Okay, and I'm back. Interesting, not sure what happened there. Was the audio with us the whole time, or did you lose video and audio the whole time? I'm not sure exactly when I dropped out there. Anybody have feedback for me on that? Not sure what caused that drop. All right. Well, I'm going to keep an eye on it now; I have my window over here on the side. So thank you for letting me know. Looks like we're back. All right, moving forward.

So there was a CVE this week, CVE-2021-25736, for kube-proxy load balancer contention. This is actually for Windows: if you're running Kubernetes on Windows, this may affect you. It's a medium severity, and it looks like it's about the load balancer not setting the LoadBalancer ingress IP field; clusters where load balancer controllers set that are unaffected. Unexpected processes listening on the same port as the load balancer service could indicate exploitation of this issue and should be investigated. So in this way I think you're able to take over, or maybe impersonate, the correct endpoint, and then you would actually be able to attract traffic to your hijacked load balancer.
So that should be interesting; it seems like it only affects Windows.

The next one up: a security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlices. And so this is actually, I think, a defect in EndpointSlices specifically. Fixed versions are already out. To mitigate this vulnerability without upgrading the Kubernetes API server, you can create a validating admission webhook that prevents EndpointSlices with endpoint addresses in the 127 or 169.254 ranges, and presumably that's the filter that has been patched. So that's an interesting one, because it means that you'd basically be able to override the EndpointSlice object and redirect traffic to localhost or to some other local addressing. Any time they put this stuff up, I think this is an important point, right: if you find evidence that this vulnerability has been exploited, please contact us. So that's an interesting one.

The next one in our list: a security issue was discovered in the Kubernetes Java client library. So if you're using the Java client, it could give you the ability to kind of manipulate the inputs. This was reported by Jordy verse mason through our bug bounty program, very cool. So it looks like they've already got a fixed version out. And it looks like, if you're using the Java client, there is a CVE where it isn't sanitizing inputs correctly. That was posted by Tim. That's an interesting one.

The last one, you're probably going to hear me talk about this one a little bit more; I think this one's interesting. What this one is about... oh, wow, that's still empty.
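Before moving on to the runc item, here is the mitigation just described for the EndpointSlice issue (a validating admission webhook that refuses endpoint addresses in the 127 and 169.254 ranges) as an added example in Python. It is not code from the Kubernetes project or from the advisory. It assumes a webhook server that hands each AdmissionReview to review() below; the serving, TLS and ValidatingWebhookConfiguration side is not shown. The wrap() helper, the sample slices and the IPv6 loopback and link-local ranges (which go beyond the two IPv4 ranges the advisory names) are my additions.

```python
"""Decision logic for a validating admission webhook that refuses EndpointSlices
pointing at loopback or link-local addresses.

Added example, not Kubernetes project code. The webhook server, TLS and the
ValidatingWebhookConfiguration are assumed to exist separately and to pass
each AdmissionReview to review(). The two IPv4 ranges are the ones from the
advisory; the IPv6 equivalents are an extension made here.
"""
import ipaddress
import json

# Address ranges an EndpointSlice must never point at.
FORBIDDEN_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),     # IPv4 loopback (advisory)
    ipaddress.ip_network("169.254.0.0/16"),  # IPv4 link-local (advisory)
    ipaddress.ip_network("::1/128"),         # IPv6 loopback (extension)
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local (extension)
]


def forbidden_addresses(endpoint_slice: dict) -> list:
    """Return every endpoint address in the slice that lands in a forbidden range.

    Slices with addressType FQDN carry hostnames, not IPs, so they are skipped.
    An address that does not parse is reported too: the webhook fails closed
    rather than waving through something it cannot classify.
    """
    if endpoint_slice.get("addressType") == "FQDN":
        return []
    bad = []
    for endpoint in endpoint_slice.get("endpoints") or []:
        for addr in endpoint.get("addresses") or []:
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                bad.append(addr)
                continue
            if any(ip in net for net in FORBIDDEN_NETWORKS):
                bad.append(addr)
    return bad


def review(admission_review: dict) -> dict:
    """Produce the AdmissionReview response for one request.

    Only EndpointSlice objects are judged; any other kind is allowed, so a
    too-broad webhook rule cannot block unrelated resources.
    """
    request = admission_review["request"]
    obj = request.get("object") or {}  # None on DELETE, which has nothing to check
    response = {"uid": request["uid"], "allowed": True}
    kind = obj.get("kind") or request.get("kind", {}).get("kind")
    if kind == "EndpointSlice":
        bad = forbidden_addresses(obj)
        if bad:
            response["allowed"] = False
            response["status"] = {
                "code": 403,
                "message": "EndpointSlice endpoints may not use loopback or "
                           "link-local addresses: " + ", ".join(bad),
            }
    return {"apiVersion": "admission.k8s.io/v1",
            "kind": "AdmissionReview", "response": response}


def wrap(obj: dict, uid: str = "00000000-0000-0000-0000-000000000001") -> dict:
    """Build a minimal AdmissionReview request around an object (constructed, for testing)."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": "CREATE",
                        "kind": {"group": "discovery.k8s.io", "version": "v1",
                                 "kind": obj.get("kind", "")},
                        "object": obj}}


# Constructed sample objects; names and addresses are made up.
LEGIT_SLICE = {
    "apiVersion": "discovery.k8s.io/v1", "kind": "EndpointSlice",
    "metadata": {"name": "web-abc12", "namespace": "default",
                 "labels": {"kubernetes.io/service-name": "web"}},
    "addressType": "IPv4",
    "ports": [{"name": "http", "port": 8080, "protocol": "TCP"}],
    "endpoints": [{"addresses": ["10.244.1.5"]}, {"addresses": ["10.244.2.9"]}],
}
REDIRECTING_SLICE = {
    "apiVersion": "discovery.k8s.io/v1", "kind": "EndpointSlice",
    "metadata": {"name": "web-xyz98", "namespace": "default",
                 "labels": {"kubernetes.io/service-name": "web"}},
    "addressType": "IPv4",
    "ports": [{"name": "http", "port": 8080, "protocol": "TCP"}],
    "endpoints": [{"addresses": ["10.244.1.5", "127.0.0.1"]},
                  {"addresses": ["169.254.169.254"]}],
}

if __name__ == "__main__":
    for s in (LEGIT_SLICE, REDIRECTING_SLICE):
        print(json.dumps(review(wrap(s))["response"], indent=2))
```

The check is deliberately narrow: it only ever denies EndpointSlices, and it denies on parse failure, so a misconfigured rule that routes other kinds through it still lets them pass while an address the code cannot classify is rejected.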
Let's see if I can find it. So this is a runc vulnerability that enables a time-of-check to time-of-use attack. And so it's a timing attack, and it lets you effectively use runc to do a symlink traversal and change what has been mounted from when it was originally first checked. So I'm going to do a whole episode, I think, on this particular CVE, but it won't be until probably the next episode or possibly the episode after that. But this one is a really important one, and what I will say is that it is actually pretty darn important that you go ahead and patch runc, if you're using it, to a version forward of rc95. I think it's really important that people patch this stuff, and there'll be a Kubernetes blog post coming out and lots of other information about this coming up soon. But suffice to say, because of this runc CVE, if you're using containerd as your container runtime, or if you're using Docker as your container runtime, it may definitely behoove you to go ahead and patch whatever it is that's providing runc and get that fixed up pretty quick. So definitely an important one.

CNCF things: what's coming in the CNCF? We've got a few different sessions coming up this week. I should actually change this.
This will just be a summary, and it won't be weekly; it'll be every two weeks, and maybe I'll actually include programs that have passed as well as the ones that are coming up. So some of the CNCF online programs that are coming up are: Matt Stratton from Pulumi talking about using your favorite programming language to build your dream cloud native platform; Tackling customer issues in cloud-based environments by Eleanor Sperry from Workout; cloud-native policy enforcement with Open Policy Agent from Anders Eknert and Styra; and Persist your data in the ephemeral Kubernetes ecosystem with Eric Sightlow and MayaData. If you're interested in any of these online programs, definitely just click through and go be a part of them; lots of interesting stuff there. If I click on one of them, you can see basically what this does: it takes me to the CNCF community groups page. This one is already recorded, it looks like, and you'd be able to watch that live on YouTube, and if you have questions, the person to reach out to for those sorts of things is definitely the person that I've linked here. So in this case you could reach out to Matt Stratton or any of the other folks in those lists. So that is what's happening in cloud native this week. That was a lot of data; I hope that some of it showed up. I know that I was frozen for a little while and I'm not sure what happened there. That was kind of weird, but it's like we're back in play here.

So this Wednesday I'll be participating at the Austin Kubernetes meetup with crutch and my friend Jason DeTiberus. So we're going to get to see two awful geeks, possibly more than two awful geeks, talking about different things, and at that meetup I'll be presenting how to use kubeadm as a playground for studying for the CKx certificates. So definitely check that out; that'll be a fun one. I'll be doing more talks coming up as well.
And then the next thing that we're going to dig into today is an open source project of some kind, and so today I'm actually going to dig into minikube, and I'll tell you why. This is actually kind of an interesting thing. So I've been working at Isovalent, and that means I'm working on a CNI that's called Cilium; if you haven't checked out Cilium, definitely do so. It's a very cool CNI. Because Cilium operates at the eBPF layer, it means that it's probably better for us to make sure that we have a Linux kernel for each of your Kubernetes nodes, and that means that for my particular environments I've been trying to figure out, you know, kind of a reasonable way to create a multi-node cluster where each node has its own kernel. Typically what I've been doing, normally what I've been doing, is actually leveraging kind, which is a really great open source project, and if you haven't heard of kind, definitely check that out. I'll bring it up here: kind, that's kind.sigs.k8s.io. This is the kind project, and kind is really, really great. But one of the challenges that I ran into is that kind shares the same Linux kernel for each node.
It means that however many nodes you make in a kind cluster, they are all going to get the same Linux kernel, because kind nodes run as Docker containers, which is actually kind of interesting and super awesome and super handy. And there's still a lot about the kind project that I'm going to use every day, especially if I'm trying to patch or modify or play with the Kubernetes code base, or if I'm trying to actually do Kubernetes in CI. Having Kubernetes run in Docker containers means that doing CI tests, like that schema validation that we talked about earlier, is way, way easier in kind than it would be in, perhaps, a virtualized environment. But for my own purposes right now, what I have been doing lately is using this project, and I have to tell you it's been a while since I actually took a look at minikube, and this is actually why I kind of highlighted it in this session, because I think it's definitely worth highlighting minikube as an open source project. This stuff has actually come really quite far since the last time I looked at it. The last time I looked at it, I think it was actually already using kubeadm as a bootstrapper, but there were a lot of other things that it did not do. For example, it couldn't give you multiple nodes, and I don't think at the time we even had the idea of profiles, right? So you couldn't create multiple clusters.
So there was lots of stuff, for example, that it didn't do. So I'm going to show you my flow; we're going to work through my flow for spinning up a Kubernetes cluster with Cilium, and we're going to play with that a little bit to kind of show that off and show what you can actually do with minikube now, because I've been incredibly impressed. So I've got minikube running; I'm running version 1.21.0, which might be the most recent. Looks like maybe I just recently built it or something. But config: so these are things that you can actually specify with minikube, which are actually pretty neat. So if I do minikube start, for example, and then --help, these are all the different lines of configuration that you can specify, and for each of these things you can actually set a particular configuration for it to be operated on by default, right? And so when I do minikube config view, if you do minikube config, you'll be able to see what has been specified by default for all minikube clusters that you might create. So in my particular case I'm actually going to go ahead and change that memory setting, because that's too low. It has to be at least 1900, I think it is, so we'll do minikube config set memory 1900, and if we do minikube config view we can see that it's 1900 now, and that stands; it'll be megabytes. I'm actually also using the KVM driver, and this is because I'm actually using KVM as my virtualization on my Linux laptop here. And then bootstrapper: there's actually a few different bootstrappers, and I think it might be worth checking out if you are unaware of this; this actually kind of impressed me. So on the bootstrapper side, minikube config bootstrapper... nope. Now, you know, I'm probably doing this the wrong way. So let's do it this way.
I'll just go back to the docs: bootstrapper. So the default is kubeadm, but there are other bootstrappers, and I wanted to show you that. I think I saw... well, it will use kubeadm by default, but I am under the impression that you have other options for a bootstrapper, and I wanted to show you what those were, but I don't think I'm going to be able to get to that, because I don't see a way to show you that in the output. And that's okay. So for my purposes, it's going to be kubeadm. It's actually going to be kind of neat. So let's do minikube config view again. So we're using the KVM driver; you can use VirtualBox, you can use Docker, there's a bunch of different drivers that you can use for this stuff. We're going to use the kubeadm bootstrapper, and then for the container runtime we can actually specify whether to use Docker, containerd or Podman; there's a variety of different container runtimes you can use in the image. So let's go ahead and check this out. So let's do minikube start, and then this was something I learned: if you do -p you can specify a profile, and that gives you the ability to name the cluster whatever you want, right? So we'll call this one c1, and then the other thing that blew my mind lately is that you can actually also specify how many nodes. So I'm going to create two nodes here, I'm going to give two CPUs to each one of them, and I'm going to give them their own name. I'm going to give this guy its own named network that I'm going to share with another cluster, so we'll call it mesh. I want to do one more thing there: --cni false. So I want to bring up a cluster with no CNI. It looks like we're missing an image here, so we're going to let that download. Shouldn't be too long; fast internet at home, I love it. Thank you for telling me that, for letting me know that you're happy to see me streaming again. I'm happy to be streaming again.
I know that it's going to be a really fun thing to kind of explore with y'all. So, creating our two-node cluster. This is the output from the setup. Because I'm using containerd, it was trying to stop the Docker service inside of that VM, but apparently it doesn't come with it turned on, so it was just giving me some erroneous error there; not too big a deal. Now let's go on through the kubeadm steps for creating certificates and keys, booting up the control plane, configuring RBAC, doing some add-ons. Now we're creating the second VM in our cluster. We'll see what we see here. There we go. And if we do kubectl get nodes, you can see we have two nodes and we have a status of NotReady, and that's because I said don't use any CNI. Now, there's an interesting bug in minikube right now where, because of the way that Podman is installed, even if you say --cni=false, it will install that Podman CNI configuration to disk, and it'll be sitting in /etc. Let me just SSH in here, -p c1, and I can show you what I'm talking about. So now I'm on one of the nodes in the cluster; I believe it's the root one. So if I look in /etc/cni, you can see that there's this file called 87-podman.conflist, and right now it's empty, and I'll tell you how I emptied it here in a second. But the fact that this file exists in here at all means that this will be what is used for the CNI configuration, and I wanted there to be no CNI configuration. So I had to empty that file out, because it was actually being put in there by default by the install of the Podman bits for minikube. So when minikube bundles Podman as a possible containerizer, it also includes this default configuration for the Podman bridge, and I did not want that. I wanted it to be empty; I wanted there not to be anything in there. So how did I fix it?
This is actually pretty neat. So minikube has this idea of syncing files into the virtual machine, and the way that it does that is, if you go into your .minikube directory, and you go into files/etc, underneath that files path you can specify things that are going to be synced into the cluster. And so all I really cared about was emptying that Podman bridge conflist file out. So this is the only file I'm syncing in, and if we look in /etc/cni at the 87-podman file, it's empty. And so what I'm doing is overriding that file with an empty file, to make it so that no CNI is installed or inferred in my minikube cluster before I install one. I wanted to do that install myself, not to let anything else do it. So that's what we've got here, right? We've got a cluster ready for a CNI; nothing is running CNI-wise at the moment. If we do kubectl get pods -A, we can see for example that CoreDNS is Pending, and it will remain Pending until there is a CNI, and that's because CoreDNS is part of your pod network. It's not part of your host network, right? All the rest of these are actually running as part of the host network, okay; they're basically running as hostNetwork: true, right? It means that if I look at the IP addresses, for example with -o wide, I can see that many of them have conflicting IP addresses, right? There's a 109, 109, 109; this one, kube-proxy, is running over here on 136. And if I do kubectl get nodes -o wide, you can see those IP addresses, right, are the host IP addresses. So these are IP addresses of the virtual machines that are running, not of the pods that are running; the pods are just using the network stack of the underlying host. But that's not true for CoreDNS; CoreDNS is using a pod IP, but since there's no CNI it can't come up, because there's no CNI currently. So let's go ahead and install one.
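The two observations just made (host-network pods show their node's IP while CoreDNS stays Pending until a CNI exists, and an empty conflist synced in through .minikube/files blanks out the Podman default) can be checked in code. The following is an added example in Python, not minikube or Kubernetes code. It works on the JSON that kubectl get pods -A -o json and kubectl get nodes -o json emit; the two sample documents are constructed by hand to mirror the two-node cluster above (node names, pod names and the 192.168.39.x addresses are made up), and the guest path /etc/cni/net.d for the override is my assumption about where the conflist lives.

```python
"""Tell host-network pods from pod-network pods in a cluster that has no CNI
yet, and build minikube's file-sync override for the stray Podman conflist.

Added example, not minikube or Kubernetes code. The NODES and PODS documents
below are constructed to look like `kubectl get ... -o json` output; the
.minikube directory is whatever the caller passes in.
"""
import json
from pathlib import Path


def node_addresses(nodes_doc: dict) -> dict:
    """Map every node InternalIP to the name of the node that owns it."""
    owners = {}
    for node in nodes_doc.get("items", []):
        for addr in node.get("status", {}).get("addresses", []):
            if addr.get("type") == "InternalIP":
                owners[addr["address"]] = node["metadata"]["name"]
    return owners


def classify_pods(pods_doc: dict, nodes_doc: dict) -> list:
    """One record per pod: phase, hostNetwork flag and whose node IP it shows, if any.

    A hostNetwork pod reports the node's own InternalIP as its podIP, which is
    why `kubectl get pods -A -o wide` shows the same address on several pods.
    """
    owners = node_addresses(nodes_doc)
    records = []
    for pod in pods_doc.get("items", []):
        status = pod.get("status", {})
        ip = status.get("podIP")
        records.append({
            "namespace": pod["metadata"]["namespace"],
            "name": pod["metadata"]["name"],
            "phase": status.get("phase"),
            "hostNetwork": bool(pod.get("spec", {}).get("hostNetwork", False)),
            "podIP": ip,
            "node_owning_ip": owners.get(ip),  # node name for host-network pods, else None
        })
    return records


def pods_waiting_for_cni(pods_doc: dict, nodes_doc: dict) -> list:
    """Names of Pending pods that need a pod IP from the CNI and have not got one.

    Host-network pods are excluded: they never wait for the CNI, which is why
    everything except CoreDNS comes up in a cluster started with --cni false.
    """
    return [r["name"] for r in classify_pods(pods_doc, nodes_doc)
            if r["phase"] == "Pending" and not r["hostNetwork"] and r["podIP"] is None]


def cni_override_path(minikube_dir, filename: str = "87-podman.conflist") -> Path:
    """Where the override must live for minikube to sync it into the VM.

    minikube copies everything under <minikube dir>/files/ into the guest at
    the same path, so files/etc/cni/net.d/<filename> replaces the guest's copy
    (the exact guest path is an assumption of this example).
    """
    return Path(minikube_dir) / "files" / "etc" / "cni" / "net.d" / filename


def write_cni_override(minikube_dir, filename: str = "87-podman.conflist") -> Path:
    """Create the empty conflist that blanks out the default Podman bridge config."""
    target = cni_override_path(minikube_dir, filename)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text("")  # empty file: no CNI config, so no CNI gets inferred
    return target


# Constructed samples (not captured from a real cluster).
NODES = {"items": [
    {"metadata": {"name": "c1"},
     "status": {"addresses": [{"type": "InternalIP", "address": "192.168.39.109"},
                              {"type": "Hostname", "address": "c1"}]}},
    {"metadata": {"name": "c1-m02"},
     "status": {"addresses": [{"type": "InternalIP", "address": "192.168.39.136"},
                              {"type": "Hostname", "address": "c1-m02"}]}},
]}
PODS = {"items": [
    {"metadata": {"name": "kube-apiserver-c1", "namespace": "kube-system"},
     "spec": {"hostNetwork": True, "nodeName": "c1"},
     "status": {"phase": "Running", "podIP": "192.168.39.109"}},
    {"metadata": {"name": "kube-proxy-x7k2p", "namespace": "kube-system"},
     "spec": {"hostNetwork": True, "nodeName": "c1-m02"},
     "status": {"phase": "Running", "podIP": "192.168.39.136"}},
    {"metadata": {"name": "coredns-558bd4d5db-abcde", "namespace": "kube-system"},
     "spec": {"nodeName": "c1"},
     "status": {"phase": "Pending"}},
]}

if __name__ == "__main__":
    print(json.dumps(classify_pods(PODS, NODES), indent=2))
    print("waiting for CNI:", pods_waiting_for_cni(PODS, NODES))
```

On a live cluster, feed the output of kubectl get pods -A -o json and kubectl get nodes -o json into classify_pods() through json.load(); a pod whose node_owning_ip is set is sharing the VM's network stack, and the list from pods_waiting_for_cni() is what should empty out once cilium install (or any other CNI) has run.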
I'm going to use the Cilium CLI for this. You could use Calico, Flannel, whatever you want, and actually there's a bunch of built-in CNIs in minikube. So if you don't want to explore some other CNI (this is just important to me for my work), if you wanted to use Flannel or Calico or even Cilium, you can actually just specify --cni and then the name of the CNI you want it to come up with, and minikube will configure all of that for you; pretty cool. But for my purposes I wanted to bring this up so that I could explore my own dev environment without a CNI installed, and this is why I'm showing you this. Pretty neat stuff. Now we can see the Cilium bits are starting to come up: we have one of our Cilium pods, another Cilium pod, and then the Cilium operator all being deployed. And if you do cilium status, you can see that it's up and running, and then if I do kubectl get pods -A again, I'll be able to see that, now that I have a CNI installed, CoreDNS is running, and if I do kubectl get nodes, I have my nodes specifying that they are in a Ready state. So that is pretty neat. And then the other thing I was talking about was that --network flag, right? So if I did Ctrl-R... this --network flag. If I do ip link, or actually, let's see, it would be brctl show. So it'll create a bridge, and it'll give that bridge a name, although it's not giving it a name in this case; it's not super easy for you to see that. So let's do... wonder how I can get that name for you. ip link. The name doesn't carry down into the bridge. Let's see what I do. Do the virsh list. There we go. So this is the bridge. If I do virsh net-info... there we go.
So this is using KVM again, so I'm using the virsh command line to interact with the KVM configuration of things, and I've done a list, and I've told it to give me the network information for the network that is named mesh. And in this output I can see that the bridge associated with that mesh network is virbr1, and then I should be able to do things like brctl show virbr1, and we can see we have a couple of different interfaces associated with it, and that is the bridge, right, because we have two VMs and each of the VMs is going to have an interface associated with that bridge, and that bridge takes care of how we're actually getting traffic in and out of those VMs. Pretty cool. Well, yeah, so that's some of the stuff I've learned about minikube this week, and I think it's actually pretty neat. So there's a couple of other things: -p c1, and then you can actually give it the name of the node that you want to jump into. And so if you wanted to SSH into different nodes, if you just don't specify one, it'll still work; you'll be able to jump in and you'll be on the control plane node, and if you wanted to jump into the worker node you can actually specify the name of that worker node. If I go back up here to the node list, that's c1-m02. So this gives me the ability to jump into either of my two nodes. Each of my nodes has its own kernel because it's actually running as a virtual machine, so I don't have to worry about that part of it. It gives you quite a lot of configurability. Now, resource-wise, it's not going to be nearly as efficient as something like kind, where all of the processes running inside of a Kubernetes cluster are running inside of a container, right? We have one Linux kernel; all those processes are basically just namespaced. But at the same time, if what you're trying to troubleshoot or interact with has some requirement where
each of the nodes has its own representation of a Linux kernel, then this is a way of doing that, right? Some other examples of why you might want that: I want that for Cilium, but other reasons you might want that are for things like, if you're doing SELinux testing or any sort of enforcement at that point, if you're doing AppArmor testing, things that actually require a kernel-layer kind of abstraction. That sort of stuff will be where it really comes in, where you really want your own kernel for it. But yeah, that is what I had for you today. So I look forward to seeing you again in two weeks; definitely come check it out and hang with me again in two weeks. Again, there's so much great content coming out this week; there's a new show every day. There's been a lot of really great content already on Cloud Native TV, and a lot of those recordings are up, so if you want to check them out, definitely do so. I realize that I have to fix this problem; I have definitely got a CSS issue, because I can't see your text inside of the chat there. But yeah, thank you for joining me, and if you have content that you would like me to talk about in two weeks, at the next version of this particular show, definitely, like I said, just jump into hackmd.io/@TWICN, and you'll be able to see next week's notes, or the next show's notes, the 003 notes, and you'll be able to add links and that sort of stuff that you want me to talk about. So feel free to go ahead and do that. Otherwise you could just reach out to me on Twitter; just @ me in an article or a stream or a thread or anything else like that that you find that catches your interest and that you think would be a good addition to the show. Definitely let me know, keep me in the loop; I'm happy to talk about that stuff. Enjoy your incredible week. Thank you all so much for tuning in, and I'll see you in two weeks, and make sure you subscribe.
Yeah, subscribe to Cloud Native TV so you know those things are coming. So thanks again, and I'll see you next time.