Cloud Native News - CNN25
Join the SIG-Observability, Loodse is now Kubermatic, learn the K8s RBAC 101, scaling with common sense, Kubernetes Goat, Kube2Hadoop
CNCF & Community
- Interested in the Future of Cloud Native Observability? Join SIG-Observability
The short-term goals include working through both the review and project backlogs, and thinking about best current practices in order to make suggestions for how to operate observability in a cloud native manner.
- Loodse is now Kubermatic!
German Kubernetes company Loodse is not only rebranding to "Kubermatic", but also open sourcing its Kubernetes automation platform under the Apache 2.0 License.
Processes / Guides / Articles
- Testing Kubernetes Deployments within CI Pipelines
"How to test Kubernetes artifacts like Helm charts and YAML manifests in your CI pipelines with a low-overhead, on-demand Kubernetes cluster deployed with KIND - Kubernetes in Docker." If you are interested in the topic, D2IQ recently did something similar!
- Kubernetes RBAC 101: Overview
Role-based access control (RBAC) is a critical security mechanism of every Kubernetes cluster. As it can be quite complex, it can be intimidating at first, since it is not always obvious what a production-ready implementation should look like. Kublr does a good job of explaining terminology and approaches in a three-part series.
- AWS IAM Assume Role Vulnerabilities Found in Many Top Vendors
"In this first blog in our series on cross-account-trust, we will present the results from 90 vendors showing that 37% had not implemented the ExternalId correctly to protect against confused-deputy attacks."
- Scaling with common sense
Kailash Nadh lists some common-sense techniques for typical scaling problems. Most of them are trivial and can be implemented as low-hanging fruit. In no particular order and without any claim to completeness.
- Autoscaling apps on Kubernetes with the Horizontal Pod Autoscaler
"This article gives a high-level overview of how the Horizontal Pod Autoscaler (HPA) in Kubernetes works and how to use it."
- Architecting Kubernetes clusters — choosing a cluster size
It is a common question with several dimensions and no single "right" or "wrong" answer, although certain patterns are indicators that point to one approach or the other.
- Validating Kubernetes YAML for best practice and policies
"The article compares six static tools to validate and score Kubernetes YAML files for best practices and compliance."
- Comparing Kubernetes managed services across Digital Ocean, Scaleway, OVHCloud and Linode
There are more managed Kubernetes providers than the "big three". Depending on your requirements, it might be worth giving the "smaller ones" a try. Adrian Todorov put quite some effort into comparing them.
- What happens when you update your DNS?
A wise man once said "It's always DNS". Julia Evans, famous for explaining complex tech on point, looks behind the scenes at what happens when a DNS record gets changed.
- We built network isolation for 1,500 services to make Monzo more secure
By automating the creation of the network policies for their services, Monzo reached a state where every service can reach exactly those services it needs and nothing else. A great achievement for their security.
- High Availability Load Balancers with Maglev
"Maglev has been serving Google's traffic since 2008. It has sustained the rapid global growth of Google services, and it also provides network load balancing for Google Cloud Platform." This article covers the motivation behind, and the details of, Cloudflare's adoption of Maglev.
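The confused-deputy protection the AWS IAM item refers to is an sts:ExternalId condition on the role's trust policy: without it, any principal in the trusted vendor account can assume the role on behalf of whoever asks it to. The following is an added example, not code from the newsletter or from the linked post. It is a small Python audit that flags Allow statements granting sts:AssumeRole to a principal outside your own account without such a condition, with a weak policy beside its hardened form; the account ids and the external id value are constructed placeholders.

```python
import json

# Constructed sample trust policies (placeholder account ids, not real ones).
VENDOR_ACCOUNT = "111111111111"
OWN_ACCOUNT = "222222222222"

# Weak: trusts the whole vendor account with no sts:ExternalId condition.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Hardened: the same trust, but only when the caller presents the agreed ExternalId.
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-placeholder"}},
    }],
})


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Extract the account id from an ARN, a bare account id, or '*'."""
    if principal == "*":
        return "*"
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 else principal


def _has_external_id_condition(condition):
    """True if some positive String* operator pins sts:ExternalId to a concrete value."""
    for operator, pairs in condition.items():
        if not operator.startswith("String") or "Not" in operator:
            continue
        for key, value in pairs.items():
            if key.lower() == "sts:externalid":
                values = [v for v in _as_list(value) if v and v != "*"]
                if values:
                    return True
    return False


def find_unprotected_cross_account_statements(policy_json, own_account_id):
    """Return statements allowing sts:AssumeRole to foreign principals without an ExternalId condition."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not ({"sts:assumerole", "sts:*", "*"} & actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        foreign = [p for p in aws_principals if _account_of(p) != own_account_id]
        if foreign and not _has_external_id_condition(stmt.get("Condition", {})):
            findings.append({"statement": idx, "principals": foreign})
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, find_unprotected_cross_account_statements(doc, OWN_ACCOUNT))
```

Statements that trust principals in your own account are deliberately not flagged, because ExternalId is a cross-account mitigation; the check also treats a wildcard or empty ExternalId value as no protection at all.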
Tools
- Kubernetes Goat
A Kubernetes cluster intentionally designed to be vulnerable, for practising Kubernetes security. The accompanying documentation guides you through a number of vulnerable spots.
- podtnl
"A Powerful CLI that makes your pod available to online without exposing a k8 service"
- CoreDNS 1.7
The new CoreDNS housekeeping release removes Kubernetes-related plugins and improves metric naming. It is worth mentioning that this is, therefore, a backwards-incompatible release.
- Kube2Hadoop
"Offline training jobs on Kubernetes, such as TensorFlow or Spark jobs need secure access to datalake like HDFS. However, there exists a gap between the security model of Kubernetes and Hadoop. Kube2Hadoop bridges this gap by providing a scalable and secure integration of Kubernetes and HDFS Kerberos."
Bonus
Course notes to Certified Kubernetes Administrator exam CKA
Redditor Adnan Rashid published his CKA course notes, including diagrams for each subject area. A useful reference for future refreshers.
The German Corona Warning App is out since this week
After two days, it already had roughly 10 million downloads. Nicolai Parlog went through its (outstanding!) open source documentation and pointed out some interesting details, one of which: the backend is hosted on Kubernetes.
Photo by Carlos Muza on Unsplash