We are happy to announce that our amazing Product Team at SIGHUP has just released v1.1 of the Kubernetes Fury Distribution. This update comes with a ton of changes, which you can check out on the official release page on GitHub, linked above, but here is a highlight of our biggest core changes.

Addition of the OPA module

We don't take production-readiness for granted. We make it happen. KFD v1.1 lets you reduce attack vectors and increase resilience and stability simply by activating the OPA module. The Gatekeeper project uses the Open Policy Agent to allow or deny deployments based on some simple rules.

Using Admission Controller Webhooks, Gatekeeper intercepts API requests and applies the defined rules to them.

The OPA module has some useful predefined rules for Gatekeeper like:

  • denial of Docker images with the latest tag
  • denial of pods that have no limits declared (both CPU and Memory)
  • denial of pods that allow privilege escalation explicitly
  • denial of pods that run as root
  • denial of pods that do not declare livenessProbe and readinessProbe
  • denial of duplicated ingresses
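As an added illustration of how one of these rules is expressed for Gatekeeper (example written for this post, not the KFD OPA module's own manifests), here is a ConstraintTemplate whose Rego denies pods whose containers use the latest tag, together with a Constraint that applies it to all Pods. It goes slightly beyond the rule as listed by also rejecting untagged images, since the container runtime resolves those to latest as well; the template and constraint names are assumptions.

```yaml
# Added example, not part of the KFD OPA module: deny pods running
# images tagged "latest" (or untagged, which defaults to latest).
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenylatesttag          # assumed name
spec:
  crd:
    spec:
      names:
        kind: K8sDenyLatestTag
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenylatesttag

        # Collect images from both regular and init containers.
        images[img] {
          img := input.review.object.spec.containers[_].image
        }
        images[img] {
          img := input.review.object.spec.initContainers[_].image
        }

        # Explicit ":latest" tag.
        is_latest(img) { endswith(img, ":latest") }

        # No tag and no digest in the final path segment, e.g. "nginx"
        # or "registry:5000/team/app" (port colon is not a tag).
        is_latest(img) {
          parts := split(img, "/")
          last := parts[count(parts) - 1]
          not contains(last, ":")
          not contains(last, "@")
        }

        violation[{"msg": msg}] {
          img := images[_]
          is_latest(img)
          msg := sprintf("image %v uses the latest tag; pin a version or digest", [img])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyLatestTag
metadata:
  name: deny-latest-tag           # assumed name
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
```

With both objects applied, a Pod whose container image is `nginx:latest` or `nginx` is rejected at admission with the message above, while `nginx:1.19.6` or an `@sha256:` digest reference is admitted.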

Network shaping

Compared with the previous version of KFD, we not only keep our commitment to being compatible with 3 consecutive Kubernetes versions, but we also took a step further in reliability by providing a straightforward way to limit the network budget of pods. We limit the bandwidth each pod can consume, to ensure the reliability of the services in the cluster.

So you can add the kubernetes.io/ingress-bandwidth and kubernetes.io/egress-bandwidth annotations to your pod as follows:

apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubernetes.io/ingress-bandwidth: 1M
    kubernetes.io/egress-bandwidth: 1M
...

Cert-manager

If we can agree on one thing about Kubernetes maintenance, it is that certificate rotation is neither easy nor pleasant to do manually. But you know: if it's hard -> do it daily; if it's a nightmare -> automate it. So we heavily rely on Jetstack cert-manager to fully automate the certificate lifecycle.

Smooth Operations

Moving into the cluster with minimum waste and maximum joy is crucial in our battle-tested Fury Distribution. For v1.1 we added some interesting features, like ensuring that kubectl top {pod,node} works in all the supported Kubernetes versions, so inspectability is on point.

Also, reproducibility is increased with automated detection of some common pitfalls, like a reused machine-id, which is a common bug with AMIs or prebuilt on-premise images. We have you covered with a set of alerts covering this scenario.

Finally, we did a huge third-party upgrade of our networking, monitoring, ingress and disaster recovery core modules.

Communication is key - Announcing our Documentation Portal

If a tree falls in a forest and no one is around to hear it, does it make a sound? Sure it does (we know science), but surely it won't have any impact. This is why we are happy to announce the Kubernetes Fury Documentation Portal with insights and useful tutorials for KFD v1.1. And this is just the beginning.

📦 Wrapping it up

You can find the complete changelog here. You can find us at sighup.io, creating battle-tested awesome products like this one, among others; you can check them out on the CNCF landscape, for example.