Open Policy Agent (OPA) is a powerful framework that allows you to validate your data structures against some policies, written in Rego. There are multiple implementations of OPA for various tools and systems e.g. Gatekeeper for Kubernetes.
However, you can write your own implementation and use it, for example, for unit tests. This article provides some examples of how to write your own OPA checks in Go.
#programming #opa
DZone
Building With Open Policy Agent (OPA) for Better Policy as Code
Dive into a new way of thinking about Policy as Code. Learn to leverage OPA for learning deep insights about your systems, their resource utilization, and more.
Microsoft in its blog revealed some details on the recent cyberattack on a number of Ukrainian governmental websites.
The investigation is still ongoing. However, we already know that the attackers have overwritten the Master Boot Record (MBR) on infected machines. Microsoft also published hashes of the malicious software in the same blog article.
I also found information that the hackers initially broke in through a proprietary Content Management System (CMS) tool. However, I haven’t found any official proof of it.
#security
Microsoft News
Destructive malware targeting Ukrainian organizations
Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple organizations in Ukraine.
After I published my article about Kubernetes backups, I got some questions regarding cluster organization and maintenance procedure. Specifically about managing Kubernetes clusters “as cattle” and this statement:
…*investing in cluster automation early on* is important. You may end up in a situation when you need to re-create a cluster from scratch.
I started writing an article about managing clusters “as cattle” to address these questions. Moreover, that was my initial plan. However, I realized that I have very little exposure to how other people are managing their clusters! I have only the perspective of my current and my previous employers.
Thus, I decided to issue a survey on how people are managing their Kubernetes clusters, their core components like CNI, Ingress, etc., and business applications.
I would appreciate it if you could spend some time filling out this survey. You can also reach out to me directly and share your story of managing Kubernetes in your company. I left contacts in that Google form.
Here’s the link to that article about backups, in case you missed it.
Have a great week, y’all!
#kubernetes
Google Docs
Kubernetes Cluster Operations Survey by CatOps
Hello and thank you for participating in our Kubernetes Cluster Operations Survey!
The goal of this survey is for us to have a glance at how people manage their Kubernetes clusters, what the adoption rate is for cloud cluster management solutions, and what…
I'm a bit late with this news, but it looks like the Helm plugin helm-diff now supports a three-way-merge option.
Thus, it should be able to show which changes were made manually, aka the drift.
#kubernetes #helm
GitHub
upgrade command add three-way-merge option by luxurine · Pull Request #304 · databus23/helm-diff
upgrade command add three-way-merge option to show diff for actual state vs desired state #176
prepared resource for testing
1. last release:
---
# Source: base-app/templates/service.yaml
apiVersion...
The channel description says "... and other issues", right?
So, today I want to share with you the WSJF model of the SAFe framework, which helps to compare priorities of different projects. WSJF stands for "Weighted Shortest Job First".
This concept won't be new at all for product people and project managers. And this is exactly why I want to share it here. Throughout my career, I saw a lot of examples when platform teams or OPS teams didn't have their own dedicated product/project manager. Therefore, there were a lot of struggles over what to prioritize among multiple projects.
I saw this framework in action and I think it's useful. Ofc, this is not a silver bullet. You may need to make a few tweaks to the process here and there, but in general this is a good start if you're not sure what you should pick up next from the pile of platform work.
#management #agile #safe
Not so long ago, I shared with you a tool called Acra for encryption/decryption of sensitive data in a database. This tool is written in Go, and obviously it uses TLS.
Now, they have written an article about TLS implementation in Go, specifically about the implementation of OCSP and CRL extensions.
This article would be interesting for you, foremost, to get some ideas on OCSP and CRL extensions and their use cases. Secondly, if you need to implement TLS in your apps or advise on the implementation to your developers.
#security #programming #go #tls
Cossack Labs
TLS certificate validation in Golang: CRL & OCSP examples | Cossack Labs
All developers need to know about using OCSP and CRL for validating TLS certificates in Go apps. Things we’ve learnt while building our own OCSP/CRL validation tooling: design, implementation and security tips, example code and popular mistakes.
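The CRL half of that validation, as an added example written here in Go with only the standard library (it is not Acra's or Cossack Labs' code): checkCRL binds a CRL to the leaf's own issuer, verifies the issuer's signature and the CRL's freshness, and only then looks for the serial; newFixture constructs a throw-away CA, leaf and CRL in memory so the check runs offline. The key shared by CA and leaf, the subject names and serials are fixture assumptions, not values from the article.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// checkCRL accepts leaf only if crlDER is a current CRL issued and signed by
// issuer (leaf's own CA) that does not list leaf's serial. Added example, not Acra's code.
func checkCRL(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	// Bind the CRL to the CA that issued leaf and verify that CA's signature on it;
	// a valid CRL from anyone else says nothing about this certificate.
	if !bytes.Equal(crl.RawIssuer, leaf.RawIssuer) || crl.CheckSignatureFrom(issuer) != nil {
		return errors.New("crl is not a validly signed CRL from the certificate's issuer")
	}
	if now.After(crl.NextUpdate) { // a stale CRL may lack recent revocations: fail closed
		return errors.New("crl is stale")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newFixture builds, in memory, a throw-away CA, a leaf it signed and a CRL from
// that CA that lists the leaf when revokeLeaf is true (constructed test data).
func newFixture(revokeLeaf bool) (leaf, ca *x509.Certificate, crlDER []byte) {
	key, now := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), time.Now() // one key for CA and leaf, fixture only
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // CRLSign is required to sign CRLs
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "leaf"},
		NotBefore: now, NotAfter: now.Add(time.Hour)}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &key.PublicKey, key))))
	var revoked []pkix.RevokedCertificate
	if revokeLeaf {
		revoked = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crlDER = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificates: revoked}, ca, key))
	return leaf, ca, crlDER
}

func main() {
	leaf, ca, crl := newFixture(true)
	fmt.Println("revoked leaf:", checkCRL(leaf, ca, crl, time.Now()))
}
```

In a real client the same function belongs in tls.Config's VerifyPeerCertificate callback, with the CRL fetched from the leaf's CRLDistributionPoints and cached until NextUpdate.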
If you haven’t read Roblox’s postmortem on October’s 73-hour outage, you definitely should!
Even though this event happened in October, the postmortem was released just a few days ago. And in this case, this is a very good decision! Especially because this write-up provides a detailed analysis of what happened at that time and what chain of events caused it.
It’s cool to read a postmortem the day after an outage - we are all curious human beings. Unfortunately, those postmortems usually lack many details. This is understandable: there’s not enough time for a thorough analysis, and your team is probably already tired.
In this case, though, you get a detailed overview of what happened as well as plans to prevent this chain of events from happening again. Moreover, some of those plans are already implemented.
It’s a pity that not many companies do similar postmortems. And I must say that this is probably to their disadvantage. After reading this document I have a feeling that Roblox is a cool place to work, TBH.
#postmortem #hashicorp #consul
Roblox
Roblox Return to Service | Roblox
Roblox is a global platform where millions of people gather together every day to imagine, create, and share experiences with each other in immersive, user-generated 3D worlds.
Just a friendly reminder that we still have our Kubernetes survey form open!
We would appreciate it if you could spend some time filling it out!
Cheers!
#kubernetes
Google Docs
Kubernetes Cluster Operations Survey by CatOps
Hello and thank you for participating in our Kubernetes Cluster Operations Survey!
The goal of this survey is for us to have a glance at how people manage their Kubernetes clusters, what the adoption rate is for cloud cluster management solutions, and what…
Red Hat presented their own minimal Kubernetes distribution targeted at edge devices - MicroShift.
Functionally, MicroShift repackages OpenShift core components into a single binary that weighs in at a relatively tiny 160MB executable (without any compression/optimization).
As a monolith, it provides an “all-or-nothing” start/stop behavior that works well with systemd and enables fast (re)start times of a few seconds.
So first of all, you can now install OpenShift on a Raspberry Pi as a single binary. Secondly, your car will probably run Kubernetes in the near future.
#kubernetes #OpenShift #RedHat
Red Hat Emerging Technologies
Introducing MicroShift
MicroShift has been specifically designed for edge computing use cases, with a goal of fitting in the limited storage capacity of field-deployed devices that can be embedded into a variety of appliances such as cars, factory lines, airplanes or even satellites.
It's time to patch node OS for your Kubernetes clusters. If you manage nodes on your own, of course.
CVE-2022-0185 can allow a container in Kubernetes to escape using the unshare Linux command. Usually, it's blocked by Docker's seccomp filter, which is disabled by default in Kubernetes.
#kubernetes #security
Aqua
CVE-2022-0185 in Linux Kernel Can Allow Container Escape in Kubernetes
A high-severity CVE was released that affects the Linux kernel, allowing unprivileged users to escalate those rights to root and escape from the container
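A check for that weak default, added here as an example (it is not from Aqua's write-up): it parses a Pod manifest as JSON and lists the containers that would run without a seccomp profile, applying the Kubernetes rule that a container-level seccompProfile overrides the pod-level one and that no setting at all means Unconfined unless the kubelet has the SeccompDefault feature enabled. The sample manifest and its names are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the slices of the Pod schema this check needs (plain encoding/json, no client-go).
type seccompProfile struct {
	Type string `json:"type"`
}
type securityContext struct {
	SeccompProfile *seccompProfile `json:"seccompProfile"`
}
type container struct {
	Name            string           `json:"name"`
	SecurityContext *securityContext `json:"securityContext"`
}
type pod struct {
	Spec struct {
		SecurityContext *securityContext `json:"securityContext"`
		InitContainers  []container      `json:"initContainers"`
		Containers      []container      `json:"containers"`
	} `json:"spec"`
}

// effectiveProfile resolves the seccomp profile a container actually gets: the
// container-level setting overrides the pod-level one, and with neither set the
// kubelet runs the container Unconfined (unless SeccompDefault is enabled on it).
func effectiveProfile(podSC *securityContext, c container) string {
	for _, sc := range []*securityContext{c.SecurityContext, podSC} {
		if sc != nil && sc.SeccompProfile != nil && sc.SeccompProfile.Type != "" {
			return sc.SeccompProfile.Type
		}
	}
	return "Unconfined"
}

// unconfinedContainers parses a Pod manifest (JSON) and returns the names of all
// init and regular containers that would run without a seccomp filter.
func unconfinedContainers(manifest []byte) ([]string, error) {
	var p pod
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, err
	}
	var names []string
	for _, group := range [][]container{p.Spec.InitContainers, p.Spec.Containers} {
		for _, c := range group {
			if effectiveProfile(p.Spec.SecurityContext, c) == "Unconfined" {
				names = append(names, c.Name)
			}
		}
	}
	return names, nil
}

// Constructed sample: the pod-level RuntimeDefault covers "init" and "app", but
// "debug" explicitly opts out, which is exactly what a review should flag.
const samplePod = `{"metadata": {"name": "demo"}, "spec": {
  "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
  "initContainers": [{"name": "init"}],
  "containers": [{"name": "app"},
    {"name": "debug", "securityContext": {"seccompProfile": {"type": "Unconfined"}}}]}}`

func main() {
	names, err := unconfinedContainers([]byte(samplePod))
	fmt.Println("containers without a seccomp filter:", names, err)
}
```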
And another security update comes from Let's Encrypt.
Let's Encrypt will revoke all active certificates that were issued and validated with the TLS-ALPN-01 challenge before 00:48 UTC on 26 January 2022. Because of a bug, those certificates are considered mis-issued.
They estimate this is <1% of all active certificates, so it's not that bad, though.
#security #tls
Let's Encrypt Community Support
2022.01.25 Issue with TLS-ALPN-01 Validation Method
At 16:48 UTC on Tuesday Jan 25, 2022, a third party informed Let’s Encrypt / ISRG that, while examining the Boulder codebase, they had noticed two instances of specification non-compliance in our implementation of the “TLS Using ALPN” validation method (BRs…
Some Friday material.
This short article is a perfect analogy for programming and systems design in general!
The Oatmeal
Erasers are wonderful
An eraser is not a highlighter of mistakes. An eraser is a tool.
Consul API Gateway is now in beta.
It also got TCPRoute support, and it's now supported in the official Helm chart.
There is also a new learning material for you to take a closer look at it.
#hashicorp #kubernetes #networking #consul
HashiCorp
Consul API Gateway Now Generally Available
The Consul API Gateway has now reached its first GA release, adding TCPRoute support, Helm chart support, and a new HashiCorp Learn tutorial.
So, if you want to know what real serverless looks like, here you are.
WebVM allows you to run a fully functional Debian virtual machine in your browser.
The article provides an overview of the technology as well as the things that make this possible.
Obviously, there are not many business implementations for this at the moment, but I see great potential in it.
#serverless #wasm
Leaning Technologies Developer Hub
WebVM: server-less x86 virtual machines in the browser
We made a server-less virtual Linux environment that runs unmodified Debian binaries in the browser. This is powered by CheerpX, a WebAssembly virtualization platform. Feel free to play with it and report bugs: https://webvm.io
Information from our chat.
Be careful committing to SOPS for your secret management.
It looks like they're looking for maintainers at the moment, which means that this project is not supported right now to a degree it was before.
P.S.: If you want to share any interesting information, feel free to join our chat! Although, keep in mind that a mix of Ukrainian and Russian is used there.
#security
GitHub
New maintainers · getsops/sops · Discussion #927
It's quite apparent to me that neither @ajvb nor me currently have enough time to maintain the project, with PRs sitting unreviewed. I think it's time to look for some new maintainers. I do...
HUG Kyiv #13: Q/A session with HashiCorp co-founders in 1 day!
When: Thursday 3rd February, 19:50 (Kyiv TZ)
Where: Online
Language: English
Feel free to ask and vote for questions here
#event
This post will be interesting to those who run Java applications in Kubernetes. Specifically, if you use the OkHttp client for Java.
Kubernetes network load balancing using OkHttp client - the name speaks for itself. Basically, the problem is that OkHttp uses persistent connections to communicate with its peers. Therefore, IPVS - the default K8s load balancer - is unable to properly balance those connections. Thus, you may have all the connections served by a single replica of your downstream service!
This article provides some useful insights on how to track down this issue and how to fix it in your code, as well as mentioning the tradeoffs of such a fix.
#kubernetes #java #programming
Medium
Kubernetes network load balancing using OkHttp client
Don’t always believe in features that run out of the box. Always check the behaviour and tune. Sometimes it’s easier than you expect.
We will start in 10 minutes
Youtube - https://youtu.be/GCvhy4I2bzU
Zoom - https://www.meetup.com/Kyiv-HashiCorp-User-Group/events/281541295/
#event
YouTube
HUG Kyiv #13: Hashicorp co-founders Q/A session
To support Ukraine, please donate to https://savelife.in.ua/donate
HashiCorp Co-Founders Mitchell Hashimoto and Armon Dadgar joined us to discuss community-provided topics.
Timestamps:
0:00:00 - HUG Announces
0:04:30 - Intro by Erik Veld, Mitchell Hashimoto…
Docker Desktop has already become a paid option for corporate users, and not all companies are willing to pay. Some just haven't bought the licenses yet. This is bad news for Mac user workstations, which are likely a majority in the corporate world.
However, there are projects out there which aim to solve the problem of a virtual machine to run your Docker containers.
This article tells a story of migration to Lima from Docker Desktop on MacOS.
There is also a complementary project with a funny name - Colima, which simplifies the migration even further.
#docker #containers
From our subscribers.
A postmortem by Mozilla on the recent Firefox outage.
For those services hosted on Google Cloud Platform (GCP) these load balancers have settings related to the HTTP protocol they should advertise and one of these settings is HTTP/3 support with three states: “Enabled”, “Disabled” or “Automatic (default)”. Our load balancers were set to the “Automatic (default)” setting and on January 13, 2022 at 07:28 UTC, GCP deployed an unannounced change to make HTTP/3 the default.
Lessons Learned...
GCP’s deployment of HTTP/3 as default was unannounced. We are actively working with them to improve the situation. We realize that an announcement (as is usually sent) might not have entirely mitigated the risk of an incident, but it would likely have triggered more controlled experiments (e.g. in a staging environment) and deployment.
I'm yet to read this postmortem through.
P.S.: If you want to suggest any interesting materials for this channel, you can always do it in our chat. The chat itself is Ukrainian and Russian speaking.
Mozilla Hacks – the Web developer blog
Retrospective and Technical Details on the recent Firefox Outage
On January 13th 2022, Firefox became unusable for close to two hours for users worldwide. This post highlights the complex series of events and circumstances that, together, triggered a bug deep in the networking code of Firefox.