Another very interesting new feature from the latest re:Invent is the EKS Pod Identities: a new ability to manage Pod access to AWS resources. The current state: IAM Roles for Service Accounts Before that, we used the IAM Roles for Service Accounts (IRSA) model, where in order to give a Pod access to, for example,… Read More »
We have two new projects in the Elastic Kubernetes Service (см. AWS Elastic Kubernetes Service: a cluster creation automation, part 1 – CloudFormation), each project lives in its own separate Namespace. In addition, there are two users, developers, who need to be given access to these two Namespaces, but only to Pods in them and… Read More »
We continue to develop our monitoring stack. See the first part – VictoriaMetrics: creating a Kubernetes monitoring stack with its own Helm chart. What do we want to do next: give access to developers so that they can set Silence for alerts themselves in Alertmanager to avoid spamming Slack, see Prometheus: Alertmanager Web UI alerts… Read More »
Storing access data in Kubernetes Secrets has an important drawback, because they are only available within the Kubernetes cluster itself. To make them available to external services, we can use Hashicorp Vault and integrate it with Kubernetes using solutions such as vault-k8sor use services from AWS – Secrets Manager or Parameter Store. Integrating AWS Secrets Manager and Parameter… Read More »
Currently, I’m setting up a new EKS cluster. Among other things, I’m running ExternalDNS on it, which uses a Kubernetes ServiceAccount to authenticate to AWS in order to be able to make changes to the domain zone in Route53. However, I forgot to configure the Identity Provider in AWS IAM and ExternalDNS threw an… Read More »
Instance metadata (IMDS – Instance Metadata Service) – data about an EC2 instance, such as information about AMI, IP, hostname, etc. You can also add User Data to Instance Metadata to store some parameters, which can then be retrieved inside the instance. See Instance metadata and user data and Instance metadata categories. From the beginning of the… Read More »
Pritunl is a VPN server with a bunch of advanced security and access control features. In fact, it is just a wrapper over OpenVPN, adding such Access Control Lists to it in the form of Organizations, users, and routes. The task is to deploy a Pritunl test instance in Kubernetesб so we can take a… Read More »
AWS VPC Flow Logs allow you to log traffic information between network interfaces in a VPC. Further, these logs can be stored in AWS S3 or sent to AWS CloudWatch Logs, while enabling traffic logging does not affect the performance of the network interface in any way. Let’s briefly review the basic concepts, and… Read More »
The rtfm.co.ua blog is quite slow for users. For example, you can test your website using the https://gtmetrix.com: 4.3 seconds till full load! That’s awful. At the bottom of the results, you can check top of issues on a site: At first, the page size is 1.16 MB, which is big enough. The second thing… Read More »
During an SSH connection, I started getting the “Too many authentication failures” error message from a remote host. The error, and its cause Actually, the root cause is simple: during establishing a new SSH connection, the local ssh-client first tries to use keys, that are loaded by the local ssh-agent, and only after that will… Read More »