May is already here, so it’s time for our April DevOps digest! Our team continues to collect the latest DevOps news to share with everyone who loves DevOps and works on DevOps projects. If you’ve missed any of our DevOps news and updates, here’s our latest digest for the DevOps & CloudOps community. Get ready for our next episode of DevOps info and read on. We’re sure you’ll find some helpful ideas here today.

1. AWS Lambda Function URLs is generally available

AWS Lambda is widely used to build applications that are reliable and scalable. In building their applications, users can leverage multiple serverless functions that implement the business logic. This process has now become even easier. AWS announced the general availability of Lambda Function URLs, a cool new feature that allows users to add HTTPS endpoints to any Lambda function and configure Cross-Origin Resource Sharing (CORS) headers if needed.

AWS Lambda Function URLs take care of configuring and monitoring an HTTPS service, leaving developers free to focus on improving the product or other critical tasks. To see how AWS Lambda Function URLs works, check this AWS blog post.

2. HashiCorp Consul 1.12 to improve security on Kubernetes

HashiCorp Consul 1.12 is yet another significant update in the cloud architecture world. This release lowers Consul secrets sprawl and automates the rotation of Consul server TLS certificates by using HashiCorp Vault, another solution from the company. Consul 1.12 also helps users understand their Consul data center status and evaluate control list (ACL) system behavior. The solution could be helpful for anyone who wants to build a zero-trust security architecture. For more detail, read the HashiCorp post.

3. Limiting access to Kubernetes resources with RBAC

Here’s another helpful tutorial for Kubernetes users. As the number of applications and actors increases in a cluster, you may find it necessary to review and restrict the actions they can take. This is where the Role-Based Access Control (RBAC) framework in Kubernetes can be helpful. Here is a comprehensive guide on how to recreate the Kubernetes RBAC authorization model from scratch and practice the relationships between Roles, ClusterRoles, ServiceAccounts, RoleBindings, and ClusterRoleBindings.

4. The API Traffic Viewer for Kubernetes

Another useful tip for all Kubernetes users — an API traffic viewer for Kubernetes can make your life easier. This simple-yet-powerful solution helps troubleshoot and debug APIs in a convenient way and view all communication between microservices, including API payloads in real-time. In addition to all the benefits mentioned, the tool is lightweight, supports modern applications, and requires no code instrumentation. View the documentation for more details here.

5. Kubernetes 1.24 is here

Although the Kubernetes 1.24 release date has been rescheduled from April 19th to May 3rd, we decided to include it in this digest. The release comes with 46 enhancements, on par with the 45 in Kubernetes 1.23 and the 56 in Kubernetes 1.22. Of those 46 changes, 14 enhancements have graduated to stable, 15 are moving to beta, and 13 are entering alpha. Also, two features have been deprecated, and two features have been removed.

Here are some of the most important enhancements:

  • the removal of Dockershim
  • beta APIs off by default
  • storage capacity and volume expansion are generally available
  • gRPC probes graduated to beta

Check the Kubernetes page for more details and enjoy!

6. That sweet word ‘automation’

Automation is what DevOps has been about and automating everything is the fundamental principle of DevOps. Automate, automate, automate — but could we be wrong here? And what should we do to better understand this automation trend? Kelsey Hightower’s answers to these questions draw attention to the importance of understanding what we are going to automate and how to go about it. Check his valuable piece of writing here.

7. Have you heard about  Kyverno?

Kyverno is a powerful policy engine created specifically for Kubernetes. Kyverno allows users to manage policies as Kubernetes resources without requiring any new language to write policies. This also means that familiar tools such as kubectl, git, and kustomize can be used to manage policies. Here is a guide on how to get started with Kyverno and reap its benefits in practice.

8. Introducing EKS Blueprints

During April, AWS introduced a new open-source project called EKS Blueprints that aims to accelerate and simplify Amazon EKS adoption. EKS Blueprints is a set of Infrastructure as Code (IaC) modules to help users configure and deploy consistent and reliable EKS clusters across accounts and regions. EKS Blueprints can be used to bootstrap an EKS cluster with Amazon EKS add-ons as well as a broad array of open-source add-ons, including Prometheus, Karpenter, Nginx, Traefik, AWS Load Balancer Controller, Fluent Bit, Keda, Argo CD, and more. Read more about this project here.

9. Amazon Aurora Serverless v2 is generally available

AWS announced that the next version of Aurora Serverless is generally available. Amazon Aurora Serverless v2 allows automatic capacity scaling to support demanding applications, which should help to reduce cloud costs and achieve best performance. With Aurora Serverless v2 you don’t pay for computer resources you don’t use.

Amazon Aurora Serverless is an on-demand, autoscaling configuration for Amazon Aurora. It automatically starts up, shuts down, and adjusts capacity to your application’s needs. Aurora Serverless v2 provides the full array of Amazon Aurora capabilities, including Multi-AZ support, Global Database, and read replicas, making it the perfect choice for various applications. To delve deeper into Amazon Aurora Serverless v2, check the documentation.

10. Datadog Application Security Monitoring (ASM) for more protection

Cloud security is nowadays one of the most discussed topics in the cloud community. Data breaches, misconfigurations, insider threats, and insufficient access management control can lead to serious cloud issues and financial damage. At the end of April, Datadog introduced its solution for security management. They announce the general availability of Datadog Application Security Monitoring (ASM), a new offering within the Cloud Security Platform that allows security, operations, and development teams to design, build and run secure and reliable applications. For more info about the solution, read an official post on the Datadog site.

11. GitLab adds fourth DORA metric API to CI/CD platform 

The recent update to GitLab’s CI/CD platform has brought more than 25 improvements, including the addition of support for the application programming interface (API) for measuring change failure rates. This release supports the fourth metric as defined in the DevOps Research and Assessment (DORA) framework. In addition, GitLab 14.10 extended the GitLab Runner Operator for Kubernetes to any distribution of the open-source platform and made it possible to manually trigger incident responses when needed. Check for more details here.

12. New releases of Calico, Cilium, Kuma and Istio

April brought us a lot of exciting news and releases. We’ve already mentioned Kubernetes 1.24, but there are many more updates of which you should be aware. Calico v3.20.5 was introduced, and Cilium v1.11.4 became available with numerous improvements, including two minor changes, 16 bug fixes, five CI changes and 24 miscellaneous changes.

Kuma also announced the release of Kuma 1.6.0, packed with cool features and improvements. Kuma 1.6.0 comes with:

  • Kubernetes Gateway API support
  • ZoneEgress improvements
  • many improvements to the Helm charts
  • a new metric to see how long configuration changes take to propagate to data plane proxies

Last but not least, there is Istio 1.13.3. This patch release includes bug fixes to improve robustness and some additional configuration support.

 13. AWS IAM for better resource management  

AWS Identity and Access Management (IAM) added a new capability for better resource management — now users can control access to their resources based on the account, Organizational Unit (OU) or organization in AWS Organizations that contains those resources.

AWS generally recommend using multiple accounts when workloads grow as they allow setting up flexible security controls for specific workloads or applications. This new IAM capability helps to control access to resources as users can design IAM policies to enable the principals to access only resources inside specific AWS accounts, OUs, or organizations. Read the AWS post to learn more about this update.

 14. LemonDuck bot targets Docker cloud instances to mine cryptocurrency

The CrowdStrike Cloud Threat Research team found the well-known cryptomining bot LemonDuck targeting Docker cloud instances for cryptomining operations. It runs an anonymous mining operation by the use of proxy pools, which hide the wallet addresses.

LemonDuck is a cryptomining botnet involved in targeting Microsoft Exchange servers via ProxyLogon and the use of EternalBlue and BlueKeep to mine cryptocurrency. But now, Docker cloud instances are at risk. As Docker usually runs container workloads in the cloud, a misconfigured cloud instance could expose a Docker API to the internet. This API could then be exploited to run a cryptocurrency miner inside a container. For more details, read the CrowdStrike report on this case.

 The bottom line

The Profisea team is constantly on the lookout for the latest DevOps and Cloud news to share with you.

Don’t hesitate to contact us and tell us what you would like to see in our next digests and what topics we need to feature.

Our experts are constantly busy preparing new items of useful info for you.

And, of course, if your business requires any DevOps services, we are here to lend you a helping hand as we always have the best DevOps and CloudOps practices at our fingertips.