For years I have appreciated the clean and simple way Kubernetes approached Ingress into container workloads. The idea of an IngressController that dynamically reconfigures itself based on the current state of Ingress resources seemed very clean and easy to understand. Istio, on the other hand, felt more confusing, so I set out to correlate what I refer to as “traditional kubernetes ingress” with Istio ingress. The following diagram will help visualize my comments below. Dynamic Ingress Control Load Balancer at the Edge Both approaches are very similar in how they treat traffic at......
Continue Reading
UPDATE: Beginning in June, 2020, GKE will charge for the control plane. This means the design below will jump from $5/month to nearly $80/month. I was recently inspired by a post claiming it was possible to run kubernetes on Google for $5 per month. One reason I have been shy to jump all in with kubernetes is the cost of running a cluster for development work and later for production. After going through the post above, I realized that I could actually afford double that amount and end up with a very usable......
Continue Reading
etcd, https://coreos.com/etcd/, is a distributed key/value store and contains all details about a kubernetes cluster, such as resources and their states. How etcd is installed I install kubernetes, and etcd along with it, using kubespray https://github.com/kubernetes-incubator/kubespray Interacting with etcd etcd runs as a container. The startup script used by systemctl is /usr/local/bin/etcd, which has the contents below #!/bin/bash /usr/bin/docker run \ --restart=on-failure:5 \ --env-file=/etc/etcd.env \ --net=host \ -v /etc/ssl/certs:/etc/ssl/certs:ro \ -v /etc/ssl/etcd/ssl:/etc/ssl/etcd/ssl:ro \ -v /var/lib/etcd:/var/lib/etcd:rw \ --memory=512M \ --blkio-weight=1000 \ --name=etcd1 \ quay.io/coreos/etcd:v3.2.18 \ /usr/local/bin/etcd \ "$@" Interacting with the running etcd process......
Continue Reading
In spite of the popularity of Let’s Encrypt for generating free SSL/TLS certificates, I think their getting started page stinks. In case you feel the same way, I’ll try to give you a real quick start that will get you to your first certificate. Certificate Authority Let me point out that anyone with Linux (or Docker for that matter) can create a strong SSL/TLS certificate and encrypt their data. No third party is necessary. Where third parties like Comodo, GeoTrust, Verisign and now Let’s Encrypt come in is as Certificate Authorities. Publishers of......
Continue Reading
Often in development or when working on proofs of concept (PoC), I need working SSL to protect an endpoint. If I controlled the domain, I would use Lets Encrypt to generate a certificate. When I don’t control the domain, I often use self signed certificates. Below is how I create them and then use them to create a Secret in kubernetes. Choosing a domain (common name) When I don’t control the domain, that usually means I can’t setup a subdomain with appropriate name resolution for my project. In this case I use a......
Continue Reading
Introduction Kubernetes (also written k8s) is a powerful container orchestration platform that works with Docker. This first video provides a high level explanation of how kubernetes differs from traditional application deployment and infrastructure management. Overview A kubernetes cluster is made up of masters and nodes. The masters are responsible for orchestration and the nodes host the orchestrated containers. In addition to orchestrating containers, it is helpful to have a gateway to route traffic through the cluster and a persistent storage mechanism. While these last two components aren’t strictly part of kubernetes, I consider......
Continue Reading
Kubernetes is getting a lot of attention recently, and there is good reason for that. Docker containers alone are little more than a developer convenience. Orchestration moves containers from laptop into the datacenter. Kubernetes does that in a way that simplifies development and operations. Unfortunately I struggled to find easy to understand high level descriptions of how kubernetes worked, so I made the diagram below. Operations While I don’t show the operator specifically (usually someone in IT, or a managed offering like GKE), everything in the yellow box would be managed by the......
Continue Reading
IT general controls are important for various reasons, such as business continuity and regulatory compliance. Traditionally, controls have focused on the infrastructure itself. In the context of long running servers in fixed locations, this was often an effective approach. As virtualization and container technologies become more prevalent, especially in public cloud, infrastructure focused IT controls can start to get in the way of realizing the following benefits: Just in time provisioning Workload migration Network isolation Tight capacity management DevOps Automated deployments Automated remediation One way to maintain strong IT controls can still get......
Continue Reading
One of the most significant enablers of IT and software automation has been the shift away from fixed infrastructure to flexible infrastructure. Virtualization, process isolation, resource sharing and other forms of flexible infrastructure have been in use for many decades in IT systems. It can be seen in early Unix systems, Java application servers and even in common tools such as Apache and IIS in the form of virtual hosts. If flexible infrastructure has been a part of technology practice for so long, why is it getting so much buzz now? Infrastructure as......
Continue Reading
I found this article on serverwatch today: http://www.serverwatch.com/server-trends/why-kubernetes-is-all-conquering.html It’s not technically deep, but it does highlight the groundswell of interest for and adoption of kubernetes. It’s also worth noting that GCE and Azure will now both have a native, fully managed kubernetes offering. I haven’t found a fully managed docker datacenter offering, but I’m sure there is one. It would be interesting to compare the two from a public cloud offering perspective. I’ve worked a lot with OpenStack for on premises clouds. This naturally leads to the idea of using OpenStack as a......
Continue Reading