Kubernetes namespaces - they're an essential feature for building modern cloud architectures. Namespaces let you split a single cluster into multiple "virtual clusters". Resources like pods, replicasets, and deployments all live in namespaces. You can think of a namespace as a resource's last name - it specifies which family the resource belongs to - and a normal resource has one and only one namespace (there are exceptions, such as the Node resource, which is cluster-scoped and does not belong to any namespace). If you don't think you're using namespaces on your cluster, then you're wrong: you're actually just putting everything into the default namespace.
A security issue was discovered in the kube-apiserver that could enable a privilege escalation from a compromised node.
Vulnerability Description and Impact
Automate Kubernetes Analytics and Forensics with Alcide kAudit
Policies are a critical foundation for successfully building and operating Kubernetes-based applications. Rather than making assumptions about how workloads and application components should behave, we can define policies that govern and enforce the way those workloads and application components must behave.
Alcide Logs and Coralogix
Ingress APIs manage external access to the services in a cluster, typically over HTTP. This is generally implemented as an API-gateway style of traffic router that relays traffic to the proxied services through a common entry point. The user controls when and how a service is published by using a declarative definition of the desired behavior (in a YAML or JSON file).
The recently disclosed MiTM attack was a very unusual one in the container security world. At the same time, Kubernetes, Docker, and Calico all announced security bulletins related to IPv6 Rogue Router Advertisements. There are several security bulletins because this isn't a single vulnerability in one product - rather, multiple independent CNIs are all vulnerable. IPv6 Router Advertisements are a fairly obscure topic, yet this vulnerability is definitely worth understanding.