CloudPro #46: Kubernetes Mutating Webhooks
Welcome to a brand new edition of the CloudPro! Today, we’ll talk about:
Masterclass:
Secret Knowledge:
Techwave:
Grafana Incident: new tools for faster, simpler incident response
Build genAI applications with Amazon Bedrock Studio (preview)
HackHub: Best Tools for the Cloud
A new project to resume development on the formerly open-source Redis
Optimize the docker build caching for "dotnet restore" instructions
Cheers,
Editor-in-Chief
MasterClass: Tutorials & Guides
Scaling Sidecars to Zero in Kubernetes
Scaling sidecars to zero in Kubernetes refers to optimizing the resource usage of helper containers that run alongside main applications within Kubernetes pods. Typically, sidecar containers remain operational throughout the lifespan of the main app, leading to potential resource wastage.
The solution involves using Spin apps, which are based on WebAssembly (Wasm) technology. These Spin apps are lightweight, secure, and fast-executing, making them ideal for handling requests alongside main containerized applications. Unlike traditional sidecars, Spin apps are designed to start only when a request comes in and shut down when idle, effectively scaling down to zero resource consumption when not in use.
By leveraging Spin apps, developers can efficiently implement sidecar functionalities while minimizing resource overhead.
Structured Authorization Configuration In Kubernetes 1.30
In Kubernetes 1.30, the Structured Authorization Configuration feature (KEP-3221) is introduced, aiming to enhance the flexibility and manageability of API server authorization. Previously, configuring authorization was limited to command-line flags, allowing only a single webhook in the authorization chain. This posed challenges for administrators needing complex, fine-grained policies. Now, with Structured Authorization Configuration, multiple webhooks can be specified, each with distinct settings and failure policies.
Sample configurations demonstrate real-world scenarios like protecting Custom Resource Definitions (CRDs) and selectively triggering additional webhooks. These configurations allow administrators to define layered security policies and manage complex authorization scenarios efficiently.
In Kubernetes 1.30, the feature is in beta and enabled by default, with plans for further refinement based on user feedback. To use this feature, administrators must specify the path to the authorization configuration file.
Grafana Loki and Kubernetes Event exporter
This blog post explores integrating Grafana Loki and the Kubernetes Event exporter into your Kubernetes Cluster using a Helm chart. By doing so, you gain insights from Kubernetes events, effectively monitoring cluster health.
Key Steps:
Capture events from Kubernetes objects for monitoring.
Use the Helm chart to install Loki for log aggregation.
Integrate Loki with Grafana for visualization.
Install the Kubernetes Event exporter Helm chart to capture Kubernetes events.
Import the pre-configured dashboard for event monitoring.
Benefits:
Enables comprehensive monitoring and troubleshooting of Kubernetes clusters.
Provides valuable insights into cluster health and performance.
Building a network topology of a Kubernetes application
The author is exploring ways to understand the network behavior of a Kubernetes application without directly modifying its code. They use Gala-gopher, a tool powered by eBPF, to collect metrics related to request latency. However, determining the exact path of each request without intrusive manipulation of client code is challenging.
They propose a solution called FlowTracer, which involves transferring data between peers at the connection level, akin to HTTP load balancers' X-Forwarded-For header. They suggest using TCP header options to achieve this, particularly leveraging functions like bpf_store_hdr_opt and bpf_load_hdr_opt introduced in Linux Kernel 5.10.
By implementing this approach, they aim to provide both client and server with direct information about their peers without intrusive modifications.
Intro to Kubernetes Mutating Webhooks
Mutating Webhooks, introduced in Kubernetes version 1.9, allow you to modify Kubernetes resources dynamically based on certain actions. For example, you could automatically add labels to pods or attach additional processes. The article covers why mutating webhooks are useful, how to implement them using code and Kubernetes resources, and provides resources for further learning.
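To make the "automatically add labels to pods" case concrete, here is an added example of a mutating admission webhook server written for this newsletter; it is not code from the article being summarized. It models only the handful of admission.k8s.io/v1 AdmissionReview fields it needs (an assumption, the real types carry many more), answers with an RFC 6902 JSON Patch as the API server expects, and handles two edge cases a first attempt usually misses: a Pod whose `metadata.labels` map is absent entirely (an `add` to `/metadata/labels/key` would fail, so the whole map is created) and a label key containing `/`, which must be escaped per RFC 6901. The label key and value, the `/mutate` path and the certificate paths are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"strings"
)

// Minimal subset of the admission.k8s.io/v1 AdmissionReview types.
// Assumption: only the fields this example needs are modelled.
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionRequest struct {
	UID    string           `json:"uid"`
	Kind   GroupVersionKind `json:"kind"`
	Object json.RawMessage  `json:"object"`
}

type GroupVersionKind struct {
	Group   string `json:"group"`
	Version string `json:"version"`
	Kind    string `json:"kind"`
}

type AdmissionResponse struct {
	UID       string  `json:"uid"`
	Allowed   bool    `json:"allowed"`
	PatchType *string `json:"patchType,omitempty"`
	Patch     []byte  `json:"patch,omitempty"` // base64-encoded by encoding/json, as the API server expects
	Result    *Status `json:"result,omitempty"`
}

type Status struct {
	Message string `json:"message"`
}

// patchOp is one RFC 6902 JSON Patch operation.
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// escapePointer applies RFC 6901 escaping so a key such as "example.com/owner"
// is one path segment rather than two.
func escapePointer(s string) string {
	return strings.NewReplacer("~", "~0", "/", "~1").Replace(s)
}

// buildLabelPatch returns the patch that adds key=value to metadata.labels.
// If labels is absent, the whole map is created; if the key is already set,
// no patch is produced so the webhook never silently overwrites a user label.
func buildLabelPatch(object []byte, key, value string) ([]patchOp, error) {
	var obj struct {
		Metadata struct {
			Labels map[string]string `json:"labels"`
		} `json:"metadata"`
	}
	if err := json.Unmarshal(object, &obj); err != nil {
		return nil, fmt.Errorf("decode object: %w", err)
	}
	if obj.Metadata.Labels == nil {
		return []patchOp{{Op: "add", Path: "/metadata/labels", Value: map[string]string{key: value}}}, nil
	}
	if _, exists := obj.Metadata.Labels[key]; exists {
		return nil, nil
	}
	return []patchOp{{Op: "add", Path: "/metadata/labels/" + escapePointer(key), Value: value}}, nil
}

// Mutate fills in review.Response. Only Pods are patched; any other kind the
// API server happens to send is allowed through untouched.
func Mutate(review AdmissionReview, key, value string) AdmissionReview {
	if review.Request == nil {
		review.Response = &AdmissionResponse{Allowed: false, Result: &Status{Message: "missing request"}}
		return review
	}
	resp := &AdmissionResponse{UID: review.Request.UID, Allowed: true}
	if review.Request.Kind.Kind == "Pod" {
		ops, err := buildLabelPatch(review.Request.Object, key, value)
		if err != nil {
			resp.Allowed, resp.Result = false, &Status{Message: err.Error()}
		} else if len(ops) > 0 {
			patch, _ := json.Marshal(ops)
			pt := "JSONPatch"
			resp.PatchType, resp.Patch = &pt, patch
		}
	}
	review.Response = resp
	return review
}

// Handler decodes the AdmissionReview sent by the API server (capped at 1 MiB)
// and writes back the same review with Response set.
func Handler(key, value string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var review AdmissionReview
		if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&review); err != nil {
			http.Error(w, "bad AdmissionReview: "+err.Error(), http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(Mutate(review, key, value))
	}
}

func main() {
	// The API server only calls webhooks over HTTPS; certificate paths are placeholders.
	http.Handle("/mutate", Handler("example.com/managed-by", "cloudpro-webhook"))
	log.Fatal(http.ListenAndServeTLS(":8443", "/path/to/tls.crt", "/path/to/tls.key", nil))
}
```

The API server also needs a MutatingWebhookConfiguration pointing at this service with its CA bundle; when writing that, the `failurePolicy` and `namespaceSelector` decide whether a webhook outage blocks all Pod creation, so they deserve the same review as the code.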
Secret Knowledge: Learning Resources
Graceful shutdown in Kubernetes
Graceful shutdown in Kubernetes ensures that connections and tasks are handled properly when Pods are created or deleted. When a Pod is created, Kubernetes assigns it to a node and prepares it for operation. The kubelet manages the creation process, including networking and storage setup. Endpoints are then updated to reflect the Pod's availability for incoming traffic.
During deletion, Kubernetes follows a reverse process, notifying components like kube-proxy and Ingress controllers to stop routing traffic to the Pod. To prevent abrupt shutdowns, Kubernetes sends a SIGTERM signal to the Pod, allowing applications to gracefully terminate connections and tasks before deletion. This signal triggers a preStop hook, which can be configured to wait for a specified duration.
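The termination sequence above is easier to get right in code than in prose, so here is an added example written for this issue, not taken from the guide it summarizes. It is a small Go HTTP service whose readiness probe starts failing the moment a stop signal (SIGTERM in production) arrives, then waits a short delay for kube-proxy and Ingress controllers to drop the Pod from their endpoints (the same job a preStop sleep does; note the kubelet runs the preStop hook before it sends SIGTERM), and only then stops accepting and drains in-flight requests within a timeout. The `/readyz` path, port and the 5 s / 20 s values are assumptions; the two durations together must fit inside the Pod's `terminationGracePeriodSeconds`.

```go
package main

import (
	"context"
	"errors"
	"log"
	"net"
	"net/http"
	"os"
	"os/signal"
	"sync/atomic"
	"syscall"
	"time"
)

// App is a small HTTP service that follows the Kubernetes termination sequence.
type App struct {
	draining atomic.Bool
	srv      *http.Server
}

func NewApp() *App {
	a := &App{}
	mux := http.NewServeMux()
	// Readiness probe (path is an assumption): once draining, answer 503 so the
	// kubelet marks the Pod not-ready and new connections stop being routed here.
	mux.HandleFunc("/readyz", func(w http.ResponseWriter, r *http.Request) {
		if a.draining.Load() {
			http.Error(w, "draining", http.StatusServiceUnavailable)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte("hello\n"))
	})
	a.srv = &http.Server{Handler: mux}
	return a
}

// Serve runs until stop is closed, then (1) fails readiness, (2) waits `delay`
// for endpoint propagation, (3) stops accepting and lets in-flight requests
// finish within `timeout`. It returns nil on a clean drain, otherwise the
// Shutdown error (e.g. context deadline exceeded when requests outlive timeout).
func (a *App) Serve(ln net.Listener, stop <-chan struct{}, delay, timeout time.Duration) error {
	errCh := make(chan error, 1)
	go func() { errCh <- a.srv.Serve(ln) }()

	select {
	case err := <-errCh:
		return err // the listener failed before any stop signal
	case <-stop:
	}
	a.draining.Store(true)
	time.Sleep(delay) // still serving during this window: traffic is being redirected away

	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	err := a.srv.Shutdown(ctx)
	// Serve returns ErrServerClosed once Shutdown has closed the listener; expected.
	if serveErr := <-errCh; serveErr != nil && !errors.Is(serveErr, http.ErrServerClosed) {
		return serveErr
	}
	return err
}

func main() {
	ln, err := net.Listen("tcp", ":8080")
	if err != nil {
		log.Fatal(err)
	}
	stop := make(chan struct{})
	go func() {
		sig := make(chan os.Signal, 1)
		signal.Notify(sig, syscall.SIGTERM, os.Interrupt)
		<-sig
		close(stop)
	}()
	// Assumed values: 5 s propagation delay + 20 s drain must fit in terminationGracePeriodSeconds.
	if err := NewApp().Serve(ln, stop, 5*time.Second, 20*time.Second); err != nil {
		log.Printf("shutdown: %v", err)
	}
}
```

The important detail is the order: readiness fails first, the listener stays open during the delay, and `Shutdown` is called last. Calling `Shutdown` as soon as SIGTERM arrives closes the socket while kube-proxy is still forwarding new connections to the Pod, which is where the "connection refused" errors during rollouts come from.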
The guide to kubectl I never had
The article provides a comprehensive guide to using `kubectl`, the Command Line Interface (CLI) tool for communicating with the Kubernetes API. It covers installation instructions for various operating systems, command syntax, imperative and declarative management of Kubernetes resources, and a wide range of useful commands for working with pods, nodes, deployments, daemonsets, statefulsets, jobs, secrets, and more. Additionally, it discusses plugins and tools that enhance Kubernetes management, such as Krew, Kubectx, k9s, cert-manager, and others. The article also includes a kubectl cheatsheet for quick reference.
Container Runtime Interface streaming explained
The Kubernetes Container Runtime Interface (CRI) facilitates communication between kubelet and container runtimes. Key RPCs—Exec, Attach, and PortForward—stream data between clients and containers. They use gRPC for communication and feature simple request-response interactions, enhancing runtime flexibility. Exec and Attach follow a defined protocol, while PortForward streams plain SPDY frames. Runtimes implement methods outlined in the kubelet's Runtime interface. Future enhancements focus on WebSocket support and runtime improvements.
Top 10 Linux commands for troubleshooting network issues
ping: Checks if a host is reachable and measures latency.
traceroute: Shows the path packets take to reach a destination.
netstat: Displays network connections, routing tables, and statistics.
ifconfig/ip: Views and configures network parameters for interfaces.
tcpdump: Captures and analyzes network traffic in real-time.
nslookup/dig: Queries DNS servers for domain name resolution.
iptables/firewalld: Manages firewall rules for packet filtering and NAT.
ss: Investigates sockets, showing TCP, UDP, and UNIX domain sockets.
arp: Displays and modifies IP-to-MAC address translation tables.
mtr: Combines ping and traceroute for detailed network path analysis.
Managing Kubernetes deployments with ArgoCD
ArgoCD automates Kubernetes deployments using Git configurations, ensuring consistency and reliability. It simplifies setup, provides real-time sync, and offers automated healing. Integration with Helm Charts enhances deployment management. Overall, it streamlines operations, improving efficiency and reliability.
TechWave: Cloud News & Analysis
OpenTofu 1.7.0 introduces new features like state encryption for security, dynamic provider-defined functions for more flexibility, and other enhancements. It's a community-driven project that's gaining popularity as an alternative to Terraform™. With features like state file management and compatibility with existing infrastructure, it simplifies cloud infrastructure management. The next version, OpenTofu 1.8, is already in the works with plans to incorporate user-requested features like using variables for module sources and backend configurations.
Red Hat launches GenAI for Konveyor
Red Hat is introducing generative artificial intelligence (GenAI) to Konveyor, their open-source project for modernizing applications. This integration aims to simplify application modernization, making it more cost-effective and efficient. GenAI models like IBM watsonx™ Code Assistant will offer IDE plugins and repository-level automation, providing developers with recommended source code changes directly in their workflow. This streamlines the development process, reduces errors, and speeds up cycles.
Introducing image mode for Red Hat Enterprise Linux
Red Hat Enterprise Linux introduces image mode, a container-native approach to deploying the OS as a bootc container image. This method leverages container tools and workflows, simplifying management at scale and bridging gaps between operations and development cycles. With image mode, users gain complete inventory control, simplified updates and rollbacks, faster experimentation, and seamless integration with containerized CI/CD workflows.
The tight integration with Podman Desktop and Podman AI Lab facilitates the development and deployment of AI workloads across various environments. Red Hat Insights offers enhanced management features for image mode hosts, including detailed host information, update initiation, security scanning, and automatic registration during provisioning.
Grafana Incident: new tools for faster, simpler incident response
Grafana Labs introduces new tools in Grafana Incident Response & Management (IRM) for faster incident response:
Sift Investigations utilizes machine learning to prioritize issues in real-time, speeding up diagnosis and resolution.
Grafana OnCall Integration automatically notifies relevant team members during incidents, enhancing collaboration.
OpenAI Integration provides concise incident summaries for effective communication.
Communication Enhancements like Slack Attachment Uploads streamline documentation and incident declaration.
Upcoming innovations include private incidents, customizable incident phases, and a unified Slack app for Grafana OnCall and Grafana Incident.
Gateway API v1.1: Service mesh, GRPCRoute, etc
Gateway API v1.1 introduces new features like service mesh support and GRPCRoute, which have graduated to the Standard Channel, meaning they're fully supported and backward compatible. It allows managing ingress and mesh traffic using the same API and introduces experimental features like session persistence and client certificate verification. The release also includes improvements in reporting and introduces BackendLBPolicy for session persistence configuration.
Build genAI applications with Amazon Bedrock Studio (preview)
Amazon Bedrock Studio is a new tool for building generative AI applications, available now for public preview. It speeds up the development process by providing a web-based environment with features like Knowledge Bases, Agents, and Guardrails. To get started, administrators create a workspace and add users. Builders can then explore models, customize applications with their own data, use functions for API calls, and set up guardrails for responsible AI. Applications built in Bedrock Studio deploy managed resources automatically to AWS.
HackHub: Best Tools for Cloud
Valkey is a new high-performance key-value store that's still under construction. It's built from the open-source Redis project just before they changed their licensing. Valkey is designed for key/value workloads and supports various native data structures. You can add TLS support or integrate with systemd if needed. You can also customize memory allocation and clock sources.
dotnet-subset is a tool for .NET that takes files from a repository and copies only what's needed for a specific project or solution. It's often used in Dockerfiles to make "dotnet restore" commands in Docker builds faster. It copies necessary files, including project dependencies, MSBuild files, and NuGet configurations, while keeping their relative paths intact.
Helmper is a Go program that fetches Helm Charts from remote OCI registries and pushes their container images to your own registries. It simplifies managing Helm Charts and ensures reproducibility and security in Kubernetes environments.
Domino is a user-friendly platform for creating, editing, and monitoring workflows using a graphical interface, standardizing functional pieces, and controlling Apache Airflow through a REST API.
devkit-io/serverless-lambda-cron-cdk
This is a starter kit for setting up cron jobs using AWS Lambda, providing AWS CDK deployment code, CI/CD pipeline, and Lambda function source code, ideal for automating tasks on a schedule using Lambda.
If your company is interested in reaching an audience of developers, technical professionals, and decision makers, you may want to advertise with us.
If you have any comments or feedback, just reply back to this email.
Thanks for reading and have a great day!