Kubernetes Learning Week Series 4
Reduce Docker image by 40%, How?
https://bhupesh.me/publishing-my-first-ever-dockerfile-optimization-ugit/
This article discusses the author’s experience in reducing the size of their first published Docker image by 40%, from 31.4 MB to 17.6 MB, for a shell script named ‘ugit’ (a tool to undo Git commands). The author follows a step-by-step optimization process, including using multi-stage builds, identifying and including only necessary dependencies, and minimizing the terminal info database. The final Docker image can be found on Docker Hub.
Key points:
The author aims to provide the ‘ugit’ shell script as a Docker image.
The author uses multi-stage builds to reduce image size, starting with an Alpine base image and then copying only necessary binaries and dependencies into the final image.
The author uses the ‘ldd’ tool to identify and include only the shared libraries (dependencies) required by the binary.
The author removes the shebang (#!/) from the script, as the Bash binary is already included, saving a few bytes.
The author trims the terminfo database down to the single ‘xterm-256color’ terminal definition, saving a further 97 KB.
The final Docker image size is reduced by 40%, from 31.4 MB to 17.6 MB.
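The ldd step above is the one that decides which shared objects end up in the final stage, so it is worth seeing how that output is turned into a copy list. The following POSIX shell helper is an added example written for this digest; it is not code from the ugit project or the linked article. It parses ldd output (the `name => /path (0x...)` entries, the bare loader line, and `name => not found`), copies the resolved objects into a staging root while preserving their absolute paths, and fails when any library is unresolved. The ldd text in SAMPLE_LDD is constructed for illustration and `libdemo.so.1` is a made-up library name.

```sh
#!/bin/sh
# Added example: turn `ldd <binary>` output into the exact set of shared
# objects a multi-stage build must copy into its final image.
# SAMPLE_LDD and libdemo.so.1 below are constructed for illustration.
set -eu

# Read ldd text on stdin; print each resolved library path once, in the order
# first seen. "name => not found" lines are reported on stderr and make the
# function return 1, so an incomplete image fails at build time instead of
# crashing when the container starts.
ldd_libs() {
    awk '
        /=> not found/ { print "unresolved: " $1 | "cat >&2"; missing = 1; next }
        /=>/           { p = $3; if (!seen[p]++) print p; next }   # libx.so => /path/libx.so (0x...)
        $1 ~ /^\//     { p = $1; if (!seen[p]++) print p; next }   # /lib/ld-musl-x86_64.so.1 (0x...), the loader
        # anything else (e.g. linux-vdso.so.1) is supplied by the kernel, not by a file
        END            { exit missing ? 1 : 0 }
    '
}

# Copy each library path read from stdin under the staging root $1, keeping
# its absolute path so the dynamic loader finds it at the same location in
# the final image. Blank lines are ignored.
stage_libs() {
    root=$1
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        mkdir -p "$root$(dirname "$lib")"
        cp "$lib" "$root$lib"
    done
}

# Stage a binary plus everything it links against (needs a real ldd), e.g.
#   stage_binary /bin/bash /tmp/rootfs
# The command substitution makes ldd_libs's exit status visible to set -e, so
# an unresolved library aborts the build here.
stage_binary() {
    libs=$(ldd "$1" | ldd_libs)
    printf '%s\n' "$libs" | stage_libs "$2"
    mkdir -p "$2$(dirname "$1")"
    cp "$1" "$2$1"
}

# Constructed sample of `ldd bash` output on an Alpine image (not captured
# from the article's build); the last entry is deliberately unresolved.
SAMPLE_LDD='    /lib/ld-musl-x86_64.so.1 (0x7f3a1c000000)
    libreadline.so.8 => /usr/lib/libreadline.so.8 (0x7f3a1bf00000)
    libncursesw.so.6 => /usr/lib/libncursesw.so.6 (0x7f3a1be00000)
    libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7f3a1c000000)
    libdemo.so.1 => not found'

# Demo run: prints the three distinct objects to copy, reports the missing one
# on stderr, and returns 1 because the image would be incomplete.
printf '%s\n' "$SAMPLE_LDD" | ldd_libs \
    || echo "build would fail: at least one library is unresolved" >&2
```

In a Dockerfile this runs inside the builder stage, and the final stage then copies the staging root into a scratch or minimal base. The non-zero exit on an unresolved library is the check to keep: without it, a library missing from the image only shows up as a loader error when the container first runs.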
Docker is not the future
This article discusses the author’s views on the future of Docker and containers. It highlights the author’s experience in building a remote container build service called Depot, which addresses the inefficiencies and complexities of Docker and BuildKit.
Key points:
The future is not about Docker, but about containers.
Docker has struggled with commercialization and is now heavily reliant on Docker Desktop, which is not a new product but rather a licensing strategy.
Docker and BuildKit are overly complex and inefficient, with many unnecessary features and complexities.
There are better ways to assemble containers without relying on the complexities of Docker and BuildKit.
The Traffic Police: Using mirrord to Control Outbound Traffic
https://dev.to/meowchinist/the-traffic-police-controlling-outgoing-traffic-with-mirrord-216
This article discusses a feature of the mirrord tool that lets developers control the outgoing traffic of an application while testing it against a Kubernetes cluster.
Key points:
Mirrord can be used to redirect an application’s outgoing traffic to a local environment, while still allowing the application to communicate with other services in the cluster.
The new “outgoing traffic filter” feature in mirrord lets developers specify, by destination, which outgoing connections are made from the local machine and which are still made remotely from the cluster.
The article provides a detailed example of how to use mirrord to test an “uwu-app” that communicates with an “uwu-service” in the cluster while writing to a local database instead of the database in the cluster.
The outgoing traffic filter feature, along with other mirroring capabilities, gives developers unprecedented control over how their applications interact with the cluster environment, simplifying the development and testing process.
Optimizing Wireshark in Kubernetes
This article discusses the challenges of using traditional packet capture tools like Wireshark in a Kubernetes environment and presents a new approach to improve network traffic analysis by using Falco and Falco Talon.
Key points:
The ephemeral nature of containers and the layered abstractions of Kubernetes make it difficult to capture and analyze network traffic using traditional tools.
Wireshark itself does not understand Kubernetes abstractions, making it challenging to directly associate network traffic back to specific pods or services.
Traditional packet capture strategies often result in large amounts of irrelevant data, making it harder to quickly and effectively isolate important information.
Falco and Falco Talon address these drawbacks by integrating the cloud-native detection engine Falco with the command-line version of Wireshark, tshark, for more effective and targeted network traffic analysis in Kubernetes environments.
Falco Talon’s event-driven API threat response method allows for real-time tshark captures triggered by Falco alerts, providing more focused and contextualized packet captures.
This targeted approach not only reduces the volume of captured data but also ensures that captured data is immediately relevant to detected security events, improving response time and effectiveness.
Reinventing Monitoring: The Evolution Story of Prometheus and Thanos
This article discusses how to use Prometheus and Thanos for large-scale monitoring. It covers the challenges of using standalone Prometheus setups and how Thanos addresses these limitations.
Key points:
Standalone Prometheus faces challenges in horizontal scaling, high availability, long-term storage, and caching.
Thanos is an open-source project that extends Prometheus to provide scalability, high availability, and long-term storage.
Thanos uses components such as Sidecar, Querier, Query Frontend, and Store to achieve these functions.
The article presents an integrated monitoring setup using Prometheus Operator, Querier, and Thanos components to address the limitations of standalone Prometheus.
Kubernetes Security Checklist
This article discusses the importance of implementing a comprehensive security checklist to protect Kubernetes, the ‘operating system of the cloud.’ It highlights the challenges DevOps teams face in maintaining the integrity of cloud infrastructure and applications while addressing critical security measures, especially as container environments become increasingly dynamic and ephemeral.
Key points:
Kubernetes has become the primary platform for developing and deploying cloud-native applications, but its complexity often leads to delays in implementing critical security measures.
Cloud environments are becoming increasingly complex, and by 2024, 70% of containers will have a lifespan of 5 minutes or less, making it challenging to detect and investigate abnormal behavior.
Addressing container security risks early is crucial, as delays can hinder cloud adoption momentum and exacerbate security and compliance vulnerabilities.
DevOps teams face additional burdens in creating, managing, and updating security checklists for critical cloud applications as they transition to production environments.
Rethinking security to match the speed of the cloud is essential, and a comprehensive security checklist is provided to guide the security strategy for Kubernetes and container deployments.