Mirantis has released k0s 1.27 as the latest and greatest version of its open-source Kubernetes distribution. With this release, the focus seems to be on security.
Mirantis, the company that bought Docker Enterprise in 2019 and several releases later renamed it Mirantis Kubernetes Engine, announced on Thursday the release of k0s 1.27, the company’s own branded (but still open source) version of Kubernetes. As the release number implies, this new release adds compatibility with Kubernetes 1.27, the Cloud Native Computing Foundation’s flagship project’s latest and greatest. It includes some improvements and bug fixes as well.
Most of all, however, it pushes security. It’s more secure than upstream Kubernetes, the company says, which should make it attractive to enterprise customers in this age when enterprise security has become “job one” in the technology arena, via a direct edict from the Biden administration.
“We’ve hardened Kubernetes security with this release of k0s…by shipping core system images that are managed and built by the k0s team at Mirantis,” Miska Kaipiainen, Mirantis’s VP of engineering, product strategy, and open source, said in a statement. “This provides users with improved security posture of clusters and decreases the attack surface.”
In a blog post published last week, before the official release, Kaipiainen described the work the Mirantis team has put into hardening this release.
“Before 1.27, k0s relied on system images published by various upstream projects,” he said. “This has worked pretty well, but there are some downsides. For one thing, it’s understood (sadly) that most upstream system images used by Kubernetes contain CVEs.”
Scan an upstream image of Kubernetes, he said, and you’ll find a dozen or more vulnerabilities. Most will be irrelevant, but others “pose risks and might let knowledgeable bad actors succeed in attacking clusters. It also looks scary: you definitely don’t want to see a ton of red flags on the pods and images powering functionality at the heart of your Kubernetes cluster.”
Kaipiainen’s pitch is that you won’t find these red flags if you scan the latest k0s, a result he says the team achieved without resorting to custom forks of the code, which could pose a problem for DevOps teams.
“Starting with this 1.27 release, k0s will run all system components with images that we build ourselves,” he said. “We still use pure upstream functionality and do not use any custom forks of project components. Essentially what we do is take the upstream components as-is and rebuild the images in a way that mitigates as many known CVEs as possible. This way, we are not at the mercy of upstream projects, for whom mitigating non-essential fixes in their images is probably not a top priority.”
“[S]ystem images shipping with k0s 1.27 come with zero…known vulnerabilities,” he added. “We have daily scanning in place which lets us keep track of vulnerabilities as they pop up, and mitigate them super-quickly.”
This new Kubernetes distribution isn’t only about security, of course. There are improvements to make life easier for both sides of the DevOps teams working with the software.
Other improvements simplify the installation and management of Kubernetes clusters. These include, for example, support for containerd plug-ins that simplify running WASM and gVisor container sandboxes, which makes it easier to extend clusters with additional container runtimes.
k0s is a CNCF-certified Kubernetes distribution that can be used for large-scale data center deployments, as well as in smaller, lightweight edge clusters — or on laptops or Raspberry Pis. It’s distributed as a single binary and can be installed on any node from the internet with one command. Platform deployment and scaling are managed locally via the k0s command line interface, or remotely (using configuration files) via the k0sctl utility. Updates are managed automatically using the software’s built-in Autopilot. Operators can access k0s clusters via kubectl, Lens Desktop, and other standard Kubernetes CLIs and dashboards.
If you want to take it for a test drive, you can download it from Mirantis’s website, which also contains a Quick Start Guide, complete instructions, and links to tutorials.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux