Kubernetes on Bill Glover

Tanzu Application Platform, Pinniped and Auth0

hello@bill.dev (Bill) — Fri, 04 Nov 2022 09:18:10 +0000

This post documents adding authentication to the Tanzu Application Platform (TAP) using Auth0 and Pinniped.

I often take shortcuts with authentication when demonstrating technology. In-part this is because setting up authentication and authorization can be difficult. That said, there are benefits to the flexibility of an administrative user. Like many who work with short-lived Kubernetes clusters, my default is Cluster Admin.

One downside to using cluster-admin is that I’m unable to explore RBAC capabilities. The capabilities and limitations of RBAC influence the experience of a product. The Tanzu Application Platform (TAP) is no exception. If real world use sees users mapped to one of the four default user roles that come with TAP, why do I use cluster-admin? I needed an instance of TAP configured with an identity provider that allowed me to map users to roles.

Backup and Restore AKS Clusters with Tanzu (Azure File storage)

hello@bill.dev (Bill) — Wed, 05 Oct 2022 11:25:00 +0000

Context

A customer asked how I might backup and restore workloads running on AKS using Azure File Premium storage. Azure Files mount an SMB share backed by an Azure storage account to pods running on AKS. For more details on storage options on AKS see the Azure documentation.

Migrate between Kubernetes clusters with Tanzu (Rancher to Azure)

hello@bill.dev (Bill) — Wed, 05 Oct 2022 11:20:00 +0000

Context

A customer asked how I might approach the challenge of migrating applications running on one Kubernetes cluster and restore them onto a new cluster running a different Kubernetes distribution. Assuming you don’t need to migrate the applications under load, backup and restore is a reasonable option.

Migrate between Kubernetes clusters with Tanzu (Rancher to Tanzu)

hello@bill.dev (Bill) — Wed, 05 Oct 2022 11:15:00 +0000

Context

Use the Kubernetes downwards API to set GOMEMLIMIT

hello@bill.dev (Bill) — Wed, 14 Sep 2022 21:10:06 +0100

Go 1.19 introduced the ability to tune the way the garbage collector works by setting a soft memory limit. One recommendation is to use this new memory limit when deploying in a container environment. This post looks at using the Kubernetes Downward API to set this soft limit.

Do I need a Soft Memory Limit

Do take advantage of the memory limit when the execution environment of your Go program is entirely within your control, and the Go program is the only program with access to some set of resources (i.e. some kind of memory reservation, like a container memory limit).

Copy Files to and from a Container

hello@bill.dev (Bill) — Tue, 24 May 2022 09:56:32 +0000

Problem: I needed to copy some database files into a container running on Kubernetes without modifying the image or restarting the parent Pod.

Solution: The Kubernetes CLI includes a sub-command for copying files into and out of a running container: kubectl cp /tmp/foo <some-pod>:/tmp/bar

Background

I’ve never found the need to copy files into a running container without issuing an updated image. This is somewhat of an anti-pattern as modifications to containerised filesystems that aren’t mounted externally are lost when the container process terminates.

Update Trivy Database in Harbor

hello@bill.dev (Bill) — Thu, 19 May 2022 14:56:00 +0000

I recently deployed Harbor and Trivy with automatic updating disabled. I hadn’t realise that this would prevent images from being scanned at all and so needed to trigger a manual update. This note describes how to manually trigger an update to the Trviy database in Harbor deployed on top of VMware Tanzu Kubernetes Grid.

Demo

Instructions

Switch context to the cluster where you have deployed Harbor.

How I Manage Kubernetes Config

hello@bill.dev (Bill) — Fri, 12 Jun 2020 06:00:00 +0000

If you work with Kubernetes, you’ll be aware of the config file that defines contexts. This config is what kubectl uses to gain access to a cluster. I work with a large number of ephemeral clusters and have found that this config is difficult to manage. This post shows how I’ve switched to using individual config files for each cluster.

The importance of Health Probes

hello@bill.dev (Bill) — Thu, 30 Apr 2020 20:35:35 +0000

Introduction

Organisations of all sizes are now deploying applications to platforms such as Kubernetes. Many of these applications do not adopt cloud native practices. Often the excuse is application age or product limitation.

Many teams invest in platform infrastructure but failed to capitalise on these benefits. So what gives? Are platforms overhyped? Are the complexities of the enterprise too much for modern platforms?

Engineers deploy applications to Kubernetes to take advantage of common platform features. Many of these features claim to help maintain service availability including:

Dive Through the Layers

hello@bill.dev (Bill) — Fri, 28 Feb 2020 06:16:35 +0000

Dive Through the Layers

I’ve been working with a container image for a Django application and was surprised to find that an image for a simple application was 1.2 GB. This was particularly jarring as, coming from the world of Go, I’m used to images that come in at under 20 MB.

It’s not the size of the container image that’s the problem. Layer caching and re-use means that you are rarely transferring the full image around and that storage on disk is usually less than the sum of all your images. The worry I have with an image that is 1.2 GB is that everything that makes up that image needs to be maintained, patched, watched for security vulnerabilities, etc. 1.2 GB is a lot of software.

The Sidecar Pattern

hello@bill.dev (Bill) — Sun, 12 Jan 2020 08:16:35 +0000

The sidecar is a multi-container pattern used to provide additional functionality to a containerised-application without requiring changes to the application itself. The sidecar is the foundation of popular tools like the Istio service mesh. But how does it work?

In this post, I will demonstrate how to use the Sidecar pattern to add TLS termination to an existing application using a custom-built proxy server. In reality, there should be no reason to build everything from scratch, I’ve done so here to validate my understanding of how things work. This post has been written so that you can read along without implementing the examples, but if you want to get your hands dirty and code along, I’ve made a few assumptions: