Remote development in Kubernetes With Coder

A fleet of remote development environments (with docker, fish shell, and even minikube) running in your kubernetes cluster, accessible through VS Code in the browser! What & why This setup is the v2 of a previous post on remote dev env using jupyterlab I made a year and a half ago. The OG setup was functional, but it had some issues, mainly around user management, container lifecycle and persistent data handling. As $dayjob has grown, so has the infrastructure, and so have the development needs. So a new solution was required. ...

June 22, 2023 · 10 min · 2061 words

Contributing to the k8s documentation

what & why In late 2022, while preparing a workshop around k8s for some French people, I realized that a lot of the k8s documentation isn’t translated into French. What to translate and what not to Although I’m not a fan of trying to translate the names of concepts, resources or objects revolving around k8s (for example PersistentVolumeClaim should not be translated, as it’s used in config files, command-line args etc), it can be beneficial to translate the documentation itself so that non-native English speakers can better grasp a given concept. ...

January 31, 2023 · 2 min · 333 words

Add a new external user (or bot) in k8s

what & why If you need to give access to your cluster to either another human or a given service, you should create a dedicated account for it. This is how to do it. To authenticate, humans can use either the ServiceAccount resource (through a token) or Users (through a key and crt). Bots or non-human things should only use ServiceAccounts. A word on RBAC Role Based Access Control (RBAC) is a way of separating users from privileges, by introducing roles. Instead of linking users to privileges directly (Jake has read access on the pods), we link users to roles, which have a given set of privileges (Jake is a developer, and the developer role has read access on pods). We can now attach multiple users to a role, and albeit it complexifies somewhat the number of resources, ...

October 3, 2022 · 5 min · 948 words

Autoscaling using KEDA

Scale workloads automatically based on the size of a RabbitMQ queue, and have on-demand processing for any tasks. A sped up example of autoscaling using KEDA with a RabbitMQ setup what & why Kubernetes is a great fit for autoscaling, and it already has a built-in system for doing autoscaling based on metrics-server data, like CPU usage for a pod. It’s quite easy to do that using the Horizontal Pod Autoscaler (HPA), and I made a demo system with it [here](/posts/kube-hpa). ...

May 16, 2022 · 6 min · 1249 words

A basic, security-minded k8s app setup

what & why The CKS (Certified Kubernetes Security Specialist) is a great resource for knowing how to secure a kubernetes cluster. It covers a lot of topics, from the cluster side (admission controller, webhooks, audit), app side (Pod Security Policies) and supply chain (image scanning). Another great resource for this is the Kubernetes Hardening Guidance by NSA & CISA. But some of the concepts defined in both these resources are very case-specific, and require a lot of time, tools & effort to set up. In some environments, it might be infeasible to deploy each and every one of those concepts. But that doesn’t mean we should avoid some basic security-minded steps when deploying to k8s. I won’t cover things on the cluster-side (audit, tools like falco, or admission controllers), but how you can improve the security of your front-facing app by adding a few lines here and there. ...

March 9, 2022 · 7 min · 1280 words

Remote, multi-user VSCode running in kubernetes

A fully featured, multi-user dev env running on your k8s cluster that can coldboot in less than 10s. what & why I use VS Code as my primary IDE for everything, from Python development, to kubernetes/helm chart generation, even when building stuff for Raspberry Pico or Arduino. My daily workflow at work is: ...

January 1, 2022 · 8 min · 1519 words

A Monkey in the Cluster

what & why From principlesofchaos.org: Advances in large-scale, distributed software systems are changing the game for software engineering. As an industry, we are quick to adopt practices that increase flexibility of development and velocity of deployment. An urgent question follows on the heels of these benefits: How much confidence we can have in the complex systems that we put into production? Applying this philosophy to kube is a very pertinent thing to do, but how? The same website defines Chaos Engineering as the discipline of experimenting on a system in order to build confidence in the system’s capability to withstand turbulent conditions in production. ...

August 11, 2021 · 3 min · 467 words

Exploring Kube's Horizontal Pod Autoscaler

what & why Let’s say you have a scalable architecture (like a server/worker model), and you want autoscaling to happen automatically based on the workers’ CPU usage, which is useful in some scenarios. Kubernetes has a Horizontal Pod Autoscaler feature that we can utilize to do just that! how First, let’s talk requirements. You’ll need: a k8s cluster (k0s, minikube or microk8s); kubectl installed and configured to talk to your cluster; metrics-server deployed. This will provide the metrics necessary for the autoscaling algorithm to work. Check on your particular provider how to do so. example architecture Here is an example architecture that can benefit from scaling: ...

July 27, 2021 · 5 min · 930 words