This Week’s Cloud‑Native Highlights: Docker Breach, Java 8 in Containers, Kubernetes Updates & More
The weekly roundup covers the Docker Hub breach affecting 190,000 accounts, Java 8’s new container support, Snyk’s 2019 container‑security report, major Kubernetes upstream changes including Federation v2 and Ephemeral Containers, Knative’s build deprecation, Istio 1.1.4 release, Envoy enhancements, a non‑root containerd effort, and a recommendation of the kubeCDN project.
Docker Hub security incident
On 25 April Docker reported unauthorized access to a Hub database. Approximately 190 000 usernames, hashed passwords, and GitHub/Bitbucket tokens used for automated builds were exposed. Docker recommends that all users change their Docker Hub passwords and, for workloads running on public clouds, update Docker login credentials stored in container services or Kubernetes secrets.
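The credential update Docker recommends can start with a read-only audit, shown here as an added example (not code from the original article or from Docker): it finds Kubernetes image-pull secrets that hold a Docker Hub login, taking the JSON produced by `kubectl get secrets --all-namespaces -o json` as input. The function names, sample secrets and user names are constructed for illustration; only the user name is reported, never the password.

```python
import base64
import json

DOCKER_HUB_HOSTS = {"docker.io", "index.docker.io", "registry-1.docker.io"}
# Secret type -> (data key, whether registries sit under an "auths" wrapper).
PULL_SECRET_TYPES = {"kubernetes.io/dockerconfigjson": (".dockerconfigjson", True),
                     "kubernetes.io/dockercfg": (".dockercfg", False)}

def registry_host(registry_key):  # "https://index.docker.io/v1/" -> "index.docker.io"
    return registry_key.split("://", 1)[-1].split("/", 1)[0].lower()

def pull_secret_auths(secret):
    """Return the registry -> credential map of a pull secret, or {} if none."""
    key, wrapped = PULL_SECRET_TYPES.get(secret.get("type"), (None, False))
    try:
        doc = json.loads(base64.b64decode((secret.get("data") or {}).get(key) or ""))
    except ValueError:  # missing data, bad base64 or bad JSON: nothing to report
        return {}
    auths = doc.get("auths", {}) if wrapped and isinstance(doc, dict) else doc
    return auths if isinstance(auths, dict) else {}

def docker_hub_secrets(secret_list):
    """Yield (namespace, name, username) for each secret holding a Docker Hub login."""
    for secret in secret_list.get("items", []):
        for registry, cred in pull_secret_auths(secret).items():
            if registry_host(registry) not in DOCKER_HUB_HOSTS:
                continue
            user = cred.get("username")
            if not user and cred.get("auth"):  # "auth" is base64("user:password")
                user = base64.b64decode(cred["auth"]).decode().split(":", 1)[0]
            yield secret["metadata"].get("namespace"), secret["metadata"]["name"], user

def make_sample(ns, name, stype, doc):  # constructed Secret shaped like a kubectl JSON item
    blob = base64.b64encode(json.dumps(doc).encode()).decode()
    return {"type": stype, "metadata": {"namespace": ns, "name": name},
            "data": {PULL_SECRET_TYPES[stype][0]: blob}}

HUB_AUTH = {"auth": base64.b64encode(b"ci-bot:example").decode()}  # constructed value
SAMPLE = {"items": [  # constructed sample input, not real cluster data
    make_sample("web", "hub-pull", "kubernetes.io/dockerconfigjson",
                {"auths": {"https://index.docker.io/v1/": HUB_AUTH}}),
    make_sample("web", "gcr-pull", "kubernetes.io/dockerconfigjson",
                {"auths": {"gcr.io": {"username": "_json_key"}}}),
    make_sample("batch", "old-hub", "kubernetes.io/dockercfg",
                {"docker.io": {"username": "legacy"}})]}

if __name__ == "__main__":
    for ns, name, user in docker_hub_secrets(SAMPLE):
        print(f"rotate {ns}/{name} (Docker Hub user: {user})")
```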
Java 8 container support
The OpenJDK image openjdk:8u212-jdk was released with proper support for container‑level resource limits. Java 8 applications now receive correct CPU quotas and heap size allocations when run inside Linux containers, eliminating the long‑standing mismatch between cgroup limits and JVM resource management.
Snyk 2019 container security report
Snyk’s 2019 report highlights a rapid rise in container‑related threats as container adoption surged. The report urges enterprises to treat container image security as a top operational priority. Full report: https://snyk.io/opensourcesecurity-2019/
Kubernetes upstream progress
Kubernetes Federation v1 deprecated. The community is transitioning to Federation v2, a control‑plane‑centric multi‑cluster management solution driven by Red Hat, CoreOS, Google and others.
Kubernetes 1.15 release schedule. Code freeze is set for 30 May 2019; only non‑feature changes will be accepted after that date.
Ephemeral Containers KEP merged. The feature allows temporary containers to be launched inside a Pod for debugging, accessible via kubectl debug. This provides a “no‑SSH” troubleshooting model aligned with immutable infrastructure principles.
Knative project updates
Build component deprecation. Knative Serving v1beta1 removes the Build dependency; Tekton Pipelines now handles builds. The community is finalizing the migration plan.
Advanced event filtering. A proposal to use CEL (Common Expression Language) for richer Trigger filtering is under discussion. The Trigger spec will gain a filter field that accepts CEL expressions.
Istio and Envoy enhancements
Istio 1.1.4 release. Introduces the environment variable PILOT_ENABLE_FALLTHROUGH_ROUTE, allowing Envoy to forward traffic to services not defined in the mesh.
Envoy ORCA project. Aims to improve load‑balancing precision by exposing richer metrics (CPU, memory, custom application metrics) via a universal data‑plane API.
Envoy VHDS support. Virtual Host Discovery Service makes dynamic route updates finer‑grained, sending only changed virtual‑host configurations instead of full listener data.
containerd non‑root execution effort
The containerd community is experimenting with running the daemon without root privileges. Users can provide a pre‑built root filesystem, but the daemon currently attempts to unmount it during cleanup, which fails without root. Engineers are working on a solution to enable true non‑root operation for improved cloud security.
Open‑source project recommendation: kubeCDN
kubeCDN is a self‑hosted CDN built on Kubernetes. Deploying kubeCDN across multiple regional clusters creates a cross‑region content‑distribution network without relying on third‑party CDNs, giving operators full control over data flow.
Related links
https://github.com/kubernetes-sigs/federation-v2
https://github.com/kubernetes/sig-release/tree/master/releases/release-1.15
https://github.com/kubernetes/enhancements/pull/958
https://github.com/knative/eventing/issues/930
https://github.com/google/cel-spec/blob/master/doc/intro.md
https://istio.io/about/notes/1.1.4/
https://github.com/envoyproxy/envoy/issues/6614
https://github.com/envoyproxy/envoy/pull/5910
https://github.com/envoyproxy/envoy/pull/6552
https://github.com/containerd/containerd/pull/3148
https://github.com/ilhaan/kubeCDN
Alibaba Cloud Native
We publish cloud-native tech news, curate in-depth content, host regular events and live streams, and share Alibaba product and user case studies. Join us to explore and share the cloud-native insights you need.