github.com/operator-framework/operator-lifecycle-manager
This project is a component of the Operator Framework, an open source toolkit to manage Kubernetes native applications, called Operators, in an effective, automated, and scalable way. Read more in the introduction blog post.
OLM extends Kubernetes to provide a declarative way to install, manage, and upgrade operators and their dependencies in a cluster.
It also enforces some constraints on the components it manages in order to ensure a good user experience.
This project enables users to do the following:
kubectl
This project does not:
Install OLM on a Kubernetes or OpenShift cluster by following the installation guide.
For a complete end-to-end example of how OLM fits into the Operator Framework, see the Operator Framework Getting Started Guide.
An Operator is an application-specific controller that extends the Kubernetes API to create, configure, manage, and operate instances of complex applications on behalf of a user.
OLM requires that applications be managed by an operator, but that doesn't mean that each application must write one from scratch. Depending on the level of control required you may:
Once you have an application packaged for OLM, you can deploy it with OLM by writing a ClusterServiceVersion.
ClusterServiceVersions can be collected into CatalogSources which will allow automated installation and dependency resolution via an InstallPlan, and can be kept up-to-date with a Subscription.
Learn more about the components used by OLM by reading about the architecture and philosophy.
OLM standardizes interactions with operators by requiring that the interface to an operator be via the Kubernetes API. Because we expect users to define the interfaces to their applications, OLM currently uses CRDs to define the Kubernetes API interactions.
Examples: EtcdCluster CRD, EtcdBackup CRD
OLM introduces the notion of “descriptors” of both spec and status fields in Kubernetes API responses. Descriptors are intended to indicate various properties of a field in order to make decisions about their content. For example, this can drive connecting two operators together (e.g. connecting the connection string from a mysql instance to a consuming application) and be used to drive rich interactions in a UI.
See an example of a ClusterServiceVersion with descriptors
To minimize the effort required to run an application on Kubernetes, OLM handles dependency discovery and resolution of applications running on OLM.
This is achieved through additional metadata on the application definition. Each operator must define:
EtcdCluster
.EtcdCluster
, because Vault is backed by etcd.
Basic dependency resolution is then possible by finding, for each “required” CRD, the corresponding operator that manages it and installing it as well. Dependency resolution can be further constrained by the way a user interacts with catalogs.
Dependency resolution is driven through the (Group, Version, Kind) of CRDs. This means that no updates can occur to a given CRD (of a particular Group, Version, Kind) unless they are completely backward compatible.
There is no way to express a dependency on a particular version of an operator (e.g. etcd-operator v0.9.0) or application instance (e.g. etcd v3.2.1). This encourages application authors to depend on the interface and not the implementation.
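The basic resolution described above, written out as an added example (not OLM's own resolver code): each required CRD is matched to its owning operator by exact (Group, Version, Kind), and that operator is pulled in transitively. The `Operator` type, `Resolve` function and the sample catalog, including its group and version strings, are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// GVK identifies a CRD by (Group, Version, Kind), the key resolution uses.
type GVK struct{ Group, Version, Kind string }

// Operator is a hypothetical, simplified application definition.
type Operator struct {
	Name            string
	Owned, Required []GVK
}

// Resolve returns root plus every operator that must be installed with it,
// following each required CRD to the operator that owns it.
func Resolve(root string, catalog []Operator) ([]string, error) {
	byName, owner := map[string]Operator{}, map[GVK]string{}
	for _, op := range catalog {
		byName[op.Name] = op
		for _, g := range op.Owned {
			owner[g] = op.Name
		}
	}
	if _, ok := byName[root]; !ok {
		return nil, fmt.Errorf("operator %q not in catalog", root)
	}
	seen, order := map[string]bool{root: true}, []string{root}
	for i := 0; i < len(order); i++ {
		for _, req := range byName[order[i]].Required {
			prov, ok := owner[req]
			if !ok { // exact GVK match only: no owner means resolution fails
				return nil, fmt.Errorf("%s requires %v, which no operator owns", order[i], req)
			}
			if !seen[prov] { // the visited set also terminates dependency cycles
				seen[prov] = true
				order = append(order, prov)
			}
		}
	}
	return order, nil
}

// Constructed sample data: Vault requires EtcdCluster, owned by etcd-operator.
var etcdCluster = GVK{"etcd.database.coreos.com", "v1beta2", "EtcdCluster"}
var sampleCatalog = []Operator{
	{Name: "vault-operator", Required: []GVK{etcdCluster}},
	{Name: "etcd-operator", Owned: []GVK{etcdCluster}},
}

func main() { fmt.Println(Resolve("vault-operator", sampleCatalog)) }
```

Because the lookup key is the full (Group, Version, Kind), a catalog that only offers a different Version of a required CRD fails resolution, which is why changes to a given CRD have to stay backward compatible.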
OLM has the concept of catalogs, which are repositories of application definitions and CRDs.
Catalogs contain a set of Packages, which map “channels” to a particular application definition. Channels allow package authors to write different upgrade paths for different users (e.g. alpha vs. stable).
Example: etcd package
Users can subscribe to channels and have their operators automatically updated when new versions are released.
Here's an example of a subscription:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: etcd
  namespace: local
spec:
  channel: alpha
  name: etcd
  source: rh-operators
This will keep the etcd ClusterServiceVersion up to date as new versions become available in the catalog.
Use the OpenShift admin console (compatible with upstream Kubernetes) to interact with and visualize the resources managed by OLM. Create subscriptions, approve install plans, identify Operator-managed resources, and more.
Ensure kubectl is pointing at a cluster and run:
$ ./scripts/run_console_local.sh
Then visit http://localhost:9000 to view the console.
Subscription detail view: