-
Install Crossplane on AWS with the native provider
4 min read
Crossplane is an open source Kubernetes add-on that lets you create cloud resources using Kubernetes objects (CRDs). It's installation it's straightforward, but once we have it installed the key it to properly configure it's providers. Here we are going to use the crossplane's native AWS provider
28/02/2022
Read more... -
Docker: Using the host's network
2 min read
If we use the --net=host option with docker to create a new container, it will share it's network namespace with the host machine. It's main advantage is that it will provide higher performance (it will be close to bare metal speed); however, we might get port conflicts.
24/02/2022
Read more... -
How to debug a crossplane provider
4 min read
To be able to setup a crossplane provider there are some pieces that need to be aligned to be able to use it. For example, if we want to setup the AWS provider using an IAM Role for ServiceAccount. If something is missaligned, we might end up with an error while creating resources that doesn't really clarify what's the actual error:
$ kubectl describe bucket.s3.aws.crossplane.io/test-bucket Name: test-bucket Namespace: Labels: <none> Annotations: crossplane.io/external-name: pet2cattle-demo API Version: s3.aws.crossplane.io/v1beta1 Kind: Bucket Metadata: (...) Spec: (...) Provider Config Ref: Name: aws-provider Status: At Provider: Arn: Conditions: Last Transition Time: 2022-02-22T21:43:23Z Message: observe failed: failed to query Bucket: api error MovedPermanently: Moved Permanently Reason: ReconcileError Status: False Type: Synced Events: Type Reason Age From Message ---- ------ ---- ---- ------- Warning CannotObserveExternalResource 7s (x6 over 36s) managed/bucket.s3.aws.crossplane.io failed to query Bucket: api error MovedPermanently: Moved Permanently23/02/2022
Read more... -
Dynamically provisioned PersistentVolumes using StatefulSet
6 min read
The basic idea behind a StatefulSet is to be able to manage stateful workloads on Kubernetes, unlike Deployments, creating a unique identity for each Pod using a common spec.
With this in mind we might just copy the Pod's template from a Deployment to a StatefulSet object to make it stateful, but it's not always quite that simple.
21/02/2022
Read more... -
How to set filesystem permissions on Volumes for non-root containers
3 min read
As a best practice we should try run containers with the minimum privileges they require: If we want to run a container with a non-root user we need to specify the user we want to use with securityContext.runAsUser (unless the container is not already using a non-privileged user).
By doing so when working with Volumes we might get a Permission denied while accessing the container
18/02/2022
Read more... -
Managing (safely) Secrets as Code with sops and terraform
3 min read
If you are using Infrastructure as Code you've realized there is something it shouldn't be on a git repository: That's the secrets, we should never store clear-text secrets on a git repository, not even if it's a private repository: Anyone with access to that repository could get them.
How can we securely create secrets as code into the AWS Secrets Manager using terraform?
15/02/2022
Read more... -
Setting up the Vertical Pod Autoscaler
3 min read
To be able take advantage of using a Cluster Autoscaler (same applies to AWS Karpenter) we need make sure we properly set the resources any scheduled Pod is requesting to Kubernetes:
- If we are requesting too much resources, we will be wasting resources
- If we are requesting too few, the application might end up on a node where it needs to constantly share resources with other Pods
When we are not use the resources a given Pod or container is going to use, we can use the Vertical Pod Autoscaler to help us define them
14/02/2022
Read more... -
Kubernetes provider for terraform: kubernetes_manifest
2 min read
Since version 2.8.0 of the Kubernetes provider for terraform, the kubernetes_manifest resource is no longer considered experimental. With this resource we can push any kind of Kubernetes objects using terrraform that doesn't have a specific resource for it:
resource "kubernetes_manifest" "example_km" { manifest = yamldecode(<<-EOF apiVersion: v1 kind: Namespace metadata: name: example-ns annotations: test: example EOF ) }11/02/2022
Read more... -
How to build a multi architecture container using rootless nerdctl
3 min read
One of the great things about using nerdctl is that it does not try to include everything you might need. This means that if you try to build a container using nerdctl you'll realize you still need to install the buildkit (unless you have installed the "nerdctl-full" version)
Moreover it's something you don't actually need to have installed locally:
$ nerdctl build --help | grep buildkit Build an image from a Dockerfile. Needs buildkitd to be running. --buildkit-host string BuildKit address [$BUILDKIT_HOST] (default "unix:///run/user/1000/buildkit/buildkitd.sock")09/02/2022
Read more... -
Running rootless containers with nerdctl
6 min read
It's no secret that docker comes stuffed with many options that many of us don't need. This is why on servers we can find containerd instead of a fully featured docker. Despite that, the real deal breaker is that whatever we are running, we are going to do it with root privileges. We can check this by running the following container:
$ docker run -v /etc:/itc -it --rm alpine sleep 24And then looking for the process on the host
$ ps auxf root 1307 0.0 0.1 2084820 46676 ? Ssl 11:36 0:04 /usr/bin/containerd root 66978 0.0 0.0 709860 6120 ? Sl 05:12 0:00 \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/50cf9789d0e68949d1cf79462956bde98b46a4616e8 b81977d8c89d2af9c34e7 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc root 66996 2.0 0.0 1588 4 pts/0 Ss+ 05:12 0:00 \_ sleep 24Is it possible to run rootless containers? Is there an alternative to docker?
08/02/2022
Read more...