Week 17, 2018 - Azure Sphere; Docker EE 2.0; kaniko; Vault Operator

By (3 minutes read)

Azure Sphere is announced for IoT security; Docker EE 2.0 is released; and there are a couple of interesting new tools for Kubernetes.

Azure Sphere

Microsoft announced Azure Sphere, their new solution for securing the IoT devices of the future. It’s an interesting and ambitious project that gives on the pillars; a custom designed MCU1, a custom version of Linux2, and the Azure Sphere Security Service.

While it’s the first two of those where it seems that Microsoft is boldly going where they haven’t gone before, I’m more interested in the latter. Basically, this sounds like a security SaaS for IoT devices that have the Microsoft designed chip.

Obviously having a security system that updates is a good thing, as it allows a device to protect itself against new threats. Similarly, I like that supposedly3 this will be a cloud agnostic service which means that theoretically the providers have total control over getting security updates to their customers.

I am going to be negative here though. As we can see in the mobile phone market, there is little incentive to provide security updates for cheap devices, and I’m honestly not convinced that will be different here. Oh, I’m sure that the more expensive ones will be updated for a while, but those are already updated regularly4. It’s the cheaper ones where security is most lacking, and they probably won’t invest in a solution like this.

Of course, I hope they will and that Sphere leads the way to more secure IoT devices. I just don’t know if that will happen.

Docker EE 2.0

Docker Enterprise Edition 2.0 is out. The focus for this release is on better tools for enterprises 5, but there is also a clear push against lock-in. Except of course, for using Docker EE. Possibly the most interesting thing is that this is the first real release from a Docker project that comes with Kubernetes integration included. While it came first in the Docker on Desktop products, those are still only available in the Edge channels. In that regard, I’m a bit surprised that the enterprise offering has it first.

In general, it looks like a solid release. I don’t have any real experience with Docker EE though, so there isn’t a lot I can add to this.


Google introduced kaniko, a way to build container images in Kubernetes without privileges. In this case without privileges means that you don’t need to be a privileged user on the building machine to do so. The Dockerfile itself will still be executed as root user inside the container. The finer details of what privileged means in this context is explained in this excellent Twitter thread by Jessie Frazelle, as well as what the consequences of it are in this context.

{{< tweet 985947353981976576 >}}

Vault Operator for Kubernetes

Under their CoreOS branding, Red Hat released the Vault Operator for Kubernetes. This means it will be possible to integrate with Hashicorp’s Vault as if it’s a native application. While an interesting addition in itself, my primary interest here is in the proof that Red Hat lets CoreOS continue building useful tools and releasing these to the community. While I was mildly positive about this acquisition, it’s good to see some signs that validate that.

  1. Microcontroller chip ↩︎

  2. Yes, this really is from Microsoft. I know. ↩︎

  3. There is a one-page PDF on the Sphere product page saying it’s cross cloud, but I don’t know how it works. ↩︎

  4. Remember not to turn off your lights when you update your Hue lightbulbs ↩︎

  5. Shocker, I know. ↩︎

comments powered by Disqus