“k8s ecosystem weekly” collects the news from the Kubernetes ecosystem that I came across during the week and consider worth recommending. Welcome to the “k8s ecosystem” column.
The first official Docker GitHub Action has been released
Since Docker sold its enterprise business to Mirantis last year, it has focused on the developer experience and has made a series of efforts to that end.
These include the release of Docker Desktop v2.2 in January, which brought the new WSL 2 based architecture and the new interactive Desktop Dashboard.
This week saw the first release of the Hub/CI GitHub Action.
In fact this is another way of promoting Docker Hub (a little later than expected). Docker Hub has long been able to build images itself, but personally I do not find the experience good enough: in general it is not flexible enough, and its scheduling feels a little slow (although that is being optimized now).
The Docker GitHub Action released this time, however, lets users define their own workflow far more flexibly with GitHub Actions and push the image to a registry, and that registry is not tied to Docker Hub: users can specify their own registry address.
A usage example follows; for a complete project, please refer to the Docker GitHub Action repository.
Note that if your repository is public, you must store your username, password and similar values as secrets, as in the example below, so that they cannot leak.
```yaml
- name: Build and push Docker images
  uses: docker/build-push-action@v1
  with:
    # Username used to log in to a Docker registry. If not set then no login will occur
    username: ${{ secrets.DOCKER_USERNAME }}
    # Password or personal access token used to log in to a Docker registry. If not set then no login will occur
    password: ${{ secrets.DOCKER_TOKEN }}
    # Docker repository to tag the image with
    repository: ${{ secrets.DOCKER_USERNAME }}/${{ secrets.DOCKER_PROJECT }}
    # Automatically tags the built image with the git reference as per the readme
    tag_with_ref: true
    # Automatically tags the built image with the git short SHA as per the readme
    tag_with_sha: true
    # Path to run docker build from
    path: .
    # Name of the Dockerfile (Default is 'path/Dockerfile')
    dockerfile: Dockerfile
    # Always attempt to pull a newer version of the image
    always_pull: true
    # Adds labels with git repository information to the built image
    add_git_labels: true
    # Whether to push the image
    push: true
```
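As an added example (not from the original post and not part of Docker's action), here is a small Python check in the spirit of the advice above: it scans the `with:` blocks of a workflow file and reports every `username`/`password` input whose value is not a `${{ secrets.* }}` expression. The sample workflow and the credential values in it are constructed for illustration only.

```python
import re

CREDENTIAL_KEYS = {"username", "password"}  # build-push-action inputs that hold credentials
# The only accepted value shape: a GitHub Actions expression reading the secrets context.
SECRET_EXPR = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")
# A "key: value" line, optionally as a list item ("- key: value"); group 1 is the indentation.
KEY_VALUE = re.compile(r"^(\s*)(?:-\s+)?([A-Za-z_][A-Za-z0-9_-]*):\s*(.*?)\s*$")

def find_hardcoded_credentials(workflow_text: str) -> list:
    """Return (line_number, key, value) for each credential input inside a 'with:' block
    whose value is not a secrets expression. Line-based, not a full YAML parser."""
    findings = []
    with_indent = None  # indentation of the enclosing 'with:' key, None when outside one
    for lineno, raw in enumerate(workflow_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        m = KEY_VALUE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if with_indent is not None and indent <= with_indent:
            with_indent = None  # dedented back out of the with block
        if key == "with" and value == "":
            with_indent = indent
            continue
        if with_indent is None or key not in CREDENTIAL_KEYS:
            continue
        if not SECRET_EXPR.match(value.strip("'\"")):
            findings.append((lineno, key, value))
    return findings

# Constructed sample: the first step leaks credentials, the second reads them from secrets.
SAMPLE_WORKFLOW = """\
steps:
  - name: Build and push (unsafe)
    uses: docker/build-push-action@v1
    with:
      username: alice
      password: hunter2   # constructed value, not a real credential
      repository: alice/demo
  - name: Build and push (safe)
    uses: docker/build-push-action@v1
    with:
      username: ${{ secrets.DOCKER_USERNAME }}
      password: ${{ secrets.DOCKER_TOKEN }}
      repository: ${{ secrets.DOCKER_USERNAME }}/${{ secrets.DOCKER_PROJECT }}
"""
if __name__ == "__main__":
    print(find_hardcoded_credentials(SAMPLE_WORKFLOW))  # [(5, 'username', 'alice'), (6, 'password', 'hunter2')]
```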
In addition, version 1.0 of the Visual Studio Code Docker extension was released this week! It is said to be easier to use than the previous version, so VS Code users can give it a try.
etcd v3.4.5 released
This week's etcd v3.4.5 release includes, among other changes:
- #11704 records /health checks in the server log, mainly to make it easier to analyze the root cause of etcd failures;
- #11694 fixed a possible exception in metrics handling.
For the other changes, please refer to its release notes.
Trivy's license changed to Apache-2.0
Trivy, open-sourced by Aqua Security, is a CI-friendly vulnerability scanner for container images.
Some of you may not know Aqua Security, but most have used or at least heard of some of its open source projects:
- kubectl-who-can
- kube-bench
- kube-hunter
Recently, Trivy's license was changed from AGPL v3 to Apache-2.0.
This matters because more vendors and companies can now integrate and use Trivy in their own products or environments without worrying about Trivy's own license!
Currently Harbor, Docker and Mirantis Docker Enterprise are using, or will use, Trivy as their default image security scanning tool.
Note, however, that some of the data sources Trivy uses are still not permitted for commercial use.
Recommended reading: a comprehensive and easy-to-use image vulnerability detection tool: Trivy
Upstream progress
- This is a backport for Kubernetes v1.16 that combines a series of mainline fixes into v1.16. It deserves a special mention because, if many nodes in your cluster become NotReady, the control plane may become overloaded and unavailable. The main changes are all in the NodeLifecycle controller. Users who are running or planning to run v1.16 are advised to pay attention to this problem (if the cluster is small, it is less likely to be affected). For details, please refer to
Project recommendation
Reloader is a Kubernetes controller that watches ConfigMaps or Secrets and then performs a rolling upgrade on the Pods that use those resources.
Note that it is only compatible with Kubernetes v1.9 and above. Those who have such a need can give it a try.
Welcome to subscribe to my official account [MoeLove].