Radio Cloud Native - Week of August 3, 2022

Every Wednesday, Nick Chase and Eric Gregory from Mirantis go over the week’s cloud native and industry news.

This week they discussed:

• Lens 6 is here!

• Kubernetes Gateway API graduates to beta

• Go 1.19 released

• Security issues with common Atlassian tools

• And much more on the podcast, including the NIST post-quantum competition, the CHIPS Act, and more

You can download the podcast from Apple Podcasts, Spotify, or wherever you get your podcasts. If you'd like to tune into the next show live, follow Mirantis on LinkedIn to receive our announcement of the next broadcast.

Nick: It’s been an incredibly busy couple of weeks at Mirantis, so while we don’t like to make too much of a habit of shameless self-promotion on Radio Cloud Native, this is the second week in a row where we have a big announcement to discuss. On the last show we talked about Mirantis’ acquisition of amazee.io, which helps bring streamlined ZeroOps application deployment to developers. Once your app or service is deployed, you’re going to want to be able to easily observe and manage the deployment on your cluster, and that’s where Lens comes in. Last week, the Lens team released Lens 6, which brings new features and a new subscription model.

Features include: 

• Built-in container image scanning

• Built-in one-click local Kubernetes

• Built-in support chat functionality

Lens 6 is a big turning point, with the introduction of a new subscription model. Lens Personal subscriptions are for personal use, education, and startups (less than $10 million in annual revenue or funding). They are free of charge. Lens Pro subscriptions are required for professional use in larger businesses. The pricing is $19.90 per user / month or $199 per user / year. There’s a FAQ available on the Mirantis blog, and you can purchase a subscription from the Lens site at k8slens.dev.

Eric: Last month saw the Kubernetes Gateway API graduating to beta with its 0.5.0 release. This is a big one, bringing some long-awaited functionality one step closer to practical usage. Originally conceived as a successor to the Ingress API, the Kubernetes SIG group now describes Gateway API as a “superset of Ingress functionality,” adding more sophisticated options. 

But okay, what exactly does that mean? What kind of options? Like Ingress, Gateway is a resource you can use to provide standardized specifications for a vendor-provided gateway component. So the Gateway implementation itself might come from a cloud provider, you might use Cilium or Istio or Traefik or Consul, but ultimately what’s happening is it’s sitting at the gate of your cluster and routing requests from outside to the appropriate destination inside. Okay, so far, sounds a lot like Ingress, but where it builds on Ingress is its standardization and its expressivity. Previously, things like weighted traffic routing or routing across namespaces required heavy annotation and custom solutions—with Gateway, you can be a lot more standard and portable about it. On top of that, Gateway explicitly supports HTTP, TLS, TCP, and UDP, where Ingress by default really only plays nice with HTTP. 

So if you’re a developer, this is all good news, since it gives you some new tools and means that, ideally, you can utilized more standardized routes, literally defined now through a Route object, without having to worry as much about the particularities of the gateway or ingress configuration. And here’s the final piece of excitement – the components graduating to beta here are the Gateway, GatewayClass, and HTTPRoute resources. So that means we have all the puzzle pieces to put an experimental implementation in play–the Gateway and GatewayClass gives us the infrastructure, and the HTTPRoute gives us a tool for HTTP, at least, on the dev side. Notably, the TCPRoute, TLSRoute, and UDPRoute resources are still in alpha.

In other new releases, Go 1.19 dropped on August 2nd, bringing a set of refinements and performance enhancements after the massive 1.18 release, which brought generics to Go. The Go blog boasts performance improvements of up to 20% on some generic programs, expanded Doc functionality (including links), adjustments to the memory model, and:

a wide variety of performance and implementation improvements, including dynamic sizing of initial goroutine stacks to reduce stack copying, automatic use of additional file descriptors on most Unix systems, jump tables for large switch statements on x86-64 and ARM64, support for debugger-injected function calls on ARM64, register ABI support on RISC-V, and experimental support for Linux running on Loongson 64-bit architecture LoongArch (GOARCH=loong64)

Nick: Users of Atlassian—that is, the company behind Confluence (in other words, you're probably using it)—were hit with a trio of security vulnerabilities in the last couple of weeks. The most widely publicized has to do with a hard-coded password that comes with the Questions for Confluence app.  Unfortunately, simply uninstalling the app does not solve the problem, so you will need to either delete or disable the offending user.  Specifically, look for an active user with a username of "disabled system user" and an email of "don't-delete-this-user at email.com." Specifically, ignore that advice, and either disable or delete the user.  

You can also see if your system has been potentially compromised by checking for the last time that user authenticated to the system, as unless you have used it to migrate data, there is no reason for anybody to have used it.

The other vulnerabilities are less flamboyant, as they require specially crafted HTTP requests to execute, but they're no less dangerous, so you'll want to go ahead and make sure that you've upgraded to the latest versions of whatever systems you are using.

Check out the podcast for more of this week's stories.