The KRACK attack was disclosed and Kubernetes will be built into Docker.

KRACK

Sometimes it’s convenient when something big goes up right after my weekly note as it ensures that all the immediate hype is passed before I talk about it. That said, it also means that there isn’t much new to say as most of you will have heard about the KRACK attack that breaks WPA2.

Regardless, this is also for me to ensure I know these things, how does this work? Without going into all the various details¹ KRACK basically allows an attacker to replace the keys used to encrypt traffic between the user and the access point. This then lets the attacker read and decrypt the data transferred. Obviously, when connecting to a secure endpoint (https, SSL, or even a VPN) this is less of an issue, but still there.

Next up, what is the actual impact? While it is a bad attack, please keep in mind that it is also one that can only be carried out locally. Which means that public WiFi is not secure², and that if your home router isn’t patched you might be vulnerable to an attack there too. This is more likely to be a problem if you live in an apartment building, but even otherwise it could be attacked by someone in the street or a neighbor³. How likely is a different matter of course.

Of course, devices and operating systems have already started receiving patches. The biggest issue there is likely Android phones, which are not only vulnerable to a more powerful version of the attack⁴, but also has have their regular issue with receiving updates. The other patching issue would be IoT devices, and especially those where the firmware can’t-or is unlikely to-be updated. Unfortunately there isn’t much to be done about that, and to be completely secure you’ll probably have to replace these devices.

Docker and Kubernetes

In more fun news, Kubernetes is now a first class orchestration tool within Docker. This coincides with Kubernetes changing its container runtime away from Docker to CRI-O, basically having the two projects switch roles in this regard.

Kubernetes will have a similar status as Swarm, and come built into the releases of Docker. This will be the standard version of Kubernetes, without any changes made to it. Docker will also automatically translate the Docker native config files for Swarm so that Kubernetes can understand them so you don’t need to change how you write it.

Moby⁵ is hard at work updating the various components to make it all work better together. That said, while having it incorporated into your Docker development work is nice, I suspect for existing Kubernetes users it might still be easier to just run it locally using the tools they already have. It will definitely help in most other scenarios though, and in my mind this is a great win for both projects.