Cloud Native News - CNN21/26
About FinOps for Kubernetes to reduce cost overspend, policy management: OPA vs. Kyverno, the design and implementation of Linux conntrack, and an answer to the question: "What makes up a cluster?".
Containers & Orchestration
- Amazon EKS add-ons implemented with Terraform
Marcin Cuber writes about his experience with EKS Add-Ons using Terraform. Are they ready yet?
- How a Docker foot gun led to a vandal deleting NewsBlur’s MongoDB database
"A vandal deleted NewsBlur’s MongoDB database during a migration." - Read the full story!
- Kubernetes Policy Management Tools Compared: OPA with Gatekeeper vs. Kyverno
Viktor Farcic compares two very exciting solutions for automated policy management. It is objective and entertaining. I liked it.
- What’s New in the Docker and Kubernetes CIS Benchmarks
Here is what's new in the long-awaited update of the Docker and Kubernetes CIS Benchmarks. If you haven't heard of both projects yet, give them a try to check whether your setup complies with CIS best practices!
- FinOps for Kubernetes: Insufficient – or nonexistent – Kubernetes cost monitoring is causing overspend
Monitoring costs (and reacting accordingly) doesn't only help your wallet but also the environment! 🌱
- How to use Podman inside of a container
"Have you ever wondered about running Podman in a container: Podman in Podman, Podman in Docker, or even Podman in Kubernetes?"
Observability
- Prometheus Cheat Sheet - Moving Average, Max, Min, etc. (Aggregation Over Time)
A little PromQL deep dive on how to smooth out spikes via moving-window functions.
Security
- Announcing HashiCorp Boundary 0.4
"HashiCorp Boundary 0.4.0 and Boundary Desktop 1.2.0 include features supporting brokering of HashiCorp Vault secrets for Boundary targets to end-users, enhanced session cleanup, and foundational features for event logging."
- Privilege Escalation in AKS Clusters
"In a default AKS (Azure Kubernetes Service) cluster, the cluster admin credentials are stored amongst configuration data, thus enabling users with read access to configuration data to become the cluster admin — a textbook example of a privilege escalation attack." - This is an older story. The issue has already been fixed, but it is still worth a read...
- containers/udica
A tool for generating SELinux security profiles for containers. 🔥
Networking
- Connection Tracking (conntrack): Design and Implementation Inside Linux Kernel
This is an older article, but it is still a gem for every Linux networking nerd.
Development
- Building an end-to-end Kubernetes-based DevSecOps software factory on AWS
An example for a DevSecOps pipeline... I get goosebumps just looking at the architecture diagram.
Data & Storage
- The Untold Story of SQLite
"SQLite is everywhere. It’s in your web browser, it’s in your phone, it’s probably in your car, and it’s definitely in commercial planes. It’s where your iMessages and WhatsApp messages are stored, and if you do a find on your computer for *.db, you’ll be amazed at how many SQLite databases you find."
Other
- Make your cluster SWIM
"In this blog post we'll cover how systems form clusters, what clusters actually are and what are their responsibilities. We'll also present different protocols responsible to serve the needs of the clusters with a various tradeoffs associated with them."