Discover all the great things happening in the world of Kubernetes, learn (controversial) opinions from the experts and explore the successes (and failures) of running Kubernetes at scale.
Kubernetes base64 secrets are fine, with Mac Chaffee
By default, Kubernetes Secrets are not encrypted; values are merely base64 encoded.
And this is fine — at least, this is what Mac argues in this episode of KubeFM.
Mac says it all comes down to thinking strategically about security and where the Secrets could be leaked.
In this episode, you will learn:
How to define a threat model to inform your security posture and mitigations.
How Kubernetes Secrets offer sufficient guarantees for most common threat models.
Whether you should use HashiCorp Vault or Kubernetes Secrets (and when not to use auto-unsealing).
Mac also covers tips and advice on becoming a security expert.
Find all the links and info for this episode here: https://kube.fm/kubernetes-secrets-mac
Plain Kubernetes secrets are fine
Gatekeeper policy for privileged pods
Gatekeeper policy for Ingresses with wildcard hostnames
Formal methods to threat modeling
Bitnami Sealed Secrets
Vault Shamir secret sharing
HSM backed Vault
Vault HA configuration
"keep it secret, keep it safe." — Gandalf
Chaos Engineering by Kelly Shortridge
Kubernetes on bare-metal: lessons learned, with Mathias Pius
What does it take to build a Kubernetes cluster on bare metal?
In this episode of KubeFM, you will learn how to plan and execute a successful setup for a bare-metal Kubernetes cluster.
You will follow Mathias' journey as he rebuilt his cluster several times and learn how to:
Identify dependencies and priorities between components to avoid incidents in the future.
Leverage FluxCD to have a predictable and documented setup.
Secure the nodes from external traffic with firewalls and Cilium cluster-wide network policies.
Use Talos to have a self-contained Kubernetes operating system.
Mathias also shared tips and advice for other engineers embarking on the same process.
Find all the links and info for this episode here: https://kube.fm/bare-metal-kubernetes-mathias
8-part series: Kubernetes on bare-metal
Cilium cluster-wide network policies
CiliumCon in Amsterdam
Cilium: policy audit mode
Migrating 24 services from Docker compose to Kubernetes, with Ronald Ramazanov and Vasily Kolosov
Should every project start with Kubernetes?
And if not, when is the right time to switch without incurring (unbearable) technical debt?
In this episode of KubeFM, you will learn how the team at Loovatech designed an app from scratch and decided to use Docker Compose to host their infrastructure cheaply and effectively in a single virtual machine.
As the project grew, the team had to make the difficult choice to rearchitect their infrastructure and plan for scalability and fault tolerance.
Follow their journey and learn:
How to migrate from a single Docker Compose file with 24 containers to Kubernetes.
How to verify that your apps are stateless and what changes are necessary to deploy them into Kubernetes.
How to manage expectations and explain the value of a complex migration to your boss or (non-tech-savvy) customers.
Vasily and Ronald also shared how they integrated ArgoCD and their existing CI/CD to leverage push and pull-based GitOps and their plans to incorporate multi-tenancy and custom metrics.
Find all the links and info for this episode here: https://kube.fm/docker-compose-migration-vasily-ronald
Application migration from Docker Compose to Kubernetes. How, why, and what problems we’ve encountered
Using Docker Compose
Uploading and copying objects using multipart upload in AWS S3
Amazon Elastic File System
AWS EKS changelog
ArgoCD user guide: Helm
GitOps: Push-based vs. Pull-based Deployments
How to autoscale apps on Kubernetes with custom metrics
Upgrading hundreds of Kubernetes clusters, with Pierre Mavro
How do you upgrade a Kubernetes cluster to the latest release without breaking anything?
And what if you had to upgrade hundreds of clusters simultaneously?
In this episode, Pierre explains the process, tooling and testing strategy for upgrading clusters at scale.
You will learn:
How the team at Qovery keeps up to date with the latest (vanilla) Kubernetes changes and managed services changelogs.
How to upgrade Helm charts gradually and safely. Pierre has some tips for Custom Resource Definitions (CRDs).
How to test API deprecations with end-to-end testing.
How to automate the process of upgrading clusters.
You will also learn from Pierre's experience in managing stateful applications in Kubernetes with 4500 nodes on bare metal.
Find all the links and info for this episode here: https://kube.fm/upgrading-100s-clusters-pierre
The cost of upgrading hundreds of Kubernetes clusters
Kubernetes the hard way
Pod Disruption Budget
Vertical Pod Autoscaler
Horizontal Pod Autoscaler
Testing Helm charts
helm install --atomic
helm install --wait
KubeCon EU 2024
Unpacking observability, ditching Prometheus, with Hannah Maxwell and Adriana Villela
Are logs enough to troubleshoot your deployment and infrastructure?
Perhaps, but there's a better way to observe, monitor and debug your stack: embracing observability.
In this episode, Adriana explains how she learned to love Open Telemetry and:
How you can combine traces, metrics and logs to really understand the root cause of your production issues.
What the Open Telemetry Collector is, and how it can simplify the ingestion of traces, logs and metrics without tying you into a particular vendor.
How to convince colleagues and the business to adopt new technologies.
In this episode, Bart also invited a special guest, Hannah (Adriana's daughter), to ensure that Adriana tells the truth and nothing but the truth.
Hannah shared some great tips on public speaking and… baking!
Find all the links and info for this episode here: https://kube.fm/adriana-hannah-unpacking-o11y
ServiceNow Cloud Observability
Red Hat Openshift
Geeking Out podcast
On Call Me Maybe podcast
Adriana's Medium blog
SLA vs SLO vs SLI
Open Telemetry signals: traces, metrics, logs
Open Telemetry instrumentation
OpenTelemetry Q&A Feat. Hazel Weakly
KubeCon North America 2023
Open Telemetry End User Working Group
OpenTelemetry Community End User Surveys
Toronto CNCF meetup
Observability Day 2023
All Things Open 2023
Reducing compute capacity by 40% on EKS with Bottlerocket and Karpenter, with Gazal Gafoor
Follow Gazal's journey as he shares the lessons learned in adopting, rolling out and scaling EKS clusters at Target Australia over seven years.
You will learn:
What Bottlerocket OS is.
How Bottlerocket helps with securing your workloads.
Karpenter as an alternative to the Cluster Autoscaler.
How Karpenter can efficiently schedule and de-provision workloads.
Gazal hinted at a 40% reduction in compute capacity when combining Bottlerocket OS and Karpenter (and 30% lower response times).
Find all the links and info for this episode here: https://kube.fm/gazal-eks-bottlerocket-karpenter
Bolstering Security & Automating Management of Target Australia’s EKS clusters
Terraform AWS EKS
IAM Roles for Service Accounts
AWS EBS CSI driver
Amazon VPC CNI now supports Kubernetes Network Policies
AWS Controllers for Kubernetes (ACK)
AWS Load Balancer Controller
Amazon Linux 2
Deprovisioning in Karpenter
AWS Node Termination Handler
Scheduling in Karpenter
Karpenter Provisioner CRD