KubeCon Concluded in Austin, Texas

Kubernetes has become the Linux of the cloud. It has seen massive adoption in the last three years. The first release of Kubernetes was announced in 2014. All three major cloud providers, including Google (the creator of Kubernetes), Microsoft, and AWS now support Kubernetes. Even Docker started offering Kubernetes as an orchestrator along with its own orchestrator Swarm. Cloud Foundry has adopted Kubernetes as Cloud Foundry Container Runtime, and OpenStack vendors have already adopted Kubernetes to deploy OpenStack as an application. All major Linux vendors, including Red Hat, SUSE, and Canonical offer Kubernetes distributions.

The adoption and growth of Kubernetes was the theme of KubeCon, the Kubernetes conference that was held between December 6 and 8 in Austin, Texas. During the conference, Oracle open sourced its Kubernetes tools for serverless deployment and multicloud management.

Microsoft announced that Azure would bring new serverless and DevOps capabilities to the Kubernetes community, and Bitnami launched a new in-cluster Kubernetes Application Consol.

The Kubernetes community announced the 1.0 release of CoreDNS, a cluster DNS for Kubernetes. JFrog and Baidu joined Cloud Native Computing Foundation (CNCF), the home of Kubernetes, as Gold members.

Dell to Disable Intel's Insecure ME

The Intel vPro Management Engine (ME) came under fire recently when security researchers found serious bugs that allowed a remote attacker to take control of the affected systems.

"The exploitation allows an attacker to get full control over business computers, even if they are turned off (but still plugged into an outlet). We really hope by bringing this to light, it will raise awareness about security issues in firmware and avoid possible issues in the future," wrote Embedi, the security firm that discovered the bug.

Intel doesn't share any information about these "secretive" ME technologies. ME modules sit above the operating systems and users have no access or control over the technology. Organizations like Electronic Frontier Foundation (EFF) are calling for more transparency around ME modules. EFF asked Intel to "Provide a way for their customers to audit ME code for vulnerabilities. That is presently impossible because the code is kept secret."

Because Intel doesn't provide any such information, PC vendors and users don't have any means to audit or fix such vulnerabilities. Now one PC vendor has taken steps to protect its users. Dell is now disabling Intel ME in all new systems, and users will have to pay to enable the service.

In a statement to ExtremeTech, Dell said, "Dell has offered a configuration option to disable the Intel vPro Management Engine (ME) on select commercial client platforms for a number of years (termed Intel vPro – ME inoperable, custom order on Dell.com). Some of our commercial customers have requested such an option from us, and in response, we have provided the service of disabling the Management Engine in the factory to meet their specific needs. As this SKU can also disable other system functionality, it was not previously made available to the general public."

PC vendors, especially those selling Linux preloaded systems, are following suite and disabling ME by default. Dell is the biggest PC vendor, and if other vendors start disabling the engine, Intel might be compelled to either open source the technology or offer more transparency around it.

Linus Torvalds' Precious Advice to Security Experts

Linus Torvalds, the creator of the Linux kernel, is no fan of the security community. In his opinion security is just bugs that get exploited. "I don't trust security people to do sane things," said Torvalds, responding to a merge request by one of the top kernel developers Kees Cook.

What ticked Torvalds off this time was that Kees' patch had the potential to break things, and he added a fallback mode. Kees wrote, "This has lived in -next for quite some time without major problems, but there were some late-discovered missing whitelists, so a fallback mode was added just to make sure we don't break anything. I expect to remove the fallback mode in a release or two."

Torvalds refused to merge and said, "If you can make a smaller pull request that introduces the infrastructure, but that _obviously_ cannot actually break anything, that would be more likely to be palatable."

To which Kees responded, "This is why I introduced the fallback mode: with both kvm and sctp (ipv6) not noticed until late in the development cycle, I became much less satisfied it had gotten sufficient testing. I wanted to make sure there was a way for the series to land without actually breaking things due to any missed whitelists."

Torvalds said, "I'm not at all interested in killing processes. The only process I'm interested in is the _development_ process, where we find bugs and fix them."

But this time Torvalds has a valuable piece of advice for security people. He said that the primary focus should be "debugging" and making sure the kernel released in a year is better than the one released today. He dismissed the popular notion of kill processes for bugs. "… the hardening efforts should instead _start_ from the standpoint of 'let's warn about what looks dangerous, and maybe in a _year_ when we've warned for a long time, and we are confident that we've actually caught all the normal cases, _then_ we can start taking more drastic measures'," said Torvalds, "Stop this idiotic 'kill on sight, ask questions later'."