#kubernetes (2018-10)
Archive: https://archive.sweetops.com/kubernetes/
2018-10-01

@Erik Osterman (Cloud Posse) yes sir!

https://blog.scottlowe.org/2018/09/28/setting-up-the-kubernetes-aws-cloud-provider/
(in addition to https://aws.amazon.com/blogs/opensource/provision-aws-services-kubernetes-aws-service-broker/, which was mentioned here before)
Setting up the Kubernetes AWS Cloud Provider - Scott’s Weblog - The weblog of an IT pro focusing on cloud computing, Kubernetes, Linux, containers, and networking

Provision AWS Services through Kubernetes using the AWS Service Broker. There’s no doubt that containers have changed how we build projects. One of the guiding principles of a containerized workflow approach has been to give back control to the developer, allowing them to choose their dependencies and how to consume them – most importantly, when they […]

@Andriy Knysh (Cloud Posse) can you add some context?

this link https://aws.amazon.com/blogs/opensource/provision-aws-services-kubernetes-aws-service-broker/ describes an AWS service broker for k8s so we could provision some AWS resources from Kubernetes (e.g. Load Balancers or Route53 records)


this link https://blog.scottlowe.org/2018/09/28/setting-up-the-kubernetes-aws-cloud-provider/ shows some pitfalls when using it
2018-10-03

This provides a monitor dashboard that makes it easy to see which jobs are running and if their latest status was “succeeded” or “failed”. - pietervogelaar/kubernetes-job-monitor

2018-10-07


Have you ever tried to integrate Amazon DynamoDB with an application running in Kubernetes? How about deploying an S3 Bucket for your application to use? If you have, you will know this usually requires you to use some tool such as AWS CloudFormation or Hashicorp Terraform. Then you’ll need to create a way to deploy […]
2018-10-09

Hello

[root@server kubernetes]# kubectl run hello-minikube --image=wordpress
The connection to the server localhost:8080 was refused - did you specify the right host or port?

How do I fix this?

hey @Gaurav - please share a little bit more about your env

are you on linux or mac?

@Gaurav the error usually means that kube config is not set or not found. Take a look here, hopefully some of the answers will work for you: https://github.com/kubernetes/kubernetes/issues/23726
Going through this guide to set up kubernetes locally via docker I end up with the error message as stated above. Steps taken: export K8S_VERSION='1.3.0-alpha.1' (tried 1.2.0 as well) copy-…

I have followed the hello world tutorial on http://kubernetes.io/docs/hellonode/. When I run: kubectl run hello-node --image=gcr.io/PROJECT_ID/hello-node:v1 --port=8080 I get: The connection to …
2018-10-10

Thanks @Erik Osterman (Cloud Posse) and @Andriy Knysh (Cloud Posse)

I am running this command on my CentOS 7 desktop machine

Didn’t get a fix yet :(

Ok, so you’ve already installed minikube? If so, how did you go about it?
2018-10-12


A set of scripts inspired by CIS Kubernetes Benchmark that checks best-practices of Kubernetes installations - neuvector/kubernetes-cis-benchmark

Hunt for security weaknesses in Kubernetes clusters - aquasecurity/kube-hunter

Thanks @Erik Osterman (Cloud Posse)
2018-10-17

hi @Erik Osterman (Cloud Posse) Saw this yesterday https://github.com/skyscrapers/terraform-kubernetes. They are using null resources to call kops and helm.

@Erik Osterman (Cloud Posse) any idea about making https://www.telepresence.io work with geodesic
Telepresence: a local development environment for a remote Kubernetes cluster

I don’t think geodesic stands in the way.

isn’t it just a glorified (but cool) reverse proxy?

i thought it replaces your pod for your service

and then proxies it back to your local workstation

that’s correct, but it also modifies entries in iptables

oh really?

IMO (“in a perfect world”), seems like one should just replace the image with vendor/telepresence and pass some kind of KEY env

yes, I couldn’t debug it completely but it worked flawlessly when running natively; within geodesic it isn’t able to resolve the proxied items

oh

are you saying the iptables stuff happens locally?

yes

aha, i see

yea, makes sense - now I understand what you want to do and how geodesic affects that

somehow, if geodesic could use the Mac’s iptables or sync with that

can you do something like you did with kubectl proxy?

port bind

actually there isn’t a way to pass port binding

I can’t think of a practical way to keep it in geodesic

I think you’d need to export a kubecfg and run telepresence and kubectl natively

or run your apps in geodesic

e.g. nodejs app

i thought that also

will raise an issue about it on their git, let’s see if they have a recommendation
2018-10-22

anyone know of a neat secrets management thing that lets me back stuff up when using GKE + KMS

(I know etcdctl exists, I’m just wondering if that’s literally how you do it)

The alternative is to encrypt all secrets in git using public KMS key. Then the system of record is git. Thus restoring is more about redeploying.

Anyone want to comment on https://medium.com/virtuslab/think-twice-before-using-helm-25fbb18bc822 ?

re: secure… Previously I used helm in a “Helm per namespace” model. Meaning, each app resided in its own namespace, each namespace got its own tiller, and each tiller got locked down by some very restrictive RBAC policies. Because of how Tiller operates, it effectively is a “giant sudo server”, as the author puts it, but with the right policies, it can be used safely. What I most often hear is “what if someone gets on the tiller pod, they can do anything!” which is solved by the helm-per-namespace model. I wrote policies that allowed helm/tiller to create, update, and read within its own namespace (meaning I, as a human, was required to destroy something, because from day 2 on this wasn’t required very often), and any attempt to retrieve any information from k8s outside of the namespace was denied.

the tiller is also slated to be deprecated in helm v3, for a strictly client-side operation

just like kubernetes, helm provides an interface for representing applications on kubernetes

kubernetes secrets, for example, are an interface for representing sensitive information. until kubernetes 1.8 these weren’t encrypted and people scoffed at it too. these are fair critiques that don’t go unnoticed. the thing is though, because these interfaces are defined well, the underlying implementations can be improved. that’s what happened with kubernetes secrets.

the same will happen with helm and it won’t require massive re-tooling.

Helm really became a de-facto as Kubernetes Package Manager. Helm is the best way to find, share, and use software built for Kubernetes as it states on https://helm.sh. That’s true and sounds very cool. Since Helm v2, helm got a server part called The Tiller Server which is

(via one of the comments)

but I’m not sure about Lua scripting because it can add additional complexity to the charts.

while I’m not crazy about Lua, it’s worked out well for Nginx as the embedded language.

in terms of adding complexity, strongly disagree

The “Cloud Posse” Distribution of Kubernetes Applications - cloudposse/charts

I don’t think gotemplating is easier to manage complexity. i think an actual language that could evolve into a DSL would be better. Lua has that potential.

also, v3 won’t be limited to Lua. that’s just the first alternative engine they are introducing. gotemplating will still be supported.

pull-based DevOps workflow, a new Helm Controller project will be started

is this related to Flux?
2018-10-23

The Helm provider is used to deploy software packages in Kubernetes. The provider needs to be configured with the proper credentials before it can be used.

not sure if I prefer terraform managing helm to helmfile managing helm

we’ve had to do a lot of conditional logic to support helm configuration which is supported by helmfile

but configurable values in helm is not easy. maybe with 0.12 it will be a viable alternative.

with terraform shared state as a service, it may win me over


Come and read Google GKE vs Microsoft AKS vs Amazon EKS on Kubedex.com. The number one site to Discover, Compare and Share Kubernetes Applications.

a kops column would be nice


yea, I guess they are looking more at managed offerings

but kops would be good for comparison nonetheless

what’s going on with Alibaba Cloud ACK ? (failed in many cases)
2018-10-31

what’s the go-to deployment tool you guys are using

I’m looking for something that is simple for customers without any k8s experience


smarty pants

we use helmfile https://github.com/roboll/helmfile
Deploy Kubernetes Helm Charts. Contribute to roboll/helmfile development by creating an account on GitHub.

and we have a collection of common helmfiles we use https://github.com/cloudposse/helmfiles
Comprehensive Distribution of Helmfiles. Works with helmfile.d - cloudposse/helmfiles

so you are running tiller and such on k8s?

yes

also @Ryan Ryke, we use https://codefresh.io for CI/CD

in there, you can deploy a helm chart to a k8s cluster from the console

have you guys looked at jenkins x?

you can have a helm chart in any repositories (museums), they even offer their own Managed Helm repos

no, we did not use Jenkins X for that

it’s too bad the AWS tools aren’t a little better suited

skaffold looks cool too

yea AWS is lacking a lot in k8s space

Looks like Deis and Deis Workflow are both no longer maintained

Those were the reason, though, that helm exists

They are built to create a Heroku like experience for Kubernetes

Oh looks like Flynn is still alive and well https://github.com/flynn/flynn
A next generation open source platform as a service (PaaS) - flynn/flynn

IMO they were the underdog to Deis. Deis got acquired by Microsoft and got abandoned shortly thereafter.


This is the first in a series of posts for managing Kubernetes costs. Article shows how to quickly setup monitoring for basic cost metrics.

@Daren

skimmed it quickly, is it free?

as far as I can tell

Quickly install kube-state-metrics, prometheus, and grafana on your cluster with helm. - AjayTripathy/kubecost-quickstart

yea I went to the Kubecost website at the bottom of the article

Effectively manage your Kubernetes costs

for those that missed it

and they had some pricing shenanigans

⎈❏ Terminal and Web console for Kubernetes. Contribute to astefanutti/kubebox development by creating an account on GitHub.