Welcome to the 52nd edition of CloudPro! Today, we’ll talk about:
⭐Masterclass:
🔍Secret Knowledge:
⚡Techwave:
🛠️HackHub: Best Tools for the Cloud
Identify CloudFormation stacks that are not in sync with their template files
Automate secure database credential management in Kubernetes
Cheers,
Editor-in-Chief
⭐MasterClass: Tutorials & Guides
Kubernetes started as an open-source project based on Google's internal tool Borg, designed to manage software containers within microservices applications. At first it handled stateless application containers well, since they require no persistent storage, but it struggled with stateful applications, which need stable network identifiers and persistent storage.
Over time, Kubernetes evolved significantly. Key developments like StatefulSets and Kubernetes Operators made it possible to manage more complex, stateful workloads. The community's active involvement was crucial in driving these improvements, allowing Kubernetes to handle databases and storage systems effectively.
As an open-source project under the Cloud Native Computing Foundation, Kubernetes attracted widespread support and contributions, helping it become a flexible and powerful platform. Today, it is the leading choice for managing cloud-native applications, capable of running on any cloud provider or data center.
⭐Things you wish you didn't need to know about S3
Amazon S3, one of the earliest services from AWS, has a robust but quirky API that is often rediscovered with surprise. One of its main oddities is that while most API requests are made directly to the bucket's URL, some are made to generic S3 endpoints. This inconsistency can lead to confusion, especially regarding public vs. private access.
A bucket policy allowing all actions to everyone can inadvertently make the bucket publicly accessible, enabling anyone to perform operations like deleting the bucket without authentication.
Furthermore, S3 has intricate mechanisms that can be exploited to bypass restrictions. For instance, denying the `s3:ListBucket` operation does not prevent listing object keys through other means, like listing versions or multipart uploads.
Multipart uploads, which can remain incomplete, also introduce complexities in managing objects and their metadata.
Additionally, S3 buckets can be made publicly accessible via CloudFront distributions or AWS Cognito configurations, even if traditional public access settings are disabled. These nuances underscore the importance of meticulous configuration and vigilance in managing S3 security.
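As an added example that is not from the linked article, a small Python linter for the two policy mistakes described above: an unconditional allow of every S3 action to everyone, and a deny of `s3:ListBucket` that leaves the version and multipart-upload listings open. The sample policy is constructed for illustration; the action names are real IAM actions.

```python
import json

# Bucket-level list operations that all reveal object keys. Denying only
# s3:ListBucket leaves the other two open, which is the gap the text describes.
KEY_LISTING_ACTIONS = {
    "s3:ListBucket",
    "s3:ListBucketVersions",
    "s3:ListBucketMultipartUploads",
}


def _as_set(value):
    """IAM allows a string or a list; normalise either to a set of strings."""
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_set(principal.get("AWS"))


def lint_bucket_policy(policy_json):
    """Return a list of finding strings for an S3 bucket policy document."""
    policy = json.loads(policy_json)
    findings, denied = [], set()
    for stmt in policy.get("Statement", []):
        actions = _as_set(stmt.get("Action"))
        if stmt.get("Effect") == "Deny":
            denied |= actions
            continue
        # Only unconditional allows to everyone are flagged; a Condition block
        # may still be too broad, but that needs a per-key review.
        if _principal_is_everyone(stmt.get("Principal")) and "Condition" not in stmt:
            if "s3:*" in actions or "*" in actions:
                findings.append("public: all S3 actions allowed to everyone (includes delete)")
            else:
                findings.append("public: %s allowed to everyone" % ", ".join(sorted(actions)))
    if "s3:ListBucket" in denied and "s3:*" not in denied:
        missing = sorted(KEY_LISTING_ACTIONS - denied)
        if missing:
            findings.append("incomplete deny: keys still listable via " + ", ".join(missing))
    return findings


# Constructed sample policy (not from a real account) showing both mistakes.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket"}]})
```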
⭐Optimizing Postgres Memory Usage
To get the most out of Postgres memory settings, it’s crucial to understand how Postgres utilizes RAM and how to fine-tune these settings for optimal performance. The two primary memory components are shared_buffers and work_mem. Shared_buffers is where Postgres stores frequently accessed data, and it is essential to size this appropriately to avoid over-allocation, which could lead to out-of-memory errors. A common recommendation is to set shared_buffers to 25% of your system's RAM. You can use tools like the pg_buffercache extension to monitor and adjust the size of shared_buffers based on actual usage to ensure it’s not set too high or too low.
Work_mem controls the amount of memory allocated for sorting and hashing operations in queries. Since each query node can allocate its own work_mem, it’s important not to set this too high, especially on systems with many concurrent queries, to avoid excessive memory consumption that could cause the operating system to terminate Postgres processes. Use the EXPLAIN command and pg_stat_statements extension to analyze query plans and estimate appropriate values for work_mem. Additionally, session pooling with tools like PgBouncer can help manage memory by reducing the number of concurrent active connections.
⭐Shielding Your Kubernetes Network: Mastering iptables for Enhanced Security
The article discusses the importance of securing a Kubernetes cluster beyond using NetworkPolicies, emphasizing the role of firewalls, particularly iptables, in enhancing network security. NetworkPolicies only secure the internal cluster network, leaving potential vulnerabilities from external threats unaddressed. By using iptables, a robust and flexible firewall tool, administrators can control and restrict incoming network traffic to their Kubernetes clusters, preventing unauthorized access and potential attacks.
The article explains the basic concepts of iptables, likening its structure to a series of rooms (tables) and desks (chains) where network packets are evaluated against a set of rules. Specifically, it focuses on the INPUT chain in the filter table, which handles incoming packets. By default, iptables allows all traffic, but the article advises setting it to deny all traffic by default, only allowing packets that match specified rules. This change enhances security by ensuring that only trusted packets can access the system, reducing the risk of infiltration and malware spread.
⭐The trouble with Topology Aware Routing: Sacrificing reliability in the name of cost savings
Topology Aware Routing (TAR) in Kubernetes aims to cut costs by keeping cluster traffic within the same availability zone (AZ), avoiding the high expenses associated with cross-zone data transfers. However, this cost-saving measure can compromise reliability. TAR strictly blocks cross-zone traffic, which means that if an issue arises in one zone—like a pod failure or increased latency—traffic cannot reroute to healthy pods in other zones, leading to potential system failures and defeating the purpose of a multi-zone setup designed for high availability.
While TAR reduces costs effectively when the system is healthy, it introduces a single point of failure by preventing traffic rerouting in case of zone-specific issues. This limitation can lead to catastrophic failures and performance bottlenecks. Therefore, while TAR offers financial benefits, it also necessitates careful consideration of the trade-offs in system reliability and resilience. Exploring more advanced traffic management solutions, such as L7 request balancing, may provide a balanced approach to achieving both cost savings and high availability.
🔍Secret Knowledge: Learning Resources
🔍How does Docker work? A Technical Deep Dive
Docker is a platform that simplifies the process of creating, distributing, and running applications within containers. At its core, Docker uses a client-server architecture, where the Docker client communicates with the Docker daemon (server) to manage containers. The client sends commands to the daemon, which performs tasks such as building, running, and managing containers. Containers themselves are lightweight and portable units that encapsulate an application and its dependencies, ensuring consistent behavior across different environments.
Docker achieves containerization by leveraging Linux kernel features like namespaces and control groups (cgroups). Namespaces provide isolated environments for containers, so they appear to have their own filesystem, network, and process space. Cgroups limit and prioritize resources such as CPU, memory, and disk I/O for containers, ensuring that no single container can monopolize system resources.
By abstracting the underlying infrastructure, Docker allows developers to package applications with all their dependencies, making it easy to deploy them on any system that supports Docker, thereby streamlining the development and deployment processes.
🔍Learning resources to become an SRE: By Google
Systems engineering at Google, particularly in SRE (Site Reliability Engineering), involves designing and implementing robust and scalable systems. This discipline focuses on practical approaches like non-abstract large system design (NALSD), ensuring reliability through structured processes like Service Level Objectives (SLOs), and utilizing tools for automation and consistency in deployments. Google's SREs emphasize iterative design, managing risk with error budgets, and continuous improvement through feedback loops. These practices are crucial for maintaining the reliability of Google's extensive production environments.
🔍Another five myths about platform engineering
Platform engineering is about optimizing software development by providing self-service tools and automating complex tasks, not eliminating infrastructure teams but evolving their role to manage and optimize infrastructure within a streamlined process. It's a strategic approach to enhance efficiency without dramatically increasing staffing costs, focusing on gradual improvements and tailored solutions rather than immediate fixes. Platform engineering isn't a universal solution for all applications; it's about selectively applying practices where they provide the most value, integrating cloud services thoughtfully, and continually refining the platform to meet evolving needs.
🔍How to securely transfer files with presigned URLs
Using presigned URLs for securely transferring files involves generating temporary URLs that grant access to specific resources stored in Amazon S3 buckets. These URLs have a limited lifespan and are generated programmatically using AWS services like IAM and Amazon S3. They eliminate the need for exposing long-term credentials or making data publicly accessible, thus maintaining security and control over sensitive information.
To implement this securely, organizations should follow best practices such as tightly scoped IAM permissions, using temporary credentials like roles instead of access keys, and enforcing encryption for data in transit. Network isolation through AWS VPC endpoints enhances security by keeping S3 access within private networks. Additionally, requiring multi-factor authentication (MFA) for generating presigned URLs adds an extra layer of identity protection.
Monitoring and governance are crucial aspects of securely using presigned URLs. Implementing HTTPS encryption for URL transmission, defining strict CORS permissions, and using AWS WAF for rate limiting and monitoring access attempts help mitigate risks. Regularly analyzing access logs and metrics in CloudWatch enables organizations to detect and respond to suspicious activities promptly, ensuring continuous protection of shared resources. By integrating these practices, organizations can facilitate secure and controlled file transfers while safeguarding against unauthorized access and data breaches.
🔍Holes in Your Bitbucket: Why Your CI/CD Pipeline Is Leaking Secrets
Bitbucket offers a service called Bitbucket Pipelines for automating software development processes. One critical feature is "Secured Variables," designed to store sensitive information like AWS keys securely. However, recent investigations by Mandiant highlight a significant security risk: these secured variables can inadvertently leak plain-text secrets. This occurs when variables are copied into artifact objects within Bitbucket, which are then accessible to anyone who can view these artifacts, such as through publicly accessible locations like S3 buckets or company websites.
Developers often use artifacts for troubleshooting or passing data between stages in their pipelines. When sensitive information ends up in these artifacts, it can be exposed unintentionally. This exposure allows threat actors to exploit leaked secrets, potentially gaining unauthorized access to cloud resources like AWS, as demonstrated in recent incidents.
To mitigate these risks, it's crucial for organizations using Bitbucket Pipelines to implement strict security practices. This includes avoiding storing secrets directly in Bitbucket and instead using dedicated secrets management tools. Additionally, careful monitoring of artifacts and thorough code scanning throughout the pipeline lifecycle are essential to detect and prevent inadvertent exposures of sensitive information.
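As an added example that is not from the Mandiant write-up or from Bitbucket, a small Python check that scans artifact contents for credential patterns before a pipeline publishes them. The AWS access key ID format is documented by AWS; the other two patterns are assumptions for illustration, and the sample artifact is constructed (the key values are AWS's documented example credentials).

```python
import re

# Detection patterns for credential material that commonly ends up in build
# artifacts. Only the access key ID format is documented by AWS; the secret
# key and private key patterns are conservative assumptions. This is a
# first-pass check and will not catch arbitrary high-entropy strings.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def scan_artifact(text, source="artifact"):
    """Return [(source, line_no, pattern_name)] for every suspicious line.

    A line can produce several hits if it matches more than one pattern.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((source, line_no, name))
    return hits


# Constructed artifact content imitating an environment dump that a pipeline
# step wrote out for debugging; the values are AWS's documented examples.
SAMPLE_ARTIFACT = """\
BITBUCKET_BUILD_NUMBER=42
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DEPLOY_TARGET=s3://example-bucket/site
"""

if __name__ == "__main__":
    # In a pipeline, a non-empty result should fail the step before upload.
    for hit in scan_artifact(SAMPLE_ARTIFACT, "build/env.txt"):
        print("%s:%d %s" % hit)
```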
⚡ TechWave: Cloud News & Analysis
⚡New release for Argo Image updater — 0.13
Argo Image Updater is a tool that works alongside Argo CD to automatically update Kubernetes applications when new container versions are available. This allows for continuous delivery without custom pipelines. The latest release includes new features like supporting multi-source applications and specifying Git repositories for write-back actions. It also improves handling of parameter overrides and adds support for separate GitHub credentials. These updates enhance flexibility and usability for teams managing Kubernetes deployments with Argo CD and Image Updater.
⚡Adopt New AWS features with the Terraform AWS Cloud Control provider
The Terraform AWS Cloud Control (AWS CC) Provider lets you quickly adopt new AWS features using Terraform. It leverages AWS's Cloud Control API to support over 950 AWS resources, automatically updating as new services are released. This means you can manage AWS infrastructure as code with minimal delay, integrating new features into your existing Terraform workflows seamlessly. The provider simplifies provisioning and managing AWS resources using consistent CRUD-L operations, ensuring compatibility with Terraform's familiar configuration blocks and enabling faster time-to-market for your cloud deployments.
⚡Raspberry Pi is now a public company
Raspberry Pi, known for its affordable mini computers, recently became a publicly traded company on the London Stock Exchange. The initial public offering (IPO) priced its shares at £2.80 each, valuing the company at about $690 million. After the IPO, the share price rose by 32% to £3.70, potentially raising over $200 million.
⚡Hijacking a Sovereign State's Top-Level Domain
Hijacking the top-level domain (.cd) of a sovereign state like the Democratic Republic of Congo involved acquiring control of a crucial domain used for its DNS (Domain Name System). By purchasing a domain that was part of the DNS infrastructure managing .cd, Fredrik Nordberg Almroth temporarily gained the ability to redirect a significant portion of .cd domain traffic.
⚡Embrace and Grafana Labs sign go-to-market agreement
Embrace and Grafana Labs are teaming up to enhance observability for mobile apps using OpenTelemetry. Embrace specializes in mobile app observability, providing detailed insights into user experiences through metrics and traces. Grafana Labs, known for their open-source operational dashboards, will integrate Embrace's data, allowing teams to monitor both frontend mobile performance and backend systems in one platform. This partnership aims to streamline troubleshooting, improve user engagement, and support SREs, DevOps, and mobile developers in delivering seamless digital experiences.
🛠️HackHub: Best Tools for Cloud
Snorlax is a Kubernetes tool that schedules deployments to sleep and wake up based on specified times, helping save costs and enhance security by reducing resource usage during inactive periods.
🛠️awslabs/cloudfront-hosting-toolkit
The CloudFront Hosting Toolkit is a tool that helps developers deploy fast and secure frontends on AWS cloud infrastructure. It offers a command-line interface (CLI) for easy setup and management of static websites. You can integrate it with GitHub or S3 repositories, automate deployment pipelines, and manage infrastructure with AWS CodePipeline and Step Functions. This toolkit ensures rapid updates and optimized performance through caching, security headers, and custom domain support with TLS certificates. It's designed to streamline the deployment process, making it easier to focus on developing website content rather than managing infrastructure details.
Outtasync helps users identify AWS CloudFormation stacks that are out of sync with their corresponding stack files. This can happen if a stack is updated but the changes aren't committed to the codebase or deployed to other environments. It provides both a TUI (Text User Interface) mode for local use and a CLI mode for CI pipelines. Users can configure it with a YAML file to specify stack details and AWS regions. It integrates with Git to show diffs and supports filtering stacks based on tags or regex patterns. Outtasync ensures AWS credentials are refreshed as needed and offers keymaps for navigation and interaction in its TUI mode.
The Vault Database Injector uses Vault's database engine to create credentials, sends them to Kubernetes applications using annotations and a mutating webhook, and manages their lifecycle.
🛠️aws/aws-advanced-python-wrapper
The AWS Advanced Python Driver enhances existing Python database drivers to fully utilize Amazon Aurora's failover capabilities, minimizing downtime by quickly switching to backup instances when primary ones fail. It ensures continuous availability and faster reconnections during database outages.
📢 If your company is interested in reaching an audience of developers, technical professionals, and decision makers, you may want to advertise with us.
If you have any comments or feedback, just reply back to this email.
Thanks for reading and have a great day!