Building Docker Images Smaller, Rootless and Non-Shell for Kubernetes

After building a Docker image faster, I wanted to build it for the K8s cluster. A container that runs on a local machine is not automatically fit for a cluster: on a cluster it should be small, run as a non-root user and carry no shell or package manager an attacker could use. I am packaging a Go application in my example, but the same principles apply to any other language.

Starting Dockerfile

I start with the following Dockerfile (Dockerfile_1), which builds the binary in a golang stage and ships it on a full Debian base, as root, with a shell:

    ARG GO_VERSION=1.20.3
    FROM golang:${GO_VERSION}-buster as builder
    WORKDIR /app
    COPY go.mod go.sum /app/
    RUN go mod download -x
    COPY . /app/
    RUN go build -o app

    FROM debian:buster
    WORKDIR /app
    COPY --from=builder /app/app /app/
    ENTRYPOINT [ "/app/app" ]

And I build it with the following command: ...
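For contrast, here is a hardened version of the same build, written as an added example (it is not the post's own Dockerfile_2 and the post's later steps may differ). It assumes the Go module has no cgo dependencies, so the binary can be linked statically, and it keeps the GO_VERSION from the post. The final stage is a distroless image with no shell and a fixed non-root uid:

```dockerfile
# Added example, not the post's own Dockerfile. Same Go build as above, but the
# final stage is rootless and shell-less. Assumes the module builds without cgo.
ARG GO_VERSION=1.20.3

FROM golang:${GO_VERSION}-buster AS builder
WORKDIR /app
COPY go.mod go.sum /app/
RUN go mod download -x
COPY . /app/
# CGO_ENABLED=0 produces a statically linked binary, so the final image needs no
# libc. -trimpath drops build paths, -s -w strips symbol and DWARF tables.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /app/app .

# distroless/static ships CA certificates, tzdata and /etc/passwd, but no shell
# and no package manager. The :nonroot tag already sets USER to uid 65532;
# the numeric USER below makes the intent explicit and survives a base change.
FROM gcr.io/distroless/static-debian11:nonroot
WORKDIR /app
# Numeric ids: name resolution would need /etc/passwd in the target stage.
COPY --from=builder --chown=65532:65532 /app/app /app/app
USER 65532:65532
ENTRYPOINT ["/app/app"]
```

Two checks are worth running on the result. `docker image inspect --format '{{.Config.User}}' <image>` should print `65532:65532`, and `docker run --rm --entrypoint /bin/sh <image>` should fail because the image contains no shell. Using a numeric uid rather than a name also matters on the cluster: the kubelet can only enforce `runAsNonRoot: true` in a Pod securityContext when the image's user is numeric, and it will refuse to start the container if the uid cannot be determined.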

April 14, 2023 · 9 min · Robert Nemet

Practical k8s: Pods

A Pod is the smallest deployable unit one can create and manage inside Kubernetes (K8s). In practice you rarely create a Pod directly. Instead, you create a Deployment, a StatefulSet, a DaemonSet, a Job, or a CronJob; these higher-level constructs create the Pods for you. Here I cover the common tasks one does with a Pod in daily work, such as getting logs, opening a shell inside a container, and debugging a Pod. ...

October 24, 2022 · 6 min · Robert Nemet

How to make exclusive locks in Kubernetes

There is an application running in a Kubernetes cluster. The goal is to protect this application from any modifications, except those coming from a predefined actor.

Setup Requirements

To start, let's set up the Kind cluster and Klock. I assume you already have Kind installed. Now let's create a cluster and install all requirements:

    # Create cluster:
    kind create cluster
    # Install cert-manager:
    kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.yaml
    # Install Klock:
    helm repo add rnemet https://rnemet.dev/helm-charts
    helm repo update
    helm install klock rnemet/klock

Setup Scenario

My application has one Pod and one ConfigMap. By default Klock supports locking Deployments, Pods, Secrets, and ConfigMaps, so I am covered there. ...

October 1, 2022 · 4 min · Robert Nemet

Klock

Problem

In an event-driven system like Kubernetes, access to a resource can be restricted with RBAC. RBAC, however, is not designed to place a mandatory or exclusive lock on a particular resource. It is not impossible, but I found it complicated and error-prone. Sometimes I want:

    The CronJob named daily-report is constant: no one can DELETE or UPDATE it.
    The workload payroll can be modified only by the actor with UID aa-dd-f445-d-55-d and no one else.
    All resources with the label site: for-fun can be updated, but not deleted.

Solution

With RBAC it is possible to partially meet these requirements, but when working in teams, with operators, different automation tools, etc., something can always go wrong. ...

September 7, 2022 · 2 min · Robert Nemet

Kubernetes in the bottle: k3d and k3s

Everyone wants to play with Kubernetes (K8s). There are many managed offerings from Google, AWS, and others, with free tiers that anyone can try. But what if you want your own K8s, on your laptop, for fun or to learn something new, without any restrictions?

What is k3s

K3s is a lightweight K8s distribution from Rancher for Linux. It is intended for low-resource and IoT devices, so it runs easily on a laptop. It is packaged as a single binary, so it is easy to set up. k3d, in turn, runs k3s nodes inside Docker containers, so k3d requires Docker to be installed. ...

March 11, 2021 · 5 min · Robert Nemet