With the advent of the cloud and container orchestrators, containers are becoming more commonplace. Docker is one of the most popular container runtimes that we use, and Docker images are everywhere. However, as it is a relatively new technology — and with the increased focus on shift-left — container security is a hot topic.
Most enterprises focus on runtime container security. However, sometimes the containers themselves have a vulnerability at build time that goes undetected to the untrained eye.
Containers use layers, and most containers are built from third-party base images that are available on Docker Hub. So, even if…
For most DevOps professionals, creating a VM usually consists of spinning it up on a cloud using Terraform and then using a config management tool (e.g. Ansible or Puppet) or a bootstrap script (e.g. cloud-init) to convert the raw Virtual Machine to a purposeful server.
We all have been doing it for a long time and it works for most cases, but it comes with some drawbacks.
I will give you an example from personal experience. We have a horizontally scalable web server running on GCP using managed instance groups (MIG). …
As most of us have heard, Kubernetes is deprecating Docker as a runtime from v1.20 in favour of runtimes that implement the Container Runtime Interface (CRI), such as containerd and CRI-O.
It isn’t a reason to panic, though. First of all: it’s a deprecation — i.e., you’ll start getting a warning from v1.20, so you aren’t immediately impacted. You still have a full year to come up with a plan, as Docker will be unsupported at v1.22, which they’ll roll out in late 2021.
Even if you aren’t ready by that time, you can choose to not upgrade to v1.22 until…
A Kubernetes Pod is the basic building block of Kubernetes. Comprising one or more containers, it is the smallest entity into which you can break Kubernetes architecture.
When I was new to Kubernetes, I often wondered why they designed it so. I mean, why didn't containers become the basic building block instead? Well, after some time working in real environments, it makes more sense now.
So, Pods can contain multiple containers, for some excellent reasons — primarily, the fact that containers in a pod get scheduled in the same node in a multi-node cluster. …
Kubernetes has been able to revolutionise the cloud-native ecosystem by allowing people to run distributed applications at scale. Though Kubernetes is a feature-rich and robust container orchestration platform, it does come with its own set of complexities. Managing Kubernetes at scale with multiple teams working on it is not easy, and ensuring that people do the right thing and do not overstep their boundaries is difficult.
Kyverno is just the right tool for this. It is an open source, Kubernetes-native policy engine that helps you define policies using simple Kubernetes manifests. It can validate, mutate, and generate Kubernetes…
Falco is an open source runtime security tool that can help you secure a variety of environments. Sysdig created it, and it has been a CNCF project since 2018. Falco feeds real-time Linux kernel logs, container logs, Kubernetes logs, etc. through a powerful rules engine to alert users of malicious behaviour.
It is particularly useful for container security — especially if you are using Kubernetes to run them — and it is now the de facto Kubernetes threat detection engine. It ingests Kubernetes API audit logs for runtime threat detection and to understand application behaviour.
It also helps teams…
Deployment resources within Kubernetes have simplified container deployments, and they are one of the most used Kubernetes resources. Deployments manage ReplicaSets, and they enable multiple deployment strategies by manipulating those ReplicaSets appropriately to produce the desired effect.
Surprisingly, deployments only have two Strategy types:
RollingUpdate is the default strategy, where Kubernetes creates a new ReplicaSet and scales it up while simultaneously scaling the old ReplicaSet down. The Recreate strategy scales the old ReplicaSet to zero and immediately creates a new one with the desired number of replicas.
That does not limit Kubernetes’ ability, though, for…
Setting up a Kubernetes cluster is getting simpler with time. There are several turnkey solutions available in the market, and no one currently does it the hard way!
Notably, Minikube has been one of the go-to clusters for developers to get started with development and to test their containers quickly. While Minikube currently supports a multi-node cluster in an experimental phase, it isn't GA yet.
Therefore, this becomes a limitation for integration and component testing, and most organisations rely on cloud-based managed Kubernetes services for that.
Integrating Kubernetes in the CI/CD pipeline and doing a test requires multiple tools, such as…
Recently, Kubernetes has been in vogue and growing at a tremendous pace. With Kubernetes being part of CNCF and the industry taking a more cloud-native approach, Kubernetes engineers are in demand as never before.
The Cloud Native Computing Foundation, in collaboration with the Linux Foundation, has come up with certificate offerings that allow developers, system administrators, and cybersecurity personnel to validate their knowledge on Kubernetes. They have developed these certificates to match industry requirements and to ensure that every developer or system administrator has the knowledge to be called Kubernetes experts.
Unlike other tech certifications, the Kubernetes certifications offered by…
Vertical Pod Autoscaling is one of those cool Kubernetes features that are not used enough — and for good reason. Kubernetes was built for horizontal scaling and, at least initially, it didn’t seem a great idea to scale a pod vertically. Instead, it made more sense to create a copy of the Pod if you want to handle the additional load.
However, that required extensive resource optimisation, and if you didn't tune your Pod appropriately by setting proper resource requests and limits, you might end up either evicting your pods too often or wasting a lot of useful resources. …