Hello friends!
Ivan's here with a traditional monthly round-up. After spending August (rather unexpectedly) heads down building the Kubernetes Explorer UI, it feels extremely great to be back to the business of writing. September was a very fruitful month, and I finally had a chance to leverage many of the things I've been working on so hard since the beginning of the year.
In this issue:
Let's get started!
In the summer of 2022, over a weekend, I wrote a PoC of a visualization tool that was showing Kubernetes objects and their relationships on a dynamically updating graph.
Little did I know that it would take me more than a year to think the idea through and then almost a full month of extra work to turn the PoC into a functional MVP. Most of you, of course, know what tool I'm talking about - last month's issue was dedicated solely to this shiny new Kubernetes UI. And today, I'm happy to announce that k'exp has become open source!
Go give it a try: github.com/iximiuz/kexp
kexp
open localhost:5173
One of the big features that landed in the Kubernetes Explorer in September was the Pods Insights view. I was so happy with the way it came out that I even started writing a blog post specifically to demo it. However, halfway through this work, I repurposed it, and in hindsight, it was the right choice - that's how iximiuz Labs got its very first Kubernetes tutorial:
Making Sense Out of Native Sidecar Containers in Kubernetes
Another tutorial that made it to iximiuz Labs this month is my good old Containers vs. Pods - Taking a Deeper Look. It was fully reworked to make examples compatible with the contemporary versions of Docker and Kubernetes. It's also the first tutorial on the platform that leverages a multi-node playground.
Somewhat off-topic, but I also wrote a piece on how to choose between JavaScript and TypeScript in a pragmatic way - it's a reflection on my own experience building a relatively complex website and a single-page application using both of these languages.
I'm thrilled (and a little bit nervous) to announce that I'll be doing my very first online Kubernetes workshop on October 5th. Many thanks to Cloud Native Islamabad and Saim Safdar personally for inviting me!
The workshop will be for Kubernetes beginners, and I'll try to draw parallels between running traditional VM (or bare-metal) services and achieving the same results but in a Kubernetes cluster. We'll start with a simple single-instance service and then see what it takes to organize ingress, scale the service, deploy it without downtime, and configure cross-service communication, including service discovery. It's going to be fun (I hope) and highly practical, with a lot of visual materials and, of course, leveraging iximiuz Labs.
I finally have more time to read, so I've been catching up on my list aggressively. Brace for impact.
- Kubernetes 1.28: Revenge of the Sidecars? by Linkerd - A slightly lengthy intro but otherwise a good read on the need for sidecars (as a design pattern) and how, up until recently, Kubernetes was lacking first-class support for them, making people use various workarounds to overcome initialization race conditions and pod termination quirks. Two particular issues I faced in my platform engineering days that aren't mentioned in the article: 1) upgrading the version of a sidecar for the entire org can take several months, slowing down the platform team, and 2) the cumulative resource overhead of hundreds or even thousands of sidecars can actually be pretty high. Istio's new Ambient architecture might be solving for the latter (but I have yet to take a closer look at it). But again, not every sidecar is a service mesh's proxy.
- Understanding Kubernetes' new sidecar container feature - Another valuable post on the new Kubernetes feature, this time by Mirantis. I've read too many of them, and most aren't complementary to what the docs already say. This one sheds more light by rehashing the KEP and providing extra historical and practical aspects.
- A good series (1, 2, 3, 4, 5, 6) on container internals and their implications for the security of containerized workloads by Rory McCune.
- Fun with privileged container breakout, also by Rory McCune - fun (and scary) stuff. Containers aren't really meant for security, and privileged containers are essentially just root processes on your host, because the only thing that "isolates" them is a chroot(-like) barrier, and Rory McCune shows how easily it can be broken out of.
- Fun with container images - Bypassing vulnerability scanners - "image vulnerability scanner" is an awful misnomer, IMO. My (layman's) take on it is that these tools are essentially (still pretty primitive) SBOM constructors - they try to turn a black box container image into a list of installed system and programming language packages. And when such a list is ready, they run it against a database of known vulnerabilities. Such a tool should by no means be called a vuln scanner, because it gives a false feeling of safety. But don't get me wrong - maintaining SBOMs and complete software inventories of what you consume and what you ship, including cross-checking this data against known vuln databases, is an important, integral part of securing the software supply chain. It'd be great to just name things slightly less misleadingly.
- The internals and the latest trends of container runtimes (2023) - A great read by Akihiro Suda on the internals of container runtimes and the latest trends in the area (2023 edition). It's full of helpful visuals that definitely speed up sorting facts out.
- helm-playground.com - a handy playground. Not only for playing with Helm charts but also for just debugging Go template expressions (which I find myself doing more often than not).
- Good Enough Abstractions by Matt Rickard - Enduring abstractions aren't always the philosophically pure ones. They are messy and leaky, but they are handy and good enough. Markdown is a perfect example.
- Akin's Laws of Spacecraft Design, again by Matt Rickard - so many gems there. I even wrote my own reflection.
- Automate (But Automate Last) - that's a strategy I (often subconsciously) follow when I'm wearing my DevOps hat. Some early-stage processes might be too volatile to script. Rolling out new code (or baking a new iximiuz Labs playground) is a perfect example. Instead of scripting it right away, I let the routine stabilize by performing it manually the first few times. Of course, the initial procedure gets, most of the time, fully reworked by the end of the fifth attempt. So why spend time automating something that won't be here next month?
- The Not Kubernetes Podcast, with David Heinemeier Hansson - many things DHH shares here resonate with me. About building software, finding a niche, managing risks and not following the business runbooks others want you to follow, and more. I have a strange relationship with DHH's work - I admired Basecamp, 37signals, and Rework, got into Ruby and RoR because of his influence and hated the framework with all my heart, find his recent tweets & blog posts on Cloud and Kubernetes contradicting my own model of the industry, and I totally loved how reasonable everything sounded in this podcast episode.
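As an added illustration of the point above (my own example, not code from Rory McCune's post or from k'exp), here is a small audit that flags pod manifests whose containers are effectively root on the node: privileged: true, plus the host-namespace and hostPath settings that the Pod Security Standards baseline profile also forbids. The sample pods and the kubectl-style JSON document are constructed.

```python
import json

# Constructed sample manifests: an ordinary pod and one that is "privileged" in
# every sense the text warns about (not taken from any real cluster).
SAMPLE_PODS = [
    {"metadata": {"name": "web", "namespace": "apps"},
     "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25"}]}},
    {"metadata": {"name": "node-agent", "namespace": "monitoring"},
     "spec": {"hostPID": True,
              "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
              "containers": [{"name": "agent", "image": "agent:0.1",
                              "securityContext": {"privileged": True},
                              "volumeMounts": [{"name": "root", "mountPath": "/host"}]}]}},
]
# What `kubectl get pods -A -o json` would look like for those two pods.
SAMPLE_KUBECTL_JSON = json.dumps({"kind": "List", "items": SAMPLE_PODS})


def audit_pod(pod):
    """Return findings (strings) for one Pod manifest given as a dict."""
    spec = pod.get("spec", {})
    meta = pod.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    # Host namespaces: the container shares the node's PID, IPC or network view.
    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(ns):
            findings.append(f"{name}: {ns}=true")
    # hostPath volumes expose the node's filesystem even without privileged=true.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path", "?")
            findings.append(f"{name}: hostPath volume {vol.get('name')} -> {path}")
    # privileged=true switches off the capability, device and LSM boundaries;
    # what is left is the chroot-like view the text talks about.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{name}: container {c.get('name')} privileged=true")
    return findings


def audit_kubectl_json(text):
    """Audit either a single Pod or a List (kubectl -o json) document."""
    doc = json.loads(text)
    pods = doc.get("items", [doc])
    return [f for pod in pods for f in audit_pod(pod)]


if __name__ == "__main__":
    for finding in audit_kubectl_json(SAMPLE_KUBECTL_JSON):
        print(finding)
```

Pipe `kubectl get pods -A -o json` into `audit_kubectl_json` to run the same checks against a live cluster; an empty result for a namespace is what the baseline profile expects.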
That is it for September. Hope you find my work helpful!
Cheers
Ivan
Building labs.iximiuz.com - a place to help you learn Containers and Kubernetes the fun way.