Securikube, part 0

I’ve been avoiding unnecessary outings because of COVID cases in our household. This is a perfect opportunity to do some research. I’ve done plenty with Docker: I’ve found it great for externalizing dependencies in development environments. I have also done security work around the edges of AKS or EKS. Next I’m interested in digging deeper into Kubernetes security inside the cluster, but I’d like to deploy a cluster or two for myself first.

I started from first principles with a basic Spring Boot application, tried some different distributions of Kubernetes, and made an application deploy. Then made the thing visible from my local computer. That took a long time. Here’s what I learned:

Apple Silicon has teething issues: I love my M1 MacBook Pro. I found the following gumption traps in my first session:

  • The official Kubernetes tutorial doesn’t work by default on ARM, as it refers to images that aren’t binary compatible.
  • Docker will throw occasional errors - either crashing on start, or having networking glitches. I’m sure that will get fixed. I’m using Rancher in the interim.
  • Minikube didn’t work out of the box. Many posts online suggest configuring minikube to use Docker, which didn’t work for me.
  • You’ll get used to setting the platform parameter everywhere, to run Intel/AMD containers instead of ARM.

The ecosystem is a loud bazaar: On the desktop there’s several different distributions of Kubernetes. Each cloud provider supports at least one implementation. The ecosystem that interacts with these is huge. Similar itches are being scratched many different ways. My view is that you needs to work out what Dev and Ops cultures matter in your team:

  • If GitOps is your thing, then you might like ArgoCD
  • If you’re into configuration as code, you might like CDK8S
  • If you like templating YAML or JSON, there are many different tools (Kustomize, Tanka out there for you.

It’s hard to choose tools correctly the first time: as communities and systems evolve, yesterday’s right choice might be today’s technical debt. If you can keep an open mind about where to apply different approaches, then you may be able to incubate newer tools and get some payoff from them. If you stick to the tools that you’re comfortable with, you may find yourself with an obsolete stack.

Where I got to with my playpen application: I’m building local images using the Docker CLI against Rancher, orchestrated with Make, and calling down to Gradle to build Java stuff. After experimenting with plain YAML and kubetcl, exploring Tanka, I finished with the Terraform provider for Kubernetes. I would want to deploy AKS or EKS infrastructure with Terraform, and to kick the tyres I will continue with Terraform to get apps lifted and shifted to Kubernetes. That won’t scale forever, and at some point I’ll find the right tools to manage the inside of the cluster. But for today, I’m going to add one new tool to the toolbelt.

DevOps New Zealand