tobru.guru Newsletter #14

The after-holiday edition, the biggest one ever. Upcoming ones will not be that big anymore, promised. It features a lot of diverse content, the most prominent clearly being Kubernetes multitenancy. And a bit about KDE.

News

Software releases, news articles and other new stuff

Argo CD v1.7-rc1 is here! | by Alexander Matyushentsev
#argocd, #release

The first release candidate is available at https://github.com/argoproj/argo-cd/releases/tag/v1.7.0-rc1!

This one will be a great release and I can't wait to give it a try. My absolute favorites in this release:

  • GnuPG Signature Verification
  • Namespace Auto-Creation
  • Failed Sync Retry

Project Syn will adopt these features over time.

Release v0.1.0 · kubernetes-sigs/seccomp-operator · GitHub
#seccomp, #kubernetes, #operator

Welcome to the first release of the seccomp-operator, we hope you enjoy this release as much as we do!

More security-related projects are very welcome in the land of Kubernetes. This seccomp one is an important security facility to make workloads running in a container much more secure.

KDE's August 2020 Apps Update : KDE.org
#kde, #applications, #release

KDE is an open community of friendly people who want to create a world in which everyone has control over their digital life and enjoys freedom and privacy.

A bunch of new KDE application updates. I've always been looking forward to new releases of my favorite desktop environment for nearly 20 years now. And thanks to Arch, my desktop is already up-to-date.

Inlets – The Cloud Native Tunnel
#inlets, #tunnel, #kubernetes

Secure TCP tunnels that work anywhere

There are two versions available, the commercial Pro version supporting TCP tunneling and the Open Source one supporting HTTP(S) tunnels. I'm using it for several use-cases and it makes many things much easier.

Introducing Tekton Hub - CD Foundation
#tekton, #hub, #kubernetes

Tekton Hub provides a central hub for searching and sharing Tekton resources across many distributed Tekton catalogs hosted by various organizations and teams.

Marketplaces everywhere, now featuring a new one for Tekton recipes.

Open source release of Baserow
#table, #api, #sql

Baserow has been released open source under the MIT license. We have finished our developer and API documentation and the repository is hosted at GitLab.

This is a self-hosted alternative to e.g. Airtable. Still a long way to go, but it already looks promising.

Troy Hunt: I'm Open Sourcing the Have I Been Pwned Code Base
#opensource, #security

Let me just cut straight to it: I'm going to open source the Have I Been Pwned code base. The decision has been a while coming and it took a failed M&A process to get here, but the code will be turned over to the public.

Good move! Having the possibility to look behind the scenes for security related services is a must nowadays.

Rook v1.4: Storage Enhancements and Ceph Features | by Sébastien Han
#ceph, #rook, #operator

We are excited to announce yet another Rook release to bring more features and improvements to the storage community. We have worked hard to ensure it is a “boring” release such that the deployments and upgrades will roll out smoothly to keep your data safe.

Rook rocks! With its steady progress I'm pretty sure it's going to be a graduated CNCF project soon.


Articles

Interesting articles and blog posts

Why Linux’s biggest ever kernel release is really no big deal - Linux.com
#linux, #kernel, #git, #development

When the Linux 5.8 Release Candidate opened for testing recently, the big news wasn’t so much what was in it, but its size. As Linus Torvalds himself noted, “despite not really having any single thing that stands out … 5.8 looks to be one of our biggest releases of all time.”

How the Linux Kernel project is maintained is always fascinating. And thanks to Git, it scales massively.

How to contact Google SRE: Dropping a shell in cloud SQL – Offensi
#google, #cloud, #security

Because Cloud SQL is a fully managed service, users don’t have access to certain features, in particular the SUPER and FILE privileges. In MySQL, the SUPER privilege is reserved for system administration related tasks and the FILE privilege for reading/writing to and from files on the server running the MySQL daemon. Any attacker who can get a hold of these privileges can easily compromise the server.

Cool story. In the end, managed services in the cloud are also only cooked with water.

The Case of the Top Secret iPod - TidBITS
#apple, #ipod, #story

15 years ago, Apple helped the US government develop a custom iPod for clandestine missions. Of course, neither Apple nor the US government will admit this ever happened. Former Apple engineer and inadvertent intelligence operative David Shayer tells the story of the iPod that never existed.

Whether it's true or not, I don't really care. But it's a nice story to read.

About the Quay.io Outage: Post Mortem
#postmortem, #learning, #story

A deep dive into how we found and fixed an issue on Quay.io

Learning from others is always important and this one again shows that some things are hard to predict when a service runs for a long time.

Application Configuration Management with Kapitan » Giant Swarm
#kapitan, #jsonnet, #cfgmgmt, #syn

From Giant Swarm's series on application configuration management in Kubernetes, this time we look at Kapitan.

Kapitan is an important building block of Project Syn, and this article gives a very good introduction to it.

Web by Google (TM)
#google

Looking at Mozilla’s finances, it’s reasonable to conclude that Google is keeping them on life support to keep the anti-trust hounds at bay. Mozilla’s deal with Google will account for at least 70% of their revenues going forward. That’s over $400 million to be the default search provider in 4% of browsers.

Some thoughts about how Mozilla is financed and about the dominance of Google in the Internet.

No to .io, yes to .xyz! — yarmo
#domain, #tld

The de-facto choice is .io. Numerous startups use it as a way to make their offering more legitimate, due to the long history of it being used by businesses, starting in 1998 with levi.io, registered by Levi Strauss & co. The appeal comes from the shortness of the TLD and, with regards to the high-tech sector, it being the abbreviation for "input/output".

I already stopped registering .io domains a few years back when I figured this out. And the stability of the .io domain is also very questionable.

Multi-Master Replication Solutions for PostgreSQL - Percona Database Performance Blog
#postgresql, #cluster, #replication

Covering multi-master replication solutions for PostgreSQL including BDR, xDB, PostgreSQL XL, Bucardo, and more.

Dear Google Cloud: Your Deprecation Policy is Killing You | by Steve Yegge
#google, #cloud, #deprecation

I’ll begin with a small but enlightening story from my early days at Google. For the record, I know I’ve said some perhaps unkind things about Google lately, because it’s frustrating when your corporate alma mater makes incompetent business decisions on the regular. But Google’s internal infrastructure is truly extraordinary, and you could argue that there is still none better today. The people who built Google were far better engineers than I will ever be, as this anecdote should serve to illustrate.

I didn't have this on my radar, it's good that I discovered this article. This will certainly shape how I work with Google Cloud in the future.

Introducing Hierarchical Namespaces | Kubernetes
#kubernetes, #namespaces, #hierarchy, #operator, #multitenancy

Safely hosting large numbers of users on a single Kubernetes cluster has always been a troublesome task. One key reason for this is that different organizations use Kubernetes in different ways, and so no one tenancy model is likely to suit everyone. Instead, Kubernetes offers you building blocks to create your own tenancy solution, such as Role Based Access Control (RBAC) and NetworkPolicies; the better these building blocks, the easier it is to safely build a multitenant cluster.

Good progress on getting better multitenant support in Kubernetes. And as I'm currently figuring out what the future APPUiO Public will look like, this comes in handy.

Introduction to Virtual Clusters in Kubernetes | Loft Blog
#kubernetes, #virtual, #multitenancy

Virtual Kubernetes clusters are the latest innovation for a practical and cost-efficient Kubernetes virtualization

What a nice idea! This is something I want to explore further, as this could really solve multitenancy on a shared Kubernetes cluster. And another good use case for k3s.

Container Image Retention Policy | Docker
#docker, #registry, #retention

Image retention is based on the activity of each individual image stored within a user account. If an image has not either been pulled or pushed in the amount of time specified in your subscription plan, the image will be tagged “inactive.” Any images that are tagged as “inactive” will be scheduled for deletion.

Yeah, something like that was to be expected. I was always wondering how they're able to host millions of images which might not be used anymore.

Updating a Mainframe
#mainframe, #maintenance

I have done systems administration for as long as I can remember, and while I have set up countless services and servers, I have quite limited experience working with the full life-cycle of truly enterprise software. Therefore, I thought it would be interesting to understand more about how one would plan for and execute updates on an IBM Z Series mainframe.

While I don't own a mainframe and never will, I had some touching points with mainframes during my apprenticeship a long time ago. It's fascinating to learn more about it; it's such a different world than what we're usually used to with x86 or ARM.

Why you should fire your bad customers
#customers

Know when it's time to break up with your customers.

Oh yes, this is so important. I know that first-hand from being part of VSHN since its inception.

Validating Kubernetes YAML for best practice and policies
#kubernetes, #config, #yaml, #test

How can you prevent deployments that don't follow best practices from reaching the cluster? In this article you will compare six tools to validate Kubernetes YAML files.

Securing Your Terraform Pipelines with Conftest, Regula, and OPA - DEV
#terraform, #config, #test, #cicd

While continuous compliance is important to an effective cloud security strategy, shifting this feedback further to the left (of the pipeline) helps prevent misconfigurations from being introduced into the environment.

Adding a fiber link to my home network
#ftth, #fiber

Despite using a FTTH internet connection since 2014, aside from the one fiber uplink, I had always used network gear with 1 Gbit/s links over regular old rj45 cat5(e) cables.

One can always improve. Let's see how long it takes until newly built homes will have fiber by default to every room.

The structure of KDE, or how anarchy sometimes works – Adventures in Linux and KDE
#kde, #community

KDE is a funny beast. In a lot of ways, it’s an anarchic society that actually works! Engineers and designers work on KDE software and websites, but none of them are paid by KDE itself.

The most important take-away from this article: "you have to minimize negativity!"

The best parts of Visual Studio Code are proprietary - Underjord
#vscode, #opensource

I've been very surprised and delighted over a number of years now by Microsoft's strong efforts in open source. I understand the skeptics, I was on Slashdot when they tried to sue Linux out of existence and I think only time will tell. I figure MS contributing is better than them hunting Linux distributions for sport. So I was mostly onboard for Microsoft's efforts and I've especially found Visual Studio Code useful.

To me, that was to be expected.


Tools

Open Source tools newly discovered

GitHub - TimeToogo/tunshell: Remote shell into ephemeral environments 🐚 🦀
#tunnel, #shell, #debugging

Tunshell is a simple and secure method to remote shell into ephemeral environments such as deployment pipelines or serverless functions. The project is predominantly written in Rust.

GitHub - Uzay-G/archivy
#knowledgebase, #archive

Archivy is a self-hosted knowledge repository that allows you to safely preserve useful content that contributes to your knowledge bank.

GitHub - fugue/regula: Regula checks Terraform for AWS, Azure and GCP security and CIS compliance using Open Policy Agent/Rego
#cloud, #security, #scanning, #terraform, #rego

Regula is a tool that evaluates Terraform infrastructure-as-code for potential AWS, Azure, and Google Cloud security misconfigurations and compliance violations prior to deployment.

GitHub - fugue/fregot: Fugue Rego Toolkit
#opa, #rego, #cli, #test

fregot (Fugue Rego Toolkit) is a set of tools for working with the Rego policy language, which is part of the Open Policy Agent (OPA) policy engine. fregot allows you to easily evaluate expressions, debug code, test policies, and more.

GitHub - hartwork/git-delete-merged-branches: Command-line tool to delete merged Git branches
#git, #cleanup, #branch

A convenient command-line tool helping you keep repositories clean.

GitHub - cyberark/kubeletctl: A client for kubelet
#kubelet, #kubernetes, #cli

Kubeletctl is a command line tool that implements kubelet's API. Part of kubelet's API is documented but most of it is not. This tool covers all the documented and undocumented APIs. The full list of all kubelet's APIs can be viewed through the tool or this API table.
A related blog post: https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster

GitHub - itaysk/kubectl-neat: Clean up Kubernetes yaml and json output to make it readable
#kubectl, #plugin

Remove clutter from Kubernetes manifests to make them more readable.

Libravatar :: federated avatar hosting service
#avatar

Libravatar is a service which delivers your avatar (profile picture) to other websites. If you create an account with us, your photo could start popping up next to forum posts or blog comments on any site where you left your email address.

multi-tenancy/incubator/virtualcluster at master · kubernetes-sigs/multi-tenancy · GitHub
#kubernetes, #virtual, #cluster, #multitenancy

VirtualCluster represents a new architecture to address various Kubernetes control plane isolation challenges. It extends the existing namespace-based Kubernetes multi-tenancy model by providing each tenant a cluster view. VirtualCluster completely leverages Kubernetes extensibility and preserves full API compatibility. That being said, the core Kubernetes components are not modified in virtual cluster.

DevSpace - The Fastest Developer Tool for Kubernetes (open-source)
#kubernetes, #development, #cli

DevSpace is an open-source CLI tool that allows you to accelerate your development workflow when building applications on top of Kubernetes. It provides a powerful localhost UI and uses hot reloading to update containers while you are coding.

GitHub - LiqoTech/liqo: Building your shared Kubernetes ocean
#k3s, #share, #cluster

Liqo is a framework to enable dynamic sharing across Kubernetes Clusters. You can run your pods on a remote cluster seamlessly, without any modification (Kubernetes or your application).

Ruckstack
#k3s, #packaging

Your entire stack + more…to go

GitHub - thomasdarimont/awesome-keycloak: A curated list of resources for learning about http://www.keycloak.org
#keycloak, #awesome, #links

A curated list of resources for learning about the Open Source Identity and Access Management solution Keycloak. Contains books, websites, blog posts, links to github Repositories.

GitHub - riggraz/astuto: A free, open source, self-hosted customer feedback tool 🦊
#feedback

Astuto is a free, open source, self-hosted customer feedback tool. It helps you collect, manage and prioritize feedback from your users. It has been heavily inspired by Canny.io ("astuto", indeed, is the Italian translation of the word "canny"). If you are interested, you can check out a demo of Astuto.

GitHub - caronc/apprise: Apprise - Push Notifications that work with just about every platform!
#notifications, #chat

Apprise allows you to send a notification to almost all of the most popular notification services available to us today such as: Telegram, Discord, Slack, Amazon SNS, Gotify, etc.

GitHub - nestybox/sysbox: Sysbox repository
#cri, #docker, #runtime, #container

Sysbox is an open-source container runtime (aka runc), originally developed by Nestybox, that enables Docker containers to act as virtual servers capable of running software such as Systemd, Docker, and Kubernetes in them, easily and with proper isolation. This allows you to use containers in new ways, and provides a faster, more efficient, and more portable alternative to virtual machines in many scenarios.

GitHub - cloud66-oss/copper: A configuration file validator for Kubernetes.
#kubernetes, #validation, #javascript

Copper is a simple tool for validating your configuration files. This is specifically useful with Kubernetes configuration files to enforce best practices, apply policies and compliance requirements.

GitHub - cloudhut/kowl: Kafka WebUI for exploring messages, consumers, configurations and more with a focus on a good UI & UX.
#kafka, #gui

Kowl (previously known as Kafka Owl) is a web application that helps you to explore messages in your Apache Kafka cluster and get better insights on what is actually happening in your Kafka cluster in the most comfortable way.

GitHub - argoproj-labs/argocd-image-updater: Automatic container image update for ArgoCD
#argocd, #gitops, #maintenance

Argo CD Image Updater is a tool to automatically update the container images of Kubernetes workloads which are managed by Argo CD. In a nutshell, it will track image versions specified by annotations on the Argo CD Application resources and update them by setting parameter overrides using the Argo CD API.

GitHub - evgeni/cfgdiff: diff(1) all your configs
#diff, #config, #cfgmgmt

Ever tried comparing MySQL's my.cnf from a Debian and a Gentoo machine with diff(1) without going crazy?
