CatOps
DevOps and other issues by Yurii Rochniak (@grem1in) - SRE @ Preply && Maksym Vlasov (@MaxymVlasov) - Engineer @ Star. Opinions are our own.

We do not post ads, including event announcements. Please do not bother us with such requests!
In addition to our last post.

An article on what happens if you push secrets into a public repository, with some advice on how to mitigate that risk.

This article was sent to me by one of our subscribers. Big thanks for it! If you want to share interesting stuff as well, you can either send it to our chat or admins directly.

#security
If you work with Open Policy Agent, you probably want to test the policies you write.

Luckily, it is possible to write test suites for Rego.

However, these test suites are not always very obvious, and neither are Rego policies themselves. Here is an article by Dustin Specker on how to write tests for your policies. This article helped me a lot personally, and I hope it will be helpful for you too.

#opa #kubernetes #testing
Speaking of Infrastructure as Software from the previous post.

Kris Nova has created naml - a framework to replace Kubernetes YAML with Go.

Obviously, this project is in a very early stage. However, the industry is clearly moving in the direction of IaS with products like Pulumi, various CDKs, and this one.

So, it's a good time to start learning software engineering practices, if you haven't already.

#kubernetes #ias
A post of irony :)

We have created an internal toolset to manage the lifecycle of Kubernetes clusters in my company. It allows us to create clusters, upgrade them, destroy them, as well as manage some plugins like CNI, Ingress, and other core plugins, as we call them.

Just yesterday, I had a thought that this could be one's business model - create an OSS-core tool to manage ready-to-use clusters and then sell support, or some enhancement plugins, or some additional functionality like automagical cluster upgrades.

And also yesterday, Flant released the source code for their Deckhouse project! This is a project aimed at managing the cluster lifecycle, and it has been used internally at Flant for quite some time already.

Also, it looks like they're going to build a business around this tool as well. At least they have a website dedicated to it, but unfortunately there is not much info there. Unfortunately, I haven't found any blog posts or press releases about this tool in English. However, I did find a few reports on the Internet that people tried it out, and it works. At least, it creates a cluster.

I personally would say that it is too early to tell what the future of this tool will look like, but I like the general idea. I personally think that Kubernetes is going the same way the Linux kernel went earlier: there is an OSS core and then there are tons of distributions managed by different companies. With RedHat being the first to jump on this train, of course.

So, brace yourself! More distro wars to come!


#kubernetes
A kinda long read about optimizing JS code in environments where JIT compilation is not available, e.g. iOS, gaming consoles, serverless environments, etc.

The main idea is to run JS inside a WebAssembly instance.

The Wizer pre-initializer is used as an example here.

The information here might not be very useful for people who run JS in a "traditional" way, i.e. in a browser. However, I personally think this is an interesting read for those who build JS-powered serverless services, as well as those who deploy JS code to portable devices.

Also, it's worth noting that such an approach could be used for other runtimes like Python, Ruby, or Lua.

#programming
Stargz Snapshotter is a non-core containerd project that lets you lazily load container images and speed up container startup time.

It works with the stargz (seekable tar.gz) image format. Also, it has a converter that optimizes images for better loading (since you will need to communicate with a remote filesystem).

You can read more about the stargz format in the buildkit documentation.

#containers
There is a saying that there are only two ways to learn something: to build it or to fix it.

Sam Lewis has built his own mesh VPN solution to better understand how mesh VPNs work. And also because he could.

He put it all into a blog post. So, you can find some insights about mesh VPNs there. Probably, you won't even need to build your own.

In any case, this is not a tool you should get into production right away. Just an interesting read. No more, no less.

#networking #security #vpn
Be extra careful when upgrading Kubernetes to v1.22. A lot of beta API versions are completely removed in that release.

Among them:
- Ingress
- CustomResourceDefinition
- ValidatingWebhookConfiguration
- MutatingWebhookConfiguration
- CertificateSigningRequest

There are some more that you can find in the release notes. The release notes also contain information on how to upgrade to the stable API versions.
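As an added example that is not from the post or from the articles it links, here is how the two topics above fit together: an OPA policy that flags manifests still using the beta API versions removed in v1.22 for the five kinds listed, plus the Rego test suite for it. The stable replacements are the ones from the Kubernetes release notes; everything else (package names, file names, the sample manifests in the tests) is assumed for the example. It uses the `import rego.v1` syntax (`deny contains msg if`), which needs OPA 0.59 or newer; on the older OPA releases current when this post was written, the equivalent head is `deny[msg] {`.

```rego
# policy.rego (assumed file name)
package kubernetes.deprecated_apis

import rego.v1

# Beta API versions removed in Kubernetes v1.22 for the kinds named in the
# post, mapped to the stable version each manifest should migrate to.
# Extend this table with the other removals from the release notes as needed.
removed_in_1_22 := {
	"Ingress": {
		"extensions/v1beta1": "networking.k8s.io/v1",
		"networking.k8s.io/v1beta1": "networking.k8s.io/v1",
	},
	"CustomResourceDefinition": {
		"apiextensions.k8s.io/v1beta1": "apiextensions.k8s.io/v1",
	},
	"ValidatingWebhookConfiguration": {
		"admissionregistration.k8s.io/v1beta1": "admissionregistration.k8s.io/v1",
	},
	"MutatingWebhookConfiguration": {
		"admissionregistration.k8s.io/v1beta1": "admissionregistration.k8s.io/v1",
	},
	"CertificateSigningRequest": {
		"certificates.k8s.io/v1beta1": "certificates.k8s.io/v1",
	},
}

# One message per manifest that still uses a removed apiVersion.
# If the kind or version is not in the table, the lookup is undefined,
# so the rule body does not match and nothing is denied.
deny contains msg if {
	replacement := removed_in_1_22[input.kind][input.apiVersion]
	name := object.get(input, ["metadata", "name"], "<unnamed>")
	msg := sprintf(
		"%s '%s' uses apiVersion %s, which is removed in Kubernetes v1.22; migrate to %s",
		[input.kind, name, input.apiVersion, replacement],
	)
}
```

```rego
# policy_test.rego (assumed file name); run with: opa test -v .
package kubernetes.deprecated_apis_test

import rego.v1

import data.kubernetes.deprecated_apis as policy

# Constructed sample manifest, not taken from any real cluster.
beta_ingress := {
	"apiVersion": "networking.k8s.io/v1beta1",
	"kind": "Ingress",
	"metadata": {"name": "web"},
}

# A manifest on a removed version yields exactly one message,
# and that message names the version to migrate to.
test_beta_ingress_is_denied if {
	msgs := policy.deny with input as beta_ingress
	count(msgs) == 1
	some msg in msgs
	contains(msg, "migrate to networking.k8s.io/v1")
}

# The same manifest on the stable version passes.
test_stable_ingress_is_allowed if {
	count(policy.deny) == 0 with input as object.union(beta_ingress, {"apiVersion": "networking.k8s.io/v1"})
}

# Kinds that are not in the table are never denied, even on a beta version.
test_unrelated_kind_is_allowed if {
	count(policy.deny) == 0 with input as {
		"apiVersion": "v1",
		"kind": "ConfigMap",
		"metadata": {"name": "cfg"},
	}
}

# A manifest with no metadata.name still gets a readable message.
test_unnamed_crd_is_denied if {
	msgs := policy.deny with input as {
		"apiVersion": "apiextensions.k8s.io/v1beta1",
		"kind": "CustomResourceDefinition",
	}
	count(msgs) == 1
	some msg in msgs
	contains(msg, "'<unnamed>'")
}
```

The tests follow the pattern the linked article builds on: a test rule is just a rule whose name starts with `test_`, and `with input as ...` substitutes the document under test without touching the policy. Keeping one assertion per behaviour (denied, allowed, unrelated kind, missing name) makes a failing `opa test` output point at the exact case that regressed when the table is edited.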

#kubernetes
A small, neat write-up on learnings about incident response.

Key takeaways:
- Declare incidents for smaller things. Distinguishing between SEV1 and SEV3 incidents helps you track system health better. Also, a bunch of smaller problems may lead to a critical failure, and such problems are usually easy to fix one by one.
- Decrease the time between the incident and the postmortem analysis. The analysis will be much more accurate when you have a fresh memory of what has happened.
- Alert on symptoms, not causes. Alert only if your users (external or internal) have issues, not when CPU utilization is high.

#observability
A data storage cheat sheet for public clouds, as well as cloud-agnostic services.

This is obviously not a full list of all the available databases. However, it provides some insight into what the Big Three cloud vendors provide, as well as some open-source alternatives.

#databases
Alongside Lambda@Edge and Cloudflare Workers, Fastly presents its own Compute@Edge solution.

Now you can run JavaScript code on Fastly's edge locations. They also promise zero cold starts for this service and a high level of isolation & security, because the technology creates and destroys a sandbox for each individual request, running JavaScript compiled to WebAssembly.

#cdn #edge
Kent Beck argues that not everything can be changed by setting incentives.

Moreover, wrong or vague incentives can bring more harm than good. For example, if you push for TDD and incentivize people simply to write tests, they will. However, a lot of those tests will be bad tests.

Being very careful and patient while creating incentives is crucial not only for a technical organization, but for any organization in general.

#culture
Not technical news, but important news nonetheless.

Google is delaying its return to the office till mid-October, at least in the US.

Also, once campuses are fully re-opened, they will require anyone who comes in to be fully vaccinated. This is important because a lot of smaller companies tend to copy the behavior (and tech approaches) of the industry giants. Therefore, many other companies will delay the return as well.

Also, this is a loud and clear signal regarding vaccination. Probably the first one to come from the private sector in the IT industry.

Obviously, this article doesn't mean that Google accepts remote work. This battle is yet to be fought. However, the world has already changed. Remote work is no longer an exceptional benefit. More and more companies now offer a hybrid format at least. And I personally can only welcome these changes!
Flant has officially announced their Deckhouse solution to bootstrap ready-to-use Kubernetes platforms.

I've already written about it here: https://t.iss.one/catops/1723

So, not to repeat myself too much: I think this is a move in the right direction. I expect more and more Kubernetes distributions in the future, just like it happened to Linux.

People need platforms, not orchestrators!

#kubernetes
Forwarded from AWS Notes
CDK Construct Hub:

https://aws.amazon.com/blogs/developer/construct-hub-preview/

Construct Hub is a one-stop destination for finding, reusing and sharing constructs authored by AWS, AWS Partner Network partners, third parties, and the developer community.
CDK constructs are cloud architecture building blocks and patterns that you can use to stand up complete production-ready cloud applications.

#CDK
"When I see a door with a push sign, I pull first to avoid conflicts" - anonymous

In version 2.23 of git, two new commands were introduced: git switch and git restore. Both aim to replace the ambiguous behavior of git checkout, although the original checkout command is still available.

switch works the same way as checkout on branches, and restore the same way as checkout on files.

Why? Because the previous implementation was confusing.

#git
I remember being at a meetup at the Twitter HQ where people were talking about the success of Finagle and eventually presented an idea and some first versions of Linkerd.

That was in 2017, and now Linkerd is a graduated CNCF project.

Congratulations!

Here is an interesting part:

Linkerd is the first service mesh to rise to the level of graduation. But Linkerd has a long history of firsts: Linkerd was the first service mesh project and the one to coin the term itself. It was the first project to enter the CNCF’s inception (now sandbox) phase. It was the first CNCF project to adopt Rust

P.S. A nostalgic photo from the Twitter HQ

#networking
Would be nice to get this for mobile devices as well. Anyway, this is a great feature and a huge step forward!

https://twitter.com/github/status/1425505817827151872?s=28