+++
author = "AWS Kubernetes Developer Advocates"
categories = ["Archive", "2022", "Weekly"]
date = 2022-01-28T08:00:00Z
draft = false
slug = "003"
title = "EKS News 003"
aliases = [
    "/blog/eks-news-003",
    "/archive/eks-news-003"
]
+++
<br/><br/><br/><br/>
Four weeks into this newsletter and things are going well. Tooling choices have been made. The product (newsletter) is starting to hum along. Now is when it’s time to ask, “What would you like to see in the newsletter?” Hit reply and let us know.

This week we’ll touch on the new Amazon VPC IPAM tool, Amazon GuardDuty for EKS, Tekton, and more! Thank you for reading, please forward this to a friend or colleague.

### New and notable blogs

[Managing IP pools across VPCs and Regions using Amazon VPC IP Address Manager | Networking & Content Delivery](https://aws.amazon.com/blogs/networking-and-content-delivery/managing-ip-pools-across-vpcs-and-regions-using-amazon-vpc-ip-address-manager/)

* Amazon simplifies IP address management through the new Amazon VPC IPAM service. IPAM enables you to plan, track, and monitor your IP spaces across your AWS accounts, VPCs, and AWS resources.
* Built to serve as a single source of truth for all IP address-related usage information across all of your AWS accounts
* Ensures that IP planning does not impede your growth goals

[Amazon GuardDuty now protects Amazon Elastic Kubernetes Service clusters](https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-guardduty-elastic-kubernetes-service-clusters/)

* Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation
* Continuously monitor and profile cluster activity to identify malicious or suspicious behavior that represents potential threats to container workloads
* At launch, GuardDuty for EKS Protection includes [27 new GuardDuty finding types](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html)

[Cloud Native CI/CD with Tekton and ArgoCD on AWS](https://aws.amazon.com/blogs/containers/cloud-native-ci-cd-with-tekton-and-argocd-on-aws/)

* A quick introduction about Tekton and an explanation of some key concepts
* Practical example to build and deploy a Spring Boot-based web application with a Tekton native CI/CD Pipeline
* Demo code is [here](https://github.com/aws-samples/aws-pipeline-demo-with-tekton) if you want to tinker

### Ecosystem News

[CVE-2022-0185 in Linux Kernel Can Allow Container Escape in Kubernetes](https://blog.aquasec.com/cve-2022-0185-linux-kernel-container-escape-in-kubernetes)

* Nicknamed: [PwnKit](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034)
* This vulnerability provides an opportunity for an attacker who has access to a system as an unprivileged user to escalate those rights to root
* Updated AMIs [have been released](https://github.com/awslabs/amazon-eks-ami/releases/tag/v20220123) to mitigate CVE-2022-0185 on EKS
* Check your Linux distribution's updates for patches

[Announcing 100% Cloud Service Coverage for Crossplane](https://blog.upbound.io/cloud-service-coverage/)

* Crossplane now has 100% coverage for major cloud services
* New providers: provider-jet-aws, provider-jet-azure, and provider-jet-gcp
* Introducing Terrajet, a code generation pipeline for creating Crossplane providers

[New sync and diff strategies in ArgoCD](https://blog.argoproj.io/new-sync-and-diff-strategies-in-argocd-44195d3f8b8c)

* New experimental sync option
* Will verify diffing customizations while preparing the patch to be applied in the cluster
* Useful for resources that are incompatible with GitOps because a field value is required during resource creation and is also mutated by controllers after being applied to the cluster

[Cracking Kubernetes Network Policy](https://arthurchiao.art/blog/cracking-k8s-network-policy/)

* Digs into the Kubernetes `NetworkPolicy` model
* Design a policy enforcer based on the technical requirements
* Implement it with less than 100 lines of eBPF code
* Get a deeper understanding on how network policies are enforced

[Two reasons Kubernetes is so complex](https://buttondown.email/nelhage/archive/two-reasons-kubernetes-is-so-complex/)

* Kubernetes is a cluster operating system
* Everything in Kubernetes is a control loop
* Some finer points: “Errors are delayed,” “all configuration is declarative,” and “how pluggable and configurable Kubernetes is.”
{{< eo >}}