Hello friends!
It's Ivan Velichko, a software engineer and a technical storyteller, with my traditional monthly roundup.
I'd like to start this issue with some exciting personal news. I'm joining the Slim.AI team to build cool stuff for all of us dealing with containers.
I've long been a fan of the Slim.AI SaaS - a service where you can search images on multiple container registries simultaneously and inspect the image content right in the browser. I also admire the magic behind their OSS DockerSlim project - this tool can trim down a container image by tens of percent without requiring much user input. And of course, there is a lot to come.
So, my innate interest in containers and solid ops experience made this role sound like a perfect opportunity - I'll be spending even more time tinkering with Docker and Kubernetes (meaning more insights on the blog and Twitter), and, hopefully, it'll result in something the whole DevOps guild could benefit from. Looking forward to my first day next week!
SPONSORED Kubernetes API Access Security Hardening - a worthwhile post by Teleport. Extremely relevant for those of us who are concerned with securing Kubernetes API access. Do recommend if you need to implement strong authN/authZ in Kubernetes clusters.
What I Was Working On
Somehow, this month I switched gears from Kubernetes back to Containers. I'm not done with the Working With Kubernetes API series yet, and I still have at least three WiP articles - a "how to write a custom controller" primer, a client-go walkthrough, and a client-go "advanced stuff" article with the explanation of informers, work queues, and the like. But none of them were finished this month.
It all started with me running into this DockerSlim bug. While fixing it, I had to remember a few clever tricks:
[Embedded tweet, April 3rd 2022]
But after a week spent debugging containers, I couldn't help but think of dumping my fresh Container thoughts to the blog:
- Learning Docker with Docker - Toying With DinD For Fun And Profit
- Cracking the Docker CLI: How to Grasp Container Management Commands
While preparing materials for one of these posts, I came up with a nasty technique - writing an entire Go program in a Dockerfile. It's obviously a very bad idea, especially for production use, but nevertheless, I shared it on Twitter, and it took off...
The above stuff took a surprisingly long time to write down, and by the end of the month, I felt bad that I didn't spend enough time working on my Kubernetes API series, so I ended up drawing this diagram on how to extend the Kubernetes API using Custom Resources, Admission Webhooks, and Controllers. Kind of a teaser of the future work:
What I Was Reading
- Running a Container off the Host /usr/ - Lennart Poettering, the creator of systemd, shares his thoughts on local development environments for folks doing system development. Pretty neat, but I'm still in favor of fully disposable playgrounds.
- Understanding root inside and outside a container - old but gold; there are still plenty of containers running as (true) root, and it's important to understand the difference.
- The shortcomings of rootless containers - kind of a follow-up to the previous article, but pay attention to the publication date - a lot might have been improved since then.
- The differences between Docker, containerd, CRI-O and runc - a good addition to my Journey From Containerization To Orchestration And Beyond.
- Limiting access to Kubernetes resources with RBAC - I wish this article had existed when I was learning Kubernetes RBAC. It follows my favorite kind of explanation: start from a clear problem - how to do access control; show a technology-agnostic solution; map it to K8s primitives: Roles/RoleBindings/ClusterRoles, etc.
- Virtual Kubernetes clusters: A new model for multitenancy - for someone who spent the past few months developing a multi-cluster Kubernetes E2E testing framework, these virtual clusters sound very promising. Spinning up a bunch of KinD clusters on one machine is a pain.
- Kubernetes Ephemeral Container Security - "If there is one takeaway from this post, it is that any policy tool that has not been updated in the last couple of months will not enforce rules on ephemeral containers. This also includes all policies written in house! It is not enough to update the community policies." This is actually applicable to all Kubernetes features, not just ephemeral containers.
- The Principle of Ephemerality - the shorter, the better. This principle applies to almost everything in computing. Not just security credentials but also infrastructure. As a (former) Platform Engineer, I couldn't agree more.
- How Go Mitigates Supply Chain Attacks - hot topic for everyone these days...
- containerd CRI plugin: Insecure handling of image volumes - please upgrade your clusters.
- Introducing Dagger: a new way to create CI/CD pipelines - Dagger is out! From my experience, CI/CD still sucks in 2022. Hopefully, Dagger will do the same to CI/CD that Docker did to Containers.
- Merkle Trees - this data structure (?) became (in)famous with the rise of crypto, but Matt Rickard kindly reminds us that it's been used in many other places too. Kudos to Matt.
- An incredible story on protecting replit from hackers - this is nuts! But I'm particularly interested in stories like that because I still haven't given up on the idea of turning my blog into an interactive learning platform one day.
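To make the ephemeral-container takeaway above concrete, here is an added example (not from the newsletter or the linked post): a toy admission-style check that walks a Pod spec the way an outdated policy does, next to the corrected walk. The Pod manifest, the `app`/`debugger-abc` names, and the "privileged container" rule are constructed for this illustration.

```python
"""Toy policy check showing how a walk that only covers spec.containers and
spec.initContainers silently misses spec.ephemeralContainers (the array that
`kubectl debug` appends to a running Pod)."""

# Constructed sample Pod: an unprivileged app container plus a privileged
# debug container attached later as an ephemeral container.
POD_WITH_DEBUG = {
    "spec": {
        "containers": [
            {"name": "app", "securityContext": {"privileged": False}},
        ],
        "initContainers": [],
        "ephemeralContainers": [
            {"name": "debugger-abc", "securityContext": {"privileged": True}},
        ],
    }
}


def iter_containers_legacy(pod):
    """What a policy written before ephemeral containers does: it yields
    only the main and init containers."""
    spec = pod.get("spec", {})
    yield from spec.get("containers", [])
    yield from spec.get("initContainers", [])


def iter_containers(pod):
    """Updated walk: the same two arrays plus spec.ephemeralContainers."""
    yield from iter_containers_legacy(pod)
    yield from pod.get("spec", {}).get("ephemeralContainers", [])


def privileged_names(pod, walk):
    """Names of containers (as seen by `walk`) that set privileged: true."""
    return [
        c["name"]
        for c in walk(pod)
        if (c.get("securityContext") or {}).get("privileged") is True
    ]


if __name__ == "__main__":
    # The legacy walk reports nothing; the updated walk flags the debugger.
    print("legacy:", privileged_names(POD_WITH_DEBUG, iter_containers_legacy))
    print("fixed: ", privileged_names(POD_WITH_DEBUG, iter_containers))
```

The same blind spot applies to any new Pod field a policy engine predates, which is the newsletter's broader point.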
Stay Tuned
Well, this is it for this month. A lot of stuff, but even more to come! Stay safe and healthy, friends! And make code, not war!
Cheers,
Ivan Velichko
P.S. If you find this newsletter helpful, please spread the word - forward this email to your friend :)