Latest Cloud Native Updates: Kubernetes Security Audit, Ephemeral Containers, New Projects
This weekly roundup highlights the CNCF security audit of Kubernetes and related projects, the archiving of rkt, several Kubernetes enhancements such as readonly interfaces and ephemeral containers, Istio's HTTP/2 DDoS fix, Knative v0.8.0 features, the krew plugin manager, Alluxio, and curated reading on microservices, ARM containers, WebAssembly, Helm charts, and a cloud‑native transformation case study.
Industry News
The CNCF published a security audit covering Kubernetes, CoreDNS, Envoy, Prometheus and other projects. The audit aggregates community‑reported issues ranging from low‑severity weaknesses to critical vulnerabilities, and provides remediation guidance and best‑practice recommendations. Reference: https://www.cncf.io/blog/2019/08/06/open-sourcing-the-kubernetes-security-audit/ and https://github.com/kubernetes/community/blob/master/wg-security-audit/findings
The Technical Oversight Committee voted to archive the rkt container runtime. Although rkt was created in 2014 and graduated to CNCF in 2017, adoption has declined sharply as users migrate to containerd, CRI‑O and other runtimes.
Upstream Project Highlights
Kubernetes
Readonly network interface support – An enhancement (https://github.com/kubernetes/enhancements/issues/1208) allows a pod’s readOnly network interface to be bound to a specific NIC, improving network isolation for multi‑NIC nodes.
Ephemeral containers for debugging – A new EphemeralContainers field lets users inject a temporary container into a running pod without rebuilding the pod image. The container shares the pod’s process namespace, can be attached automatically, and is useful in four scenarios:
Operations: run lightweight debug containers instead of shipping full‑size images.
Debugging: recover from a hung container when kubectl exec fails.
Automation: auditors can run one‑off checks on selected pods.
Technical support: multi‑tenant clusters can be diagnosed without node‑admin privileges.
Example command to add an ephemeral container (run as root on the client):
kubectl debug -it my-pod --image=busybox --target=main-container
Namespace‑switching plugin for kubectl – A sample plugin (https://github.com/kubernetes/sample-cli-plugin) adds a kubectl ns command to change the current namespace context, simplifying multi‑namespace workflows.
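A defender-side check for the ephemeral-container feature described above, added here as an example and not code from the original roundup: it walks pod-list JSON (a constructed sample inline, in the shape `kubectl get pods -A -o json` returns) and reports every injected ephemeral container, so an auditor can confirm each one is an intended debug session rather than an unexpected foothold in a running workload.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json`; not real cluster data.
PODS_JSON = """
{"items": [
  {"metadata": {"namespace": "prod", "name": "web-1"},
   "spec": {"containers": [{"name": "main", "image": "nginx:1.17"}],
            "ephemeralContainers": [{"name": "debugger", "image": "busybox",
                                     "targetContainerName": "main"}]}},
  {"metadata": {"namespace": "prod", "name": "web-2"},
   "spec": {"containers": [{"name": "main", "image": "nginx:1.17"}]}},
  {"metadata": {"namespace": "dev", "name": "tool-1"},
   "spec": {"shareProcessNamespace": true,
            "containers": [{"name": "app", "image": "alpine"}],
            "ephemeralContainers": [{"name": "shell", "image": "busybox"}]}}
]}
"""


def find_ephemeral_containers(pods_json: str):
    """Return one dict per ephemeral container present in a pod list.

    Each entry records where the container was injected and which
    container's process namespace it can see, which is what an auditor
    needs to decide whether the injection was expected.
    """
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        for ec in spec.get("ephemeralContainers") or []:
            findings.append({
                "namespace": meta.get("namespace"),
                "pod": meta.get("name"),
                "container": ec.get("name"),
                "image": ec.get("image"),
                # targetContainerName joins the debug container to that container's
                # process namespace; without it, processes of other containers are
                # visible only when the pod itself sets shareProcessNamespace.
                "target": ec.get("targetContainerName"),
                "pod_shares_pid": bool(spec.get("shareProcessNamespace", False)),
            })
    return findings


if __name__ == "__main__":
    for f in find_ephemeral_containers(PODS_JSON):
        print(f"{f['namespace']}/{f['pod']}: ephemeral container {f['container']} "
              f"({f['image']}) target={f['target']} pod_shares_pid={f['pod_shares_pid']}")
```

Feed it the output of `kubectl get pods -A -o json` from a cluster to list live injections; an empty result means no pod currently carries an ephemeral container.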
NUMA‑aware Memory Manager – A proposed kubelet component (https://github.com/kubernetes/enhancements/pull/1203) will manage regular memory and hugepages with NUMA awareness, enabling workloads to request memory on specific NUMA nodes for better performance.
kustomize as a kubectl sub‑command – Kustomize is now integrated directly into kubectl (https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/kustomize-subcommand-integration.md), allowing users to run kubectl kustomize without installing a separate binary.
Istio
A joint disclosure by Netflix’s security team, Google and CERT/CC identified a DDoS‑style vulnerability in HTTP/2 implementations used by many middleware services. Both Envoy and Istio are affected. Alibaba Cloud’s ACK‑based Istio service released patches that harden the control plane and provide full console support for creating, deleting and upgrading Istio gateways and virtual services. See the console link for details: https://cs.console.aliyun.com/#/k8s/istio/lifecycle
Knative
Knative v0.8.0 introduced three notable features:
Target Burst Capacity (TBC) – Services can declare a maximum request burst, allowing the system to absorb traffic spikes without queuing excessive requests.
Route readiness tied to Istio ingress – A Knative route is reported as ready only when it is reachable through the Istio ingress gateway, improving observability of actual service availability.
Queue‑proxy sidecar enhancements – The sidecar now performs configurable readiness probes and fast‑scale‑to‑zero with a zero‑second grace period, supporting millisecond‑level health checks.
Open‑Source Project Recommendations
krew – kubectl plugin manager
krew provides a package‑manager‑like experience for discovering, installing, uninstalling and listing kubectl plugins, similar to apt, dnf or brew. Plugin developers can publish binaries to the krew-index repository (https://github.com/kubernetes-sigs/krew-index) and users install them with a single command: kubectl krew install PLUGIN_NAME. Architecture details are documented at https://github.com/kubernetes-sigs/krew/blob/master/docs/KREW_ARCHITECTURE.md.
Alluxio – Distributed Memory File System
Alluxio is an open‑source, memory‑centric distributed file system that decouples storage and compute. It enables independent scaling of storage back‑ends (e.g., S3, HDFS) and compute clusters (e.g., Spark, Presto). Key characteristics:
Data is cached in RAM for ultra‑low latency access.
Supports tiered storage to spill to SSD or HDD when memory is insufficient.
Provides a unified namespace across heterogeneous storage systems.
Project repository: https://github.com/Alluxio/alluxio.
Alibaba Cloud Native