This article with a clickbait title got my attention recently. It was even translated into Ukrainian by one of the largest Ukrainian developer-oriented media outlets.
The most interesting part of this article, in my opinion, isn’t its premise and not even the points the author is making (some of those points are 5 years late, TBH). The thing that caught my attention was what the author chooses to compare Kubernetes to: managed platforms like Heroku, etc.
This is interesting for a couple of reasons: first of all, it seems like other orchestration solutions are already off the table. Second, it reaffirms the statement of Viktor Farcic (you can find it in Den Vasyliev’s blog). Basically, the idea is that in the future Kubernetes will “disappear”. Not in the sense that it will fade away, but in the same way hypervisors have “disappeared”. The majority of us use them today, but we rarely think about what virtualization powers our cloud instances, etc. In the same way, at some point there will be an extensible API that allows one to run workloads, and whatever cluster technology is underneath will be the cloud provider’s concern.
#kubernetes
Medium
Why you shouldn’t use Kubernetes
Weaknesses and strengths of Kubernetes compared to Paas / FaaS competitors.
Aqua Security warn people about the danger of the supply chain attacks using Kubernetes Secrets.
We all know this story: base64 is not encryption, Kubernetes Secrets may contain a ton of sensitive information, etc. The article just provides some data from Aqua’s recent research.
However! There’s another viewpoint on Kubernetes Secrets - Plain Kubernetes Secrets are fine. This is the thing I wanted to share with you today.
The main gist of this article is that you cannot really tell whether something is secure or not without threat modeling. Also, that the auto-unseal feature in Vault kinda negates some of its security features.
Apparently, there’s a discussion of this article in the form of a podcast, but I haven’t checked it out yet.
Also, if you need some guides for threat modeling, the OWASP website is a good place to start.
So, do your due diligence, do threat modeling, and have a nice day!
#security #kubernetes
Aqua
The Ticking Supply Chain Attack Bomb of Exposed Kubernetes Secrets
Aqua Nautilus researchers found exposed Kubernetes secrets that pose a critical threat of supply chain attack to hundreds of organizations and OSS.
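To make the "base64 is not encryption" point concrete, here is an added example (mine, not code from Aqua’s research or from the channel): a small scanner that walks a multi-document manifest stream, picks out Secret objects and prints their `data` as cleartext. The manifests and credential values are constructed for the example; the parser is a deliberately naive line-based one (no PyYAML dependency) that only understands the flat `data:`/`stringData:` layout. Run it over a directory of committed `helm template` output and it shows exactly what anyone with read access to the repo gets.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample stream: the kind of thing that ends up committed to a repo
# or pasted into a ticket. The credential values are made up.
SAMPLE_STREAM = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: info
---
apiVersion: v1
kind: Secret
metadata:
  name: registry-creds
  namespace: ci
type: Opaque
data:
  username: Y2ktYm90
  password: aHVudGVyMg==
---
apiVersion: v1
kind: Secret
metadata:
  name: empty-secret
"""


def split_documents(stream: str) -> List[str]:
    """Split a YAML stream on '---' separator lines, dropping empty documents."""
    return [d for d in re.split(r"^---\s*$", stream, flags=re.MULTILINE) if d.strip()]


def _block(doc: str, key: str) -> Dict[str, str]:
    """Read the flat 'k: v' lines under a top-level mapping such as data: (naive parser)."""
    m = re.search(rf"^{key}:\n((?:[ ]+.*\n?)+)", doc, flags=re.MULTILINE)
    if not m:
        return {}
    out: Dict[str, str] = {}
    for line in m.group(1).splitlines():
        kv = re.match(r"\s+(\S+):\s*(\S+)", line)
        if kv:
            out[kv.group(1)] = kv.group(2)
    return out


def parse_secret(doc: str) -> Optional[dict]:
    """Return {'name': ..., 'data': {key: cleartext}} for a Secret document, else None."""
    if not re.search(r"^kind:\s*Secret\s*$", doc, flags=re.MULTILINE):
        return None
    name = re.search(r"^metadata:\n(?:[ ]+.*\n)*?[ ]+name:\s*(\S+)", doc, flags=re.MULTILINE)
    cleartext: Dict[str, str] = {}
    # .data is base64: reversible by design, so anyone who can read the manifest reads the secret.
    for k, v in _block(doc, "data").items():
        cleartext[k] = base64.b64decode(v).decode("utf-8", errors="replace")
    # .stringData is not even encoded.
    cleartext.update(_block(doc, "stringData"))
    return {"name": name.group(1) if name else "<unnamed>", "data": cleartext}


def find_exposed_secrets(stream: str) -> List[dict]:
    """Every Secret in the stream that actually carries key material."""
    findings = []
    for doc in split_documents(stream):
        secret = parse_secret(doc)
        if secret and secret["data"]:
            findings.append(secret)
    return findings


if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_STREAM):
        print(f"Secret {f['name']} exposes: " + ", ".join(f"{k}={v}" for k, v in f["data"].items()))
```

The threat-modeling takeaway is in what this script does not need: no cluster access, no etcd, no KMS. Whether that matters depends on who can read your manifests, which is exactly the question the "plain Secrets are fine" article asks you to answer before reaching for Vault.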
An interesting read by Monzo about how they implemented Kubernetes Network Policies for 1.5k microservices.
There are some questionable parts in there, in my opinion. For example, why build your own tool to "guess" where an app connects to if you could use a network monitoring tool? However, those are not directly related to the main topic.
An interesting part is how the folks at Monzo "inverted" the idea behind Network Policies using templating. So, instead of a target service allowing internal connections, a caller specifies the groups of services it wants to connect to.
Although I think it partially negates the idea of Network Policies, I can completely understand why Monzo did that from the UX perspective.
Also, here's a Reddit discussion on the topic. I love the top comment there:
How would you even know that another team plans to connect to your apps?
- By communicating...
#kubernetes #networking
If you are running dynamic environments in Kubernetes or any other ephemeral workloads, you need a way to clean up things once these environments are no longer needed or once your tests are done.
k8s-cleaner may help with it. It's a controller that deletes Kubernetes resources, including custom resources, on a schedule. It supports dry run and some customization options.
#kubernetes
GitHub
GitHub - gianlucam76/k8s-cleaner: Cleaner is a Kubernetes controller that identifies unused or unhealthy resources, helping you…
Cleaner is a Kubernetes controller that identifies unused or unhealthy resources, helping you maintain a streamlined and efficient Kubernetes cluster. It provides flexible scheduling, label filteri...
Do you run databases in Kubernetes?
Even if you don't, I bet you may run database migrations there. How do you do that?
This article on "The New Stack" makes a case for GitOps approach to the database migrations in Kubernetes.
*tl;dr*: It's Atlas Operator, there's no alternative.
#kubernetes #databases
The New Stack
GitOps for Databases on Kubernetes
The case for applying the Operator Pattern to database migrations.
I’m a CLI guy. For me it was always easier to use good old commands like find and cd to navigate around. At some point I even memorized the flags of tar.
Thus, it is still much easier for me to use plain kubectl with a couple of plugins to navigate clusters.
However, I know that many folks prefer graphical interfaces or at least some TUI. Also, I remember that a lot of folks were pissed when Lens split into community and paid versions.
So, today I want to share a new native Kubernetes desktop client - Seabird.
I haven’t tried it for the reasons I mentioned above, but you may enjoy it.
#kubernetes
GitHub
GitHub - getseabird/seabird: Native Kubernetes desktop IDE designed for seamless cluster exploration
Native Kubernetes desktop IDE designed for seamless cluster exploration - getseabird/seabird
Did you know that Isovalent (the company behind Cilium) has some amazing labs that can teach you about using Cilium, Hubble, and Tetragon?
The labs have multiple tracks, such as platform, network, security, etc.
These labs also cover topics like the new Gateway API. Doing some of these labs right now at #cfgmgmtcamp24 and loving them so far!
#kubernetes #networking #cilium #ebpf
Isovalent
Labs Resource Library - Isovalent
Get hands-on with Isovalent's labs and learn about eBPF, Cilium, network security, and more. Our labs provide step-by-step guides to help you understand and implement our solutions effectively. From getting started with Cilium to advanced use cases, our labs…
The Linux Foundation has some discounts on its courses and certifications until the end of February, including the Kubernetes, Argo CD, and Istio certifications.
They are still not cheap, but you can save up to 50%, which is nice.
#kubernetes #training #courses
Linux Foundation - Training
Promo Inactive - Linux Foundation - Training
Just so you know: the full Kubernetes CKS (Certified Kubernetes Security Specialist) course is available on YouTube. There's both theory and practice, but obviously you will need to take the exam separately.
#kubernetes
YouTube
Kubernetes CKS Full Course Theory + Practice + Browser Scenarios
All you need for your Certified Kubernetes Security Specialist (CKS) preparation!
I will present each CKS topic in a simple and visual way. We'll run through various practical hands-on challenges.
You'll setup own CKS cluster in which you'll learn, simple…
Some time ago I had a task to split the helm template output into separate files, one per object.
So, I found this issue in Helm’s repository. People were suggesting using AWK for that, but that didn’t work well for me at the time, so I opted for yq.
A couple of days ago someone left a comment on that issue saying that apparently there is a tool called Kubesplit that can do exactly that. So, feel free to use it if you need to achieve something similar to what I did.
#kubernetes
GitHub
feature request: option in `helm template` to split output files when using {{ range }} · Issue #4680 · helm/helm
Hi When using helm template to generate static yaml files, and when using --output-dir , helm correctly generate multiple files according to source files.. would be useful if in I can add some hint...
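For those who would rather not pull in another tool, here is an added example (mine; not Kubesplit and not the awk/yq recipes from the Helm issue) that does the split with the standard library only: one file per object, named `<kind>-<name>.yaml`. The input is a constructed `helm template`-style stream. Documents without a kind and a metadata name (empty documents produced by `{{ range }}`, notes, comments) are skipped rather than written out as anonymous files, and a repeated kind+name gets a numeric suffix instead of overwriting the earlier file. The name lookup is a naive regex that assumes `name:` is the first indented key under `metadata:`.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of what `helm template` prints; chart and object names are made up.
SAMPLE_OUTPUT = """\
---
# Source: fw-demo/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: fw-demo
---
# Source: fw-demo/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fw-demo
  labels:
    app: fw-demo
spec:
  replicas: 1
---
---
# Source: fw-demo/templates/networkpolicy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: fw-demo-default-deny
"""


def split_stream(stream: str) -> List[str]:
    """Split on '---' separator lines; drop the empty documents `{{ range }}` leaves behind."""
    return [d.strip("\n") for d in re.split(r"^---\s*$", stream, flags=re.MULTILINE) if d.strip()]


def object_identity(doc: str) -> Optional[Tuple[str, str]]:
    """(kind, metadata.name) of a document, or None if either is missing."""
    kind = re.search(r"^kind:\s*(\S+)\s*$", doc, flags=re.MULTILINE)
    name = re.search(r"^metadata:\n(?:[ ]+.*\n)*?[ ]+name:\s*(\S+)", doc, flags=re.MULTILINE)
    if not (kind and name):
        return None
    return kind.group(1), name.group(1)


def split_to_files(stream: str) -> Dict[str, str]:
    """Map 'kind-name.yaml' -> document text, in stream order."""
    files: Dict[str, str] = {}
    for doc in split_stream(stream):
        ident = object_identity(doc)
        if ident is None:
            continue  # comment-only or malformed document: nothing to name it by
        kind, name = ident
        base = f"{kind.lower()}-{name}"
        filename = f"{base}.yaml"
        n = 1
        while filename in files:  # same kind+name twice (e.g. different namespaces)
            n += 1
            filename = f"{base}-{n}.yaml"
        files[filename] = doc + "\n"
    return files


def write_files(files: Dict[str, str], out_dir: str) -> None:
    """Materialise the mapping on disk, e.g. for `kubectl diff -f out_dir`."""
    os.makedirs(out_dir, exist_ok=True)
    for fname, content in files.items():
        with open(os.path.join(out_dir, fname), "w", encoding="utf-8") as fh:
            fh.write(content)


if __name__ == "__main__":
    for fname, content in split_to_files(SAMPLE_OUTPUT).items():
        print(f"== {fname} ({content.count(chr(10))} lines)")
```

Usage is `helm template release ./chart | python3 split.py` once you replace the sample with `sys.stdin.read()`; the per-object files are what make review diffs and policy checks (one file per NetworkPolicy, one per Secret) readable.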
Kubernetes: tracing requests with AWS X-Ray, and Grafana data source is a step-by-step guide on how to set up tracing in your EKS cluster using AWS X-Ray, by Arseniy Zinchenko - a member of the Ukrainian DevOps community.
Also, make sure to subscribe to his Substack! He posts new things quite often, and I have no idea where he finds the time and willpower to do so 😅
#aws #kubernetes #observability
RTFM! DevOps[at]UA
Kubernetes: tracing requests with AWS X-Ray, and Grafana data source
Launching AWS X-Ray on AWS Elastic Kubernetes Service, creating a Python Flask with the AWS X-Ray SDK, and connecting a Grafana data source for X-Ray
Some time ago, I predicted that there were going to be more Kubernetes distributions. Then it didn’t happen, so I thought I was wrong.
Yet, now Canonical has introduced their Kubernetes distribution.
It’s based on upstream Kubernetes 1.30, has some built-in add-ons, and yes, you can install it with snap.
#kubernetes
Ubuntu
How should a great K8s distro feel? Try the new Canonical Kubernetes, now in beta | Ubuntu
Try the new Canonical Kubernetes beta, our new distribution that combines ZeroOps for small clusters and intelligent automation for larger production environments that also want to benefit from the latest community innovations […]
Kondense is a Kubernetes tool that allows you to resize containers in a pod based on memory pressure.
It’s installed as a sidecar and uses real-time memory pressure to determine the optimal memory for each container in a pod.
You can read the justification behind this tool in this Reddit post
#kubernetes
GitHub
GitHub - unagex/kondense: Automated resources sizing tool for containers in kubernetes
Automated resources sizing tool for containers in kubernetes - unagex/kondense
Despite a clickbait title, this is actually a good article with a list of good practices for Kubernetes.
tl;dr list:
- Use ephemeral containers for debugging
- Use admission controllers
- Kustomize is a nice tool
- Autoscale based on custom metrics if it makes sense
- Tweak API Priority and Fairness (APF) if it makes sense
- Submariner for multicluster (I have used other tools for multi-cluster, there are many ways of connecting clusters, so it's up to you to decide, what to use)
- Use Topology Spread Constraints
#kubernetes
Medium
7 Mind-Blowing Kubernetes Hacks
Kubernetes harbors capabilities that even seasoned developers might not be fully aware of. These hacks delve into the more esoteric, yet…
If you work with Kubernetes, there won't be any new information for you here. However, when you encounter a namespace stuck in the "Terminating" state for the first time, it might be dumbfounding.
This article describes what to do in such situations. Also, it's good to learn about finalizers at some point anyway.
#kubernetes
Devoriales
Resolve Stuck Namespaces in Kubernetes: A Step-by-Step Tutorial
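A small added example (mine, not the Devoriales tutorial) of the check a practitioner should do before clearing a stuck namespace’s finalizer: read the namespace’s status conditions first. A Namespace stays Terminating while `spec.finalizers` (normally just `kubernetes`) cannot be removed, usually because objects inside it still carry their own `metadata.finalizers` and the controller that would clear them is gone. The object below is a constructed `kubectl get ns demo -o json` shape; the condition types are the ones the namespace controller sets, the messages are made up.

```python
import copy
import json
from typing import List, Optional

# Constructed: a namespace whose deletion has been stuck on leftover custom resources.
STUCK_NAMESPACE = {
    "apiVersion": "v1",
    "kind": "Namespace",
    "metadata": {"name": "demo", "deletionTimestamp": "2024-02-17T10:00:00Z"},
    "spec": {"finalizers": ["kubernetes"]},
    "status": {
        "phase": "Terminating",
        "conditions": [
            {"type": "NamespaceDeletionDiscoveryFailure", "status": "False"},
            {"type": "NamespaceContentRemaining", "status": "True",
             "message": "Some resources are remaining: widgets.example.com has 2 resource instances"},
            {"type": "NamespaceFinalizersRemaining", "status": "True",
             "message": "Some content in the namespace has finalizers remaining: example.com/cleanup in 2 resource instances"},
        ],
    },
}


def blocking_conditions(ns: dict) -> List[dict]:
    """The conditions currently True: these explain why deletion has not completed."""
    return [c for c in ns.get("status", {}).get("conditions", []) if c.get("status") == "True"]


def finalize_path(ns: dict) -> str:
    """The finalize subresource is the only place spec.finalizers can be edited on a Namespace."""
    return f"/api/v1/namespaces/{ns['metadata']['name']}/finalize"


def finalize_body(ns: dict, force: bool = False) -> Optional[dict]:
    """Body for PUT <finalize_path> with spec.finalizers cleared.

    Returns None while content is still reported remaining, unless force=True:
    removing the 'kubernetes' finalizer at that point makes the namespace
    vanish but leaves the remaining objects orphaned in etcd, which is the
    failure mode the tutorial's shortcut silently accepts.
    """
    if blocking_conditions(ns) and not force:
        return None
    body = copy.deepcopy(ns)  # never mutate the object we were handed
    body["spec"]["finalizers"] = []
    return body


if __name__ == "__main__":
    for c in blocking_conditions(STUCK_NAMESPACE):
        print(f"{c['type']}: {c.get('message', '')}")
    body = finalize_body(STUCK_NAMESPACE)
    if body is None:
        print("refusing to finalize: clear the remaining objects' finalizers first")
    else:
        print(json.dumps(body))  # pipe to: kubectl replace --raw <finalize_path> -f -
```

The intended workflow: fix the leftover objects first (patch their `metadata.finalizers` away once you have confirmed their controller is really gone), re-run until no condition is True, and only then send the cleared body to `kubectl replace --raw /api/v1/namespaces/demo/finalize -f -`. The `force` flag exists for the case where you have consciously decided to orphan what is left.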
Ha! I was sure I had shared this article with y'all before, but when I tried to find it on the channel today, I was unable to. In any case, even if it was here, it won't hurt to repeat it.
So, here it is - Kubernetes: EKS, Calico and custom Admission Webhooks.
This article sheds some light on EKS networking. The gist is that if you use anything except the native VPC CNI, your control plane pods (API server, scheduler, etc.) and workload pods will end up in different networks, because you cannot install any custom pods into the control plane.
Unless you use admission webhooks, you probably won't even notice; but if you do, the API server won't be able to reach your admission controller pods without some workarounds.
This is the nature of managed services: you gain something - you lose something.
#kubernetes #eks #aws
Medium
Kubernetes: EKS, Calico and custom Admission Webhooks
Timeout problems
My talk from DevOps FW Days 2024 about Helm charts testing is available on YouTube now!
All the code that I used for the demo is available on GitHub as well!
The talk is in Ukrainian, but I'll write a blog post in English on this topic soon (tm) - I just wanted to make sure the materials are publicly available on the FW Days side, so I don't violate any policies.
#slides #helm #kubernetes
YouTube
Testing Helm charts, or there and back again - Yura Rochniak [Fwdays DevOps]
Video from the DevOps fwdays'24 conference, which took place on February 17, 2024
https://fwdays.com/event/devops-fwdays-2024
Talk description:
I'd like to share a short story about how and why we started testing our Helm charts. Our path went from a complete…
An article called Maybe you need Kubernetes is surprisingly not about Kubernetes.
Instead, it touches the topic of embracing the complexity of modern tech and, more importantly, how one can only progress by learning complex stuff.
As the author puts it himself:
People don’t like to hear this, but difficulty is a moat. When something gets easy, it gets cheap. If you want to be paid a lot, you need to be really good at something that’s both in-demand and hard. If it were easy, everyone would be doing it.
P.S. It's also nice to see that this article is a response to a video on YouTube. I miss the good old polemics. It seems like online comments have killed them.
#career #kubernetes
Boot.dev Blog
Maybe You Do Need Kubernetes
Theo has this great video on Kubernetes, currently titled “You Don’t Need Kubernetes”. I’m a Kubernetes enjoyer, but I’m not here to argue about that.
At last! I converted my talk from FW Days DevOps 2024 into an article in English.
You can find it in my blog or on Substack.
This is Part I, which goes through the ideas behind testing Helm charts. But have no fear! I learn from my previous mistakes, so the second part, which walks you through the technical aspects of the tests, is also ready and will be published tomorrow!
Also, you can still watch the video of my talk on the FW Days conference (in Ukrainian). It has basically the same content as the articles.
Enjoy!
#kubernetes #helm #testing
grem1.in
Testing Helm Charts Part I
This article is also available on Substack.
Before answering this question, we should decide why to test Helm chart? and if you even need to bother with that. Following an example from this xkcd comic, the real answer is: it depends.
So, I want to share with…
The second practical part of the Helm charts testing article.
- Read in the blog
- Read on Substack
#kubernetes #helm #testing
grem1.in
Testing Helm Charts Part II
This article is also available on Substack.
This is a very basic example of using Helm Unittest, as well as an example of the “test pyramid” discussed in the previous article. The code is available on GitHub.
Structure We have two charts:
fw-demo - a chart…