• CoreDNS on Kubernetes: Allow DNS zone transfer

    3 min read

    kubernetes CoreDNS

    Kubernetes, by default, registers all Pods and Services in the cluster.local DNS zone. At some point we might want to take a look at this zone, but zone transfers are refused by default:

    dnstools# dig axfr cluster.local
    
    ; <<>> DiG 9.11.3 <<>> axfr cluster.local
    ;; global options: +cmd
    ; Transfer failed.
    

    But if we are using CoreDNS, we can configure it to temporarily allow zone transfers so that we can take a look at it.

    25/04/2022

  • Keeping the terraform state in a Kubernetes Secret

    2 min read

    terraform state Kubernetes Secret

    Storing the terraform state in an S3 bucket with DynamoDB for locking has become the de facto standard for sharing the state across an organization. Nevertheless, there are interesting alternatives: we can use a Kubernetes Secret.

    19/04/2022

  • Kubernetes: Autoscaling using Prometheus as an external metrics provider

    5 min read

    kubernetes hpa prometheus external metrics

    Using an external metrics provider (Kubernetes 1.10+) we can use a HorizontalPodAutoscaler to automatically scale applications based on any metric collected by Prometheus. Let's take a look at how to configure it.

    05/04/2022

  • Building container images on Kubernetes with Kaniko

    3 min read

    kaniko docker build Kubernetes

    When trying to build container images on Kubernetes we might be tempted to use the Docker-in-Docker approach. To do this you'll need to:

    • Run a docker daemon on the nodes, either as a service or as the container runtime (which has been deprecated since Kubernetes 1.20)
    • Allow the Pod to communicate with the docker socket

    This approach is considered a security risk and should be avoided.

    As an alternative, we can use kaniko: a tool to build container images inside containers (hence, on Kubernetes clusters).

    04/04/2022

  • Kubernetes: Enforcing policies using the OPA gatekeeper

    6 min read

    Kubernetes Policy enforcement OPA gatekeeper

    We might call them best practices or policies, but most organizations have some rules about how their applications should run, for example: do not use the latest tag. Others might even be required to meet certain compliance requirements to reach some security standard, for example: do not use NodePort Services.

    To enforce these policies we can use a policy engine like OPA.

    29/03/2022
