#office-hours (2019-09)

Meeting password: sweetops

Public “Office Hours” are held every Wednesday at 11:30 PST via Zoom. It’s open to everyone. Ask questions related to DevOps & Cloud and get answers! https://cpco.io/slack-office-hours

2019-09-26

Erik Osterman (Cloud Posse)

@Jeremy (Cloud Posse) @Andriy Knysh (Cloud Posse) @Igor Rodionov @Maxim Mironenko (Cloud Posse) maybe something nice to check out

Jeremy (Cloud Posse)
05:45:12 PM

@Jeremy (Cloud Posse) has joined the channel

Igor Rodionov
05:45:12 PM

@Igor Rodionov has joined the channel

Maxim Mironenko (Cloud Posse)
05:45:12 PM

@Maxim Mironenko (Cloud Posse) has joined the channel

2019-09-25

Erik Osterman (Cloud Posse)
derailed/popeye

🧭 A Kubernetes cluster resource sanitizer. Contribute to derailed/popeye development by creating an account on GitHub.

Erik Osterman (Cloud Posse)
getsentry/sentry-kubernetes

Kubernetes event reporter for Sentry. Contribute to getsentry/sentry-kubernetes development by creating an account on GitHub.

Erik Osterman (Cloud Posse)
derailed/k9s

Kubernetes CLI To Manage Your Clusters In Style! - derailed/k9s

Erik Osterman (Cloud Posse)
tmrts/boilr

boilerplate template manager that generates files or directories from template repositories - tmrts/boilr

roth.andy

I seriously use k9s every freaking day. It is my favorite tool since brew

roth.andy

The maintainer is super active, nice, reliable, quick to respond, and brilliant

roth.andy

I’ve tried a bunch of times to get him to set up the donation stuff but he doesn’t seem interested in money. I want to buy the man like 10 beers

2019-09-18

Erik Osterman (Cloud Posse)

@here public #office-hours starting now! join us to talk shop https://zoom.us/j/508587304

Erik Osterman (Cloud Posse)
Feature: Conditionally load tfvars/tf file based on Workspace · Issue #15966 · hashicorp/terraform

Feature Request Terraform to conditionally load a .tfvars or .tf file, based on the current workspace. Use Case When working with infrastructure that has multiple environments (e.g. "staging"…

Erik Osterman (Cloud Posse)
Restrict Plan or Apply to Github Teams or Github Users · Issue #308 · runatlantis/atlantis

what Allow operator to define a list of permitted users who can trigger atlantis commands why Currently, the only way to restrict access is by adding/revoking users from a repository altogether. We…

Erik Osterman (Cloud Posse)
Deploying to Kubernetes with Helm and GitHub Actions

This tutorial will go through the basics of GitHub actions as well as deploying to Kubernetes using a pre-built Helm action

dalekurt

What was the issue with using kube2iam?

Erik Osterman (Cloud Posse)

Every node is responsible for negotiating with AWS APIs to get STS tokens

Erik Osterman (Cloud Posse)

If you restart all your pods or launch a lot of pods you will overload the kube2iam server and AWS APIs

Erik Osterman (Cloud Posse)

Rate limits are account wide

Erik Osterman (Cloud Posse)

So you can basically DoS attack the AWS APIs and they return the favor by blocking you

Erik Osterman (Cloud Posse)

We have had this happen across multiple accounts and customers before switching to Kiam

Erik Osterman (Cloud Posse)

Also the security model of kube2iam means the nodes themselves need an admin IAM role

Erik Osterman (Cloud Posse)

With Kiam only the server needs it and that can be deployed to a dedicated node pool

dalekurt

Coincidentally, my team member just asked about using kube2iam and I recalled that from our office hours.

Erik Osterman (Cloud Posse)

And it caches the credentials so it’s both much faster and doesn’t DoS AWS

Erik Osterman (Cloud Posse)
Kiam: Iterating for Security and Reliability

Kiam bridges Kubernetes’ Pods with Amazon’s Identity and Access Management (IAM). It makes it easy to assign short-lived AWS security…

dalekurt

Thanks @Erik Osterman (Cloud Posse) that was helpful.

Erik Osterman (Cloud Posse)

Read all about it here

roth.andy

page not found

roth.andy

paywall?

roth.andy

@Erik Osterman (Cloud Posse) Can you share that link to the AWS Service Operator-like operator for Terraform?

Erik Osterman (Cloud Posse)
rancher/terraform-controller

Use K8s to Run Terraform. Contribute to rancher/terraform-controller development by creating an account on GitHub.

roth.andy

thanks

Erik Osterman (Cloud Posse)

the downside with these operators is surfacing errors

roth.andy

I can see that, another one would be, for example, provisioning an RDS DB takes 30+ minutes sometimes

roth.andy

Is the rest of your deployment going to sit there and wait? I guess it will have to

Erik Osterman (Cloud Posse)

yea, for that reason we use containers for disposable staging environments

Erik Osterman (Cloud Posse)

usually prebaked with datasets to speed up delivery

Erik Osterman (Cloud Posse)

@dalekurt here is how we deploy kiam with cert-manager: https://github.com/cloudposse/helmfiles/tree/master/releases

cloudposse/helmfiles

Comprehensive Distribution of Helmfiles. Works with helmfile.d - cloudposse/helmfiles

2019-09-11

Erik Osterman (Cloud Posse)

joining now!

Erik Osterman (Cloud Posse)

sorry running late

Erik Osterman (Cloud Posse)

#office-hours starting now! ask questions, get answers. free for everyone. https://zoom.us/j/508587304

Alex Siegman

just me today? i don’t have anything, was just going to listen in. no offices for me to be noisy in

Erik Osterman (Cloud Posse)

ok!

Erik Osterman (Cloud Posse)

yea, no one yet.

Erik Osterman (Cloud Posse)

@russell.t.sherman saw you registered for office hours

Erik Osterman (Cloud Posse)

we’re on now.

Alex Siegman

also helps if i unmute my headphones lol

oscar

I just got home

oscar

Gimme 5 mins

Erik Osterman (Cloud Posse)

sure, i’ll just hang out

Alex Siegman

I do have something we could work through if i can steal an office

Alex Siegman

i need to debug why i’m getting a “too many redirects” on a new service, might be interesting for folks who want to see the workings of the CP stack

Alex Siegman

nothing sensitive that i’d be afraid to show

Erik Osterman (Cloud Posse)

ok, sure thing

Erik Osterman (Cloud Posse)

@Alex Siegman forecastle.stakater.com/url: 'https://{{- env "KEYCLOAK_INGRESS_HOSTS" -}}/auth/admin/'

Erik Osterman (Cloud Posse)
stakater/Forecastle

Forecastle is a control panel which dynamically discovers and provides a launchpad to access applications deployed on Kubernetes – [✩Star] if you’re using it! - stakater/Forecastle

2019-09-10

dalekurt

@tamsky To clarify, we have VPC peering between the AWS accounts and AWS<~>GCP we are using VPN

2019-09-04

Erik Osterman (Cloud Posse)

#office-hours starting now! ask questions, get answers. free for everyone. https://zoom.us/j/508587304

dalekurt

It is done @Erik Osterman (Cloud Posse)?

tamsky

Mentioned in today’s #office-hours was “VPC peering between GCP and AWS.” I hadn’t heard of this before, and after looking around, I still don’t know if what was meant was actually VPC peering between AWS<>GCP or a VPN solution.