Ivan Velichko

Ivan on Containers, Kubernetes, and Backend Development

Published 7 months ago • 5 min read

Hello friends!

Ivan's here with a traditional monthly round-up. After spending August (rather unexpectedly) heads down building the Kubernetes Explorer UI, it feels extremely great to be back to the business of writing. September was a very fruitful month, and I finally had a chance to leverage many of the things I've been working on so hard since the beginning of the year.

In this issue:

  • Kubernetes Explorer goes open-source! 🎉
  • One new and one revamped blog post, both turned into interactive tutorials 🧪
  • My first Kubernetes 101 Workshop - I'm already nervous 😅
  • A lot of good reads I've come across over the past few weeks 📚

Let's get started!

k'exp - Kubernetes Explorer

In the summer of 2022, over a weekend, I wrote a PoC of a visualization tool that was showing Kubernetes objects and their relationships on a dynamically updating graph.

Little did I know that it would take me more than a year to think the idea through and then almost a full month of extra work to turn the PoC into a functional MVP. Most of you, of course, know what tool I'm talking about - last month's issue was dedicated solely to this shiny new Kubernetes UI. And today, I'm happy to announce that k'exp has become open source!

Go give it a try 😉


open localhost:5173

What I was writing

One of the big features that landed in the Kubernetes Explorer in September was the Pods Insights view. I was so happy with the way it came out that I even started writing a blog post specifically to demo it. However, halfway through this work, I repurposed it, and in hindsight, it was the right choice - that's how iximiuz Labs got its very first Kubernetes tutorial:

Making Sense Out of Native Sidecar Containers in Kubernetes

Another tutorial that made it to iximiuz Labs this month is my good old Containers vs. Pods - Taking a Deeper Look. It was fully reworked to make examples compatible with the contemporary versions of Docker and Kubernetes. It's also the first tutorial on the platform that leverages a multi-node playground.

Somewhat off-topic, but I also wrote a piece on how to choose between JavaScript and TypeScript in a pragmatic way - it's a reflection on my own experience building a relatively complex website and a single-page application using both of these languages.

Kubernetes 101 Workshop

I'm thrilled (and a little bit nervous) to announce that I'll be doing my very first online Kubernetes workshop on October 5th. Many thanks to Cloud Native Islamabad and Saim Safdar personally for inviting me!

The workshop will be for Kubernetes beginners, and I'll try to draw parallels between running traditional VM (or bare-metal) services and achieving the same results but in a Kubernetes cluster. We'll start with a simple single-instance service and then see what it takes to organize ingress, scale the service, deploy it without downtime, and configure cross-service communication, including service discovery. It's going to be fun (I hope) and highly practical, with a lot of visual materials and, of course, leveraging iximiuz Labs.

What I was reading

I finally have more time to read, so I've been catching up on my list aggressively. Brace for impact.

Kubernetes 1.28: Revenge of the Sidecars? by Linkerd - A slightly lengthy intro but otherwise a good read on the need for sidecars (as a design pattern) and how, up until recently, Kubernetes was lacking first-class support of them, making people use various workarounds to overcome initialization race conditions and pod termination quirks. Two particular issues I faced in my platform engineering days that aren't mentioned in the article: 1) upgrading the version of a sidecar for the entire org can take several months, slowing down the platform team, and 2) cumulative resource overhead of hundreds or even thousands of sidecars can actually be pretty high. Something Istio's new Ambient architecture might be solving for (but I have yet to take a closer look at it). But again, not every sidecar is a service mesh's proxy.

Understanding Kubernetes' new sidecar container feature - Another valuable post on the new Kubernetes feature, this time by Mirantis. I've read too many of them, and most aren't complementary to what the docs already say. This one sheds more light by rehashing the KEP and providing extra historical and practical aspects.

A good series (1, 2, 3, 4, 5, 6) on container internals and their implications on the security of containerized workloads by Rory McCune.

Fun with privileged container breakout also by Rory McCune - fun (and scary) stuff - containers aren't really meant for security, and privileged containers are essentially just root processes on your host because the only thing that "isolates" them is a chroot(-like) barrier, and Rory McCune shows how easily it can be broken out of.

Fun with container images - Bypassing vulnerability scanners - image vulnerability scanner is an awful misnomer, IMO. My (layman’s) take on it is that these tools are essentially (still pretty primitive) SBOM constructors - they try to turn a black box container image into a list of installed system and programming language packages. And when such a list is ready, they run it against a database of known vulnerabilities. By no means should such a tool be called a vuln scanner because it gives a false feeling of safety. But don’t get me wrong - maintaining SBOMs and complete software inventories of what you consume and what you ship, including cross-checking this data against known vuln databases, is an important integral part of securing the software supply chain. It’d be great to just name things slightly less misleadingly.
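The inventory-then-lookup model described above, as an added example (not code from this newsletter or the linked post): it builds a package list from a dpkg status excerpt, matches it against an advisory feed, and reports files that no inventoried package accounts for. The status excerpt, advisory ids, file listing and function names are all constructed for illustration, and exact version matching stands in for the range comparison real tools perform.

```python
# Added example: the inventory-then-lookup model described above.
# All data below is constructed for illustration.

# Excerpt in the format of /var/lib/dpkg/status from a hypothetical image.
DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.1.1k-1

Package: zlib1g
Status: install ok installed
Version: 1.2.11-4

Package: curl
Status: deinstall ok config-files
Version: 7.74.0-1
"""

# Constructed advisory feed keyed by (package, version); ids are placeholders.
ADVISORIES = {
    ("openssl", "1.1.1k-1"): "EXAMPLE-ADVISORY-1",
    ("libfoo", "2.0"): "EXAMPLE-ADVISORY-2",
}

# Constructed file listing: path -> owning dpkg package (None = no owner,
# e.g. a binary added by a COPY step rather than by the package manager).
FILES = {"/usr/bin/openssl": "openssl", "/usr/local/bin/foo-tool": None}


def build_inventory(status_text):
    """Step 1: turn the package database into {name: version} (the 'SBOM')."""
    inventory = {}
    for stanza in status_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if fields.get("Status", "").endswith(" installed"):
            inventory[fields["Package"]] = fields["Version"]
    return inventory


def match_advisories(inventory, advisories):
    """Step 2: look the inventory up in the feed (exact match only)."""
    return sorted(a for (pkg, ver), a in advisories.items() if inventory.get(pkg) == ver)


def unowned_files(files, inventory):
    """Coverage check: files no inventoried package accounts for."""
    return sorted(p for p, owner in files.items() if owner not in inventory)


if __name__ == "__main__":
    inv = build_inventory(DPKG_STATUS)
    print(inv, match_advisories(inv, ADVISORIES), unowned_files(FILES, inv))
```

The unowned-files list is the part a clean report says nothing about, which is why the result is better read as an inventory check than as a statement about the whole image.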

The internals and the latest trends of container runtimes (2023) - A great read by Akihiro Suda on the internals of container runtimes and the latest trends in the area (2023 edition). It's full of helpful visuals that definitely speed up sorting facts out.

​ - a handy playground. Not only for playing with Helm charts but also for just debugging Go template expressions (which I find myself doing more often than not).

Good Enough Abstractions by Matt Rickard - Enduring abstractions aren’t always the philosophically pure ones. They are messy and leaky, but they are handy and good enough. Markdown is a perfect example.

Akin's Laws of Spacecraft Design again by Matt Rickard - so many gems there. I even wrote my own reflection.

Automate (But Automate Last) - that’s a strategy I (often subconsciously) follow when I’m wearing my DevOps hat. Some early-stage processes might be too volatile to script them. Rollout of new code (or baking a new iximiuz Labs playground) is a perfect example. Instead of scripting it right away, I let the routine stabilize by performing it manually the first few times. Of course, the initial procedure gets, most of the time, fully reworked by the end of the fifth attempt. So why then spend time on automation of something that won’t be here next month?

The Not Kubernetes Podcast, with David Heinemeier Hansson - many things DHH shares here resonate with me. About building software, finding a niche, managing risks and not following the business runbooks others want you to follow, and more. I have a strange relationship with DHH's work - I admired Basecamp, 37signals, and Rework, got into Ruby and RoR because of his influence and hated the framework with all my heart, find his recent tweets & blog posts on Cloud and Kubernetes contradicting my own model of the industry, and I totally loved how reasonable everything sounded in this podcast episode.

Wrapping up

That is it for September. Hope you find my work helpful 🙌



Help iximiuz Labs evolve faster by supporting my work on Patreon. As a patron, you'll get more powerful playgrounds, access to premium content, and an invite to a private Discord community. Does your company have a learning and development budget? Then this expense most likely can be reimbursed 😎
