CatOps
DevOps and other issues by Yurii Rochniak (@grem1in) - SRE @ Preply && Maksym Vlasov (@MaxymVlasov) - Engineer @ Star. Opinions on our own.

We do not post ads including event announcements. Please, do not bother us with such requests!
An article that could be a tweet (xeet?) but with more context.

tl;dr: avoid Helm hooks when possible.

I totally agree with the statement, yet an example in this article is rather weak. Anyways, if you need to have some imperative actions for your app, it’s always better to use higher level abstractions like ordering on the CD tool level or even an operator.

Having an init container that has access to the API is rather a security concern than a workaround.

#kubernetes
Here's a neat article with some good practices regarding security when configuring an EKS cluster.

If you work with AWS and Kubernetes a lot, it won't give you any dramatic insights, but you could still use it as a checklist / cheat sheet when configuring a cluster, since it's easy to forget something when there are many moving parts.

#aws #kubernetes
This article with a clickbait title got my attention recently. It was even translated into Ukrainian by one of the largest Ukrainian developer-oriented media outlets.

The most interesting part of this article, in my opinion, isn’t its premise, nor even the points that the author is making (some of those points are 5 years late, TBH). The thing that caught my attention was what the author chooses to compare Kubernetes to. And those are managed platforms like Heroku, etc.

This is interesting for a couple of reasons: first of all, it seems like other orchestration solutions are off the table already. Second, it reaffirms the statement of Viktor Farcic (you can find it in Den Vasyliev’s blog). Basically, the idea is that in the future Kubernetes will “disappear”. Not in the sense that it will fade away, but in the same way hypervisors have “disappeared”. The majority of us use them today, but we rarely think about what virtualization powers our cloud instances, etc. In the same way, at some point there will be an extendable API that allows one to run workloads, and whatever cluster technology is underneath would be a concern of the cloud provider.

#kubernetes
Aqua Security warns people about the danger of supply chain attacks using Kubernetes Secrets.

We all know this story: base64 is not encryption, Kubernetes Secrets may have a ton of sensitive information, etc. The article just provides some data from Aqua’s recent research.

However! There’s another viewpoint on Kubernetes Secrets - Plain Kubernetes Secrets are fine. This is the thing I wanted to share with you today.

The main gist of this article is that you cannot really tell if something is secure or not without threat modeling. Also, that the auto-unsealing feature in Vault kinda negates some of its security features.

Apparently, there’s a discussion about this article in the form of a podcast, but I haven’t checked it out yet.

Also, if you need some guides for threat modeling, the OWASP website is a good place to start.

So, do your due diligence, do threat modeling, and have a nice day!

#security #kubernetes
An interesting read by Monzo about how they implemented Kubernetes Network Policies for 1.5k microservices.

There are some questionable parts in there, in my opinion. For example, why build your own tool to "guess" where an app connects if you could use a network monitoring tool? However, those are not directly related to the main topic.

An interesting part is how folks in Monzo "reverted" the idea behind Network Policies using templating. So, instead of a target service allowing internal connections, a caller can specify the groups of services it wants to connect to.

Although I think it partially negates the idea of Network Policies, I can completely understand why Monzo did that from the UX perspective.

Also, here's a Reddit discussion on the topic. I love the top comment there:

- How would you even know that another team plans to connect to your apps?
- By communicating...

#kubernetes #networking
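To make the inversion from the post concrete, here is a constructed example (not Monzo's templates or code, which the post does not detail) of the two policy shapes for a hypothetical `payments` service calling a hypothetical `ledger` service in namespace `prod`:

```yaml
# Constructed example; service names, namespace and labels are hypothetical.
# 1) Conventional shape: the target (ledger) declares who may reach it;
#    everything not listed is denied ingress to ledger on port 8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ledger-allow-from-callers
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: ledger
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: payments
      ports:
        - protocol: TCP
          port: 8080
---
# 2) Inverted shape from the post: the caller (payments) lists what it needs.
#    As an Egress policy it limits only payments' outbound traffic; other pods
#    can still reach ledger unless a deny-by-default ingress policy selects it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payments-egress
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: payments
  policyTypes: [Egress]
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: ledger
    # DNS must stay reachable once egress is restricted (kube-dns label assumed).
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
```

The second policy is what the caller-side declaration looks like in plain NetworkPolicy terms; it still needs a target-side default-deny ingress policy to give the guarantee the first policy provides on its own.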
If you are running dynamic environments in Kubernetes or any other ephemeral workloads, you need a way to clean up things once these environments are no longer needed or once your tests are done.

k8s-cleaner may help with it. It's a controller that deletes Kubernetes resources, including custom resources, on a schedule. It supports dry run and some options for customization.

#kubernetes
Do you run databases in Kubernetes?

Even if you don't, I bet you may run database migrations there. How do you do that?

This article on "The New Stack" makes a case for a GitOps approach to database migrations in Kubernetes.

*tl;dr*: It's Atlas Operator, there's no alternative.

#kubernetes #databases
I’m a CLI guy. For me it was always easier to use good old commands like find and cd to navigate around. At some point I even memorized the flags of tar.

Thus, it is still much easier for me to use plain kubectl with a couple of plugins to navigate the clusters.

However, I know that many folks prefer graphical interfaces or at least some TUI. Also, I remember that a lot of folks were pissed when Lens split into community and paid versions.

So, today I want to share a new native Kubernetes desktop client - Seabird.

I haven’t tried it for the reasons I mentioned above, but you may enjoy it.

#kubernetes
Did you know that Isovalent (the company behind Cilium) has some amazing labs that can teach you about using Cilium, Hubble, and Tetragon?

The labs have multiple tracks, such as platform, network, security, etc.

These labs also cover topics like the new Gateway API. Doing some of these labs right now at #cfgmgmtcamp24 and loving them so far!

#kubernetes #networking #cilium #ebpf