Kubernetes adds support for Sidecar containers
News #1: Container security scanning tools, Containers are not VMs, Faster boot with AWS Fargate, Istio graduates within the CNCF
Container security scanning tools
On July 13th, I ran a poll on Twitter to ask people what they are using for container security scanning.
Here is the poll with the results.
In the comments, someone mentioned Snyk, which probably contributes to some of the votes for "something else".
And the winner was...? Aqua Trivy.
From their official page, you can read, Aqua Trivy:
Scan for private and public registries, local filesystems, and container formats such as tar archives, Podman and Git repositories. Achieve functionality for a variety of execution environments, such as Linux, macOS, FreeBSD, and OpenBSD, with the option to support air-gapped environments as well as distroless images.
Aqua Trivy is not just a vulnerability scanner; it covers much more than that.
In fact, among the targets it can scan, we find:
Container Image
Filesystem
Git Repository (remote)
Virtual Machine Image
Kubernetes
AWS
while the scanners (what Trivy can find there) are:
OS packages and software dependencies in use (SBOM)
Known vulnerabilities (CVEs)
IaC issues and misconfigurations
Sensitive information and secrets
Software licenses
I might write an in-depth tutorial on Aqua Trivy if anyone finds it interesting. Let me know in the comments or connect via my social media contacts.
Snyk is quite similar to Aqua Trivy, since it is also a comprehensive solution that scans containers, Kubernetes clusters and cloud deployments.
Containers are not VMs
On July 17th, Viktor Farcic released a video named Containers Are Not VMs! Which Base Container (Docker) Images Should We Use?, where he explains that using full operating system images as base images for containers is a terrible idea.
I couldn't agree more; in fact, I reached the same conclusion in an article I wrote almost a month ago, Shrink to Secure: Kubernetes and Compact Containers.
In that article, I also present a couple of tools that make it easier to create distroless container images. Among my suggestions you can find Melange and Apko from Chainguard, and Buildpacks.io.
To learn more about how I used Chainguard Apko to build a container image that you can employ as an ephemeral container for debugging purposes, read my article Ep #3 - Containers: Apko from Chainguard.
AWS Fargate Enables Faster Container Startup using Seekable OCI
AWS Fargate announces support for Seekable OCI images.
Today, I’m excited to share that AWS Fargate now supports Seekable OCI (SOCI), which helps applications deploy and scale out faster by enabling containers to start without waiting to download the entire container image.
I believe this is great news for speeding up your application's startup time, but it is not a good reason to create bloated images that include full operating system base images spanning multiple GBs on disk and requiring lots of bandwidth to download.
Your time is better invested in creating smaller and more secure images.
The previous section covers exactly this topic.
Kubernetes adds SidecarContainers feature
A couple of weeks ago, a GitHub issue on the Kubernetes repo was merged regarding Sidecar Containers.
The new feature gate "SidecarContainers" is now available. This feature introduces sidecar containers, a new type of init container that starts before other containers but remains running for the full duration of the pod's lifecycle and will not block pod termination.
The feature will ship in Kubernetes v1.28, which has not been released yet.
Additional documentation can be found in KEP-753: Sidecar containers. KEP stands for Kubernetes Enhancement Proposal.
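To make the feature concrete, here is a pod manifest using it, written as an added example for this post (it is not code from the original article or from the Kubernetes project). Under KEP-753, an init container gains a restartPolicy field, and setting it to Always is what turns that init container into a sidecar: it starts before the regular containers in init order, keeps running for the whole pod lifetime, and does not block pod termination. The image names and the log path are placeholders, and the manifest assumes a v1.28 cluster with the SidecarContainers feature gate enabled.

```yaml
# Added example: a web pod with a log-shipping sidecar declared the KEP-753 way.
# Assumes Kubernetes v1.28 with --feature-gates=SidecarContainers=true on the
# API server and kubelets. Images under example.invalid/ are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: web-with-sidecar
spec:
  initContainers:
    # Classic init container: runs to completion before anything else starts.
    - name: fetch-config
      image: busybox:1.36
      command: ["sh", "-c", "echo 'listen=8080' > /config/app.conf"]
      volumeMounts:
        - name: config
          mountPath: /config
    # Sidecar: restartPolicy: Always on an init container is the marker.
    # It starts after fetch-config completes and before the "web" container,
    # stays up for the pod's lifetime, and does not hold up termination.
    - name: log-shipper
      image: example.invalid/log-shipper:placeholder
      restartPolicy: Always
      command: ["sh", "-c", "tail -n +1 -F /var/log/app/app.log"]
      # A sidecar gets the same least-privilege treatment as any other container.
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: logs
          mountPath: /var/log/app
          readOnly: true
  containers:
    - name: web
      image: example.invalid/web:placeholder
      ports:
        - containerPort: 8080
      volumeMounts:
        - name: config
          mountPath: /config
          readOnly: true
        - name: logs
          mountPath: /var/log/app
  volumes:
    - name: config
      emptyDir: {}
    - name: logs
      emptyDir: {}
```

The practical check before relying on this: on a cluster where the feature gate is off, the restartPolicy field on the init container is not honoured, so log-shipper behaves like an ordinary init container, its tail never exits, and the pod sits in Init forever. If you see that symptom, the gate, not the manifest, is the thing to inspect.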
Istio graduates within the CNCF
On July 12th, Istio was announced as a graduated project within the Cloud Native Computing Foundation (CNCF). You can find the announcement here.
The next major release, v1.19, will support the SidecarContainers feature discussed in the previous section.
Want to connect?
👉 Follow me on LinkedIn and Twitter.
If you need 1-1 mentoring sessions, feel free to check my Mentorcruise profile.