跳到主要内容

· 阅读需 2 分钟
Vincent Lin

As the first cloud-native edge computing community, KubeEdge provides solutions for cloud-edge synergy and has been widely adopted in industries including Transportation, Energy, Internet, CDN, Manufacturing, Smart campus, etc. With the accelerated deployment of KubeEdge in this area based on cloud-edge synergy, the community will improve the security of KubeEdge continuously in cloud-native edge computing scenarios.

The KubeEdge community attaches great importance to security and has set up Sig Security and Security Team to design KubeEdge system security and quickly respond to and handle security vulnerabilities. To conduct a more comprehensive security assessment of the KubeEdge project, the KubeEdge community cooperates with Ada Logics Ltd. and The Open Source Technology Improvement Fund performed a holistic security audit of KubeEdge and output a security auditing report, including the security threat model and security issues related to the KubeEdge project. Thank you to experts Adam Korczynski and David Korczynski of Ada Logics for their professional and comprehensive evaluation of the KubeEdge project, which has important guiding significance for the security protection of the KubeEdge project. Thank you Amir Montazery and Derek Zimmer of OSTIF and Cloud Native Computing Foundation (CNCF) who helped with this engagement.

The discovered security issues have been fixed and patched to the latest three minor release versions (v1.11.1, v1.10.2, v1.9.4) by KubeEdge maintainers according to the kubeedge security policy. Security advisories have been published here.

For more details of the threat model and the mitigations, Please check KubeEdge Threat Model And Security Protection Analysis: https://github.com/kubeedge/community/tree/master/sig-security/sig-security-audit/KubeEdge-threat-model-and-security-protection-analysis.md.

References:

Audit report: https://github.com/kubeedge/community/tree/master/sig-security/sig-security-audit/KubeEdge-security-audit-2022.pdf

OSTIF Blogpost: https://ostif.org/our-audit-of-kubeedge-is-complete-multiple-security-issues-found-and-fixed

CNCF Blogpost:

KubeEdge Threat Model And Security Protection Analysis: https://github.com/kubeedge/community/tree/master/sig-security/sig-security-audit/KubeEdge-threat-model-and-security-protection-analysis.md

· 阅读需 4 分钟
Kevin Wang
Fei Xu

KubeEdge is an open source system extending native containerized application orchestration and device management to hosts at the Edge. It is built upon Kubernetes and provides core infrastructure support for networking, application deployment and metadata synchronization between cloud and edge. It also supports MQTT and allows developers to author custom logic and enable resource constrained device communication at the Edge.

On December 6th, the KubeEdge community is proud to announce the availability of KubeEdge 1.9. This release includes a major upgrade for Custom HTTP Request Routing from Edge to Cloud through ServiceBus for Applications, CloudCore run independently of the Kubernetes Master host and containerized deployment using Helm, EdgeMesh add tls and encryption security, and compiled into rpm package, which includes:

  • Custom HTTP Request Routing from Edge to Cloud through ServiceBus for Applications

  • CloudCore run independently of the Kubernetes Master host

  • EdgeMesh add tls and encryption security

  • Enhance the ease of use of EdgeMesh

  • Support containerized deployment of CloudCore using Helm

  • Support compiled into rpm package and installed on OS such as openEuler using yum package manager

  • 40+ bug fixes and enhancements.

Please refer to CHANGELOG v1.9 for a full list of features in this release

备注

Release details - Release v1.9

备注

How to set up KubeEdge - Setup

Release Highlights

Support Custom HTTP Request Routing from Edge to Cloud through ServiceBus for Applications

A HTTP server is added to ServiceBus, to support custom http request routing from edge to cloud for applications. This simplifies the rest api access with http server on the cloud while client is in the edge.

Refer to the links for more details. (#3254, #3301)

Support CloudCore to run independently of the Kubernetes Master host

CloudCore now supports to run independently of the Kubernetes Master host, iptablesmanager has been added as an independent component, users only need to deploy the iptablesmanager to Kubernetes Master host, which now can add the iptable rules for Cloud-Edge tunnel automatically

Refer to the links for more details. (#3265)

EdgeMesh add tls and encryption security

EdgeMesh's tunnel module adds tls and encryption security capabilities. These features bring more secure protection measures to the user's edgemesh-server component and reduce the risk of edgemesh-server being attacked.

Refer to the links for more details. (EdgeMesh#127)

Enhanced the ease of use of EdgeMesh

EdgeMesh has many improvements in ease of use. Now users can easily deploy EdgeMesh's server and agent components with a single command of helm. At the same time, the restriction on service port naming is removed, and the docker0 dependency is removed, making it easier for users to use EdgeMesh.

Refer to the links for more details. (EdgeMesh#123, EdgeMesh#126, EdgeMesh#136, EdgeMesh#175)

Support containerized deployment of CloudCore using Helm

CloudCore now supports containerized deployment using Helm, which provides better containerized deployment experience.

Refer to the links for more details. (#3265)

Support compiled into rpm package and installed on OS such as openEuler using yum package manager

KubeEdge now supports compiled into rpm package and installed on OS such as openEuler using yum package manager.

Refer to the links for more details. (#3089, #3171)

In addition to the above new features, KubeEdge v1.9 also includes the following enhancements:

  • Rpminstaller: add support for openEuler (#3089)

  • Replaced 'kubeedge/pause' with multi arch image (#3114)

  • Make meta server addr configurable (#3119)

  • Added iptables to Dockerfile and made cloudcore privileged (#3129)

  • Added CustomInterfaceEnabled and CustomInterfaceName for edgecore (#3130)

  • Add experimental feature (#3131)

  • Feat(edge): node ephemeral storage info (#3157)

  • Support envFrom configmap in edge pods (#3176)

  • Update golang to 1.16 (#3190)

  • Metaserver: support shutdown server graceful (#3239)

  • Support labelselector for metaserver (#3262)

Future Outlook

With the release of v1.9, KubeEdge supports custom HTTP request routing from Edge to Cloud through ServiceBus for applications, supports CloudCore running independently of the Kubernetes Master host, supports containerized deployment of CloudCore using Helm, supports tls and encryption security and the ease of use of EdgeMesh. Thanks to Huawei, China Unicom, DaoCloud, Zhejiang University SEL Lab, ARM and other organizations for their contributions, as well as all community contributors for their support!

The community plans to further improve the user experience and the stability of KubeEdge in subsequent versions and create the best “open source” intelligent edge computing platform for everyone to freely use.

For more details regarding KubeEdge, please follow and join us here:

https://kubeedge.io

· 阅读需 4 分钟
Kevin Wang
Fei Xu

KubeEdge is an open source system extending native containerized application orchestration and device management to hosts at the Edge. It is built upon Kubernetes and provides core infrastructure support for networking, application deployment and metadata synchronization between cloud and edge. It also supports MQTT and allows developers to author custom logic and enable resource constrained device communication at the Edge.

On October 31st, the KubeEdge community is proud to announce the availability of KubeEdge 1.8. This release includes a major upgrade for Active-Active HA Support of CloudCore for Large Scale Cluster, EdgeMesh Architecture Modification, EdgeMesh Cross LAN Communication, and Kubernetes Dependencies Upgrade, which includes:

  • Active-Active HA Support of CloudCore for Large Scale Cluster [Beta]

  • EdgeMesh Architecture Modification

  • EdgeMesh Cross LAN Communication

  • Onvif Device Mapper

  • Kubernetes Dependencies Upgrade

  • 30+ bug fixes and enhancements.

Please refer to CHANGELOG v1.8 for a full list of features in this release

备注

Release details - Release v1.8

备注

How to set up KubeEdge - Setup

Release Highlights

Active-Active HA Support of CloudCore for Large Scale Cluster [Beta]

CloudCore now supports Active-Active HA mode deployment, which provides better scalability support for large scale clusters. Cloud-Edge tunnel can also work with multiple CloudCore instances. CloudCore now can add the iptable rules for Cloud-Edge tunnel automatically.

Refer to the links for more details. (#1560, #2999)

EdgeMesh Architecture Modification

EdgeMesh now has two parts: edgemesh-server and edgemesh-agent. The edgemesh-server requires a public IP address, when users use cross lan communication, it can act as a relay server in the LibP2P mode or assist the agent to establish p2p hole punching. The edgemesh-agent is used to proxy all application traffic of user nodes, acts as an agent for communication between pods at different locations.

Refer to the links for more details. (edgemesh#19)

EdgeMesh Cross LAN Communication

Users can use cross LAN communication feature to implement cross LAN edge to edge application communication and cross LAN edge to cloud application communication.

Refer to the links for more details. (edgemesh#26, edgemesh#37, edgemesh#57)

Onvif Device Mapper

Onvif Device Mapper with Golang implementation is provided, based on new Device Mapper Standard. Users now can use onvif device mapper to manage the ONVIF IP camera.

Refer to the links for more details. (mappers-go#48)

Kubernetes Dependencies Upgrade

Upgrade the vendered kubernetes version to v1.21.4, users now can use the feature of new version on the cloud and on the edge side.

Refer to the links for more details. (#3021, #3034)

In addition to the above new features, KubeEdge v1.8 also includes the following enhancements:

  • Refactor edgesite: import functions and structs instead of copying code (#2893)

  • Avoiding update cm after created a new cm (#2913)

  • Solved the checksum file download problem when ke was installed offline (#2909)

  • cloudcore support configmap dynamic update when the env of container inject from configmap or secret (#2931)

  • Remove edgemesh from edgecore (#2916)

  • keadm: support customsized labels when use join command (#2827)

  • support k8s v1.21.X (#3021)

  • Handling node/*/membership/detail (#3025)

  • sync the response message unconditionally (#3014)

  • support default NVIDIA SMI command (#2680)

Future Outlook

With the release of v1.8, KubeEdge supports Active-Active HA mode deployment, which provides better scalability support for large scale clusters, supports cross LAN communication by EdgeMesh, and supports Onvif Device Mapper. Thanks to Huawei, China Unicom, DaoCloud, Zhejiang University SEL Lab, ARM and other organizations for their contributions, as well as all community contributors for their support!

The community plans to further improve the user experience and the stability of KubeEdge in subsequent versions and create the best “open source” intelligent edge computing platform for everyone to freely use.

For more details regarding KubeEdge, please follow and join us here:

https://kubeedge.io

· 阅读需 4 分钟
Kevin Wang
Fei Xu

KubeEdge is an open source system extending native containerized application orchestration and device management to hosts at the Edge. It is built upon Kubernetes and provides core infrastructure support for networking, application deployment and metadata synchronization between cloud and edge. It also supports MQTT and allows developers to author custom logic and enable resource constrained device communication at the Edge.

On June 10th, the KubeEdge community is proud to announce the availability of KubeEdge 1.7. This release includes a major upgrade for Active-Active HA Support of CloudCore for Large Cluster and a new Device Mapper Framework, which includes:

  • Active-Active HA Support of CloudCore for Large Scale Cluster [Alpha]

  • Support to manage Clusters on Edge [Alpha]

  • Decoupled EdgeMesh from EdgeCore

  • Autonomic Kube-API Endpoint for Applications On Edge Nodes [Beta]

  • Custom HTTP Request Routing between Cloud and Edge for Applications [Alpha]

  • Kubernetes Dependencies Upgrade

  • 34+ bug fixes and enhancements.

Please refer to CHANGELOG v1.7 for a full list of features in this release

备注

Release details - Release v1.7

备注

How to set up KubeEdge - Setup

Release Highlights

Active-Active HA Support of CloudCore for Large Scale Cluster [Alpha]

CloudCore now supports Active-Active HA mode deployment, which provides better scalability support for large scale clusters. Cloud-Edge tunnel can also work with multiple CloudCore instances.

Refer to the links for more details. (#1560, #2867)

Support to manage Clusters on Edge [Alpha]

In some scenarios, uses may have full-size Kubernetes clusters deployed on the edge. With EdgeSite, users are now able to access clusters on edge (in private network, behind NATed gateway, etc) from center cloud. (#2650, #2858)

Decoupled EdgeMesh from EdgeCore

EdgeMesh aims to provide simplified network and services for edge applications. The EdgeMesh module is now decoupled from EdgeCore and able to be deployed as an independent components in containers.

Refer to EdgeMesh for more details

Mapper Framework

Users are now able to use mapper framework to generate a new device mapper. This simplifies the mapper development when users trying to integrate with new protocols or new devices. (mappers-go#41)

Autonomic Kube-API Endpoint for Applications On Edge Nodes [Beta]

Autonomic Kube-API Endpoint provides native Kubernetes API access on edge nodes. It's very useful in cases users want to run third-party plugins and applications that depends on Kubernetes APIs on edge nodes. With reliable message delivery and data autonomy provided by KubeEdge, list-watch connections on edge nodes keep available even when nodes are located in high latency network or frequently get disconnected to the Cloud.

In this release, a bunch of corner case issues are fixed and the stability is improved. And the feature maturity is now Beta.

Custom HTTP Request Routing between Cloud and Edge for Applications [Alpha]

A new RuleEndpointType servicebus is added to RuleEndpoint API, to support custom http request routing between cloud and edge for applications. This simplifies the rest api access with http server on the edge while client is in the cloud. (#2588)

28+ bug fixes and enhancements

In addition to the above new features, KubeEdge v1.7 also includes the following enhancements:

  • Implement update rule status

  • Install crd for router in keadm

  • Remove synckeeper in edgehub

  • upstream: refactor kubeClientGet

  • make customsiz labels available when restart

Future Outlook

With the release of v1.7, KubeEdge supports Active-Active HA mode deployment, which provides better scalability support for large scale clusters. Thanks to Huawei, China Unicom, Zhejiang University SEL Lab, ARM and other organizations for their contributions, as well as all community contributors for their support!

The community plans to further improve the user experience and the stability of KubeEdge in subsequent versions and create the best “open source” intelligent edge computing platform for everyone to freely use.

For more details regarding KubeEdge, please follow and join us here:

https://kubeedge.io

· 阅读需 4 分钟
Kevin Wang
Fei Xu

KubeEdge is an open source system extending native containerized application orchestration and device management to hosts at the Edge. It is built upon Kubernetes and provides core infrastructure support for networking, application deployment and metadata synchronization between cloud and edge. It also supports MQTT and allows developers to author custom logic and enable resource constrained device communication at the Edge.

KubeEdge v1.6: A major upgrade for maintainability

On 27th February, the KubeEdge community is proud to announce the availability of KubeEdge 1.6. This release includes a major upgrade for maintainability, which includes:

  • Support Autonomic Kube-API Endpoint for Applications On Edge Nodes [Alpha]

  • Custom Message Routing between Cloud and Edge for Applications [Alpha]

  • Simplified Application Autonomy Configuration When Node Is Off-line

  • New home for Device Mappers code

  • OPC-UA Device Mapper

  • 24+ bug fixes and enhancements.

Please refer to CHANGELOG v1.6 for a full list of features in this release.

备注

Release details - Release v1.6

备注

How to set up KubeEdge - KubeEdge Setup

Release Highlights

Support Autonomic Kube-API Endpoint for Applications On Edge Nodes [Alpha]

Autonomic Kube-API Endpoint is now available on edge nodes! Users are now able to run third-party plugins and applications that depends on Kubernetes APIs on edge nodes. List-watch connections are established between client and the local endpoint provided by EdgeCore. With reliable message delivery and data autonomy provided by KubeEdge, list-watch connections on edge nodes keep available even when nodes are located in high latency network or frequently get disconnected to the Cloud.

This is very useful in cases that users want to install customized versions of Kubelet, Kube-Proxy, CNI and CSI plugins with KubeEdge. Particularly, Kubernetes CRDs are also supported on edge nodes. (#2508, #2587)

Custom Message Routing between Cloud and Edge for Applications [Alpha]

Added support of routing management with Rule, RuleEndpoint API and a router module. Users are now able to use KubeEdge to deliver their custom messages between cloud and edge.

Note that it's designed for control data exchange between cloud and edge, not suitable for large data delivery. The data size of delivery at one time is limited to 12MB.

Refer to custom message deliver for more details. (#2413)

Simplified Application Autonomy Configuration When Node Is Off-line

If user wants any application to stay on edge nodes when disconnected to the cloud, simply add label app-offline.kubeedge.io=autonomy to its pods. KubeEdge will automatically override pod default toleration configuration for Taint node.kubernetes.io/unreachable to avoid Kubernetes evicting pods from unreachable nodes. (#2499)

New home for Device Mappers code

Device Mappers implementations now have a new home kubeedge/mappers-go.

OPC-UA Device Mapper

OPC-UA Device Mapper with Golang implementation is provided, based on new Device Mapper Standard. (mappers-go#4).

24+ bug fixes and enhancements

In addition to the above new features, KubeEdge v1.6 also includes the following enhancements:

  • support kubectl get --raw /api/v1/nodes/{node}/proxy/metrics (#2437)

  • support more metric path in cloud (#2482)

  • edgecore: add nfs localpath support (#2529)

  • add func that make subscribed topics persistence (#2457)

Future Outlook

With the release of v1.6, KubeEdge provides autonomic Kube-API endpoint for applications On Edge nodes, custom message routing between Cloud and Edge, a new repository for Device Mappers, a more friendly user experience, and a more friendly community contributor experience. Thanks to Huawei, China Unicom, Zhejiang University SEL Lab, ARM and other organizations for their contributions, as well as all community contributors for their support!

The community plans to further improve the user experience and the stability of KubeEdge in subsequent versions and create the best “open source” intelligent edge computing platform for everyone to freely use.

For more details regarding KubeEdge, please follow and join us here:

https://kubeedge.io