
What’s New in Cloud Native: Kubernetes Security Fixes, Project Updates, and Must‑Read Resources

This week’s cloud‑native roundup covers Mesosphere’s rebranding to D2iQ, two critical Kubernetes CVEs with remediation steps, upcoming CNCF Kubernetes summits, the Knative 0.8 release, curated open‑source project recommendations, and a selection of in‑depth reading on multi‑cluster, serverless, and API‑gateway technologies.

Alibaba Cloud Native

Industry News

Mesosphere announced its official rebranding to D2iQ, shifting focus to Kubernetes and cloud‑native technologies while retaining the Mesosphere name for product branding.

Kubernetes Security Vulnerabilities

Kubernetes API server CVE‑2019‑11247

The vulnerability allows requests scoped to a specific namespace to access cluster‑level custom resources because the CRD service API does not enforce namespace scope.

Affected versions: 1.7.x‑1.12.x, 1.13.0‑1.13.8, 1.14.0‑1.14.4, 1.15.0‑1.15.1

Impact: Users granted namespace‑scoped permissions can read or modify cluster‑level custom resources.

Remediation: Upgrade to a patched version such as 1.14.5 or 1.15.2. Additionally, clean up RBAC rules that grant resources:[*] or apiGroups:[*] at the namespace level and avoid authorizing cluster‑wide CRDs.
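A defender-side check for the RBAC cleanup step above, written as an added example (not code from the original post). It scans the `items` of `kubectl get roles -A -o json` for namespaced Roles that grant `apiGroups:[*]`, `resources:[*]`, or access to the cluster-scoped CRD resource; the input below is a constructed sample in that shape, not real cluster output.

```python
import json

# Constructed sample mimicking `kubectl get roles -A -o json` (not real cluster data).
SAMPLE_ROLES_JSON = json.dumps({"items": [
    {"kind": "Role",
     "metadata": {"name": "dev-admin", "namespace": "team-a"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role",
     "metadata": {"name": "cm-reader", "namespace": "team-a"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                "verbs": ["get", "list"]}]},
    {"kind": "Role",
     "metadata": {"name": "crd-writer", "namespace": "team-b"},
     "rules": [{"apiGroups": ["apiextensions.k8s.io"],
                "resources": ["customresourcedefinitions"],
                "verbs": ["create", "update"]}]},
]})


def audit_roles(roles_json):
    """Return (namespace, role name, reasons) for each rule in a namespaced Role
    that is over-broad in the sense the advisory describes."""
    findings = []
    for role in json.loads(roles_json)["items"]:
        ns = role["metadata"].get("namespace", "")
        name = role["metadata"]["name"]
        for rule in role.get("rules", []):
            groups = rule.get("apiGroups", [])
            resources = rule.get("resources", [])
            reasons = []
            if "*" in groups:
                reasons.append("apiGroups:[*]")
            if "*" in resources:
                reasons.append("resources:[*]")
            # A namespaced Role should not authorize the cluster-scoped CRD resource.
            if ("*" in groups or "apiextensions.k8s.io" in groups) and \
               ("*" in resources or "customresourcedefinitions" in resources):
                reasons.append("grants cluster-scoped CRDs")
            if reasons:
                findings.append((ns, name, reasons))
    return findings


if __name__ == "__main__":
    for ns, name, reasons in audit_roles(SAMPLE_ROLES_JSON):
        print(f"{ns}/{name}: {', '.join(reasons)}")
```

Pipe the real `kubectl get roles -A -o json` output into `audit_roles` to list the Roles to tighten before or alongside the version upgrade.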

kubectl cp CVE‑2019‑11249

This client‑side vulnerability enables a malicious container to cause kubectl cp to overwrite files outside the intended destination path.

Affected versions: 1.0.x‑1.12.x, 1.13.0‑1.13.8, 1.14.0‑1.14.4, 1.15.0‑1.15.1

Impact: Attackers can replace arbitrary files on the host when kubectl cp is used.

Mitigation: Upgrade the kubectl client to the latest release or refrain from using kubectl cp with untrusted workloads.
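The failure mode above is an archive entry name that escapes the destination directory. The following added example (not the kubectl patch itself) shows the containment check a copy client must apply to each entry name before writing it; the destination path and entry names are constructed values.

```python
import os


def is_within_destination(dest_dir, entry_name):
    """True only if entry_name, extracted under dest_dir, stays inside dest_dir.
    Absolute names and '..' components are caught by resolving the joined path
    and comparing it against the resolved destination."""
    base = os.path.realpath(dest_dir)
    # os.path.join discards base when entry_name is absolute, so such names
    # resolve outside base and are rejected below.
    target = os.path.realpath(os.path.join(base, entry_name))
    return target == base or target.startswith(base + os.sep)


def filter_entries(dest_dir, entry_names):
    """Split entry names into (accepted, rejected) lists for a given destination."""
    accepted, rejected = [], []
    for name in entry_names:
        (accepted if is_within_destination(dest_dir, name) else rejected).append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed entry names, as they might appear in a copied tar stream.
    sample = ["app/config.yaml", "app/../notes.txt", "../../etc/shadow", "/etc/passwd"]
    ok, bad = filter_entries("/tmp/copy-dest", sample)
    print("accepted:", ok)
    print("rejected:", bad)
```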

Upstream Project Updates

Kubernetes

Admission webhook AdmissionReview type upgraded from v1beta to v1.

kubectl cp CVE fixes merged: v1.13.9 (#80871), v1.14.5 (#80870), v1.15.2 (#80869), master (#80436).

Namespace‑to‑cluster CRD privilege‑escalation fixes merged: v1.13.9 (#80852), v1.14.5 (#80851), v1.15.2 (#80850), master (#80750).

Knative 0.8 Release

Knative Serving adds Target Burst Capacity (TBC) to prevent queue‑proxy overload, reduces readiness‑probe latency, and makes the ready status of routes/services indicate accessibility. Knative Eventing introduces a Choice CRD that enables conditional function execution, providing basic orchestration capabilities.

Open‑Source Project Recommendations

Flux – a GitOps‑based continuous delivery solution for Kubernetes, offering diverse release strategies.

Gubernator – a high‑performance distributed rate‑limiting service that operates without external dependencies such as Redis.

TiDB Operator 1.0 GA – a reference implementation for managing database‑type workloads as Kubernetes operators, usable on Alibaba Cloud ACK and other providers.

Reading Recommendations

“Exploring Multi‑Cluster Architecture in the Cloud‑Native Era” – a historical overview of multi‑cluster challenges and modern solutions.

InfoWorld article “Will complexity kill Kubernetes?”, featuring an exclusive interview with Alibaba senior technologist Zhang Lei on Kubernetes complexity compared with Hadoop.

Comparative analysis of Helm deployments, highlighting Helm 2 limitations and alternative tools for cloud‑native application management.

CNCF security audit of core Kubernetes components, summarizing major CVEs and recommended usage patterns.

Serverless Series 1: Fundamentals – definitions, use cases, and architectural considerations in the cloud‑native era.

Benchmark report on Apache Kafka running on Istio, evaluating performance across single‑cluster, multi‑cluster, multi‑cloud, and hybrid‑cloud scenarios.

Series on cloud‑native API gateways, starting with Ambassador, examining features such as traffic control, authentication, and observability.

Istio multi‑cluster mesh use cases for disaster recovery and region‑aware load balancing.
