
Confidential Kubernetes, distroless images, and phishing galore

Eric Gregory - September 30, 2022

Every Wednesday, Nick Chase and Eric Gregory from Mirantis go over the week’s cloud native and industry news on the Radio Cloud Native podcast.

This week, John Jainschigg stepped in for Nick, and John and Eric discussed:

  • Mirantis Kubernetes Engine recognition by G2

  • The recently open sourced "Confidential" Kubernetes distribution Constellation

  • Wolfi, a new open source Linux "undistro" for container images

  • Phishing scheme targets GitHub accounts with fake CircleCI notifications

  • And more on the podcast, including a 15 year old Python bug and the endgame for floppy disks

You can watch the entire episode below or download the podcast from Apple Podcasts, Spotify, or wherever you get your podcasts. If you'd like to tune into the next show live, follow Mirantis on LinkedIn to receive our announcement of the next broadcast.

G2 recognizes Mirantis Kubernetes Engine

John: This week G2, the world’s leading business solutions review website, recognized Mirantis Kubernetes Engine (MKE) as a leader in the Container Orchestration category across its Overall and Mid-Market Grid Report.

G2 Grid Reports use validated reviews on G2 and market presence scores to compare products. In this latest report, Mirantis ranks higher than some of the most prominent players in the industry, including Red Hat and Amazon Web Services (AWS).

The G2 report includes quotes from users, and we’ll share just one: “The main advantage of MKE is we can deploy it anywhere like Virtual server, Cloud, etc. As a project lead, it is my responsibility to make available nodes to users easily. And also manage all nodes' performance, mainly worker nodes. After deploying MKE on our premises, my work becomes very easy. Now, all nodes at one place. Easy to manage and track. Easy to deploy using launchpad CLI. I've successfully deployed it on our virtual Linux server. Installation link having clear instructions to install MKE. Now all performance, updates are happening in one place.”

If you’d like to check out the G2 report, you can see that here.

"Confidential Kubernetes" distribution Constellation open sourced

Eric: Edgeless Systems announced the open sourcing of their Kubernetes distribution called Constellation, which they bill as “Confidential Kubernetes.” This security-centric distro is wrapped in a runtime-encrypted VM, with the idea being that all activity inside the cluster is encrypted against everyone outside, including the cloud provider. Among other things, this provides encryption at runtime and remote attestation, or verification using cryptographic certificates. 

Now, all this encryption comes with a performance cost that some benchmarks estimate could fall between 2 and 8%, so the question for enterprises here is exactly where they want to land on the security-performance continuum.

You can check out the project on GitHub.

Wolfi, a Linux "undistro" for supply chain security

Eric: Elsewhere in security-conscious tooling, Chainguard announced Wolfi, what they’re calling a Linux “undistro” intended to serve as a slim and secure base for container images. That’s W-O-L-F-I—it sounds lupine but it actually refers to the smallest known species of octopus.

Chainguard calls Wolfi an “undistro” because it doesn’t actually include the Linux kernel—it assumes it’s running in a container and using the host kernel. It’s similar in concept to Google’s distroless base, paring down packages in the base to an absolute minimum—and really it’s more than similar, it seems to be a pretty direct evolution of that project, while also taking some inspiration from Alpine Linux. Wolfi features include:

  • SBOM generation at build time

  • Minimized dependencies in the base

  • Daily builds for the base image to keep components up-to-date

  • Support for glibc and musl

Using Wolfi as a base, Chainguard says their images for Go, PHP, and nginx each contain zero CVEs, compared to counts in the hundreds for the standard versions of those images. 

If you’re interested in how Wolfi differs from the distroless base, it uses Chainguard-developed tools called melange and apko to build images from apk packages (without actually including a package manager like apk or apt in the base) and doesn’t draw on upstream Debian like distroless.

You can check out Wolfi on GitHub at https://github.com/chainguard-dev/wolfi-os.
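Since the pitch for Wolfi is a build-time SBOM and a base with no package manager or shell in it, the useful thing for an image consumer is to actually read that SBOM and check the claim. The script below is an added example, not code from Wolfi, apko, or the post; it parses the package list of an SPDX-style JSON SBOM (the `packages` / `name` / `versionInfo` fields are standard SPDX JSON), diffs two inventories, and flags packages a production base should not need. Both SBOM documents, every package name and version in them, and the deny list are constructed for illustration and do not describe any real image.

```python
"""Inspect build-time SBOMs to verify a 'minimal base' claim (added example)."""
import json

# Constructed SPDX-style SBOM for a hypothetical slim, Wolfi-like image.
SLIM_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-app-slim",
    "packages": [
        {"name": "wolfi-baselayout", "versionInfo": "0.0-constructed"},
        {"name": "glibc", "versionInfo": "0.0-constructed"},
        {"name": "ca-certificates-bundle", "versionInfo": "0.0-constructed"},
        {"name": "example-app", "versionInfo": "1.0.0"},
    ],
})

# Constructed SBOM for a hypothetical 'standard' image built on a full distro.
FULL_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-app-full",
    "packages": [
        {"name": "base-files", "versionInfo": "0.0-constructed"},
        {"name": "glibc", "versionInfo": "0.0-constructed"},
        {"name": "ca-certificates", "versionInfo": "0.0-constructed"},
        {"name": "apt", "versionInfo": "0.0-constructed"},
        {"name": "bash", "versionInfo": "0.0-constructed"},
        {"name": "curl", "versionInfo": "0.0-constructed"},
        {"name": "perl-base", "versionInfo": "0.0-constructed"},
        {"name": "example-app", "versionInfo": "1.0.0"},
    ],
})

# Hypothetical policy: tooling that only helps an intruder once the image is running.
DENY_IN_PRODUCTION_BASE = ("apt", "apk-tools", "bash", "sh", "curl", "wget")


def package_inventory(sbom_json: str) -> dict:
    """Map package name -> version from an SPDX JSON document."""
    doc = json.loads(sbom_json)
    return {p["name"]: p.get("versionInfo", "") for p in doc.get("packages", [])}


def compare_inventories(slim: dict, full: dict) -> dict:
    """Report what the fuller image carries that the slim one does not, and vice versa."""
    return {
        "only_in_full": sorted(set(full) - set(slim)),
        "only_in_slim": sorted(set(slim) - set(full)),
        "shared": sorted(set(slim) & set(full)),
    }


def unexpected_tooling(inventory: dict, deny=DENY_IN_PRODUCTION_BASE) -> list:
    """Packages present in the image that the policy says a base should not ship."""
    return sorted(name for name in inventory if name in deny)


def summarize(sbom_json: str) -> dict:
    """Package count plus policy findings for one SBOM."""
    inv = package_inventory(sbom_json)
    return {"packages": len(inv), "policy_violations": unexpected_tooling(inv)}


if __name__ == "__main__":
    slim, full = package_inventory(SLIM_SBOM), package_inventory(FULL_SBOM)
    print("slim:", summarize(SLIM_SBOM))
    print("full:", summarize(FULL_SBOM))
    print("diff:", compare_inventories(slim, full))
```

The point of the deny-list check is the one the post makes about Wolfi's design: a package manager or shell inside a production image is attack surface that the workload itself never needs, and an SBOM produced at build time is the cheapest place to catch it.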

Phishing scheme targets GitHub accounts with fake CircleCI notifications

Eric: A recent phishing scheme targets GitHub accounts with fake CircleCI notifications. According to GitHub, this campaign began on September 16th. The false message claims that users need to log in to accept modified privacy policies and terms of use.

The phishers use a variety of fake domains, including:

  • circle-ci[.]com

  • emails-circleci[.]com

  • circle-cl[.]com

  • email-circleci[.]com

According to CircleCI themselves, legitimate addresses will only ever be at circleci.com or a subdomain. 

Multi-factor authentication with hardware security keys mitigates these attacks. If you’re concerned that you’ve already been hit, CircleCI recommends rotating your credentials for both CircleCI and GitHub and performing a system audit. You also want to watch out for new users and new SSH keys created within potentially compromised systems—these are strategies phishers use to maintain access even if you’ve changed your passwords.
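CircleCI's rule above (legitimate mail comes only from circleci.com or a subdomain of it) is simple enough to turn into a mail-filter check, and the lookalike domains listed in the post are a good test set for it. The script below is an added example, not code from CircleCI, GitHub, or the post. It parses the sender address out of a `From:` header with the standard library, compares the domain against the rule, and reports the listed fake domains as suspicious. The sample headers are constructed; the four fake domains are the ones the post lists, written with `[.]` as in the post and re-fanged only for the comparison.

```python
"""Flag mail that claims to be from CircleCI but is not sent from circleci.com
or one of its subdomains (added example)."""
from email.utils import parseaddr

LEGIT_DOMAIN = "circleci.com"

# Fake domains from the post, de-fanged with [.] as written there.
FAKE_DOMAINS_FROM_POST = [
    "circle-ci[.]com",
    "emails-circleci[.]com",
    "circle-cl[.]com",
    "email-circleci[.]com",
]


def refang(domain: str) -> str:
    """Turn a de-fanged domain like 'a[.]b' back into 'a.b' for comparison."""
    return domain.replace("[.]", ".")


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header, ignoring the display name.

    parseaddr() is used so that a display name such as
    "noreply@circleci.com" <x@circle-cl.com> yields circle-cl.com,
    the address that actually routes mail.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_legit_circleci_domain(domain: str) -> bool:
    """True only for circleci.com itself or a subdomain of it.

    The leading dot matters: circleci.com.evil.example must not pass, and
    neither must a domain that merely contains the string 'circleci'.
    """
    return domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN)


def classify(from_header: str) -> str:
    """'legitimate', 'suspicious', or 'malformed' for one From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return "malformed"
    return "legitimate" if is_legit_circleci_domain(domain) else "suspicious"


def triage_domains(domains: list) -> dict:
    """Apply the rule to a list of (possibly de-fanged) domains."""
    return {d: is_legit_circleci_domain(refang(d)) for d in domains}


if __name__ == "__main__":
    # Constructed sample headers; only the first two should pass.
    for header in [
        '"CircleCI" <notifications@circleci.com>',
        '"CircleCI" <noreply@mail.circleci.com>',
        '"CircleCI" <support@circle-ci.com>',
        '"noreply@circleci.com" <x@circle-cl.com>',
        '"CircleCI" <x@circleci.com.evil.example>',
    ]:
        print(f"{classify(header):11} {header}")
    print(triage_domains(FAKE_DOMAINS_FROM_POST))
```

Note that this is a sender-domain check only: it catches the lookalike domains in the post and display-name spoofing, but it says nothing about whether the `From:` header itself was forged, which is what SPF, DKIM, and DMARC evaluation on the receiving side is for. It complements, rather than replaces, the hardware-key MFA recommended above.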

Check out the podcast for more of this week's stories.
