Remote development in Kubernetes With Coder

A fleet of remote development environments (with Docker, fish shell, and even minikube) running in your Kubernetes cluster, accessible through VS Code in the browser! What & why This setup is the v2 of a previous post on remote dev environments using JupyterLab I made a year and a half ago. The OG setup was functional, but it had some issues, mainly around user management, container lifecycle and persistent data handling. As $dayjob has grown, so has the infrastructure, and so have the development needs. So a new solution was required. ...

June 22, 2023 · 10 min · 2061 words

Contributing to the k8s documentation

what & why In late 2022, while preparing a workshop around k8s for some French people, I realized that a lot of the k8s documentation isn't translated into French. What to translate and what not to Although I'm not a fan of translating the names of the concepts, resources or objects revolving around k8s (for example PersistentVolumeClaim should not be translated, as it's used in config files, command line args, etc.), it can be beneficial to translate the documentation itself so that non-native English speakers can better grasp a given concept. ...

January 31, 2023 · 2 min · 333 words

Add a new external user (or bot) in k8s

what & why If you need to give access to your cluster to either another human or a given service, you should create a dedicated account for it. This is how to do it. To authenticate, humans can use either a ServiceAccount resource (through its token) or a User (through a client key and certificate signed by the cluster CA; note that Kubernetes has no User object, the username is simply the certificate's CN and its O fields become the user's groups). Bots or other non-human things should only use ServiceAccounts. A word on RBAC Role Based Access Control (RBAC) is a way of separating users from privileges by introducing roles. Instead of linking users to privileges directly (Jake has read access on the pods), we link users to roles, which have a given set of privileges (Jake is a developer, and the developer role has read access on pods). We can now attach multiple users to a role, and albeit it somewhat increases the number of resources, ...
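As an added illustration of the split between identity and privileges described above (example manifests written for this page, not the post's own), here is a namespaced, read-only identity usable both by a bot (ServiceAccount) and by a human (User from a client certificate). The names `ci-bot`, `jake`, the namespace `dev` and the verbs granted are assumptions.

```yaml
# Added example, not from the post. Names and namespace are hypothetical.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-bot
  namespace: dev
automountServiceAccountToken: false   # nothing in-cluster needs to impersonate the bot
---
# Long-lived token for a bot running outside the cluster. Since Kubernetes 1.24
# such Secrets are no longer created automatically; prefer a short-lived
# `kubectl create token ci-bot -n dev` whenever the bot can refresh it.
apiVersion: v1
kind: Secret
metadata:
  name: ci-bot-token
  namespace: dev
  annotations:
    kubernetes.io/service-account.name: ci-bot
type: kubernetes.io/service-account-token
---
# The privileges: a Role is namespaced, a ClusterRole would be cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: dev
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]   # read-only: no create/delete/exec
---
# The link between identities and the role. Several subjects share one Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
- kind: ServiceAccount
  name: ci-bot
  namespace: dev
- kind: User                       # human with a client certificate
  name: jake                       # must equal the certificate's CN
  apiGroup: rbac.authorization.k8s.io
```

Check the result before handing out credentials: `kubectl auth can-i list pods -n dev --as=system:serviceaccount:dev:ci-bot` and `kubectl auth can-i list pods -n dev --as=jake` should answer `yes`, while `kubectl auth can-i delete pods -n dev --as=jake` and any check in another namespace should answer `no`.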

October 3, 2022 · 5 min · 948 words

Exporting Apple Health Data

Example of metrics exported from Apple Health in Grafana: If you want to test the tool, check out the GitHub repo here what & why Having a health tracker such as an Apple Watch is great, but the default views in the Health app on the iPhone can be too simplistic. We can't correlate metrics, define a specific time range, etc. But it's possible to export all of the collected health data as an archive. The goal then is to parse this archive and import it into a more analysis-friendly tool. I'm most familiar with the InfluxDB+Grafana stack, so that's what I'll be using, but the parsing tool should provide a groundwork for parsing the exported data, and could be adapted to import into other tools. ...

August 23, 2022 · 2 min · 416 words

Gatekeeper, a ban & rate limit lib for flask

Avoid bursting and brute forcing on your Flask app, with RFC 6585 compliance (the RFC that defines the 429 Too Many Requests status) what & why Rate limiting is a powerful way to restrict the use of a given service by only allowing a given rate of requests. Banning, on the other hand, can be used to block malicious attacks, mainly brute forcing on authentication routes. The Flask framework does not provide these functionalities natively (which is normal, it's a WSGI app constructor), but we can create a module that implements them on top of Flask's primitives. ...

June 27, 2022 · 4 min · 766 words

Autoscaling using KEDA

Scale workloads automatically based on the size of a RabbitMQ queue, and have on-demand processing for any task (Video: a sped-up example of autoscaling using KEDA with a RabbitMQ setup) what & why Kubernetes is a great fit for autoscaling, and it already has a built-in system for autoscaling based on metrics-server data, like the CPU usage of a pod. It's quite easy to do that using the Horizontal Pod Autoscaler (HPA), and I made a demo system with it [here](/posts/kube-hpa). ...
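To show what "scale on queue length" looks like in practice, here is an added example ScaledObject (written for this page, not the post's own manifests) that scales a Deployment on the depth of a RabbitMQ queue. It assumes KEDA is installed, a Deployment named `worker` consuming a queue named `tasks` in namespace `jobs`, and a RabbitMQ Service reachable at the hostname shown; all of these names and the credentials are hypothetical. The AMQP URL carries credentials, so it lives in a Secret referenced through a TriggerAuthentication rather than inline in the ScaledObject.

```yaml
# Added example, not from the post. Names, namespace and credentials are hypothetical.
apiVersion: v1
kind: Secret
metadata:
  name: rabbitmq-scaler-auth
  namespace: jobs
type: Opaque
stringData:
  # full AMQP URL incl. user/password: keep it here, never in the ScaledObject
  host: amqp://scaler:changeme@rabbitmq.jobs.svc.cluster.local:5672/
---
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: rabbitmq-trigger-auth
  namespace: jobs
spec:
  secretTargetRef:
  - parameter: host              # scaler parameter to fill from the Secret
    name: rabbitmq-scaler-auth
    key: host
---
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: worker-scaler
  namespace: jobs
spec:
  scaleTargetRef:
    name: worker                 # the Deployment KEDA drives (via an HPA it creates)
  minReplicaCount: 0             # scale to zero when the queue is empty
  maxReplicaCount: 20            # hard cap: a flooded queue cannot exhaust the cluster
  pollingInterval: 15            # seconds between queue checks
  cooldownPeriod: 60             # seconds idle before scaling back to zero
  triggers:
  - type: rabbitmq
    metadata:
      protocol: amqp
      queueName: tasks
      mode: QueueLength          # target `value` messages per replica
      value: "10"                # 10 messages -> 1 replica, 200 messages -> 20
    authenticationRef:
      name: rabbitmq-trigger-auth
```

The `maxReplicaCount` is the part worth thinking about from a security angle: without it, anyone able to publish to the queue can make the cluster spawn as many pods as the scheduler will accept.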

May 16, 2022 · 6 min · 1249 words

A basic, security-minded k8s app setup

what & why The CKS (Certified Kubernetes Security Specialist) is a great resource for learning how to secure a Kubernetes cluster. It covers a lot of topics, from the cluster side (admission controllers, webhooks, audit) to the app side (Pod Security Policies, since removed in Kubernetes 1.25 in favour of Pod Security Admission) and the supply chain (image scanning). Another great resource for this is the Kubernetes Hardening Guidance by NSA & CISA. But some of the concepts defined in both these resources are very case-specific, and require a lot of time, tools & effort to set up. In some environments, it might be infeasible to deploy each and every one of those concepts. But that doesn't mean we should skip basic security-minded steps when deploying to k8s. I won't cover things on the cluster side (audit, tools like Falco, or admission controllers), but how you can improve the security of your front-facing app by adding a few lines here and there. ...
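As an added example of the "few lines here and there" approach (manifests written for this page, not the post's own), here is a front-facing Deployment with the app-side settings that cost nothing to add: non-root, no privilege escalation, read-only root filesystem, all capabilities dropped, a seccomp profile, resource limits, no mounted API token, an image pinned by digest, and a NetworkPolicy that only lets the ingress controller reach it. The namespace is labelled so that Pod Security Admission enforces the `restricted` profile and rejects any pod that later loses these settings. The names `web`, `frontend`, the image reference (the digest is a zero placeholder), the port, and the `ingress-nginx` namespace are assumptions.

```yaml
# Added example, not from the post. Names, image digest and ports are hypothetical.
apiVersion: v1
kind: Namespace
metadata:
  name: web
  labels:
    pod-security.kubernetes.io/enforce: restricted   # PSA, the PSP replacement
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
  namespace: web
spec:
  replicas: 2
  selector:
    matchLabels: {app: frontend}
  template:
    metadata:
      labels: {app: frontend}
    spec:
      automountServiceAccountToken: false   # the app never talks to the API server
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        runAsGroup: 10001
        seccompProfile: {type: RuntimeDefault}
      containers:
      - name: frontend
        # pin by digest so a retagged image cannot slip in (placeholder digest)
        image: registry.example.com/frontend@sha256:0000000000000000000000000000000000000000000000000000000000000000
        ports:
        - containerPort: 8080
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities: {drop: ["ALL"]}
        resources:
          requests: {cpu: 100m, memory: 128Mi}
          limits: {cpu: 500m, memory: 256Mi}   # a leak or a DoS cannot starve neighbours
        readinessProbe:
          httpGet: {path: /healthz, port: 8080}
        volumeMounts:
        - {name: tmp, mountPath: /tmp}       # the only writable path
      volumes:
      - name: tmp
        emptyDir: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-only-from-ingress
  namespace: web
spec:
  podSelector:
    matchLabels: {app: frontend}
  policyTypes: [Ingress, Egress]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels: {kubernetes.io/metadata.name: ingress-nginx}
    ports:
    - {port: 8080, protocol: TCP}
  egress:                        # DNS only; add explicit rules for real backends
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels: {k8s-app: kube-dns}
    ports:
    - {port: 53, protocol: UDP}
    - {port: 53, protocol: TCP}
```

`kubectl apply --dry-run=server -f` on this file surfaces Pod Security Admission rejections before anything is created; the egress rule only works if the cluster's CNI enforces NetworkPolicy, which not every CNI does.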

March 9, 2022 · 7 min · 1280 words

Remote, multi-user VSCode running in kubernetes

A fully featured, multi-user dev environment running on your k8s cluster that can cold-boot in less than 10 s what & why I use VS Code as my primary IDE for everything, from Python development to Kubernetes/Helm chart generation, even when building stuff for the Raspberry Pi Pico or Arduino. My daily workflow at work is: ...

January 1, 2022 · 8 min · 1519 words

Reducing Docker Images Size Using Xz

what & why During a project, I needed to build a container that could render graphs based on pretty big arrays, using plotly, kaleido and pandas. The arrays would be pandas DataFrames, turned into graphs through plotly, and then rendered as JPEG images using kaleido. It is not uncommon to have pretty big dependencies in a Python project, but pulling these packages locally took quite a long time, so I checked the size of each: ...

September 24, 2021 · 4 min · 794 words

A Monkey in the Cluster

what & why From principlesofchaos.org: "Advances in large-scale, distributed software systems are changing the game for software engineering. As an industry, we are quick to adopt practices that increase flexibility of development and velocity of deployment. An urgent question follows on the heels of these benefits: How much confidence we can have in the complex systems that we put into production?" Applying this philosophy to kube is a very pertinent thing to do, but how? The same website defines Chaos Engineering as "the discipline of experimenting on a system in order to build confidence in the system's capability to withstand turbulent conditions in production." ...

August 11, 2021 · 3 min · 467 words