May 9, 2021

Microservices and observability

Introduction
In recent months I have been dealing with Kubernetes-based (micro)services that I could not change, either because they were off-the-shelf or because they had been externally developed. In terms of observability this is a challenge, especially when application metrics are only partially available. I could have opted for a service mesh, but implementing Istio for an application composed of 20 microservices seemed like overkill, adding a lot of complexity and cognitive load.

June 20, 2020

Grafana remote image renderer

Introduction
Since the Grafana Image Renderer plug-in is no longer supported as of Grafana 7.0, some changes are required to switch to the remote image renderer and run it as a Docker container. This post goes into the details of setting up a remote image renderer for Kubernetes on amd64, arm/v7 and arm64.
Multi-arch build
The official git repo only supports linux/amd64 at this moment, but there is an issue tracking arm support.

May 19, 2020

Kubernetes RBAC explained

Introduction
Whether it is from CI/CD or from the command line, I often see the default kube-config with cluster-admin rights being used. This is like permanently working with root privileges, and there certainly are more secure ways. In this post we will demystify Kubernetes RBAC and set up more suitable permissions for two use cases:
- a CI/CD pipeline that needs full permissions on anything located in a given Namespace
- a reader who needs to access resources for troubleshooting purposes
Concepts
Roles and ClusterRoles define sets of permissions on objects at the namespace and cluster scope.

May 18, 2020

Kubernetes policies with Gatekeeper

Introduction
Gatekeeper is a validating webhook that enforces CRD-based policies evaluated by Open Policy Agent. In a previous post we went into detail about OPA; this post supersedes it. The differences between OPA and Gatekeeper are listed here. In this post we will explore Gatekeeper, starting with a policy that requires a given label to be present at the namespace level. In upcoming posts we will implement policies as described here:

May 2, 2020

Understanding Kubernetes' pod lifecycle: the readiness probe

Introduction
Understanding Kubernetes concepts is key to running highly available applications. This article takes you through the scenario of deploying a new version of a pod, and shows how understanding the pod lifecycle and implementing a readiness probe helps you deploy new releases without downtime. Without a readiness probe, Kubernetes will try to guess when your pod is ready and then send traffic to it. If there is a delay between the point in time when the container is running and when it can handle traffic, this will cause transactions to be dropped, a.

Content licensed under CC BY 4.0