Hello friends!

Ivan's here with a traditional monthly round-up. After spending August (rather unexpectedly) heads down building the Kubernetes Explorer UI, it feels extremely great to be back to the business of writing. September was a very fruitful month, and I finally had a chance to leverage many of the things I've been working on so hard since the beginning of the year.

In this issue:

• Kubernetes Explorer goes open-source! 🎉
• One new and one revamped blog posts interactive tutorials 🧪
• My first Kubernetes 101 Workshop - I'm already nervous 😅
• A lot of good reads I've come across over the past few weeks 📚

Let's get started!

k'exp - Kubernetes Explorer

In the summer of 2022, over a weekend, I wrote a PoC of a visualization tool that was showing Kubernetes objects and their relationships on a dynamically updating graph.

Little did I know that it would take me more than a year to think the idea through and then almost a full month of extra work to turn the PoC into a functional MVP. Most of you, of course, know what tool I'm talking about - last month's issue was dedicated solely to this shiny new Kubernetes UI. And today, I'm happy to announce that k'exp has become open source!

Go give it a try github.com/iximiuz/kexp 😉

kexp

open localhost:5173

What I was writing

One of the big features that landed in the Kubernetes Explorer in September was the Pods Insights view. I was so happy with the way it came out that I even started writing a blog post specifically to demo it. However, halfway through this work, I repurposed it, and in hindsight, it was the right choice - that's how iximiuz Labs got its very first Kubernetes tutorial:

​Making Sense Out of Native Sidecar Containers in Kubernetes​

Another tutorial that made it to iximiuz Labs this month is my good old Containers vs. Pods - Taking a Deeper Look. It was fully reworked to make examples compatible with the contemporary versions of Docker and Kubernetes. It's also the first tutorial on the platform that leverages a multi-node playground.

Somewhat off-topic, but I also wrote a piece on how to choose between JavaScript and TypeScript in a pragmatic way - it's a reflection on my own experience building a relatively complex website and a single-page application using both of these languages.

Kubernetes 101 Workshop

I'm thrilled (and a little bit nervous) to announce that I'll be doing my very first online Kubernetes workshop on October 5th. Many thanks to Cloud Native Islamabad and Saim Safdar personally for inviting me!

The workshop will be for Kubernetes beginners, and I'll try to draw parallels between running traditional VM (or bare-metal) services and achieving the same results but in a Kubernetes cluster. We'll start with a simple single-instance service and then see what it takes to organize ingress, scale the service, deploy it without downtime, and configure cross-service communication, including service discovery. It's going to be fun (I hope) and highly practical, with a lot of visual materials and, of course, leveraging iximiuz Labs.

What I was reading

I finally have more time to read, so I've been catching up on my list aggressively. Brace for impact.

​Kubernetes 1.28: Revenge of the Sidecars? by Linkerd - A slightly lengthy intro but otherwise a good read on the need for sidecars (as a design pattern) and how, up until recently, Kubernetes was lacking first-class support of them, making people use various workarounds to overcome initialization race conditions and pod termination quirks. Two particular issues I faced in my platform engineering days that aren't mentioned in the article: 1) upgrading the version of a sidecar for the entire org can take several months, slowing down the platform team, and 2) cumulative resource overhead of hundreds or even thousands of sidecar can actually be pretty high. Something Istio's new Ambient architecture might be solving for (but I have yet to take a closer look at it). But again, not every sidecar is a service mesh's proxy.

​Understanding Kubernetes' new sidecar container feature - Another valuable post on the new Kubernetes feature, this time by Mirantis. I've read too many of them, and most aren't complimentary to what the docs already say. This one sheds more light by rehashing the KEP and providing extra historical and practical aspects.

A good series (1, 2, 3, 4, 5, 6) on container internals and their implications on the security of containerized workloads by Rory McCune.

​Fun with privileged container breakout also by Rory McCune - fun (and scary) stuff - containers aren't really meant for security, and privileged containers are essentially just root processes on your host because the only thing that "isolates" it is a chroot(-like) barrier, and Rory McCune shows how easily can it be broken out.

​Fun with container images - Bypassing vulnerability scanners - image vulnerability scanner is an awful misnomer, IMO. My (layman’s) take on it is that these tools are essentially (still pretty primitive) SBOM constructors - they try to turn a black box container image into a list of installed system and programming language packages. And when such a list is ready, they run it against a database of known vulnerabilities. By no means such a tool should be called a vuln scanner because it gives a false feeling of safety. But don’t get me wrong - maintaining SBOMs and complete software inventories of what you consume and what you ship, including cross-checking this data against known vuln databases, is an important integral part of securing the software supply chain. It’d be great to just name things slightly less misleadingly.

​The internals and the latest trends of container runtimes (2023) - A great read by Akihiro Suda on the internals of container runtimes and the latest trends in the area (2023 edition). It's full of helpful visuals that definitely speed up sorting facts out.

​helm-playground.com - a handy playground. Not only for playing with Helm charts but also for just debugging Go template expressions (which I find myself doing more often than not).

​Good Enough Abstractions by Matt Rickard - Enduring abstractions aren’t always the philosophically pure ones. They are messy and leaky, but they are handy and good enough. Markdown is a perfect example.

​Akin's Laws of Spacecraft Design again by Matt Rickard - so many gems there. I even wrote my own reflection.

​Automate (But Automate Last) - that’s a strategy I (often subconsciously) follow when I’m wearing my DevOps hat. Some early-stage processes might be too volatile to script them. Rollout of new code (or baking a new iximiuz Labs playground) is a perfect example. Instead of scripting it right away, I let the routine stabilize and by performing it manually the first few times. Of course, the initial procedure gets, most of the time, fully reworked by the end of the fifth attempt. So why then spend time on automation of something that won’t be here next month?

​The Not Kubernetes Podcast, with David Heinemeier Hansson - many things DHH shares here resonate with me. About building software, finding a niche, managing risks and not following the business runbooks others want you to follow, and more. I have a strange relationship with DHH's work - I admired Basecamp, 37signals, and Rework, got into Ruby and RoR because of his influence and hated the framework with all my heart, find his recent tweets & blog posts on Cloud and Kubernetes contradicting my own model of the industry, and I totally loved how reasonable everything sounded in this podcast episode.

Wrapping up

That is it for September. Hope you find my work helpful 🙌

Cheers

Ivan