
    # Username used to log in to a Docker registry. If not set then no login will occur
    username: ${{ secrets.DOCKER_USERNAME }}
    # Password or personal access token used to log in to a Docker registry. If not set then no login will occur
    password: ${{ secrets.DOCKER_TOKEN }}
    # Docker repository to tag the image with
    repository: ${{ secrets.DOCKER_USERNAME }}/${{ secrets.DOCKER_PROJECT }}
    # Automatically tags the built image with the git reference as per the readme
    tag_with_ref: true
    # Automatically tags the built image with the git short SHA as per the readme
    tag_with_sha: true
    # Path to run docker build from
    path: .
    # Name of the Dockerfile (Default is 'path/Dockerfile')
    dockerfile: Dockerfile
    # Always attempt to pull a newer version of the image
    always_pull: true
    # Adds labels with git repository information to the built image
    add_git_labels: true
    # Whether to push the image
    push: true
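A complete workflow built around that step, as an added example (it is not from the original post or from Docker's own project): it assumes a private registry at registry.example.com and a repository named team/app, keeps the credentials in repository secrets, and only pushes when the run was not triggered by a pull request, since pull requests from forks run without access to secrets anyway.

```yaml
name: build-and-push

on:
  push:
    branches: [master]
    tags: ['v*']
  pull_request:

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Build and push Docker image
        uses: docker/build-push-action@v1
        with:
          # Credentials come from repository secrets, never from the workflow file.
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
          # Assumed private registry; leave `registry` out to use Docker Hub.
          registry: registry.example.com
          # Assumed image name.
          repository: team/app
          tag_with_ref: true
          tag_with_sha: true
          add_git_labels: true
          # Build on every event, but only push for pushes to master or tags.
          # Pull request builds (including those from forks) produce no image
          # in the registry and never need the credentials.
          push: ${{ github.event_name != 'pull_request' }}
```

Use a personal access token with only the permissions the push needs rather than the account password for DOCKER_TOKEN, so a leaked secret can be revoked without changing the password.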

In addition, version 1.0 of the Visual Studio Code Docker extension was released this week! It is said to be easier to use than the previous version, so VS Code users can give it a try.

Etcd v3.4.5 release

The v3.4.5 release of etcd this week includes, among other changes:

  • #11704 records /health checks in the server log, mainly to make it easier to analyze the root cause of etcd failures;
  • #11694 fixes a possible exception when handling metrics;

For the other changes, please refer to its release notes.

Trivy license agreement changed to apache-2.0

Trivy, open-sourced by Aqua Security, is a vulnerability scanner for container images that is easy to integrate into CI.

Some readers may not know Aqua Security, but most have used or at least heard of some of its open source projects:

  • kubectl-who-can
  • kube-bench
  • kube-hunter

Recently, Trivy's license changed from AGPL v3 to Apache-2.0. The significance of this is that more vendors and companies can integrate and use Trivy in their own products or environments without worrying about Trivy's own license!

Currently, Harbor, Docker and Mirantis Docker Enterprise are using, or will use, Trivy as their default image security scanning tool.

Note, however, that some of the vulnerability data sources Trivy uses still prohibit commercial use.

Recommended reading: a comprehensive and easy-to-use image vulnerability detection tool: Trivy

Upstream progress

  • This is a fix for Kubernetes v1.16 that backports a series of mainline fixes into v1.16. It is worth mentioning here because if many nodes in your cluster become NotReady, the control plane may become overloaded and unavailable. The main changes are all in the NodeLifecycle controller. Users who are running, or plan to run, v1.16 should pay attention to this problem (if the cluster is small, it is less likely to be affected). For details, please refer to

Project recommendation

Reloader is a Kubernetes controller that watches ConfigMaps or Secrets and then performs a rolling update of the pods that use these resources.

Note that it is only compatible with Kubernetes v1.9 and above. Those who have such a need can give it a try.

Welcome to subscribe to my official account [MoeLove].
