Posts

This list is being updated on regular basis General info https://kubernetesreadme.com/ Comparison API comparison https://kube-api.ninja/ https://learnk8s.io/research https://docs.google.com/spreadsheets/d/1RPpyDOLFmcgxMCpABDzrsBYWpPYCIBuvAoUQLwOGoQw/edit#gid=907731238 Hosting kapsule https://www.scaleway.com/en/ free https://cloud.okteto.com/ Secrets External secrets management integration with k8s https://github.com/godaddy/kubernetes-external-secrets Integrate Kubernetes with 1Password https://github.com/1Password/onepassword-operator Kubernetes mutating webhook for secrets-init injection https://github.com/doitintl/kube-secrets-init AWS EKS Secrets store CSI driver https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-configuration-provider-with-kubernetes-secrets-store-csi-driver/ RBAC RBAC practices and tooling https://rbac.dev/ Visualize RBAC https://github.com/team-soteria/rback RBAC Manager is designed to simplify authorization in Kubernetes https://github....

Keep the cloud provider platform secure Least privilege Secure traffic into cluster Run security test in development environments Mirror environments Cluster authentication & authorization Leverage OIDC for k8s authentication RBAC - define roles In cluster network/security/micro segmentation Prevent namespace-to-namespace communication Network policy Policy & Governance k8s admission controllers Read only Non-privileges ports Runtime security & monitoring...

AWS Control Tower Landing Zone 4.0 introduces a flexible Controls-Only experience, allowing full programmatic setup and customization of multi-account environments. Key Changes: Optional Service Integrations - Choose which integrations to enable: AWS Config AWS CloudTrail Security Roles AWS Backup Dedicated Resources - Better isolation with separate resources per service: Separate S3 buckets for AWS Config and CloudTrail Individual SNS topics for each service Flexible Organization Structure - Removed previous requirements:...

GitHub’s platform engineering team shares their approach to tackling infrastructure challenges at scale. Key strategies include: Understanding your domain: Talk to neighboring teams with more experience Investigate old issues to understand system limitations Read documentation to build foundational knowledge Platform-specific skills: Network fundamentals (TCP, UDP, L4 load balancing, debugging tools) Operating systems and hardware selection for scalability and cost Infrastructure as Code (Terraform, Ansible, Consul) Distributed systems understanding (failures are inevitable, need failover/recovery) Impact radius considerations:...

AWS Certificate Manager (ACM) now supports automated certificate management for Kubernetes workloads through AWS Controllers for Kubernetes (ACK). Previously, using ACM certificates in Kubernetes required manual steps: exporting certificates via API, creating Kubernetes Secrets, and manually updating them at renewal. With ACK, you can define certificates as Kubernetes resources, and the controller automates the complete lifecycle - requesting, exporting, creating Secrets, and auto-updating at renewal. This works for both public certificates (ACM exportable certificates) and private certificates (AWS Private CA), enabling automated certificate management for:...

Managing Terraform state securely is one of those things that seems simple until you’re dealing with hundreds of accounts and thousands of resources. Cloudflare, being their own Customer Zero, had to solve this problem at enterprise scale. The interesting part? They built a custom solution called tfstate-butler - a Go program that acts as an HTTP backend for Terraform state storage. The Security Problem When you’re managing infrastructure at Cloudflare’s scale, a single compromised state file could be catastrophic....

You know what’s wild? AWS is almost twenty years old now. That’s both cool and kind of terrifying at the same time. I’ve been working with AWS for a while, and honestly, I still catch myself thinking about things the way they used to be, not how they actually work today. The problem is that AWS changes constantly, but a lot of the foundational stuff has evolved in ways that aren’t super obvious....

Another year, another AWS re:Invent has come and gone. I’ve been following the announcements closely, and there are some genuinely interesting developments worth discussing. The Big Picture This year’s re:Invent felt a bit different. The pre:Invent announcements started later than usual (mid-November instead of early October), and the keynote felt more focused on GenAI than infrastructure improvements. That said, there are still plenty of practical enhancements that can make our lives easier....

It’s 2024, and AWS finally built a browser-based S3 viewer. Twenty years after S3 launched, you can now browse your buckets directly in the browser. It’s still in alpha, but hey, better late than never, right? You might be thinking - wait, weren’t there options before? Like S3Fox? Yeah, there were some third-party tools, but AWS itself never had an official browser interface. So what took so long? Real Problem: Access Control Turns out, building a simple file browser wasn’t the hard part....

Disclaimer: here you might not find something new if you know 12 factors app. The 12-factor app methodology 12factor.net, is a set of principles designed to enable applications to be built with portability and resilience when deployed to the web. These principles focus on declarative formats for automation, clean contracts with the operating system, and suitability for deployment on modern cloud platforms, thus minimizing divergence between development and production, enabling continuous deployment for maximum agility....