Authors: Adrian Reber (Red Hat) Forensic container checkpointing is based on Checkpoint/Restore In Userspace (CRIU) and allows the creation of stateful copies of a running container without the container knowing that it is being checkpointed. The copy of the container can be analyzed and restored in a sandbox environment multiple times without the original container Read more about Blog: Forensic container checkpointing in Kubernetes[…]

Author: Frederico Muñoz (SAS) Change is an integral part of the Kubernetes life-cycle: as Kubernetes grows and matures, features may be deprecated, removed, or replaced with improvements for the health of the project. For Kubernetes v1.26 there are several planned: this article identifies and describes some of them, based on the information available at this Read more about Blog: Kubernetes Removals, Deprecations, and Major Changes in 1.26[…]

Authors (in alphabetical order): Cailyn Edwards (Shopify), Pushkar Joglekar (VMware), Rey Lejano (SUSE) and Rory McCune (DataDog) We expect the brand new Third Party Security Audit of Kubernetes will be published later this month (Oct 2022). In preparation for that, let’s look at the state of findings that were made public as part of the Read more about Blog: Current State: 2019 Third Party Security Audit of Kubernetes[…]

Authors: Rodrigo Campos (Microsoft), Giuseppe Scrivano (Red Hat) Kubernetes v1.25 introduces the support for user namespaces. This is a major improvement for running secure workloads in Kubernetes. Each pod will have access only to a limited subset of the available UIDs and GIDs on the system, thus adding a new security layer to protect from Read more about Blog: Kubernetes 1.25: alpha support for running Pods with user namespaces[…]

Author: Jiawei Wang (Google) The Kubernetes in-tree storage plugin to Container Storage Interface (CSI) migration infrastructure has already been beta since v1.17. CSI migration was introduced as alpha in Kubernetes v1.14. Since then, SIG Storage and other Kubernetes special interest groups are working to ensure feature stability and compatibility in preparation for CSI Migration feature Read more about Blog: Kubernetes 1.25: Kubernetes In-Tree to CSI Volume Migration Status Update[…]

Authors: Joe Betz (Google), Cici Huang (Google), Kermit Alexander (Google) In Kubernetes 1.25, Validation rules for CustomResourceDefinitions (CRDs) have graduated to Beta! Validation rules make it possible to declare how custom resources are validated using the Common Expression Language (CEL). For example: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition … openAPIV3Schema: type: object properties: spec: type: object x-kubernetes-validations: Read more about Blog: Kubernetes 1.25: CustomResourceDefinition Validation Rules Graduate to Beta[…]

Author: Humble Chirammal (Red Hat), Louis Koo (deeproute.ai) Kubernetes v1.25, released earlier this month, introduced a new feature that lets your cluster expand storage volumes, even when access to those volumes requires a secret (for example: a credential for accessing a SAN fabric) to perform node expand operation. This new behavior is in alpha and Read more about Blog: Kubernetes 1.25: Use Secrets for Node-Driven Expansion of CSI Volumes[…]

Author: Jing Xu (Google) Local ephemeral storage capacity isolation was introduced as a alpha feature in Kubernetes 1.7 and it went beta in 1.9. With Kubernetes 1.25 we are excited to announce general availability(GA) of this feature. Pods use ephemeral local storage for scratch space, caching, and logs. The lifetime of local ephemeral storage does Read more about Blog: Kubernetes 1.25: Local Storage Capacity Isolation Reaches GA[…]