Ivan on Containers, Kubernetes, and Backend Development


Hello friends!

Ivan's here with a traditional monthly round-up. After spending August (rather unexpectedly) heads down building the Kubernetes Explorer UI, it feels extremely great to be back to the business of writing. September was a very fruitful month, and I finally had a chance to leverage many of the things I've been working on so hard since the beginning of the year.

In this issue:

  • Kubernetes Explorer goes open-source! πŸŽ‰
  • One new and one revamped blog posts interactive tutorials πŸ§ͺ
  • My first Kubernetes 101 Workshop - I'm already nervous πŸ˜…
  • A lot of good reads I've come across over the past few weeks πŸ“š

Let's get started!


k'exp - Kubernetes Explorer

In the summer of 2022, over a weekend, I wrote a PoC of a visualization tool that was showing Kubernetes objects and their relationships on a dynamically updating graph.

Little did I know that it would take me more than a year to think the idea through and then almost a full month of extra work to turn the PoC into a functional MVP. Most of you, of course, know what tool I'm talking about - last month's issue was dedicated solely to this shiny new Kubernetes UI. And today, I'm happy to announce that k'exp has become open source!

Go give it a try github.com/iximiuz/kexp πŸ˜‰

kexp

open localhost:5173


What I was writing

One of the big features that landed in the Kubernetes Explorer in September was the Pods Insights view. I was so happy with the way it came out that I even started writing a blog post specifically to demo it. However, halfway through this work, I repurposed it, and in hindsight, it was the right choice - that's how iximiuz Labs got its very first Kubernetes tutorial:

​Making Sense Out of Native Sidecar Containers in Kubernetes​

Another tutorial that made it to iximiuz Labs this month is my good old Containers vs. Pods - Taking a Deeper Look. It was fully reworked to make examples compatible with the contemporary versions of Docker and Kubernetes. It's also the first tutorial on the platform that leverages a multi-node playground.

Somewhat off-topic, but I also wrote a piece on how to choose between JavaScript and TypeScript in a pragmatic way - it's a reflection on my own experience building a relatively complex website and a single-page application using both of these languages.


Kubernetes 101 Workshop

I'm thrilled (and a little bit nervous) to announce that I'll be doing my very first online Kubernetes workshop on October 5th. Many thanks to Cloud Native Islamabad and Saim Safdar personally for inviting me!

The workshop will be for Kubernetes beginners, and I'll try to draw parallels between running traditional VM (or bare-metal) services and achieving the same results but in a Kubernetes cluster. We'll start with a simple single-instance service and then see what it takes to organize ingress, scale the service, deploy it without downtime, and configure cross-service communication, including service discovery. It's going to be fun (I hope) and highly practical, with a lot of visual materials and, of course, leveraging iximiuz Labs.


What I was reading

I finally have more time to read, so I've been catching up on my list aggressively. Brace for impact.

​Kubernetes 1.28: Revenge of the Sidecars? by Linkerd - A slightly lengthy intro but otherwise a good read on the need for sidecars (as a design pattern) and how, up until recently, Kubernetes was lacking first-class support of them, making people use various workarounds to overcome initialization race conditions and pod termination quirks. Two particular issues I faced in my platform engineering days that aren't mentioned in the article: 1) upgrading the version of a sidecar for the entire org can take several months, slowing down the platform team, and 2) cumulative resource overhead of hundreds or even thousands of sidecar can actually be pretty high. Something Istio's new Ambient architecture might be solving for (but I have yet to take a closer look at it). But again, not every sidecar is a service mesh's proxy.

​Understanding Kubernetes' new sidecar container feature - Another valuable post on the new Kubernetes feature, this time by Mirantis. I've read too many of them, and most aren't complimentary to what the docs already say. This one sheds more light by rehashing the KEP and providing extra historical and practical aspects.

A good series (1, 2, 3, 4, 5, 6) on container internals and their implications on the security of containerized workloads by Rory McCune.

​Fun with privileged container breakout also by Rory McCune - fun (and scary) stuff - containers aren't really meant for security, and privileged containers are essentially just root processes on your host because the only thing that "isolates" it is a chroot(-like) barrier, and Rory McCune shows how easily can it be broken out.

​Fun with container images - Bypassing vulnerability scanners - image vulnerability scanner is an awful misnomer, IMO. My (layman’s) take on it is that these tools are essentially (still pretty primitive) SBOM constructors - they try to turn a black box container image into a list of installed system and programming language packages. And when such a list is ready, they run it against a database of known vulnerabilities. By no means such a tool should be called a vuln scanner because it gives a false feeling of safety. But don’t get me wrong - maintaining SBOMs and complete software inventories of what you consume and what you ship, including cross-checking this data against known vuln databases, is an important integral part of securing the software supply chain. It’d be great to just name things slightly less misleadingly.

​The internals and the latest trends of container runtimes (2023) - A great read by Akihiro Suda on the internals of container runtimes and the latest trends in the area (2023 edition). It's full of helpful visuals that definitely speed up sorting facts out.

​helm-playground.com - a handy playground. Not only for playing with Helm charts but also for just debugging Go template expressions (which I find myself doing more often than not).

​Good Enough Abstractions by Matt Rickard - Enduring abstractions aren’t always the philosophically pure ones. They are messy and leaky, but they are handy and good enough. Markdown is a perfect example.

​Akin's Laws of Spacecraft Design again by Matt Rickard - so many gems there. I even wrote my own reflection.

​Automate (But Automate Last) - that’s a strategy I (often subconsciously) follow when I’m wearing my DevOps hat. Some early-stage processes might be too volatile to script them. Rollout of new code (or baking a new iximiuz Labs playground) is a perfect example. Instead of scripting it right away, I let the routine stabilize and by performing it manually the first few times. Of course, the initial procedure gets, most of the time, fully reworked by the end of the fifth attempt. So why then spend time on automation of something that won’t be here next month?

​The Not Kubernetes Podcast, with David Heinemeier Hansson - many things DHH shares here resonate with me. About building software, finding a niche, managing risks and not following the business runbooks others want you to follow, and more. I have a strange relationship with DHH's work - I admired Basecamp, 37signals, and Rework, got into Ruby and RoR because of his influence and hated the framework with all my heart, find his recent tweets & blog posts on Cloud and Kubernetes contradicting my own model of the industry, and I totally loved how reasonable everything sounded in this podcast episode.


Wrapping up

That is it for September. Hope you find my work helpful πŸ™Œ

Cheers

Ivan

Help iximiuz Labs evolve faster by supporting my work on Patreon. As a patron, you'll get more powerful playgrounds, access to premium content, and an invite to a private Discord community. Does your company have a learning and development budget? Then this expense most likely can be reimbursed 😎

Ivan Velichko

Building labs.iximiuz.com - a place to help you learn Containers and Kubernetes the fun way πŸš€

Read more from Ivan Velichko
Diagram showing desired network policy configuration between frontend and backend pods

Hey, fellow server dweller πŸ‘‹ Ivan here with an exciting iximiuz Labs update! The month isn't over yet, so it's not quite time for the traditional monthly roundup. However, there have been so many updates on the platform in the past couple of weeks that they couldn't possibly fit into a single email. So, let's dive in πŸš€ Backend Revamp: Faster, Smarter, Stronger Over the past few weeks, I rolled out a significant backend rewrite at iximiuz Labs, and I couldn't be more excited to share the...

Hello πŸ‘‹ Ivan's here with November's roundup of all things Linux, Containers, Kubernetes, and Server Side πŸ§™ What I was working on This month was (extremely) development-heavy. Two-thirds of it went into the implementation of custom playground machinery and a new Kubernetes "Omni" playground, and in the last part, I was unexpectedly busy with expanding the platform's capacity and launching a new server in India πŸŽ‰ The latter became possible thanks to the support of all of you who got the premium...

Hello, fellow server dweller πŸ‘‹ I've got two exciting announcements to make. Starting with the shorter one, this year, I decided to give Black Friday a try. This is an experiment - iximiuz Labs hasn't done sales before and won't have any in the foreseeable future, at least not until next November. So, if you wanted to get a premium membership but the price felt too high, this is your rare chance to get it with a 50% discount. The offer is limited to exactly one week. Now, to the second, much...