The Cloud Native Computing Foundation (CNCF) is an open-source software collective that aims to make the adoption of cloud-native computing universal. CNCF is driven by a community of developers, end users, and IT service providers that collaborate to create open-source, vendor-neutral tools. CNCF creates tools for projects that help boost the adoption of cloud-native computing. One such tool is Kubernetes, which has single-handedly changed the way workloads are hosted in the cloud. Kubernetes, which started as a project by Google, is now an official part of CNCF’s impressive and ever-growing cloud-native landscape. These projects are usually hosted on GitHub and help enterprises go cloud-native with ease. CNCF projects go through three phases: Sandbox, Incubating, and Graduation. Let’s take a close look at five new CNCF tools that you should consider adding to your application stack.
1. Harbor
Harbor is an open-source container image registry that was initially developed by VMware and is now a part of CNCF. Harbor has recently entered the incubating stage of the CNCF project lifecycle. Public image registries can help enterprises get to work quickly; however, they are extremely vulnerable and can be tampered with. Harbor is a private, on-premises registry for organizations that don’t want to use public or cloud-based repositories. Harbor is easy to install: it can be deployed as a standalone registry with a Docker Compose script, or deployed to your Kubernetes platform with Helm charts. Once deployed, Harbor lets you isolate your container images in logical groups called projects to make image lifecycle management easier. Users can then be given role-based access to these projects to ensure security. Harbor also scans your images for vulnerabilities. Images are scanned at rest by Clair, using a configurable set of sources to identify vulnerabilities. Scans can be run manually, or automated based on a set frequency or on policies.
Harbor uses a clean web-based UI that makes browsing repositories and images quite efficient. Other features include webhook notifications that can be used to quickly integrate the registry with CI/CD tools. Projects can be replicated between registries of major cloud vendors, making Harbor truly vendor-agnostic. With Harbor, you can apply exceptions so that developers can continue using containers with a known bug without any interruptions. Users can set a limit on how many tags a project can contain. A project quota can also be set to allow a specific storage capacity for each project. Default quotas can be applied globally or to each project based on requirements. Although this tool is still in the incubating stage, enterprises that are going cloud-native should consider making Harbor a part of their application stack.
2. The Update Framework
The Update Framework (TUF) is the latest in the line of graduated CNCF projects. It’s one of the first security-related projects to have gotten CNCF’s blessing. Updating applications, library packages, and system packages is important for adding new features and addressing old vulnerabilities. Software update systems are responsible for identifying, locating, and then downloading updates regularly. However, the repositories that host these updates keep getting newer updates frequently, which makes it easy for attackers to launch a hidden attack leveraging an update. Attackers can trick update systems into downloading an older, less-secure version or a tampered update, thereby giving attackers a way into your systems. TUF provides a framework that can be used to secure these updates and defend against a wide range of attacks and update vulnerabilities. TUF does so by adding a verifiable record, in the form of metadata, about the state of a repository or application.
The metadata includes the following information:
- Metadata version number
- Date of expiration of the metadata
- Signatures on the metadata
- Hashes of the files
- Trusted signing keys
This record is then used to verify the authenticity of an update. TUF downloads updates together with their respective repository metadata, verifies the updates, and hands them to the update system of your choice only if they are trusted. This way, software update systems never have to deal with the additional metadata.
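The checks that this metadata enables can be sketched as follows. This is an added example, not code from TUF or from the original article: the function names, key ids and threshold are hypothetical, the sample record is constructed, and HMAC-SHA256 stands in for the public-key signatures TUF actually uses so that the sketch runs with the standard library alone.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

# Constructed trust root (key id -> key). HMAC-SHA256 is a stand-in for the
# public-key signatures TUF uses, so the example needs only the stdlib.
TRUSTED_KEYS = {"key-a": b"constructed-a", "key-b": b"constructed-b"}
THRESHOLD = 2  # assumed policy: valid signatures needed from distinct keys

def sign(signed, keyid):
    blob = json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(TRUSTED_KEYS[keyid], blob, hashlib.sha256).hexdigest()

def make_metadata(version, expires, files, keyids):
    """Repository side: build a constructed, signed metadata record."""
    signed = {"version": version, "expires": expires,
              "hashes": {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}}
    return {"signed": signed, "signatures": {k: sign(signed, k) for k in keyids}}

def verify_update(meta, name, data, last_version, now):
    """Client side: return (ok, reason); hand the file on only if ok."""
    signed = meta["signed"]
    valid = {k for k, sig in meta["signatures"].items()
             if k in TRUSTED_KEYS and hmac.compare_digest(sig, sign(signed, k))}
    if len(valid) < THRESHOLD:
        return False, "not enough valid signatures"
    if datetime.fromisoformat(signed["expires"]) <= now:
        return False, "metadata expired"
    if signed["version"] < last_version:
        return False, "rollback: older than last trusted version"
    if signed["hashes"].get(name) != hashlib.sha256(data).hexdigest():
        return False, "file hash mismatch"
    return True, "trusted"

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo
GOOD = make_metadata(5, "2024-06-01T00:00:00+00:00", {"app.tar": b"v5"}, ["key-a", "key-b"])

if __name__ == "__main__":
    print(verify_update(GOOD, "app.tar", b"v5", 4, NOW))        # genuine update
    print(verify_update(GOOD, "app.tar", b"tampered", 4, NOW))  # modified file
    print(verify_update(GOOD, "app.tar", b"v5", 6, NOW))        # replayed old metadata
```

Signatures are checked first, so the expiry date, version number and hashes are only trusted after the record itself is known to come from the trusted keys.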
3. Vitess
Vitess is a cloud-native database system that sped through CNCF hoops and became its eighth graduated project. Vitess was initially developed by YouTube in 2010 to scale its storage. Vitess is a database clustering system that combines important SQL features with the scalability of NoSQL and scales horizontally. Vitess can deploy, scale, and manage large clusters of open-source instances with ease, regardless of whether they are hosted on private or public clouds or on-premises. Vitess helps organizations scale their database storage without affecting performance. MySQL doesn’t natively support sharding, however, and as your database grows, you’ll want it. With Vitess, you get this feature without having to add the sharding logic to your application, ensuring that application changes remain minimal.
Vitess handles database performance in several ways. With Vitess, you can limit the maximum number of parallel transactions that can run at any given time. Vitess rewrites problematic queries and also uses a caching mechanism to handle duplicate queries. Vitess can automatically terminate queries after a specified time if they are unable to fetch results. Vitess also monitors and analyses your database to ensure optimum performance. With Vitess, you can deploy and manage a myriad of SQL database instances without any hassle. Vitess also allows you to manage access control lists (ACLs) for your tables to give appropriate access to the connected users.
4. Falco
Falco is CNCF’s first runtime security project in incubation. Falco was initially developed by Sysdig as an open-source initiative to monitor container runtime. For cloud-native workloads, security is vital. Even though there are several processes in place that take care of security at the application, container, and network levels, some risks can still go unnoticed. Runtime security acts as the last line of defense when all other security processes fail. Falco provides unmatched runtime detection by alerting users to any event or activity that is considered unexpected. Falco can be easily deployed as a long-running daemon or as a Debian/RPM package. Falco is configured using a rule file that specifies which events to look out for. Once Falco encounters the specified events, it sends out alerts to notify users. Falco uses Linux kernel modules to provide all-round runtime security.
5. KubeVirt
Not all VM-based workloads can be containerized, and this fact is becoming more and more apparent as enterprises embark on migration projects. KubeVirt provides an excellent solution to this dilemma. With KubeVirt, you can run your containerized and virtualized workloads through a unified platform that helps bridge the gap between the traditional and modern application development approaches. This allows developers to keep developing newer applications while slowly migrating virtualized components at their own pace. KubeVirt allows developers to manage VMs using Kubernetes. It does so by adding virtualized resource types to Kubernetes using the Kubernetes custom resource definition API, along with additional controllers and agents that run alongside your Kubernetes cluster. KubeVirt is backed by Red Hat and is one of the latest additions to CNCF’s portfolio.
CNCF tools for a cloud-native future
The CNCF landscape is teeming with promising new tools and technologies that you should consider adding to your application stack to accelerate your journey toward a cloud-native future.