-
Docker: Using the host's network
2 min read
If we use the --net=host option with docker to create a new container, it will share it's network namespace with the host machine. It's main advantage is that it will provide higher performance (it will be close to bare metal speed); however, we might get port conflicts.
24/02/2022
Read more... -
How to debug a crossplane provider
4 min read
To be able to setup a crossplane provider there are some pieces that need to be aligned to be able to use it. For example, if we want to setup the AWS provider using an IAM Role for ServiceAccount. If something is missaligned, we might end up with an error while creating resources that doesn't really clarify what's the actual error:
$ kubectl describe bucket.s3.aws.crossplane.io/test-bucket Name: test-bucket Namespace: Labels: <none> Annotations: crossplane.io/external-name: pet2cattle-demo API Version: s3.aws.crossplane.io/v1beta1 Kind: Bucket Metadata: (...) Spec: (...) Provider Config Ref: Name: aws-provider Status: At Provider: Arn: Conditions: Last Transition Time: 2022-02-22T21:43:23Z Message: observe failed: failed to query Bucket: api error MovedPermanently: Moved Permanently Reason: ReconcileError Status: False Type: Synced Events: Type Reason Age From Message ---- ------ ---- ---- ------- Warning CannotObserveExternalResource 7s (x6 over 36s) managed/bucket.s3.aws.crossplane.io failed to query Bucket: api error MovedPermanently: Moved Permanently23/02/2022
Read more... -
Dynamically provisioned PersistentVolumes using StatefulSet
6 min read
The basic idea behind a StatefulSet is to be able to manage stateful workloads on Kubernetes, unlike Deployments, creating a unique identity for each Pod using a common spec.
With this in mind we might just copy the Pod's template from a Deployment to a StatefulSet object to make it stateful, but it's not always quite that simple.
21/02/2022
Read more... -
How to set filesystem permissions on Volumes for non-root containers
3 min read
As a best practice we should try run containers with the minimum privileges they require: If we want to run a container with a non-root user we need to specify the user we want to use with securityContext.runAsUser (unless the container is not already using a non-privileged user).
By doing so when working with Volumes we might get a Permission denied while accessing the container
18/02/2022
Read more... -
Managing (safely) Secrets as Code with sops and terraform
3 min read
If you are using Infrastructure as Code you've realized there is something it shouldn't be on a git repository: That's the secrets, we should never store clear-text secrets on a git repository, not even if it's a private repository: Anyone with access to that repository could get them.
How can we securely create secrets as code into the AWS Secrets Manager using terraform?
15/02/2022
Read more...