{ inercia } @inercia - Tumblr Blog

Kyverno is a new CNCF incubating project that is designed to be a Kubernetes native version of OPA, something that can be more convenient but also less powerful and with a reduced number of integrations with other systems.

Policies are expressed with custom resources that are loaded by the Kyverno Admission Controller, like this example for disallowing the use of bind mounts:

apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: disallow-bind-mounts spec: validationFailureAction: audit rules: - name: validate-hostPath match: resources: kinds: - Pod validate: message: "Host path volumes are not allowed" pattern: spec: =(volumes): - X(hostPath): "null"

#kubernetes #opa #policy #open policy agent #security #kyverno #cluster policy

Kubernetes runs in half of container environments

Nearly 90 percent of containers are orchestrated

A majority of Kubernetes workloads are underutilizing CPU and memory

GKE, AKS, and EKS dominate on their respective cloud platforms

1 in 3 AWS container environments runs Fargate

Larger Kubernetes clusters contain larger nodes

Networking technologies are prevalent among DaemonSets

The most popular Kubernetes version is 17 months old

Organizations are in the early stages of service mesh adoption

Half of all containers are now managed by cloud provider and third-party registries

NGINX, Redis, and Postgres are the most popular container images

(via 11 Facts About Real-World Container Use | Datadog)

The CNCF Cloud Native Interactive Landscape.

We have created the first Kubernetes attack matrix: an ATT&CK-like matrix comprising the major techniques that are relevant to container orchestration security, with focus on Kubernetes.

(via Attack matrix for Kubernetes)

#kubernetes #security #containers #kubeconfig #cloud

Modern source-control systems provide powerful tools that make it easy to create branches in source code. But eventually these branches have to be merged back together, and many teams spend an inordinate amount of time coping with their tangled thicket of branches. There are several patterns that can allow teams to use branching effectively, concentrating around integrating the work of multiple developers and organizing the path to production releases. The over-arching theme is that branches should be integrated frequently and efforts focused on a healthy mainline that can be deployed into production with minimal effort.

From Patterns for Managing Source Code Branches.

#branching #git #source code #versioning

The official style guides for the Go language used in the Thanos project. Thanos is an Open source, highly available Prometheus setup with long term storage capabilities.

#golang #code-style

A comparison of the cost of the main managed Kubernetes offerings. Taking into account that GKE will start charging for their managed GKE cluster, it is interesting to see the alternatives...

(via Managed Kubernetes Price Comparison (2020) | DevOps Directive)

#GKE #kubernetes #AKS #EKS

Recently, someone asked me what the difference between NodePorts, LoadBalancers, and Ingress were. They are all different ways to get…

#kubernetes #ingress #TCP #traffic

Some kubectl plugins

kubectl can be extended with plugins for having custom sub-commands. By having a binary like kubectl-something in your PATH, so you can run kubectl something --my-flag and kubectl will automatically invoke kubectl-something --my-flag for you.

I have found several kubectl plugins that extend the functionality of this tool, mainly for inspecting or debugging problems in your cluster.

krew: a package manager for kubernetes plugins.

kubespy: a tool for observing in realtime, showing how resources are created and destroyed.

kubectl-dig: a plugin that shows many useful things like connections, open files, threads, sockets, etc...

kubectl-capture: it can trigger a capture in the underlying host which is running a pod, so you can run kubectl capture nginx-78f5d695bd-bcbd8 and it is going to start capturing all the system calls that pod does.

ksniff: use kubectl to upload a statically compiled tcpdump binary to your pod and redirecting it's output to your local Wireshark for smooth network debugging experience.

kubectl-trace: a plugin that allows you to schedule the execution of bpftrace programs in your Kubernetes cluster.

ksync: not really a kubectl plugin, but it allows you to syncrhonize a local directory with some directory in a pod, so you can modify your running pods automatically.

#kubernetes #kubectl #plugins #diag #ksniff #tcpdump #wireshark #trace #ebpf #bpf #capture #kubespy #kubectl-capture #kubectl-dig #kubectl-trace

(via Life of a Packet)

In this talk, Michael Rubin goes through the main concepts in the Kuberentes network stac, things like traffic between pods, services and network policies.

Besides the basic introduction to how CNI works, one of the key ideas is that entities like Services and Cluster IPs are really abstractions that do not correspond to real things in the cluster, but some Kubernetes sub-systems like the kube-proxy create the illusion of these things being real. The kube-propxy is responsible for creating the right iptables (or IPVS) rules for sending packets to one of the endpoints in the cluster that serves this service.

#kubernetes #networking #network #packets #networkpolicy #services #service #k8s

In this article, we’ll see how to build and deploy your first Kubernetes Operator using the Operator SDK.

An introduction to Kubernetes operators using the Operators SDK. You can also take a look at Kubebuilder, a framework I used in the past for developing a couple of operators (1, 2). I could not say which one is better for developing an operator nowadays, but I guess the Operators SDK must have a bigger community taking into account it is supported by RedHat...

There is also a new framework for developing operators in Python from the guys of Zalando: kopf. Looking at the examples in the repo I think Python could provide a lot of simplicity to your operator logic, removing a lot of boilerplate and going straight to the point...

#kubernetes #operators #operator-sdk #kubebuilder #kopf

Practical Go: Real world advice for writing maintainable Go programs

A presentation from Dave Cheney on some best practices writing Go code.

#go #golang #code style #idioms #packages #variables

"In this paper, we perform the first systematic study on concurrency bugs in real Go programs. We studied six popular Go software including Docker, Kubernetes, and gRPC. We analyzed 171 concurrency bugs in total, with more than half of them caused by non-traditional, Go-specific problems. Apart from root causes of these bugs, we also studied their fixes, performed experiments to reproduce them, and evaluated them with two publicly-available Go bug detectors."

#golang #bugs #debugging #Go #docker #kubernetes

A visual guide to Go Memory Allocator from scratch

#Golang #Go #memory allocation #malloc #memory

#golang #patterns #Go #decorators #singleton #sync #synchronization #static members #semaphores #errgroups

Modern Microprocessors: A 90-Minute Guide!

#microprocessors #CPU #architecture #computers #cache #memory #superscalar

Trending Blogs

Recently Viewed Blogs

{ inercia }