Airship 1.0 steers towards secure cloud provisioning

Airship 1.0

The community behind OpenStack Foundation supported Airship, a collection of tools for configuring, deploying, and maintaining Kubernetes environments, has released its first major version. Airship 1.0 features security and resiliency improvements over earlier versions, with additional continuous integration and tooling enhancements.

In the last couple of months, Airship has been fitted with etcd backup functionality and better liveness and readiness probes, which are meant – along with additions to MaaS services and networking – to improve the system’s resiliency. Chart linting gates and automation to uplift Airship and OSH components in versions.yaml to the latest master have been included to facilitate a smoother continuous integration process.

The containerisation community’s growing focus on security hasn’t gone unnoticed either, which is why the platform now comes with Kubernetes audit logging and user context tracing, and support for etcd encryption. Airship now also leverages OpenStack-Helm network policy primitives, Kubernetes PodSecurityPolicy admission controllers, and Linux capabilities and pod security contexts for privileged operations.

Moreover it implements admission controller best practices, while HTTP security headers have found their way into the Shipyard API, and document aggregator Pegleg now sports support for YAML encryption at rest in Git repos and random secret/PKI generation amongst other security related enhancements.

To make the adoption of the project easier, the Airship team added a simple definition for getting started, expanded the documentation for individual Airship projects, and added ops-focused guides for configuration updates and troubleshooting.

Meanwhile learning development and gating environment Airskiff’s development and test environments have been aligned with the Treasuremap globals, which should give devs a leg-up when starting off with Airship.

Airship has been an OpenStack Foundation pilot project since May 2018, with the team actively working on getting a production-ready version together for about the same time. It is currently made up of twelve components, and specifically focuses on an implementation of OpenStack on Kubernetes.

The Airship code is protected under the Apache License Version 2.0 and can be found on repository management platform OpenDev.