Break point: Cri-o, Kong, DKP, Log4j, and Happy Holidays from Team DevClass

break point christmas

Red Hat’s implementation of the Kubernetes container runtime interface cri-o has been released in version 1.23, which fits the project with new features such as a TARGET namespace mode to support ephemeral containers, to keep up with the latest orchestrator release. Additional metrics for things like the total number and latency of operations, the option to export OpenTelemetry trace data, and a configuration table for cri-o stats can also be found in the release and should provide more insight into what the tool is doing.

Before updating an installation, note that support for v1alpha2 of the container runtime interface has been dropped with the release and version 1 is needed for the tool to work. Cri-o 1.23 also comes with a couple of new and updated dependencies which could change its behaviour, as well as a variety of bug fixes, details on which are available in the project’s changelog.

Kong Gateway 2.7 gets FIPS compliant encryption library

The team behind Kong Gateway meanwhile pushed version 2.7 of its project into the open. The update seems to be mostly of interest to Enterprise subscribers, as the most exciting enhancements can only be found in this variant of the gateway and include consumer groups, a FIPS compliant cryptographic library, and improvements for OIDC configurations and encryption. 

Teams using the open source version can look forward to performance improvements, response customisation options for the ip-restriction plugin, and a couple of fixes to get rid of Cassandra cluster bootstrapping and booting issues.

D2iQ Kubernetes Platform extends OS support, diggs deeper into security

Kong isn’t the only company that decided to double down on FIPS-compliance in a recent release. Cloud native experts D2iQ for example also took a closer look at the necessary measures, teaching Konvoy 2.1 to validate FIPS 140-2 compliance. The result was shared with D2iQ customers through v2.1 of the D2iQ Kubernetes Platform, DKP for short, which also includes enhanced diagnostic bundles, and improvements for air-gapped installations. An updated version of multi-cluster manager Kommander was also part of the release, and contains new capabilities to provision, spin up, and de-provision EKS and AKS, provision fast data pipelines, continuous delivery and deployment with FluxCD, and single command cluster provisioning. 

Apache Software foundation informs about new Log4j vulnerability

The Log4j team doesn’t get much rest these days, as another high severity vulnerability was discovered in the project. CVE-2021-45105 affects versions 2.0-alpha1 through 2.16.0 of the logging project and can be used to cause denial of service attacks. https://logging.apache.org/log4j/2.x/security.htmlare meant to fix the issue and protect Log4j from uncontrolled recursion from self-referential lookups.

According to a recently released report by Google’s Open Source Insights Team, over 8% of the Java packages on Maven Central have been impacted by the vulnerabilities. Given that they found the average ecosystem impact to hit only 2% this is quite significant. The team however seems slightly hopeful when it comes to fixes, since it needed less than a week for roughly 13% of the affected artifacts to be patched.

Happy Holidays from Team DevClass

And with that, we’re wrapping up the last news roundup of 2021. Thank you so much for your continued interest throughout the year, it really means a lot to us.

We hope you have a nice end-of-year-break and look forward to welcoming you back in January. Take care!