Posts

The previous blog talked about generating self-signed certificates using a binary. It was a manual, cumbersome process where you had to generate the certificates using a tool, embed them into a Kubernetes Secret via Helm chart, and then use it. There is a better way of doing it! Which is what this blog will discuss. We will use a Helm chart, which has a couple of Kubernetes Jobs that generates the self-signed certificate, embed them in a Kubernetes Secret and finally update the ValidatingWebhookConfiguration or MutatingWebhookConfiguration of your choice. And that’s it. Life is simpler! ...

If you have a script or a binary and want to run it as a Systemd service, keep following. This blog will show you how to take any such executable code and run it using Systemd. Sure, you can do similar stuff using Docker as well. Although there are certain downsides of using Docker (alone) for managing the daemons. Systemd is good at log management on the node over a Docker container. If a container fails, you may or may not have access to the logs. Systemd provides constructs in managing dependencies quite well. And finally, you may not be using Docker on the machine, while Systemd is quite ubiquitous on any Linux. ...

The client libraries that Kubernetes ships are meant to be imported, and you definitely don’t need this post explaining how to import them in your Golang based project. A simple go get ... should do the trick. But, what about the packages that are not meant to be imported? Or the ones that cannot be imported because of “technical reasons” ? Could you simply add them to your import statements in the .go file, and the go binary will do the right thing when you build the code? Well, let’s find that out! ...

UPDATE: There is a way to generate these certificates automatically. To find out how, read this post. If you are writing a webhook server for Kubernetes Admission Controllers like ValidatingAdmissionWebhooks or MutatingAdmissionWebhooks, you must expose it over HTTPS. To run these servers on HTTPS, you need TLS certificates. There are solutions available which you can use to solve this problem, first and foremost that comes to my mind is cert-manager. It is a great project and automates this problem. But it is an added dependency that you might have to keep running in your cluster. ...

Synopsis of the Book The Psychology of Money, written by Morgan Housel, published in 2020, could be categorised under Psychology, Finance, and Nonfiction. The author wrote an article three years ago which got a lot of traffic hence decided to write a book out of it. Last year I saw that the book was recommended by many folks in my network and on Twitter. All of the recommenders were highly impressed by the book and spoke intensely of it. Now that I have finished it, I can understand why! ...

In the previous blog, we discussed how any user without RBAC access to a Kubernetes secret can use a trick to access that secret. To mitigate that problem, we will use a validating admission webhook. But before looking at what sorcery this validating admission webhook server is, let us understand how Kubernetes handles the API requests. What are admission controllers? All requests going to the Kubernetes API server go through the following four steps: ...

You can gain access to any secret that you want in Kubernetes even if you don’t have RBAC permissions to get, list or view that secret. All you need is permission that allows you to do anything on pods and an ability to guess the names of secrets. With these two ingredients, here is how you can access any secret out there. Nasty User Here is a user called nastyuser who can only do stuff on pod objects. Everything else is forbidden. The user cannot list secrets, namespaces or deployments: ...

There are numerous Hindu festivals celebrated throughout the year. The rituals associated with each festival differ to the extent these festivals are celebrated. I am here to recount the environmental impact of the customs Hindus are involved in. Although a ritual associated with each festival and its effect on the environment is insignificant on a small scale. But with Hindus in India being close to a billion (966 million as per the 2011 census, with the population growth rate that might be almost a billion), these rituals don’t scale very well. The practices Hindus have been following, believing them benign, just a form of worshipping their god of belief. Let us look at the environmental impact of various rituals performed on particular occasions (festivals, funeral). ...

How do you monitor your own computer? Of course, using Prometheus, node-exporter and Grafana. You might ask why would you wanna do that when you can simply use the operating system provided, “System Monitor”. Well, yes, you can use that. But the data you get from the OS System Monitor is coarse-grained. OS system monitor is not configurable, but this stack is. It is like running htop but where you can go back in history, unlike htop, which only shows the current state. Using this stack of Prometheus, node-exporter, and Grafana is a proactive approach than being reactive to the problems that occur on a PC. Instead of digging later to figure out what went wrong, you are already collecting metrics so you can see on dashboards what went wrong. ...

If you are studying for the Certified Kubernetes Administrator (CKA) exam, you might have come across folks recommending Kelsey Hightower’s Kubernetes the Hard Way. It is an excellent first step for someone who has no idea about the components that form a Kubernetes cluster. As the name suggests, it is created so that you learn the Kubernetes building blocks the “hard way”. But all that can be intimidating to someone who hasn’t played with Kubernetes ever. Also, the guide uses Google Cloud as a platform to install everything, which mandates you to have a Google Cloud account. But don’t worry, there is a version of Kubernetes the Hard Way, which runs locally, hence free. Enter Kubernetes the Hard Way Vagrant! ...