-
How to debug a crossplane provider
4 min read
To be able to setup a crossplane provider there are some pieces that need to be aligned to be able to use it. For example, if we want to setup the AWS provider using an IAM Role for ServiceAccount. If something is missaligned, we might end up with an error while creating resources that doesn't really clarify what's the actual error:
$ kubectl describe bucket.s3.aws.crossplane.io/test-bucket Name: test-bucket Namespace: Labels: <none> Annotations: crossplane.io/external-name: pet2cattle-demo API Version: s3.aws.crossplane.io/v1beta1 Kind: Bucket Metadata: (...) Spec: (...) Provider Config Ref: Name: aws-provider Status: At Provider: Arn: Conditions: Last Transition Time: 2022-02-22T21:43:23Z Message: observe failed: failed to query Bucket: api error MovedPermanently: Moved Permanently Reason: ReconcileError Status: False Type: Synced Events: Type Reason Age From Message ---- ------ ---- ---- ------- Warning CannotObserveExternalResource 7s (x6 over 36s) managed/bucket.s3.aws.crossplane.io failed to query Bucket: api error MovedPermanently: Moved Permanently23/02/2022
Read more... -
Dynamically provisioned PersistentVolumes using StatefulSet
6 min read
The basic idea behind a StatefulSet is to be able to manage stateful workloads on Kubernetes, unlike Deployments, creating a unique identity for each Pod using a common spec.
With this in mind we might just copy the Pod's template from a Deployment to a StatefulSet object to make it stateful, but it's not always quite that simple.
21/02/2022
Read more... -
How to set filesystem permissions on Volumes for non-root containers
3 min read
As a best practice we should try run containers with the minimum privileges they require: If we want to run a container with a non-root user we need to specify the user we want to use with securityContext.runAsUser (unless the container is not already using a non-privileged user).
By doing so when working with Volumes we might get a Permission denied while accessing the container
18/02/2022
Read more... -
Managing (safely) Secrets as Code with sops and terraform
3 min read
If you are using Infrastructure as Code you've realized there is something it shouldn't be on a git repository: That's the secrets, we should never store clear-text secrets on a git repository, not even if it's a private repository: Anyone with access to that repository could get them.
How can we securely create secrets as code into the AWS Secrets Manager using terraform?
15/02/2022
Read more... -
Setting up the Vertical Pod Autoscaler
3 min read
To be able take advantage of using a Cluster Autoscaler (same applies to AWS Karpenter) we need make sure we properly set the resources any scheduled Pod is requesting to Kubernetes:
- If we are requesting too much resources, we will be wasting resources
- If we are requesting too few, the application might end up on a node where it needs to constantly share resources with other Pods
When we are not use the resources a given Pod or container is going to use, we can use the Vertical Pod Autoscaler to help us define them
14/02/2022
Read more...