At Twistlock, we’re proud to support the container and cloud native ecosystem, especially when it comes to security. Kubernetes recently announced version 1.8, their third release this year. In this post, I’ll review major security and API improvements.
Outbound traffic filtering is in beta
Kubernetes 1.7 introduced inbound (ingress) traffic filtering, which provided a solid way to harden inter-container traffic. Kubernetes 1.8 adds outbound (egress) traffic filtering to further harden pods’ traffic. Another important addition is the ability to scope filtering rules to specific CIDR subnets.
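As an added example (not from the original post), the manifest below combines both 1.8 features: an egress-only NetworkPolicy that lets pods labelled `app=backup` resolve DNS and reach one storage subnet over HTTPS, and drops every other outbound connection. The namespace, labels and addresses are constructed, and the `name: kube-system` label on the DNS namespace is an assumption.

```yaml
# Added example (not from the original post): egress filtering scoped to a CIDR.
# Namespace, labels and addresses are constructed for illustration.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backup-egress
  namespace: jobs
spec:
  # Pods this policy applies to.
  podSelector:
    matchLabels:
      app: backup
  # Listing only Egress leaves ingress untouched by this policy; outbound
  # traffic that matches none of the rules below is dropped.
  policyTypes:
  - Egress
  egress:
  # Allow DNS to cluster DNS so name resolution keeps working.
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system   # assumption: kube-system carries this label
    ports:
    - protocol: UDP
      port: 53
  # Allow HTTPS to the storage subnet only, excluding one address in it.
  - to:
    - ipBlock:
        cidr: 10.20.0.0/16
        except:
        - 10.20.0.1/32
    ports:
    - protocol: TCP
      port: 443
```

NetworkPolicy objects are only enforced by a network plugin that implements them; on a cluster whose CNI plugin ignores policies the manifest is accepted but has no effect, so verify enforcement from inside a matching pod before relying on it for exfiltration control.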
TLS certificate rotation is now in beta
The connection between kubelet and the API server is encrypted with TLS. Certificates are issued with a one year expiration date by default.
Kubernetes 1.8 promoted TLS certificate rotation for both the kubelet and the API server to beta.
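Rotation on the kubelet side is only half of the setup: the kubelet requests a renewed client certificate by submitting a CertificateSigningRequest, and that request has to be approved. As an added example (not from the original post), the binding below grants the `system:nodes` group the built-in ClusterRole that allows the controller manager's CSR approver to auto-approve a node's renewal requests for its own identity; the binding name is constructed, and the `--rotate-certificates` kubelet flag is referenced from the Kubernetes documentation rather than the post.

```yaml
# Added example (not from the original post). Lets the CSR approver
# auto-approve kubelet client certificate renewals. The kubelet itself is
# started with --rotate-certificates (per the Kubernetes documentation).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: auto-approve-renewals-for-nodes   # constructed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # Built-in role granting "create" on the
  # certificatesigningrequests/selfnodeclient subresource
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:nodes
```

After applying it, `kubectl get csr` should show renewal requests from `system:node:<name>` identities moving to Approved,Issued without manual intervention; a request that stays Pending means the kubelet's certificate will still expire on the old one-year schedule.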
Role-Based Access Control (RBAC) is now stable
RBAC was promoted from beta to stable with no API changes. RBAC lets cluster administrators define roles that enforce access policies on the Kubernetes API. RBAC is not a new feature, but now that it has reached the stable stage it is recommended for production use. I won’t elaborate more on RBAC here, as the Kubernetes documentation is quite thorough.
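The least-privilege pattern RBAC is meant for, as an added example (not from the original post): a namespaced Role that grants read-only access to pods, bound to a single service account. The namespace, role and account names are constructed.

```yaml
# Added example (not from the original post): a read-only, single-namespace
# role for a monitoring service account. Names are constructed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: prod
  name: pod-reader
rules:
- apiGroups: [""]                    # "" is the core API group
  resources: ["pods"]
  verbs: ["get", "list", "watch"]    # no create/update/delete, no pods/exec
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: monitor-reads-pods
  namespace: prod
subjects:
- kind: ServiceAccount
  name: monitor
  namespace: prod
roleRef:
  kind: Role                         # a Role, so the grant stops at this namespace
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

The useful check is `kubectl auth can-i`, impersonating the account: `kubectl auth can-i list pods --as=system:serviceaccount:prod:monitor -n prod` should answer yes, while the same query with `delete pods`, or with `-n kube-system`, should answer no.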
Beta support for workload APIs
The workload APIs, which include the Deployment, DaemonSet, ReplicaSet and StatefulSet kinds, have also been promoted to beta.
These APIs provide a stable ground to migrate existing infrastructures to Kubernetes and develop cloud native applications that are targeted towards Kubernetes.
The most interesting new API in beta is CronJob, which works much like the cron daemon on Linux. A CronJob runs a container on a schedule, which is useful for backups, log rotation, disk cleanup and other periodic tasks.
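As an added example (not from the original post), here is a CronJob for the nightly backup case, using the `batch/v1beta1` API the post refers to. Besides the cron schedule it sets the knobs a practitioner usually wants for a periodic job: no overlapping runs, a bounded retry count, a retained history for troubleshooting, and a non-root, read-only container. The image, schedule, namespace and volume claim are constructed.

```yaml
# Added example (not from the original post): a nightly backup CronJob.
# Image, namespace, schedule and claim name are constructed.
apiVersion: batch/v1beta1          # the beta CronJob API discussed in the post
kind: CronJob
metadata:
  name: nightly-backup
  namespace: jobs
spec:
  schedule: "0 2 * * *"            # standard cron syntax: 02:00 every day
  concurrencyPolicy: Forbid        # skip a run if the previous one is still going
  startingDeadlineSeconds: 600     # don't start a run that is more than 10 min late
  successfulJobsHistoryLimit: 3    # keep a few finished Jobs for inspection
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 2              # retry a failed pod at most twice
      template:
        spec:
          restartPolicy: OnFailure
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
          containers:
          - name: backup
            image: example.com/backup:1.0      # constructed image name
            args: ["--source", "/data", "--dest", "s3://backups/nightly"]
            securityContext:
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: false
            volumeMounts:
            - name: data
              mountPath: /data
              readOnly: true               # the backup only needs to read
          volumes:
          - name: data
            persistentVolumeClaim:
              claimName: app-data
```

`concurrencyPolicy: Forbid` matters for backups in particular: with the default `Allow`, a slow run that overlaps the next schedule produces two jobs writing to the same destination. `kubectl get jobs -n jobs` lists the retained history, and `kubectl create job --from=cronjob/nightly-backup manual-run -n jobs` triggers an ad-hoc run with the same pod template.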
containerd support has grown into beta
containerd is a full container daemon, similar to Docker, that provides image storage, image distribution and a container runtime.
Kubernetes developed the Container Runtime Interface (CRI) to support runtimes other than Docker. Support for cri-containerd, the containerd implementation of the CRI protocol for Kubernetes, has now grown into the beta stage.
This allows Kubernetes to talk to containerd directly instead of going through the Docker daemon.
Docker has posted a detailed review of cri-containerd.
Other interesting features
- Volume snapshots can be created through the API (pre-alpha); this hasn’t been merged into Kubernetes yet and can be found here
- Many new flags were introduced in the kubectl command-line tool
- kubectl can be extended with plugins to support custom commands
There are some issues you need to be aware of before upgrading; they’re listed on the Kubernetes GitHub.
Kubernetes 1.8 introduces a lot of new features, as the project is moving forward fast.
To me, the most interesting are the alpha support for containerd, RBAC now being stable and usable in production, and the outbound traffic filtering, which makes data exfiltration harder and allows pods’ network activity to be hardened.