K8s ecological weekly | tuf officially graduated from CNCF

Time:2019-12-29

The content of k8s ecological weekly mainly includes some recommended information about k8s ecology that I have been exposed to every week. Welcome to the k8s ecology column.

Tuf graduated from CNCF

This week, the update framework (tuf) officially graduated from CNCF. Now, the official Python implementation of tuf has 954 stars, 142 forks, 43 contributors and 3525 commit records.

Tuf is the ninth project formally graduated from CNCF. If you remember correctly, it is also the only one that has graduated officially before the number of stars is thousands. However, the tuf project itself is different from other projects, and the number of stars does not indicate the project status.

Maybe many people feel that the existence of tuf project is very low, or they have not understood or used the tuf project. Let me introduce it.

The tuf project started about ten years ago and started hosting in CNCF in 2017. Its main goal is to provide a framework for updating as its name, but its more important point is its security design.

It takes full account of the possible attacks in all aspects. It can protect the existing program or verify the security and reliability of the version to be updated while providing the update function. You may want to ask how it does this. In fact, it mainly provides a set of standard specifications, and adds more metadata and related checks in each link, including signature information, file hash, metadata signature and expiration time.

As for its sense of existence, I don’t know if you have used the functions related to docker content trust (DCT). In short, you can regard it asdocker trustSome of the related functions are built on docker academy, and docker academy uses tuf as its basic security framework. (PS: docker Inc has also donated docker notary to CNCF)

Now when most public clouds (such as IBM, azure, etc.) provide trusted image warehouse services, they basically rely on docker notary and tuf indirectly, which is also the widely used aspect of tuf. In addition to container ecology, package managers of some languages are also exploring the implementation of security updates based on tuf, including pip of python, hackage of Haskell and OPAM of Ocaml.

However, the relevant extended content is not the focus of this article, so let’s skip it for now. Finally, congratulations on tuf’s successful graduation!

Linkerd v2.6.1 release

Linkerd released v2.6.1 this week, a very small bugfix. The reason mentioned here is that this small version is mainly to improve the stability of the proxy. By fixing the proxy, it may stop receiving service discovery updates, resulting in 503 bug.

For those interested in this problem, please refer to the updated records of linker2 proxy.

Upstream progress

Kubernetes v1.17 has been released, and now the upstream is in the development phase of v1.18. This week, v1.18.0-alpha.1 was released, with a very useful change.

kubectl drainstay--dry-runIt can be shown that it will be expelledpodInformation. An example is as follows:

# kubectl v1.18.0-alpha.1
(MoeLove) ➜  bin ./kubectl.v1.18  drain --dry-run=true  10.19.47.253 
node/10.19.47.253 cordoned (dry run)
evicting pod infra/redis-7c647bfd97-fdk2r (dry run)
evicting pod kube-system/coredns-65b546d87d-6jmfp (dry run)
evicting pod kube-system/coredns-65b546d87d-pwqvh (dry run)
node/10.19.47.253 drained (dry run)

In the previous version, it was not shown that it was expelledpodInformation:

# kubectl below v1.18.0-alpha.1
(MoeLove) ➜  bin ./kubectl.v1.17  drain --dry-run=true  10.19.47.253                                   
node/10.19.47.253 cordoned (dry run)
node/10.19.47.253 drained (dry run)

I can subscribe to my public address by the following two-dimensional code, MoeLove, and reply to k8s in the background of public address.

K8s ecological weekly | tuf officially graduated from CNCF