Bullish DevOps News/Updates — May 2021

Bullish DevOps News/Updates May edition is here! We provide a compendium of recent DevOps news, updates, recommendations, and other helpful DevOps-related content every month. This digest is created for DevOps engineers, developers, system administrators, IT operation specialists, IT leaders and other DevOps-impassioned people to be updated about the DevOps World’s latest news and useful insights. So, in the May issue: systemd service security improving, choosing a right PaC solution, the most well-known cloud platforms comparison, and many other delicious DevOps-allied treats.

How to improve systemd service security

With hackers attacks increasing daily, organizations are entirely in search of ways to minimize the attack surface. One of the best methods is to resort to containerization, however, with apps developed on systemd, it could be hard. So, how to strengthen the security of systemd-based software with the help of features like sandboxing. This is discussed by Alessio Greggi in his “Systemd Service Hardening” work.  

How to pick a proper Policy-as-Code solution

While on the subject of container cluster security improvement, we’ve chosen to share these articles from Amazon on “Policy-based countermeasures for Kubernetes” Part 1 and Part 2. In these issues, AWS experts stress the need for policy-as-code solutions (PaC) for automated security, compliance, and privacy controls to detect, reduce and, more importantly, prevent each known and unknown threat. With the right PaC solution, organizations can reuse DevOps and GitOps strategies to manage and apply the countermeasures across fleets of container clusters.

How to write a custom Kubernetes operator

In the “Writing a Kubernetes Operator: From Zero to Hero” article, Anupam Gogoi explained how to create a very simple k8s custom operator from zero using the Operator-SDK. Operators are the product extensions that utilize custom resources to operate the software and its components. More detailed information about operators you can find here. The author stressed that users can create any custom operator leveraging any language they like. 

Template Files with HashiCorp Packer 

Presently, for OS configuration just before you connect it to the VM you need to utilize the boot-command argument. A boot_command imitates manual keystrokes and sends them at a regular cadence. You aggregate these keystrokes for installing and configuring packages in a preseed file. Packer allows sharing preseed files by making them available statically through an HTTP server. In this post, Adrien Delorme showed how to use the http_content and the template file functions combined to build preseed file templates for two Ubuntu images: with HashiCorp Nomad and with HashiCorp Consul. 

GCP / AWS / Azure services comparing

Pretty often cloud-platform users face the problem of service abundance and get confused with all the product names, definitions, prices, etc. which leads to unreasonable waste of resources. With that, Google presented a table that listed generally available Google Cloud services and traced them to similar offerings in Amazon Web Services (AWS) and Microsoft Azure. Additionally, users can filter the list with keywords like service type, capability, or product name. Plus, you can estimate and compare costs here. 

Dealing with custom resource definition service

If you want to introduce your own extensions (a.k.a custom resources) into the Kubernetes cluster, getting acquainted with a custom resource definition (CRD) file is a must. CRD defines your own object kinds and lets the API Server handle the entire lifecycle. This frees you from writing your API server to deal with the custom resource. Here is a comfortable, open-source service to create CRDs presented by GitHub pro bono. 

How to run Ceph on k8s with Rook top practices

Ceph and Kubernetes are sophisticated tools that harmonize interactions between the two. This is especially true for users who are new to any of these systems. The questions they ask are as follows: How can I restrict Ceph to a fraction of my nodes? Can I set Kubernetes CPU or RAM limits for my Ceph daemons? How can I improve the performance of my cluster? This document, presented by SUSE experts, describes proven patterns and best practices to answer these and other questions. The examples and tips based on Ceph Octopus (v15) with Rook v1.3 running on a Kubernetes 1.17 cluster will help you configure and manage your Ceph cluster running on k8s to meet your needs.

Kubernetes SSO – detailed guide

In his “Kubernetes Single Sign-on (SSO)” guide Ben Dixon showed how to set up an end-to-end group SSO for Kubernetes, including kubectl CLI, any web ingress-kind app, docker registry, and Gitea. He covered most of the common SSO models, for them to be easily adapted to other tools like Gitlab, Kibana, Grafana, etc. The complete solution uses Keycloak supported by OpenLDAP. OpenLDAP is required for the Gitea component but can be skipped for other components, including OIDC-based SSO for kubectl.

Wrapping things up

Bullish DevOps News/Updated digest is created every month to make sure specialists who have made DevOps their life’s project catch up with all state-of-art and handy info from the DevOps world. You are very welcome to share your thoughts in the comments. Tell us what was good to learn in the May edition and what you want to read about in the June issue, which is just around the corner.