<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Kubernetes on BrainBit Latest Articles</title><link>https://brainbit.uk/tags/kubernetes/</link><description>Recent content in Kubernetes on BrainBit Latest Articles</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Thu, 13 Jan 2022 00:00:00 +0000</lastBuildDate><atom:link href="https://brainbit.uk/tags/kubernetes/index.xml" rel="self" type="application/rss+xml"/><item><title>So long dockershim</title><link>https://brainbit.uk/posts/containerd/</link><pubDate>Thu, 13 Jan 2022 00:00:00 +0000</pubDate><guid>https://brainbit.uk/posts/containerd/</guid><description>So long dockershim Hey as you know the latest versions of kubernetes have gotten rid of dockershim, so for example in GKE docker is not the default runtime anymore &amp;hellip; which is a bit of a pain in a way cause is kind of handy to ssh into gke node and:
docker exec --id 0 --privileged -it container bash Sometimes when containers are run unprivileged and as non-root inside Kubernetes, for example when you need to strace tcpdump etc.</description></item><item><title>Packet Where Are You?</title><link>https://brainbit.uk/posts/pwru/</link><pubDate>Tue, 02 Nov 2021 00:00:00 +0000</pubDate><guid>https://brainbit.uk/posts/pwru/</guid><description>PWRU (Packet Where Are You) Taken from their GitHub repo https://github.com/cilium/pwru: &amp;ldquo;pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities. It allows fine-grained introspection of kernel state to facilitate debugging network connectivity issues.&amp;rdquo;
So it is a tool that attaches a bunch of kprobes to specific kernel functions or interfaces, I&amp;rsquo;m not so sure, and it shows places in the kernel data path that a given packet traverses</description></item><item><title>Cilium TLS inspection</title><link>https://brainbit.uk/posts/cilium-tls-inspection/</link><pubDate>Sat, 11 Sep 2021 00:00:00 +0100</pubDate><guid>https://brainbit.uk/posts/cilium-tls-inspection/</guid><description>TLS in simple terms When your browser verifies a TLS certificate, it checks for expiration, domains, SANs etc&amp;hellip; but the most important thing it does is that it verifies that the certificate has been signed by a CA (Certificate Authority) it (the browser) trusts. These CAs are a bunch of arbitrary organisations that are allowed to sign certificate requests etc.
A self-signed certificate, in general terms, is as valid as a certificate signed by a CA; the main difference is that it is not signed by a CA that is trusted by the browser.</description></item><item><title>Tracing services with Istio</title><link>https://brainbit.uk/posts/tracing-services-with-istio/</link><pubDate>Wed, 25 Jul 2018 11:52:35 +0000</pubDate><guid>https://brainbit.uk/posts/tracing-services-with-istio/</guid><description>Super quick post. When Istio injects the Envoy sidecar container into your pod, each request that comes in and out is “appended” with a number of HTTP headers that are then used for tracing.
This is one of the many benefits of the “side car injection” approach that Istio has embraced, a bit intrusive yea, but so far it seems to work nicely.
Ok so quickly you can deploy jaeger and zipkin by enabling it on the chart:</description></item><item><title>Istio Mixer Adapters.</title><link>https://brainbit.uk/posts/istio-mixer-adapters/</link><pubDate>Tue, 24 Jul 2018 12:31:22 +0000</pubDate><guid>https://brainbit.uk/posts/istio-mixer-adapters/</guid><description>Quick article about Mixer and adapters. One of the things I wanted to find out is what’s the involvement of Istio/Mixer when traffic is sent from one pod to another. Having that kind of segregation or isolation could be useful; for example, let’s imagine a 3 tier app in 3 different pods, you wouldn’t want your view layer speaking directly with the model, for example:</description></item><item><title>K8 Istio little Deep Dive</title><link>https://brainbit.uk/posts/k-istio-little-deep-dive/</link><pubDate>Sat, 21 Jul 2018 19:51:13 +0000</pubDate><guid>https://brainbit.uk/posts/k-istio-little-deep-dive/</guid><description>I’ve been playing a little bit with Istio, mostly egress, but today I wanted to write about ingresses.
Basically Istio ingresses are a number of proxies (envoy) that kind of talk to each other to deal with access, throttling and app routing in general.
What is really interesting about the Istio approach is the sidecar injection. Imagine that you’re running a container that execs nginx (port 80).
What Istio does is “inject” a sidecar container that runs on the same pod, that means, sharing the kernel network namespace with privileged mode and NET_ADMIN capabilities.</description></item><item><title>Docker Quotas and Mario Bros</title><link>https://brainbit.uk/posts/docker-quotas-and-mario-bros/</link><pubDate>Thu, 08 Feb 2018 19:33:48 +0000</pubDate><guid>https://brainbit.uk/posts/docker-quotas-and-mario-bros/</guid><description>Intro: I’ve been meaning to write about Docker and CFS (Completely Fair Scheduler) for a long time, but I’ve been busy with work etc.
I’m gonna use Docker to limit a process’s CPU usage, and we’re gonna explore what kind of metrics we have to maybe troubleshoot an under-provisioned application. We’re going to be playing with fceux and Mario.
CFS (Scheduler): CFS has been the default scheduler of the Linux kernel for a while. This isn’t an attempt to explain it in depth, but there’s a lot of interesting data about this, especially something about the main developer coming from the medical area or something like that.</description></item><item><title>Kubernetes 101 DaemonSets #5</title><link>https://brainbit.uk/posts/kubernetes-daemonsets-sharp/</link><pubDate>Tue, 13 Jun 2017 09:57:38 +0000</pubDate><guid>https://brainbit.uk/posts/kubernetes-daemonsets-sharp/</guid><description>Hello all, so today we will take a little look at DaemonSets (DS) in Kubernetes. The idea behind DS is to ensure that all nodes (or some, depending on the selector) are running a copy of a given pod.
A good question would be when to use these, and the documentation refers to things that you might want to run forcefully on all nodes:
Log Aggregation and collection, Storage Clusters, Monitoring. They’re described in YAML files like:</description></item><item><title>Kubernetes 101 Rollouts2 #5</title><link>https://brainbit.uk/posts/kubernetes-rollouts-sharp/</link><pubDate>Wed, 31 May 2017 07:53:51 +0000</pubDate><guid>https://brainbit.uk/posts/kubernetes-rollouts-sharp/</guid><description>So what happens when you roll out? Some containers will be destroyed, maybe some containers that live traffic goes to, sticky sessions etc etc.
I wanted to quickly see how smooth the transition is, so let’s create a deployment, update the image and run siege to see how much we lose:
Siege:
The % might not be an accurate measure since I was running siege before the rollout, but 37 transactions failed at a rate of 78/sec. This isn’t so bad, but I’m sure there’s ways to do this better.</description></item><item><title>Kubernetes 101 iptables? #3</title><link>https://brainbit.uk/posts/kubernetes-iptables-sharp/</link><pubDate>Tue, 30 May 2017 14:27:39 +0000</pubDate><guid>https://brainbit.uk/posts/kubernetes-iptables-sharp/</guid><description>I wanted to do some digging about how services work within the nodes, that is, how packets are forwarded from the outside, evil and relentless world to the container through bridges etc.
So step 1, find what port the service has bound to:
The port is 30235, apparently. Now let’s look into iptables inside the node. Notice that it is doing a -j (jump) to another chain/extension, in this case KUBE-SVC-URRHIARQWDHNXJTW</description></item><item><title>Kubernetes 101 Services #2</title><link>https://brainbit.uk/posts/kubernetes-services-sharp/</link><pubDate>Tue, 30 May 2017 08:58:50 +0000</pubDate><guid>https://brainbit.uk/posts/kubernetes-services-sharp/</guid><description>So I wanted to talk a little bit about services and addressing today. When you create a deployment, “A declarative update for pods and replicasets”, like the one we’ve created in the previous article, you get:
pod (with x amount of replicas), replicaset. So we will need services. Services are an abstraction lying “logically” on top of pods; the idea is that as pods are sort of non-static entities, as in pods die (old releases) and new ones are created.</description></item><item><title>Kubernetes 101 Basics #1</title><link>https://brainbit.uk/posts/kubernetes-basics-sharp/</link><pubDate>Mon, 29 May 2017 08:41:39 +0000</pubDate><guid>https://brainbit.uk/posts/kubernetes-basics-sharp/</guid><description>Hi all, I started playing with Kubernetes some time back, and I wanted to write a series of articles about it, maybe starting with the basics and syntax and finishing with the internals (if I get time to learn it myself)
First of all, we’re gonna use minikube for this series; when we get to parts where minikube isn’t enough then we’ll plan something else.</description></item></channel></rss>