Tag: kubernetes
Laughably Loquacious Logging
So you are pretty proud of yourself. You have a full micro-services running in Kubernetes with a service mesh (courtesy of Istio). You have configured your liveness probes to once per second. You are using an EFK stack (Elasticsearch / Fluent-Bit/ Kubernetes). Live is good. You are evaluating turning on either Jaeger or Zipkin. You…
The agony and the ecstasy of the read-only
So earlier today I counselled to run your container filesystem read-only. Its higher security (something can’t weasel in as easily) You want to be able to dynamically dispose and restart containers somewhere else, how can you do this if they are stateful The overlay fileystem is not hgh performance Now, this last one. Lets say…
Have you set your security context recently?
You’d be shocked at how few people copy these few lines into their YAML in Kubernetes. Highly recommend you do this. Why? Well, lets walk through them. runAsNonRoot: self explanatory. Why would you want root permission inside this container? What possible good could come of that? is it because you need to bind to <…
PSA: launcher.gcr.io is not being maintained
So you might have cut and paste some code from somewhere, maybe an ‘from launcher.gcr.io/debian9’ kind of thing. That’s a good upstream, right? They are maintaining it with a strong CI? When suddenly you read Hmm. Double whammy. You have been relying since 2018-07-18 on something which is not being updated (and daily rebuilding your…
Kubernetes volume-mounts with subPath and inotify. Bah humbug
So. I’ve been working on this tool ‘fluent-bit‘. You know the drill. Compile, curse, change, pull-request, repeat. And one of the features I added was to auto-watch its config file and restart on change. This is important in a Kubernetes environment since you supply config via a ‘config map’, and expect it to auto-apply. Great.…