CatOps
DevOps and other issues by Yurii Rochniak (@grem1in) - SRE @ Preply && Maksym Vlasov (@MaxymVlasov) - Engineer @ Star. Opinions are our own.

We do not post ads including event announcements. Please, do not bother us with such requests!
This article with a clickbait title got my attention recently. It was even translated into Ukrainian by one of the largest Ukrainian developer-oriented media outlets.

The most interesting part of this article, in my opinion, isn’t its premise, nor even the points that the author is making (some of those points are 5 years late, TBH). The thing that caught my attention was what the author chooses to compare Kubernetes to. And those are managed platforms like Heroku, etc.

This is interesting for a couple of reasons: first of all, it seems like other orchestration solutions are off the table already. Second, it reaffirms Viktor Farcic’s statements (you can find them in Den Vasyliev’s blog). Basically, the idea is that in the future Kubernetes will “disappear”. Not in the sense that it will fade away, but in the same way hypervisors have “disappeared”. The majority of us use them today, but we rarely think about what virtualization powers our cloud instances, etc. In the same way, at some point there will be an extensible API that allows one to run workloads, and whatever cluster technology is underneath will be a concern of the cloud provider.

#kubernetes
Aqua Security warns people about the danger of supply chain attacks using Kubernetes Secrets.

We all know this story: base64 is not encryption, Kubernetes Secrets may hold a ton of sensitive information, etc. The article just provides some data from Aqua’s recent research.

However! There’s another viewpoint on Kubernetes Secrets - Plain Kubernetes Secrets are fine. This is the thing I wanted to share with you today.

The main gist of this article is that you cannot really tell if something is secure or not without threat modeling. Also, that the auto-unsealing feature in Vault kinda negates some of its security features.

Apparently, there’s a discussion about this article in the form of a podcast, but I haven’t checked it out yet.

Also, if you need some guides for threat modeling, the OWASP website is a good place to start.

So, do your due diligence, do threat modeling, and have a nice day!

#security #kubernetes
An interesting read by Monzo about how they implemented Kubernetes Network Policies for 1.5k microservices.

There are some questionable parts in there, in my opinion. For example, why build your own tool to "guess" where an app connects to if you could use a network monitoring tool? However, those are not directly related to the main topic.

An interesting part is how folks at Monzo "inverted" the idea behind Network Policies using templating. So, instead of target services allowing internal connections, a caller can specify the groups of services it wants to connect to.

Although I think it partially negates the idea of Network Policies, I can completely understand why Monzo did that from the UX perspective.

Also, here's a Reddit discussion on the topic. I love the top comment there:

How would you even know that another team plans to connect to your apps?
- By communicating...

#kubernetes #networking
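
The inversion described in this post (callers declare whom they call, and templating turns that into ingress rules on the target side), as an added Python example; this is not Monzo's tooling or code from the original post, and SERVICES, CALLERS and the `app` label selector are constructed assumptions. It also emits a deny-all policy for any service nobody declared, which is the check such a generator needs so that an undeclared target is closed rather than left open.

```python
from collections import defaultdict

# Constructed inputs (not Monzo's data): every service in the namespace, and for
# each caller the services it declares it needs to reach.
SERVICES = ["api-gateway", "accounts", "ledger", "batch-report"]
CALLERS = {
    "api-gateway": ["ledger", "accounts"],
    "accounts": ["ledger"],
    "batch-report": ["ledger"],
}


def invert_to_ingress(callers: dict[str, list[str]]) -> dict[str, set[str]]:
    """Turn caller-side egress declarations into target-side allowed-caller sets."""
    ingress: dict[str, set[str]] = defaultdict(set)
    for caller, targets in callers.items():
        for target in targets:
            ingress[target].add(caller)
    return dict(ingress)


def network_policy(target: str, allowed: set[str], namespace: str = "default") -> dict:
    """Render the NetworkPolicy a target needs given the callers that declared it."""
    # Careful with the semantics: a rule whose 'from' is empty admits everything,
    # so a target with no callers gets NO rules at all, which is the deny-all form.
    rules = []
    if allowed:
        rules = [{"from": [{"podSelector": {"matchLabels": {"app": c}}}
                           for c in sorted(allowed)]}]
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"allow-to-{target}", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": target}},
            "policyTypes": ["Ingress"],
            "ingress": rules,
        },
    }


def render_all(services: list[str], callers: dict[str, list[str]]) -> list[dict]:
    """Emit one policy per known service; refuse declarations against unknown targets."""
    by_target = invert_to_ingress(callers)
    unknown = set(by_target) - set(services)
    if unknown:
        raise ValueError(f"callers declare unknown targets: {sorted(unknown)}")
    return [network_policy(s, by_target.get(s, set())) for s in services]
```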
If you are running dynamic environments in Kubernetes or any other ephemeral workloads, you need a way to clean up things once these environments are no longer needed or once your tests are done.

k8s-cleaner may help with that. It's a controller that deletes Kubernetes resources, including custom resources, on a schedule. It supports dry run and some customization options.

#kubernetes
Do you run databases in Kubernetes?

Even if you don't, I bet you may run database migrations there. How do you do that?

This article on "The New Stack" makes a case for a GitOps approach to database migrations in Kubernetes.

*tl;dr*: It's Atlas Operator, there's no alternative.

#kubernetes #databases
I’m a CLI guy. For me it was always easier to use good old commands like find and cd to navigate around. At some point I even memorized the flags of tar.

Thus, it is still much easier for me to use plain kubectl with a couple of plugins to navigate the clusters.

However, I know that many folks prefer graphical interfaces or at least some TUI. Also, I remember that a lot of folks were pissed when Lens split into community and paid versions.

So, today I want to share a new native Kubernetes desktop client - Seabird.

I haven’t tried it for the reasons I mentioned above, but you may enjoy it.

#kubernetes
Did you know that Isovalent (the company behind Cilium) has some amazing labs that can teach you about using Cilium, Hubble, and Tetragon?

The labs have multiple tracks, such as: platform, network, security, etc.

These labs also cover topics like the new Gateway API. Doing some of these labs right now at #cfgmgmtcamp24 and loving them so far!

#kubernetes #networking #cilium #ebpf
Some time ago I had a task to split the helm template output into separate files per object.

So, I found this issue in the Helm repository. People were suggesting using AWK for that, but that didn’t work well for me at the time, so I opted for yq.

A couple of days ago someone left a comment to that issue that apparently there is a tool called Kubesplit that can do exactly that. So, feel free to use it if you need to achieve something similar to what I did.

#kubernetes
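
A plain-stdlib Python version of the per-object split, added here as an example; it is not the awk or yq approach from the issue thread, and HELM_OUTPUT is a constructed sample that only resembles `helm template` output. Files are named `<kind>-<name>.yaml`, and a second object with the same kind and name (as happens across namespaces) is refused instead of silently overwritten.

```python
import re
from pathlib import Path

# Constructed sample resembling `helm template` output; not from the post.
HELM_OUTPUT = """\
---
# Source: demo/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: demo
---
# Source: demo/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: demo
  name: demo
spec:
  replicas: 1
"""

KIND_RE = re.compile(r"^kind:\s*(\S+)", re.MULTILINE)
# metadata.name is the "name:" line indented exactly two spaces under "metadata:";
# a deeper "name:" inside labels/annotations is skipped by the lazy group.
NAME_RE = re.compile(r"^metadata:\n(?:  .*\n)*?  name:\s*(\S+)", re.MULTILINE)


def split_documents(text: str) -> list[str]:
    """Split a multi-document stream on '---' lines, dropping docs without a kind."""
    docs = re.split(r"^---[ \t]*$", text, flags=re.MULTILINE)
    return [d.strip("\n") for d in docs if KIND_RE.search(d)]


def object_filename(doc: str) -> str:
    """Name a document after its kind and metadata.name, e.g. deployment-demo.yaml."""
    kind = KIND_RE.search(doc).group(1).lower()
    name_match = NAME_RE.search(doc)
    name = name_match.group(1) if name_match else "unnamed"
    return f"{kind}-{name}.yaml"


def write_split(text: str, out_dir: Path) -> list[Path]:
    """Write one file per object; refuse to overwrite a duplicate kind/name."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written: list[Path] = []
    for doc in split_documents(text):
        path = out_dir / object_filename(doc)
        if path in written:
            raise ValueError(f"duplicate object in stream: {path.name}")
        path.write_text("---\n" + doc + "\n")
        written.append(path)
    return written
```

Pipe the real output in with `helm template . | python3 split.py` by reading `sys.stdin` instead of HELM_OUTPUT.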
Kubernetes: tracing requests with AWS X-Ray, and Grafana data source is a step-by-step guide on how to set up tracing in your EKS cluster using AWS X-Ray by Arseniy Zinchenko - a member of the Ukrainian DevOps community.

Also, make sure to subscribe to his Substack! He posts new things quite often, and I have no idea where he finds the time and willpower to do so 😅

#aws #kubernetes #observability
Kondense is a Kubernetes tool that allows you to resize containers in a pod based on memory pressure.

It’s installed as a sidecar and uses real-time memory pressure to determine the optimal memory for each container in a pod.

You can read the justification behind this tool in this Reddit post.

#kubernetes
Despite a clickbait title, this is actually a good article with a list of good practices for Kubernetes.

tl;dr list:
- Use ephemeral containers for debugging
- Use admission controllers
- Kustomize is a nice tool
- Autoscale based on custom metrics if it makes sense
- Tweak API Priority and Fairness (APF) if it makes sense
- Submariner for multicluster (I have used other tools for multi-cluster; there are many ways of connecting clusters, so it's up to you to decide what to use)
- Use Topology Spread Constraints

#kubernetes
If you work with Kubernetes, there won't be any new information here for you. However, when you encounter a namespace stuck in the "Terminating" state for the first time, it might be dumbfounding.

This article describes what to do in such situations. Also, it's good to learn about finalizers at some point anyway.

#kubernetes
Ha! I was sure I had shared this article with y'all before, but when I tried to find it on the channel today, I was unable to. In any case, even if it was here, it won't hurt to repeat it.

So, here it is - Kubernetes: EKS, Calico and custom Admission Webhooks.

This article sheds some light on EKS networking. The gist is that if you use anything except the native VPC CNI, your control plane pods (API server, scheduler, etc.) and workload pods will end up in different networks, because you cannot install any custom pods into the control plane.

Unless you use admission webhooks, you probably won't even notice; but if you do, the API server won't be able to reach your admission controller pods without some workarounds.

This is the nature of managed services: you gain something - you lose something.

#kubernetes #eks #aws
An article called Maybe you need Kubernetes is surprisingly not about Kubernetes.

Instead, it touches on the topic of embracing the complexity of modern tech and, more importantly, how one can only progress by learning complex stuff.

As the author puts it himself:

People don’t like to hear this, but difficulty is a moat. When something gets easy, it gets cheap. If you want to be paid a lot, you need to be really good at something that’s both in-demand and hard. If it were easy, everyone would be doing it.

P.S. It's also nice to see that this article is an answer to a video on YouTube. I missed the good old polemics. It seems like online comments have killed it.

#career #kubernetes
At last! I converted my talk from FW Days DevOps 2024 into an article in English.

You can find it in my blog or on Substack.

This is Part I, which goes through the ideas behind the testing of Helm charts. But have no fear! I learn from my previous mistakes, so the second part, which walks you through the technical aspects of the tests, is also ready and will be published tomorrow!

Also, you can still watch the video of my talk on the FW Days conference (in Ukrainian). It has basically the same content as the articles.

Enjoy!

#kubernetes #helm #testing