Learn Kubernetes Weekly issue 81

Kubernetes at Decathlon, Webhook used by attackers, When is admin not admin? HPA based on Google Calendar, Database in Kubernetes: a good idea?

29 May 2024

This newsletter is brought to you by Otterize — automate workload IAM policies: zero-friction development, zero-trust security.

  1. Kubernetes webhook used by attackers

    This article explains how malicious admission controllers can be used to deploy backdoors, emphasizing the importance of surveillance and tools like Falco for detecting such attacks.

  2. When is admin not admin? When it's super-admin!

    The article discusses a change in Kubernetes 1.29, where the default admin.conf credential is no longer a member of the system:masters group and a new super-admin.conf credential has been introduced.

  3. Kubernetes HPA based on events in Google Calendar

    Vlad Tkachuk

    In this article, you will learn how to dynamically scale deployments using the Horizontal Pod Autoscaler and Google Calendar.

  4. Seamless data exchange with Kafka Connect and Strimzi on Kubernetes at Decathlon

    Thomas Dangleterre

    Decathlon uses Apache Kafka and Strimzi on Kubernetes for data streaming, processing 50M+ events daily.

    Learn how they faced and solved data interconnections and Kafka Connect cluster deployment challenges.

  5. Database in Kubernetes: is that a good idea?

    Ruohang Feng

    This article discusses the controversy surrounding the deployment of databases in Kubernetes, highlighting the challenges with stateful services.

    It explores the trade-offs in reliability, security, performance, and complexity.

  6. Rightsizing Kubernetes requests/limits usage

    Tim Harrison

    In this article, you'll learn the importance of rightsizing Kubernetes requests and limits and the impact of overprovisioning on resource utilization.

    You'll also discover how to identify and correct skewed resource allocation.

Articles worth checking out:

Human readable Network Policies and Kafka ACLs

Otterize

Instead of managing pod identities and manually authoring individual network policies, Otterize implements intent-based access control (IBAC).

Declare what the pods can do, and everything is automatically wired together.

  1. Multi-environment Kubernetes setup with Flux and vCluster on AWS

    Frank Bernhardt

    This tutorial explores using Flux and vCluster to build an adaptable environment that smoothly transitions through various stages of application development: from development to production.

  2. Setting up a K3S cluster on Alpine Linux with Raspberry Pi 5 using a Mac

    Nedim Yilmaz

    This article guides you through setting up a K3S cluster on Alpine Linux with Raspberry Pi 5.

    It covers installing Alpine Linux, preparing the SD card, configuring the RPi, installing K3S, and managing the system for a standalone or cluster setup.

  3. Efficient cloud native application deployment — KCL and KubeVela integration

    Through this guide, you'll learn how to deploy apps using KubeVela and KCL.

    It discusses the benefits of this integration and provides a step-by-step workflow for application deployment.

    • Site Reliability Engineer with Commify

    • Salary: €78K to €82K a year

    • Location: based in the office (and remote from home) in Bucharest, RO

    • Tech stack: Kubernetes, Azure, Shell, Python, Ruby, C#, PowerShell, Terraform, Azure DevOps, Jenkins

    • 🔥 Software Engineer with Mercari

    • Salary: ¥4.8M to ¥6.34M a year

    • Location: remote from Japan

    • Tech stack: Kubernetes, AWS, GCP, Go, SQL, JavaScript, Java, PHP, Swift, Kotlin

    • Site Reliability Engineer with Commify

    • Salary: £70K to £75K a year

    • Location: based in the office (and remote from home) in Nottingham, GB

    • Tech stack: Kubernetes, Azure, Shell, Python, Ruby, C#, PowerShell, Terraform, Azure DevOps, Jenkins

    • Software Engineer with Monta

    • Salary: kr. 540K to kr. 660K a year

    • Location: based in the office (and remote from home) in Copenhagen, DK

    • Tech stack: Kubernetes, AWS, Docker, Java, Kotlin, Redis, MySQL, Grafana, Prometheus, Loki

Discover more Kubernetes jobs on Kube Careers →

  1. Omni: SaaS deployment of Kubernetes

    Omni is a SaaS-simple deployment of Kubernetes - on your hardware.

    It allows you to start with bare metal, virtual machines or a cloud provider and create clusters spanning all your locations with a few clicks.

  2. cdebug: container debugging

    cdebug is a Swiss Army knife of container debugging:

    • Troubleshoot containers lacking shell.
    • Forward unpublished or even localhost ports to your host system.
    • Expose endpoints from the host system to containers & Kubernetes networks.
  3. Percona Operator for MySQL

    Percona Operator for MySQL follows our best practices for deployment and configuration of highly available, fault-tolerant MySQL instances in a Kubernetes-based environment on-premises or in the cloud.

  4. Kubernetes Web View

    Kubernetes Web View allows you to list and view all Kubernetes resources (including CRDs) with permalink-friendly URLs on a plain HTML frontend.

    This tool was mainly developed to provide a web version of kubectl for troubleshooting.

  5. Declarative TUI dashboard

    buoy is a declarative TUI dashboard for Kubernetes.

    You define your dashboard in a JSON file, and it will fetch the information from your Kubernetes cluster and build a dashboard for viewing the requested content right in your terminal window.

Upcoming Kubernetes events

  1. May 30

    Should you use Kubernetes and Docker in your next project?

    Online webinar organized by Learnk8s.

    • This is a virtual event

    • This is a free event.

  2. May 30

    Running 10,000 ephemeral stateful jobs in managed Kubernetes daily

    Online & in-person meetup organized by Cloud Native Prague.

    • Location: Prague, CZ and virtual

    • This is a free event.

  3. Jun 4

    Devopsdays Ukraine: let's talk security

    Online conference organized by Devopsdays.

    • This is a virtual event

    • This event requires an entrance fee

  4. Jun 5

    The state of ingress: why do we need Gateway API?

    Online meetup organized by CNCF Online Programs.

    • This is a virtual event

    • This is a free event.

  5. Jun 6

    Kubernetes Community Days Czech Slovak 2024

    Online & in-person conference organized by KCD Czech & Slovak.

    • Location: Prague, CZ and virtual

    • This event requires an entrance fee

      • Use Learnk8s to get 20% off

  6. Jun 13

    Advanced Kubernetes course

    Online workshop organized by Learnk8s.

    • This is a virtual event

    • This event requires an entrance fee

Discover more Kubernetes events on Kube Events →

Kubernetes Call for Papers

  1. expired

    KubeCon North America

    The call for papers was open until 10 June 2024 at UTC. More info →
    • Location: Salt Lake City, UT, USA and virtual

    • Online & in-person conference organized by Linux Foundation.

    • The conference starts on 12 November 2024.

    • Apply here
  2. expired

    Kubernetes Community Days UK

    The call for papers was open until 4 June 2024 at UTC. More info →
    • Location: London, UK

    • In-person conference organized by KCD UK.

    • The conference starts on 23 October 2024.

    • Apply here
  3. expired

    Kubernetes Community Days Washington DC 2024

    The call for papers was open until 3 June 2024 at UTC. More info →
    • Location: Washington, DC, USA

    • In-person conference organized by KCD Washington DC.

    • The conference starts on 24 September 2024.

    • Apply here
  4. expired

    Kubeday Colombia

    The call for papers was open until 29 June 2024 at UTC. More info →
    • Location: Medellín, CO

    • In-person conference organized by Linux Foundation.

    • The conference starts on 9 October 2024.

    • Apply here
  5. expired

    Kubernetes Community Days Austria 2024

    The call for papers was open until 23 June 2024 at UTC. More info →
    • Location: Vienna, AT

    • In-person conference organized by KCD Austria.

    • The conference starts on 8 October 2024.

    • Apply here
  6. expired

    Kubernetes Community Days Lahore 2024

    The call for papers was open until 22 June 2024 at UTC. More info →
    • Location: Lahore, PK

    • In-person conference organized by KCD Lahore.

    • The conference starts on 7 July 2024.

    • Apply here
  7. expired

    Kube Native 2024

    The call for papers was open until 26 August 2024 at UTC. More info →
    • This is a virtual event

    • Online conference organized by Conf42.

    • The conference starts on 26 September 2024.

    • Apply here
  8. expired

    CloudX 2024

    The call for papers was open until 14 June 2024 at UTC. More info →
    • Location: Santa Clara, CA, USA

    • In-person conference organized by DevNetwork.

    • The conference starts on 5 November 2024.

    • Apply here
  9. expired

    Platform Engineering 2024

    The call for papers was open until 5 August 2024 at UTC. More info →
    • This is a virtual event

    • Online conference organized by Conf42.

    • The conference starts on 5 September 2024.

    • Apply here

Until next time!

— Dan
