2024 Highlights

Launching BuildSafe

BuildSafe, a project designed to address compromised supply chains by helping organizations build tamper-proof, zero-CVE artifacts, has had a groundbreaking year. Its developer-friendly approach and compliance with government regulations have positioned it as a transformative tool in the cloud-native ecosystem.
Key milestones for BuildSafe this year:

• Zero-CVE Base and Application Images: Empowered organizations to create secure, zero-CVE images, ensuring high standards of security and reliability.

• Hermetic Builds: Introduced seamless hermetic builds for organizations to achieve superior supply chain security.

• SLSA Compliance: BuildSafe provides high quality SBOM’s and also helps you achieve higher SLSA Levels.

• Community Growth: Built a thriving community of over 250+ members, fostering collaboration and innovation.

As BuildSafe continues to evolve, the mission remains clear: to simplify supply chain security while empowering organizations to innovate securely. Join us and lets get to zero CVE and go beyond SLSA Level 3.

Kubestronaut

Kubestronaut is a title recognising individuals who have cleared the CKA, CKAD, CKS, KCNA, and KCSA certifications. This was launched at KubeCon EU 2024, and I’m honoured to be part of the CNCF certification journey. I’ve also authored two books CKA and CKS to help others on this path.

Note - Use coupon “newyear” to avail 60% off :) Happy new year!

Thanks to my CNCF Ambassador program, I received a coupon for these certifications and managed to complete all of them in just one week, it was a fun and intense experience!

This is the FREE CKS playlist that I am creating and will be completed very soon in 2025.

CNCF TAG Sustainability Lead

I became a CNCF TAG Sustainability Lead in 2024, and I’m deeply grateful to the current TAG leads, co-chairs, and the CNCF TOC for this opportunity. This role aligns perfectly with my passion for creating impactful sustainability initiatives within the cloud-native ecosystem.

Notable achievements so far:

• Initiated TAG Sustainability APAC Meetings to involve more contributors from the region.

• Actively contributing to sub-projects under the TAG, ensuring we achieve the sustainability goals.

• Encouraging the community to use existing tools and practices to create an immediate impact.

If you’re interested in sustainability, join the Slack community and explore the amazing ongoing projects!

Career Transition: New Beginnings at Loft Labs

This year marked a significant shift in my professional journey. After almost four years at Civo, where I rose to the position of Field CTO, I decided it was time for a new challenge.

In June, I joined Loft Labs as Principal Developer Advocate. I already knew a few folks from the team and was familiar with their innovation in multi tenancy space. I even streamed a demo of vCluster on Kubesimplify back in 2021.

At Loft Labs, my focus is on solving Kubernetes multi-tenancy challenges, a key technology focus area highlighted at KubeCon NA, alongside reducing Kubernetes costs. It’s been an exciting journey so far, working with a visionary team to drive innovation.

Content Creation at Kubesimplify

This year has been amazing for Kubesimplify in terms of the quality and quantity of content we’ve produced. We significantly upgraded editing and video quality to 4K, added more comprehensive courses, and conducted frequent live streams throughout the year.

Highlights:

Kubesimplify English
This year was the year of courses, with two main ones I want to highlight:

• WASM Course: Created in collaboration with Rishit, this is one of the best WebAssembly courses available, offering a unique cloud-native perspective.

  %[https://www.youtube.com/watch?v=eYekV2Do0YU&t=11736s]

• The Complete DevOps Project:

  • Built a Golang application with PostgreSQL using CloudNativePG.

  • Instrumented the application with Prometheus, displaying metrics in Grafana.

  • Showcased load testing using K6 and scaling with HPA.

  • Secured the app with Cert-Manager and Gateway API for HTTPS.

  • Implemented CI/CD using GitHub Actions for CI and ArgoCD for CD.

  • Built a zero-CVE base and application image using BuildSafe, with builds executed via ko.

  • Hosted the app on managed Kubernetes clusters (AKS or GKE) created with ksctl.

Spooky Halloween Series
Inspired by Saloni’s imagination, we created a fun and spooky Kubernetes troubleshooting series. This was a labor of love to simplify Kubernetes troubleshooting for the community.

Content Summary for 2024:

• 38 videos

• 8 live streams

• 30 shorts

Kubesimplify Hindi

I elevated the Hindi channel to the next level with a mission not just to simplify Kubernetes but also to dive deeper into its complexities. The Kubernetes Bootcamp Live series has been a standout, with daily messages from viewers appreciating its detail and depth. This long-term commitment: 3-4 months of weekly detailed live streams, has been incredibly rewarding.

Overall stats for Kubesimplify Hindi - Although I was hoping for more on this particular channel

• 5 videos

• 16 shorts

• 15 live streams

Special New Year 2025 Surprise: "Let’s Get Certified Together"
Starting in January, I will launch a members-only live stream series to help participants achieve Kubernetes certifications. This includes access to a private Discord server for members, and to my surprise, we already have 10+ members signed up!

If you want please follow this livestream

Note: All members-only live streams will be made public for free one month later.

Conferences

Attending and speaking at conferences remains a highlight of my year. Being remote, these events provide a fantastic opportunity to meet people, share my work, and learn from others.

Key Themes of 2024 Talks:

1. Cloud-Native and AI

2. Sustainability

3. Multi-Tenancy and Cost Optimization

4. WebAssembly (WASM)

Below is the list of talks I have done this year:

• Civo Navigate US(Feb)- Generative AI in the Kubernetes Era with Kubeflow with Saiyam Pathak

• Wasm I/O 2024(March):
  - Accelerating ML Inferencing with WebAssembly & Spin 2.0
  - Sustainability with WASM? - faster, greener computing [Panel]
  - Create Production-Grade Wasm Applications on Kubernetes [Workshop]

• KubeCon EU 2024(March):
  - Building a Tool to Debug Minimal Container Images in Kubernetes, Docker and ContainerD
  - Heating Pools with Cloud Power: A New Wave in Green Computing

• KCD Pune(April) - Keynote: Let’s do Generative AI on Kubernetes (Not Recorded)

• KCD Hyderabad(June) - Keynote: Supply Chain Security in 2024 - Saiyam Pathak, Loft Labs - KCD Hyderabad

• ContainerDays 2024(September) - Building Scalable Cloud Native AI Apps with WebAssembly

• WasmCon 2024(November) - Exploring the Landscape for Open Telemetry for Wasm

• KubeCon NA 2024(November):
  - Cloud Native Sustainability Speedrun: Tools from Infrastructure to Application
  - The Spice Must Flow Green: CNCF's Environmental Sustainability TAG

• SOSS Community Days 2024(December) - Cooking up Secure OCI Artifacts with SLSA

• KubeCon India 2024(December) - Cell-Based Kubernetes - The Secret to Scalable, Repeatable and Resilient Cloud Architecture

Meetups

• CNCG Chandigarh - 10 years of Kubernetes

• CNCG Delhi - Secure Multi-Tenancy with vCluster and Falco

• GDG Bengaluru - Celebrating 10 Years of Kubernetes: Innovating Multi-Tenancy with vCluster

• Platform Meetup Bengaluru - Kubernetes Multi Tenancy.

Webinars

I also conducted webinars with Sysdig, SUSE, and PerfectScale, focusing on Kubernetes, sustainability, and multi-tenancy.

Personal Growth

2024 wasn’t just about professional milestones. I prioritised health and family this year:

• Health: Focused on yoga and dietary changes to maintain a healthier lifestyle.

• Family: Spent more quality time with my family, It’s always rewarding.

Additionally, I created a lot of content for vCluster on the Loft Labs YouTube channel, further contributing to the community.

In the end I would like to say a huge thanks to the community for appreciating the content I have been creating. If you want to support, just hit that subscribe button on YouTube channels and follow us everywhere:

• KubeSimplify English Youtube

• Kubesimplify Hindi Youtube

• Kubesimplify Blogs

• Kubesimplify Discord

• Newsletter

• Instagram

Here’s to an even more impactful 2025! 😊

KubeCon CFP results came in and I am giving 2 talks this season hopefully in person with my friends.

Students Ambassador program

The Student Ambassador program is going great, with over 100 submissions and it is going international ❤ Great to see the support from my friends in spreading the word! The applications will remain open so you can apply/share. I will keep on improving the initiative.

Videos

• Knative Walkthrough — Knative is a serverless platform on top of Kubernetes and in this video, I go over Knative serving and Knative eventing with a demo for each of them.

• KubeVirt — This is the recording from my alldaydevops session but still very valid and its adoption is increasing even more so be sure to check that out.

• Harvester by Techno Tim — Harvester is an open source HCI solution, I have a couple of streams on my channel as well with the maintainers of the project. It is based on Kubevirt layer so make sure to check out this project.

• Kubernetes vcluster “clusters in clusters” by my friends Lukas and Rich on Bret Fisher channel.

• Code Coverage for BPF Programs with bpfcov by Leo and Liz.

News and Announcements

• KubeCon EU 2022 Schedule is out — Check and register today!!

• Backstage project joins the CNCF Incubator — open platform for building developer portals maintained by a global community

• in-toto moves to CNCF incubation — this is a project in supply chain security space.

• Knative accepted as a CNCF incubating project — A huge step towards the adoption of Knative. It is an amazing project that everyone needs to check out!

• minikube GUI — Yes you heard it right, Minikube launched it’s most requested feature GUI (experimental), be sure to check that out.

• WASM on Exercism — 21 exercises from hello world to circular ring buffer exploring WebAssembly.

• Artifact Hub now checks if container images packages have been signed with cosign from sigstore.

• Moby v0.10.0 — Making every docker build a bit better.

Awesome March reads

• Hosting a React App with OpenFaaS — In this post, you will learn how to deploy a React app as an openfaas function ~ by Alex Ellis

• How to Run Docker in Rootless Mode — In this article you will learn a sample set up to run Docker in rootless mode though there are other tools like podman that can help you achieve it with ease. Also, Sysbox is another alternative that let you run rootless containers in Kubernetes. ~ by JACK WALLEN

• Scripting with Go by bitfieldconsulting — fancy shell scripts in go ;)

• Is WebAssembly Susceptible to Log4Shell-style Attacks? by Matt butcher

• Introducing apko — apko enables the creation of minimal, small-attack-surface images without the complications of relying on Bazel by Ariadne Conill.

• A case-study in end-to-end testing with Golang — Another great blog by my friend Alex on unit testing vs e2e testing and how to improve them with Go.

• 6 CNCF Projects for CI/CD — Interesting landscape and checkout my CNCFMinutes video for Flux and Argo.

• Model Server: The Critical Building Block of MLOps by Janakiram

Learning resources/repositories

• Flamingo — FSA (aka Flamingo) is the Flux Subsystem for Argo. FSA’s container image can be used as a drop-in replacement for the equivalent ArgoCD version to visualize, and manage Flux workloads, along side ArgoCD.

• Advanced Go Playground — frontend written in Go, with syntax highlighting, turtle graphics mode, and more

• strimzi — Apache Kafka running on Kubernetes

• Simple Docker project for beginners by Pavan

• Traefik Academy by my friend Adrian

Learn from Twitter

When your apps receive a ton of traffic, how do you scale your Ingress Controller in Kubernetes?

Here is what I do 👇 pic.twitter.com/T6aYurE7Lj

— Daniele Polencic (@danielepolencic) March 2, 2022

What is SSH ?#Linux #ssh #encryption pic.twitter.com/YDnVxAyxaU

— Rakesh Jain (@devops_tech) March 3, 2022

Let's talk about Rust.

A language with a steep learning curve but one of the most rewarding programming languages out there.

It powers parts of AWS, Dropbox, and even some important blockchain projects.

A thread. ↓ pic.twitter.com/UbwPLrDvN4

— 🇺🇦 Oliver Jumpertz (@oliverjumpertz) March 10, 2022

Sponsored content

This issue is brought to you by Cloudcasa, Sysdig, Robusta, Suborbital, Armo, SlimAI and Teleport ->

Cloudcasa is Free Kubernetes Backup and Cloud Migration with Cyber-Resilience as-a-Service. Mi Casa es Tu Casa!

Sysdig is driving the standard for cloud and container security. The company pioneered cloud-native runtime threat detection and response by creating Falco and Sysdig as open source standards and key building blocks of the Sysdig platform

ARMO assures DevOps, DevSecOps, and developers that every workload, cluster, container, and microservice is born and remains secure, from development to production and from configuration to run-time, every time. They are the creators of Kubescape.

Robusta — an open source platform for Kubernetes troubleshooting and automation. Robusta automates your incident response and troubleshooting — what Docker did to Day 1, Robusta does to Day 2.

Suborbital Making cloud native WebAssembly easy.

SlimAI — giving developers the power to build better cloud-native applications with less friction, complexity, and waste.

Teleport is the easiest, most secure way to access all your infrastructure. The open-source Teleport Access Plane consolidates connectivity, authentication, authorization, and audit into a single platform.

Latest from them

• CVE-2022–0847: “Dirty Pipe” Linux Local Privilege Escalation By Jason Avery ~ Sysdig

• Launching Sat Beta-1: Still tiny, still mighty By Connor Hicks ~ Suborbital

• CVE-2022–0492 — Privilege Escalation and Container Escape Vulnerability and its impact on Kubernetes By Leonid Sandler ~ Armosec

• CloudCasa Adds AWS Cloud Security Posture to Kubernetes Security Posture Reviews By Cloudcasa

• Kubernetes is the POSIX of the cloud By Natan ~ Robusta

• The 3 S’s of Software Supply Chain Security: SBOMs, Signing, Slimming By John Amaral ~ SlimAI

• SSH into Docker Container or Use Docker Exec? ~ Teleport

Individual supporters

Thank you to the amazing members -> Rawkode, Marky, Noel, Walid, Cedric , Jack , Blaize D’souza, ChadMCrowell, Dan POP, Meaux and Phil Shapiro

Special thanks to Catalogic, Sysdig, ARMO, Suborbital and Robusta for being an Org member and to SlimAI and Teleport for being a platinum member.

Some amazing partnerships coming up that will be announced on Twitter so keep an eye out if your org wants to grow the community and support my work then consider becoming a member as it comes with a lot of benefits(membership program)

Do not forget to subscribe to my YouTube channel

Thank you for reading this edition and hope you like it. Please take a minute to subscribe to the newsletter and let me know if you are doing something great that will benefit the community, I will include that.

bio.link/saiyampathak

February has been an interesting month as I had really nice conversation with the community and some organisations who are doing rad stuff in cloud native ecosystem, I personally learned a lot to understand the products they are running on the cloud and the problem they are solving. I believe talking to customers/orgs make you think more about what people are actually using to deploy their stuff for their customers and helping them solve a particular problem.

February is also celebrated as a love month throughout the globe, so let’s take this to cloud native level and celebrate all the projects that helped you, maintainers who made it happen, tag your favourite maintainer and favourite project on Twitter with hashtag #loveopensource and show then the love you feel for them as a maintainer or the project.

I am also glad to announce that I have 5 Org memberships and 2 Platinum memberships who are supporting my work with 11 individual members. Thank you all and if you want to support my work feel free to check out membership for Org membership please reach out first.

Let’s begin with the content now!!

Videos

• Chaos engineering 2022 — I gave this talk at Chaos carnival and it felt good as over 150+ people joined, this video gives an introduction to chaos engineering, cloud native chaos engineering, tools — Litmus and Chaos mesh and the whitepaper.

• CNCFMinutes video — ArgoCD — The best primer you can get on AgroD ;)

• My friend David had great live streams on Robusta Klustered check them out.

• Kunal posted videos on Docker and Kubernetes — Great for beginners, check them out.

• What is SRE by Nana

• Terraform Complete course by Sid Palas

• Check out the awesome talks from the containers devroom at FOSDEM 2022

News and Announcements

• CNCF Sees Record Kubernetes and Container Adoption in 2021 Cloud Native Survey — It shows how everyone is adopting containers and Kubernetes where more people are adopting managed Kubernetes offering from could providers.

• Docker makes comeback with over $50M in ARR two years into restructuring — This is an interesting read on how docker in the last year made over $50million annual recurring revenue.

• WebVM: server-less x86 virtual machines in the browser — a server-less virtual Linux environment that runs unmodified Debian binaries in the browser powered by CheerpX, a WebAssembly virtualization platform. try here

• The 20 Coolest Cloud Infrastructure Companies Of The 2022 Cloud 100 — Happy to see Civo listed in there :)

• CNCF Kubecon scholarship — Apply for scholarships before 13th March.

• CNCF Archives the Opentracing Project

• Include diagrams in your Markdown files with Mermaid

Nice February reads(1st to 15th Feb)

• CKA and CKAD Exam tips by Edidiong Asikpo — It will help you with various tips from the people who have cleared the exam in past.

• Keyless Signing with Tekton on AKS — sigstore is everywhere by Nghia Tran

• How to Enhance Nmap with Python by **Jose Vicente Nunez**

• A Primer: Accessing services in Kubernetes by Alex Ellis

• Kubernetes Security Best Practices: Definitive Guide by Armosec

• How to read WASM — Follow this series to understand WebAssembly from scratch by Divya Mohan

• Best Practices for Multi-tenancy in Argo CD by Dan Garfield

Beginners highlight — This is the section where I want to include and motivate people who are just starting!

• Tekton CI simplified by Avinash Upadhyaya

Learning resources/repositories

• API traffic viewer for Kubernetes

• Kubernetes instance calculator by my friends at Learnk8s

• Read and Organize Markdown Files in Linux Terminal With Glow

• Kubernetes YAML best practices, hygiene & security

• tf-controller — GitOps Terraform at your own pace

• ArgoCD demo repo — try on your own

Learn from Twitter

Sponsored content

This issue is brought to you by Cloudcasa, Sysdig, Robusta, Suborbital, Armo, SlimAI and Teleport ->

**Cloudcasa** is Free Kubernetes Backup and Cloud Migration with Cyber-Resilience as-a-Service. Mi Casa es Tu Casa!

**Sysdig** is a cloud-native visibility and security company that provides cloud and container security for enterprises and their DevOps teams. They are the creators of Falco.

**ARMO** assures DevOps, DevSecOps, and developers that every workload, cluster, container, and microservice is born and remains secure, from development to production and from configuration to run-time, every time. They are the creators of Kubescape.

**Robusta** — an open source platform for Kubernetes troubleshooting and automation. Robusta automates your incident response and troubleshooting — what Docker did to Day 1, Robusta does to Day 2.

**Suborbital** Making cloud native WebAssembly easy.

**SlimAI** — giving developers the power to build better cloud-native applications with less friction, complexity, and waste.

**Teleport** empowers engineers to quickly and securely access any computing resource anywhere on the planet. The Access Plane allows engineers and security professionals to unify secure access and provide visibility to infrastructure, applications, and data across all environments.

Latest from them

• Kubernetes Security Posture Review and Cross-Cluster Restores with New CloudCasa Release — Cloudcasa

• Sysdig Secure — When cloud provider security services are not enough — Sysdig

• CVE 2022–24348 — Argo CD High Severity Vulnerability and its impact on Kubernetes — Armo

• 100 Kubernetes tools playlist by Robusta

• Integrate Testing into Your Container Pipeline — SlimAI

• How Teleport Uses Teleport to Create and Maintain Shared Demo Environments — Teleport

Individual supporters

Thank you to the amazing members -> Rawkode, Marky, Noel, Walid, Cedric , Jack , Blaize D’souza, ChadMCrowell, Dan POP, Meaux and Phil Shapiro

Special thanks to Catalogic, Sysdig, ARMO, Suborbital and Robusta for being an Org member and to SlimAI and Teleport for being a platinum member.

Some amazing partnerships coming up that will be announced on Twitter so keep an eye out if your org wants to grow the community and support my work then consider becoming a member as it comes with a lot of benefits(membership program)

Do not forget to subscribe to my YouTube channel

Thank you for reading this edition and hope you like it. Please take a minute to subscribe to the newsletter and let me know if you are doing something great that will benefit the community, I will include that.

bio.link/saiyampathak

January has come to an end and It’s ok if you took a long break and have not started 2022 in full force. Sometimes it’s ok to take a break, relax and then come back strong. I see so many people on social media who produce great content every day, who help the community every day and I feel so good that I am in the human first circle of people.

Overall January has been good in terms of my work, learning and community contributions. To summarise I did

• 2 Events — A Keynote at DevSecOps conf and session at Chaos Carnival.

• 2 Blogs — Cloud Trends 2022 and HTTPS ingress controller with your own TLS certificate

• 3 Video uploads — Certifications are they worth it? , Sysbox and Rancher Desktop 1.0.

• 2 Twitter spaces — Kuberentes certs AMA with Brag and Walid and Startups/funding/VC’s — let’s try to understand the whole process. (the recording is only available till 30 days from the actual event)

• 2 Newsletters (this is the second one ;) )

• CFP review for KubeCon EU

• Exciting stuff at Civo

I have interacted with many people and also started the DevOps roadmap Discord channel so that I can be with you on this journey while you are learning and getting upskilled.

This month was also good in terms of the response I have received for ORG membership plan — I have onboarded Armosec, Suborbital, Robusta as the new org members and I have SlimAI and Teleport as Platinum members.

There are individual memberships as well if any individual wants to support my work and there are 8 individuals who are already supporting my work.

Videos

• WTF are eBPF & Cilium? with Liz Rice and Christopher Luciano — It will blow your mind!

• Sysbox — Next generation runc — this is a super interesting project with rootless containers and the ability to run most of the VM like workload.

• Rancher Desktop 1.0 — Rancher desktop and nerdctl is the full docker replacement if you are looking for one.

News and Announcements

These are the announcement in the past 15 days:

• Sysdig 2022 Cloud‑Native Security and Usage Report — Gives a nice infographic container usage and security. Interestingly 58% of containers are running as root!

• Prometheus Rust client library — Open Metrics client library allowing users to natively instrument applications.

• Slim.AI series A announcement — they are the creators of Dockerslim and taking things to next level.

• 1Password has raised $620 million (USD) in the largest funding round ever for a Canadian company. — I think this came out as an amazing announcement, we all love 1Password and they are doubling down on protecting the digital privacy.

• Rancher Desktop 1.0.0 Has Arrived — Bundled with nerdctl(docker like UI/UX cli for contained) Rancher Desktop is quickly becoming a favourite desktop application for running Kubernetes.

Nice January reads(15th — 31st Jan)

Do check out the awesome reads from the community in my previous newsletter as well. Looks like the community has doubled down on creating awesome content!!

• Cloud trends 2022 — These are my tailored predictions for 2022 and I think the cloud native community and some amazing startups are going to grow in this space.

• How To Call Kubernetes API using Simple HTTP Client — Ivan writes his post with so many details and with great diagrammatic representation that makes it a treat to read.

• WTF is Chainguard ? — Chainguard has been hiring amazing people from the cloud native community and building a dream team out there, this blog gives the answer to the most important question!

• Tutorial: Getting started with generics in Go — neat introduction to Generics in Golang.

• Introducing Ephemeral Containers — Ephemeral containers are a new type of container that is part of the Kubernetes core API and may be added to an existing Pod for administrative actions like debugging, it runs until it exits, and it won’t be restarted.

• Hardening Kaniko build process with Linux capabilities — Kaniko is a tool to build images from Dockerfile or inside a Kubernetes cluster and this article takes a step further to harden the whole build process.

• There is such a thing as an open source business model

• Building GitHub Apps with Golang

• Debugging Your Kubernetes Nodes in the ‘Not Ready’ State | nodenotready

Learning resources/repositories

• Algorithms implemented in Go for beginners, following best practices.

• https://www.tldraw.com/ — Alternative to excalidraw

• OPA Guidebook

• merbridge — Use eBPF to speed up your Service Mesh like crossing an Einstein-Rosen Bridge.

• Systemd by example playground — dope and you should check this out.

Learn from Twitter

Tweet1

Tweet2

Sponsored content

This issue is brought to you by Robusta, Suborbital, Armo, SlimAI and Teleport ->

**ARMO** assures DevOps, DevSecOps, and developers that every workload, cluster, container, and microservice is born and remains secure, from development to production and from configuration to run-time, every time. They are the creators of Kubescape.

Robusta — an open source platform for Kubernetes troubleshooting and automation. Robusta automates your incident response and troubleshooting — what Docker did to Day 1, Robusta does to Day 2.

Suborbital Making cloud native WebAssembly easy.

SlimAI — giving developers the power to build better cloud-native applications with less friction, complexity, and waste.

**Teleport** empowers engineers to quickly and securely access any computing resource anywhere on the planet. The Access Plane allows engineers and security professionals to unify secure access and provide visibility to infrastructure, applications, and data across all environments.

Latest from them

• CVE-2022–0185 — What does the newest kernel exploit mean for Kubernetes users and how to detect it? — Armo

• Kubernetes is complex because you want complex things — Robusta

• AssemblyScript vs. Rust: Which Is Right for Your Wasm App? — Suborbital

• Where Shift Left Goes Wrong — As if cloud infrastructure were not complex enough, there’s a whole new complication to contend with: Shifting left. — SlimAI

• What a Modern PAM Solution for Cloud-Native Applications Looks Like — Teleport

• How to Use SSH Agent Safely — Teleport

My supporters

Thank you to the amazing members -> Rawkode, Marky, Noel, Walid, Cedric , Jack , Blaize D’souza, ChadMCrowell and Phil Shapiro

Special thanks to ARMO, Suborbital and Robusta for being an Org member and to SlimAI and Teleport for being a platinum member.

Some amazing partnerships coming up that will be announced on Twitter so keep an eye out if your org wants to grow the community and support my work then consider becoming a member as it comes with a lot of benefits(membership program)

Do not forget to subscribe to my YouTube channel

Thank you for reading this edition and hope you like it. Please take a minute to subscribe to the newsletter and let me know if you are doing something great that will benefit the community, I will include that.

To succeed the only mantra is to do hard work and there are people in the cloud native ecosystem who are ready to help you get the direction. Keeping this thing in mind I created the “**DevOps roadmap 2022**” aiming to help thousands and make them job-ready. I want more people to take benefit of the free resources available and be part of cloud native community ending up in great jobs! All this just requires dedication and hard work from your side + the will to learn. Nothing else is required and yes ANYONE can learn.

The video has crossed 40k+ views and I also created a GitHub repository where people are sharing their journey and progress, it is so great to see so many people coming together to learn.

I also started an org membership plan that the organizations can join, this plan helps them with various benefits as mentioned on the membership page(though reach out first before purchasing it). I only have 8 slots to fill in and already 3 are taken and 3 are in progress. I got a great response from the companies and they loved the plan.

Videos

I did my first keynote for 2021 where I gave a talk on “Kubernetes security tools”. I discussed:

• What is DevSecOps

• 4C’s of security

• Kubernetes security

• CNCF Security landscape

• Falco

• Terrascan

• Kubescape

I also uploaded another video this month — “Certifications, are they worth it?” covering my viewpoint on Certifications and their importance. I covered this topic wrt cloud and Kubernetes certs but it fits all domains.

I will be creating more videos in the coming weeks mostly covering CNCF projects(CNCFMinutes) and a few walkthrough videos just like I did for Kubestr and Portainer.

CKS book update — 1.22

I updated my CKS book which is helpful in preparing for Kubernetes CKS certification to Kubernetes version 1.22. Basically, I re-ran all the scenarios on Kubernetes 1.22 cluster and updated them wherever necessary.

• A new playground for 1.22

• Updated a few scenarios including PodSecurityPolicy

• Kind cluster addition for local practice

• Added to the scenarios where containerd matters and where it will not matter that much

• Colour coding change

• Added images to Falco to make it more clear

This is the major upgrade and is free for people who already purchased in the past, for the rest you can buy the book here.

Katacoda Scenarios

I have been using Katacoda for a long time but now I want to help even more people by creating a few scenarios so that people can run/test things right in the browser and learn/practice quickly.

I have started creating scenarios and created a couple already, let me know what all scenarios you think would be beneficial for the community and I can spend some time from my weekends to create new Katacoda scenarios.

Kubernetes 1.22 + Container scenario

Kubescape scenario

News and Announcements

• Grafana University — a virtual hands-on education platform that’s free and easy to use covering concepts of observability and getting hands-on with Grafana.

• Kubernetes moving away from dockershim — process and timeline for deprecation.

• Civo Kubernetes with Cilium CNI — Now you can create Civo Kubernetes cluster with Cilium as the CNI

• CFP’s are open for KubeCon colocated events

• ​​BumbleBee: Build, Ship, Run eBPF tools

• LitmusChaos becomes a CNCF incubating project

Nice January reads

• Top 10 Linux security tutorials for sysadmins from 2021

• What an SBOM Can Do for You

• Install Kubernetes 1.23, containerd, and Multus CNI the Easy Way

• Working with Kubernetes API — Resources, Kinds, and Objects

• Kubernetes + Postgres Cluster From Scratch on Rocky 8

• Poly Haven — How we handle 80TB and 5M page views a month for under $400

• 5 AI Trends to Watch out for in 2022

• 7 Kubernetes Companies to Watch in 2022

• eBPF for security: a beginner’s guide

• Kubernetes — HTTPS ingress controller with your own TLS certificate

Learning repositories

• Kubernetes client-go examples

• go-internals — it is a work-in-progress book about the internals of the Go (1.10+) programming language.

• Zarf — Kubernetes Air Gap Buddy

• kube_security_lab — Kubernetes Local Security Testing Lab

• dive — A tool for exploring each layer in a docker image

Learn from Twitter

Tweet1

Tweet2

Sponsored content

This issue is brought to you by Armo and Teleport ->

**ARMO** assures DevOps, DevSecOps, and developers that every workload, cluster, container, and microservice is born and remains secure, from development to production and from configuration to run-time, every time. They are the creators of Kubescape.

Teleport empowers engineers to quickly and securely access any computing resource anywhere on the planet. The Access Plane allows engineers and security professionals to unify secure access and provide visibility to infrastructure, applications, and data across all environments.

Latest from them

Security Visionaries 2022 — Come hear what some of the world’s foremost security researchers, practitioners and thinkers see on the security horizon for 2022.

SSH Hardening Tips to Prevent Brute-Force Attacks

SSH Bastion Host Best Practices

My supporters

Thank you to the amazing members -> POP, Rawkode, Marky, Noel, Walid, Cedric , Jack , Blaize D’souza, ChadMCrowell and Phil Shapiro

Special thanks to ARMO for being an Org member and to Teleport for being a platinum member.

Some amazing partnerships coming up that will be announced on Twitter so keep an eye if your org wants to grow the community and support my work then consider becoming a member as it comes with a lot of benefits(membership program)

Do not forget to subscribe to my YouTube channel

Thank you for reading this edition and hope you like it, let me know if you are doing something great that will benefit the community, I will include that.

It’s that time of the year again where I tend to look back over the year to see what all I have achieved in the past year and how I have improved myself as a human being.

Yeah 2021, sigh, a year that has changed me in every way I live, my thoughts, my life and left a deep impact on me. I will be dividing this year round up into two parts:

• Personal front
• Learnings and Community

Life-changing experiences: I do not want this post to be only about my personal learnings but surely want to talk about two major events that changed me in a big way are

30th April 2021: Worst day of my life, my elder brother passed away due to COVID-19. He fought for about a month but in the end, his body gave up on fighting the virus and he left me alone in this world with tons of responsibilities. I and my brother shared a very very strong bond and we always used to help each other. He was sharp and I went to him whenever I had to clarify issues or faced any problems in my life. Now this space is so empty, all festivals, holidays and that happiness has gone. The wheel of time will never stop and it will keep on going with many events in life but him not being present with me and my family will always be felt, the tears will always be there behind the smile. This whole incident made me realise that we should love our friends/family when they are alive, be with them more than often, take care of each other, talk often, show support as this is what life is about, spreading love and happiness. Now I have realised that anyone can die anytime so leave each moment happily and there is nothing more important than friends and family.

24th September: Best day of my life as I became a DAD!! Yes on this day my wife gave birth to our beautiful daughter “Rushika”. She is so little that it is hard to hold her in my arms but I am loving it to see her grow every day. This is an entirely new feeling of being responsible.

These instances have taught me:

• Life can end at any moment so love the people who are alive.
• Help people as I have seen people struggle through tough times.
• Always be kind while talking as you may never know what other person might have gone through.
• Talk to your friends as they love you and you need to spare time for them.
• Life after a loss is super hard but you need to live for the ones you are alive and that is the reason I moved in with my parent permanently.

Even after what all happened on the personal front, I was able to do a lot of stuff in the cloud native space!

The CKS BOOK

So this year in January 2021 I wrote a book “Let’s learn CKS scenarios” which is based on Kubernetes CKS certification. I have sold more than 277 individual + 250 bulk copies generating more than 10k USD. It’s my first book and I am really happy with the response I got :)

And a big part of 2022 will be writing the CKA book that was requested the most after I published this book.

Streams

I did a lot of Youtube streaming this year with 60 streams with amazing people ❤. We covered a wide variety of topics and a series of streams including:

Knative series -> https://youtube.com/playlist?list=PL5uLNcv9SibBb77B9zyQot2kwUrMM1otq

Rancher-Suse Open source projects(Kubewarden, Harvester, Epinio, Opni, Rancher desktop& Kim, FuseML) ->

https://youtube.com/playlist?list=PL5uLNcv9SibB-7WUGePMaw3jdvmHzQ74S

CI/CD week ->

https://youtube.com/playlist?list=PL5uLNcv9SibB-7WUGePMaw3jdvmHzQ74S

And you can check out all the past live streams here that include all of the above and Crossplane, Fission, Kubespehere, Chaos-mesh, Litmus, Thanos, Linkerd, Opstrace, SigNoz, TimscaleDb, RISC-V, Kubernetes Networking, Docker slim, kubeform , kubernetes configurator, K3ai, Okteto, Kubecost, Keptn, Teleport, KCP, Rust, CUE, ClusterAPI, Kubevirt, K0s, Talos, COSI, OpenEBS, OPA, Kyverno, vcluster, JsPolicy, GraalVM, WebAssembly!!

Isn’t that awesome 😎 Those who have stayed with the channel this year would have learned all of the above from amazing people in the industry!

Apart from this, I did post youtube uploads where I explored various cloud native technologies.

How do I create these videos?
I go through the docs and explore the product, then try to create the simplest possible explanation including a demo in less time. Example: The Portainer walkthrough is 1 hour of demo crunched in under 17 minutes and Kubestr covers all the commands possible with demo in under 13 minutes. I love doing this and many people have given positive feedback on this.

CNCFMinutes

Another interesting thing I started that people loved the most this year is my CNCFMinutes playlist. My mission is to make cloud native technology easy to explore and the CNCF landscape can be daunting for newcomers or ever for people who would just like to know about a piece of software without going into much detail. This is where my CNCFminutes videos come in handy, these videos describe a CNCF project in a few minutes so that people know what the project is, its features, architecture and how it works! Again this is hours of effort that I crunch and put in a single video. As of today, there are 20 CNCFMinutes videos that teach you about 20 different CNCF projects!

Twitch streams

I also started Twitch streams aimed to do a product walkthrough LIVE on twitch but later discontinued it as I thought video uploads are better. But I did four and uploaded them to my channel.

Apart from my regular YouTube uploads I collaborated with other people and participated in various events, webinars and conferences. So let's get started!

Events, Webinars, conferences and collaboration:

• Deploying an App in Kubernetes with Saiyam Pathak : Bashwomen community Seema Saharan
• Easy Kubernetes Volumes using Longhorn : Data on Kubernetes
• GitOps at Scale Using Fleet : GitOps Days 2021
• College to career and SWE to Cloud Roles : Kunal Kushwaha
• Building a Kubernetes Based Cloud Platform at Civo [DevOps Deployed Ep. 05] : DevOps directive with Sid Palas
• CNCFMinutes-Kubernetes, Flux & Falco : Cloud native Bangalore meetup
• Introduction to CNCF in Hindi : Cloudshala
• 5 different ways to run Kubernetes clusters + learning resources : Cloud native hackathon
• Power Level 9000! Improving Application Performance with Chaos Engineering : KUBECON EU 2021
• Kubernetes power for VM’s using KubeVirt : AllDayDevOps
• Various policy engines for Kubernetes policies : ContainerDays 2021
• How to Gain Observability Into Your Kubernetes Workloads : CloudNative days with Kubernetes
• Containers and Kubernetes : Docker Mumbai meetup
• Preparing for the Certified K8s Security Specialist (CKS) Exam : Sysdig Webinar
• Intro to Kubernetes monitoring : Civo Hackathon
• Introduction to service meshes : Civo Webinar
• Kubernetes Security using Kube-bench: Civo Webinar
• Kubernetes Gateway API introduction: Civo Webinar
• Kubernetes at Scale using Rancher Fleet : Docker bangalore &Malaysia joint meetup
• Leverage Azure Tech Stack For Any Kubernetes Cluster Via Azure Arc : Azure Kubernetes Day
• AMA CKA/CKAD : KCD Bengaluru

That totals to 4 Webinars, 6 Conferences, 5 Events/meetups and 5 collaborations.

Event Organizer

• First ever KCD Bengaluru with awesome organising team
• CNCF Students Chapter
• First ever Container Garage event : Joint event by Docker captains and CNCF Ambassadors

Certs Magic show

An amazing group of people started cloudnative.tv : A series of great shows that runs throughout the week on the official CNCF channel. I am fortunate to be a part of it and run my show called “Certs Magic” show that aims to help people prepare for Kubernetes certifications. Here is the complete playlist that you can watch.

Blogs

A lot of people out there love to read blogs as well and I wrote a few this year which were published on Civo, Codefresh, Dzone and my personal website.

• Teleport 6.0 : Database Access Made Easy
• Twingate tryout to access private IP from K8s cluster
• Kubernetes power for Virtual machines using KubeVirt
• Use Open-Source Kubecost to Understand (and Control) Kubernetes Spending
• Kube-ception — Kubernetes within Kubernetes within Kubernetes using Harvester
• Webkubectl — Running Kubectl commands from your web browser
• Get up and running with Kubeflow on Civo Kubernetes
• Benchmarking Kubernetes storage using Kubestr
• Use Ketch to Deploy Apps on Kubernetes Without YAML
• Observability trends 2021
• Connect Civo Kubernetes to Codefresh
• My CKS Book

Civo Academy

Want to learn Kubernetes for free? Civo academy is your answer!!
A lot of people have been asking me to create a Kubernetes course, I started with this idea of Academy and curated the content that will teach everyone Kubernetes from the ground up. The course is free and there are different instructors who recorded different sections. Go signup and learn now if you haven't already done so!

Annoucement blog
Academy link

Youtube Memberships

A support program that I started recently so that people and organizations can support my channel and the work I am doing for the community. My channel has helped many people and that is the reason I never stopped producing awesome content. I think the work I do can help your product reach out to professionals and give you the visibility that is needed. So if you are a startup then reach out to me and would be happy to help.

I have fantastic 10+ Youtube members who joined at the various tiers and a couple at Platinum tier.

Note: The platinum tier is going to be removed soon and there will be a separate prospectus with benefits for Organizations.

All the content on YouTube is and will always remain free!

Membership link

Newsletter

I get to know a lot of information from various newsletters that I have subscribed to and I decided to start my own Newsletter this year and I am glad I did as these contain all the information that I go through personally, read personally or find interesting. I have received great feedback so I will keep writing the newsletter in 2022 as well.

Subscribe to the newsletter here if you want them straight in your inbox!

I have created 5 issues and all of them have tremendous content from where you can learn a lot, this is me talking straight to you.

KCNA Exam SME

Kubernetes and Cloud Native Associate is a beginner level certification who enters in Kubernetes and CNCF world. I was fortunate to be a part of the creation of the exam. It is an MCQ type exam that covers Kubernetes and cloud native ecosystem. It was fun working with the other SME’s and the exam has been well received by the community.

Apart from this, I have my day job at Civo where I work on many initiatives and we as a team have done quite a lot of stuff this year and will double down our efforts next year.

Overall I am happy with all my learnings and community work and even some of my new initiatives that have turned out well!

If you want to support my work then check out the membership program and subscribe to my YouTube channel.
If you want to connect with me then follow me on Twitter or join my Discord server.
If you want to move to cloud or move to Kubernetes or move from one cloud provider to Civo Kubernetes then DM me on Twitter and I will help you out. I am very confident that we are building something great out there for the community keeping the costs in mind.

Thank you all for being with me, supporting me and motivating me to do more! Hopefully, 2022 will be a better year and I would be able to meet you people IRL.

Much Love
Saiyam Pathak

In this guide we will see:

• How to deploy Twingate connector on Civo Kubernetes via Marketplace

• How to setup twingate account

• How to install Twingate client application and access private IP's from the cluster

Deploy Twingate Connector on Civo Kubernetes via marketplace

We'll use Civo Kubernetes, which is based on K3s, to experiment with this quickly. If you don’t yet have an account, sign up here. You could also use any other Kubernetes cluster you have access to.

Create a new cluster from the UI (you can also use Civo CLI) and select Twingate app from the marketplace

Once ready you should see the cluster with ready nodes.

Make sure you have kubectl installed, and the kubeconfig file for your cluster downloaded so that you can run kubectl get nodes and get details of the cluster you just created:

kubectl get nodes
NAME                                STATUS   ROLES                  AGE   VERSION
k3s-twingate-fc341107-node-4c50     Ready    <none>                 68s   v1.20.2+k3s1
k3s-twingate-fc341107-master-eeb3   Ready    control-plane,master   78s   v1.20.2+k3s1
k3s-twingate-fc341107-node-3fa2     Ready    <none>                 67s   v1.20.2+k3s1

Check the Twingate connector installation

kubectl get pods     
NAME                                  READY   STATUS                       RESTARTS   AGE
twingate-connector-7d77f45b9b-g5g5r   0/1     CreateContainerConfigError   0          117s

It will be in CreateContainerConfigError as we need to create a configmap and secret that will be done in the next step.

Twingate setup walkthrough

In this we will setup Twin gate account and get the tokens for creating configmap and secret

Go to twingate.com to create a trial account and get Started

Signup with your preferred method and enter the team

Select the private resources that you want to access

Add Team members

Select a plan to try out For this demo we just choose Twingate teams

Setup the connector

Add a connector

Generate the tokens

Create following secret with the tokens from above

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: connector
stringData:
  accessToken: "Access Token"
  refreshToken: "Refresh Token"

Also create a config map as below Here th eurl will be the once you chose during setup.

apiVersion: v1
kind: ConfigMap
metadata:
  name: connector
data:
  url: https://civo.twingate.com

After creating the configmap and secret you should see the status as connected

Create a deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
        - name: demo
          image: nginxdemos/hello:latest

Go to the Network and add resource

Add resource with the IP of the pod

kubectl get pods -owide
NAME                                  READY   STATUS        RESTARTS   AGE   IP           NODE                               NOMINATED NODE   READINESS GATES
demo-58f4cb989b-jzm68                 1/1     Running       0          14s   10.42.1.7    k3s-linkerd-60ab3687-node-dcfa     <none>           <none>

Twingate client application and connecting to the resource created

In this section we will install the Twingate client application on MacOS and then connect to the resource created in above step via the browser.

Now install twingate locally on Mac -> https://docs.twingate.com/docs/macos

Configure the client app

You will be able to see the network connected and open the deployed application in browser

Wrapping up

In this way you can connect the resources within the network from anywhere. These are the private ip's assigned to the pods that you are able to access directly from the browser even without exposing the services!! Let me know on Twitter @SaiyamPathak if you try Twingate out on Civo Kubernetes!

Teleport is an open source, identity-aware, access proxy with an integrated certificate authority. People have been using teleport for ssh-access, Kubernetes clusters and with Teleport 6.0 you get Database access as well (Postgress and MySQL).

In this tutorial, I will show you how you can do it all from scratch for a self-hosted MySQL Database(I will show the database install as well).

Prerequisites: 2 Ubuntu 20.04 instances with sudo access.

I have 2 machines called teleport and database

Complete setup

Step1: Login to the teleport instance and install teleport

curl https://deb.releases.teleport.dev/teleport-pubkey.asc | sudo apt-key add -
add-apt-repository 'deb https://deb.releases.teleport.dev/ stable main'
apt-get update
apt install teleport

Step2: Configure Teleport server

export IP={ip for the instance}
#in my case 
export IP=212.2.240.196

teleport configure --acme --acme-email=saiyam911@gmail.com --cluster-name=magic-$IP.nip.io --output="/etc/teleport.yaml"
Wrote config to file "/etc/teleport.yaml". Now you can start the server. Happy Teleporting!

Step3: Start teleport and add a user

systemctl start teleport
systemctl enable teleport
systemctl status teleport

tctl users add teleport-admin --roles=admin --logins=root

User "teleport-admin" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:

https://magic-212.2.240.196.nip.io:443/web/invite/b39e7b128d3243c6c10407b06d27be26

NOTE: Make sure magic-212.2.240.196.nip.io:443 points at a Teleport proxy which users can access.

Go to the link to set up 2FA

You get the Web-UI Access

Step4: Install Mysql database on the database instance

apt-get update

sudo apt install mysql-server -y

Step5: Add MySQL address in the proxy service of teleport.yaml on the teleport instance

vi /etc/teleport.yaml

#Add below in bold
proxy_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3023
  web_listen_addr: :443
  public_addr: magic-212.2.240.196.nip.io:443
  mysql_listen_addr: 0.0.0.0:3036

Step6: certificate Key/pair creation

Below has to be run on teleport instance

# Export Teleport's certificate authority and generate certificate/key pair
# for host db.example.com with a one year validity period.
**tctl auth sign --format=db --host=localhost --out=server --ttl=8760h**

The credentials have been written to server.key, server.crt, server.cas

Copy over the files generated to the database instance

apt install sshpass
sshpass -p 'password' scp server.key server.crt server.cas user@{IP}:/etc/mysql/ssl

above will copy the files in /ssl directory of the database instance

cd /etc/mysql/ssl
ls | grep server
server.cas
server.crt
server.key

Step7: Configure MySQL on the database instance

cd /etc/mysql/
vi mysql.cnf

add below 

[mysqld]
require_secure_transport=ON
ssl-ca=/path/to/server.cas
ssl-cert=/path/to/server.crt
ssl-key=/path/to/server.key

#in my case it is 

[mysqld]
require_secure_transport=ON
ssl-ca=/etc/mysql/ssl/server.cas
ssl-cert=/etc/mysql/ssl/server.crt
ssl-key=/etc/mysql/ssl/server.key

Change ownership

chown -R mysql:mysql /etc/mysql/ssl/

Create User alice and configure with certificate

mysql> CREATE USER 'alice'@'%' REQUIRE X509;
Query OK, 0 rows affected (0.00 sec)
mysql> ALTER USER 'alice'@'%' REQUIRE X509;
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT ALL ON `%`.* TO 'alice'@'%';
Query OK, 0 rows affected (0.00 sec)

Step8: Create the token for database service to join (below command should run on teleport instance)

**tctl tokens add \
--type=db  \
--db-name=mysql \     
--db-protocol=mysql \     
--db-uri=localhost:3306**

The invite token: 30b936383ccd1d117d9315770c08a63c.
This token will expire in 60 minutes.

Fill out and run this command on a node to start proxying the database:

> teleport start \
   --roles=db \
   --token=30b936383ccd1d117d9315770c08a63c \
   --ca-pin=sha256:0cff619a5e66cb079cbb6110ec884424e5a5d47f16e13b8855344889568b5770 \
   --auth-server=magic-212.2.240.196.nip.io:443 \
   --db-name=mysql \
   --db-protocol=mysql \
   --db-uri=localhost:3306

You can either use the above token and create a config file on the database instance for the database service using just the token (https://goteleport.com/docs/ver/6.1/database-access/guides/mysql-self-hosted/#start-database-service-with-config-file)

OR you can just use the output of the above command and run it on the database instance.

Step9: Install teleport on Database instance and then run the output from the above command

curl https://deb.releases.teleport.dev/teleport-pubkey.asc | sudo apt-key add -
add-apt-repository 'deb https://deb.releases.teleport.dev/ stable main'
apt-get update
apt install teleport

Run the command to start database service

teleport start \
>    --roles=db \
>    --token=30b936383ccd1d117d9315770c08a63c \
>    --ca-pin=sha256:0cff619a5e66cb079cbb6110ec884424e5a5d47f16e13b8855344889568b5770 \
>    --auth-server=magic-212.2.240.196.nip.io:443 \
>    --db-name=mysql \
>    --db-protocol=mysql \
>    --db-uri=localhost:3306
INFO [PROC:1]    Connecting to the cluster magic-212.2.240.196.nip.io with TLS client certificate. service/connect.go:128
INFO [AUDIT:1]   Creating directory /var/lib/teleport/log. service/service.go:1895
INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload. service/service.go:1895
INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload/sessions. service/service.go:1895
INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload/sessions/default. service/service.go:1895
INFO [AUDIT:1]   Creating directory /var/lib/teleport/log. service/service.go:1895
INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload. service/service.go:1895
INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload/streaming. service/service.go:1895
INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload/streaming/default. service/service.go:1895
INFO [DB:SERVIC] Database service has successfully started: [DatabaseServer(Name=mysql, Version=6.0.2, Labels=map[])]. service/db.go:205

Step10: Login to MySQL instance from Teleport:

Start the terminal session after login into the teleport server from the UI. You can also use tsh login on the teleport instance to login as a particular user.

It will open a terminal session

Now let’s try to access the MySQL database running on the database instance :

root@teleport-9cd889ac:~# **tsh db ls**
Name       Description Labels Connect
---------- ----------- ------ ------------------------------------------------------------------------------------------------------
mysql

root@teleport-9cd889ac:~# tsh db login mysql

Connection information for MySQL database "magic-212.2.240.196.nip.io-mysql" has been saved.

You can now connect to the database using the following command:

$ mysql --defaults-group-suffix=_magic-212.2.240.196.nip.io-mysql

Or configure environment variables and use regular CLI flags:

$ eval $(tsh db env)
  $ mysql

root@teleport-9cd889ac:~# tsh db ls
Name       Description Labels Connect
---------- ----------- ------ ------------------------------------------------------------------------------------------------------
> mysql                       mysql --defaults-group-suffix=_magic-212.2.240.196.nip.io-mysql --user=<user> --database=<database>

root@teleport-9cd889ac:~# mysql --defaults-group-suffix=_magic-212.2.240.196.nip.io-mysql --user=alice --database=mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 10027
Server version: 8.0.0-Teleport (Ubuntu)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.00 sec)

As you can see a user can establish a Mysql server connection from teleport. how cool is that !!!!

Conclusion:

In simple 10 steps, I was able to set up teleport, create users, create a database and connect to the database from the teleport UI. Optionally you can also create RBAC as teleport supports RBAC so you can create a db role for the database and create users with that role accordingly. docs to create RBAC: https://goteleport.com/docs/ver/6.1/database-access/guides/mysql-self-hosted/#create-role-and-user

Saiyam Pathak CNCF Ambassador Youtube: https://youtube.com/c/saiyam911 Twitter: https://twitter.com/saiyampathak Twitch: https://twitch.tv.saiyampathak Kubernetes CKS book: https://gumroad.com/l/cksbook

About CKS Certification :

CKS Certification was launched at KubeCon NA 2020 and was targeted to show the importance of security in Kubernetes. The prerequisite to take this certification is that you need to be CKA (Certified Kubernetes Administrator). This Certification is heavily focused on the third-party security tools that are required to make the cluster secure. Security best practices, the CIS benchmarks, and how to take care of security at each stage.

Compared to CKA and CKAD, this is the most difficult certification rated by the people who have taken the exam as this involves security concepts to be understood properly and you should know how to use external tools like Kube-bench, OPA, Trivy, Falco etc.

The Book

Soon after I cleared my certification I realized that this certification needs more practice and there are not many resources for it, so I decided to pen down my notes and created scenarios out the topics and the sections mentioned in the syllabus. I looked at the Kubernetes documentation for creating these practice questions/scenarios.

The unique thing about this book is that all questions are different and for each scenario, I have used Katakoda Playground so that the practice becomes easy and you can practice the scenarios anytime. For each question, you get a detailed solution which is broken down into Cluster setup + scenario setup + the question. These are not direct questions, I first create the questions from the cluster setup itself and then try to modify things, so you can do all questions by following the detailed solutions.

As of now, it’s a 52 pages book that might grow in the future as I add more scenarios to it based on the feedback from the community.

Buying Options:

There are two packs that you can purchase :

• Silver Pack: $15

- The Book 
- All new Updates
- Github gist for copy/pasting 
- Discord channel were you can ask questions and discuss with other people preparing for CKS

• Gold Pack: $25

- The Book 
- All new Updates
- Github gist for copy/pasting 
- Discord channel were you can ask questions and discuss with other people preparing for CKS
- Video Solutions to all the scenarios

I love doing things for the community so I decided to give a 50% discount on both packs for the first 100 users which is now over.

Gumroad Platform and Sales :

Writing a book can be difficult and then publishing it might be a whole new thing. What I wanted was that, I write something and then I can directly give that to the people/community so that they can immediately start using it. I also wanted my own style of writing, my freedom of the way, wanted to write some handwritten stuff so I chose to compile the doc, export as pdf then import in notability and then do my writing stuff on it.

Now the book was ready and I needed a way to publish it and Gumroad was super-easy, in less than 30 minutes I was able to publish my book, create different packs, get a sharable link, create a super simple coupon for a discount and share it with my community. Gumroad pays you via PayPal which is a fine for me since I am having a PayPal account. Also, I didn't have to go through any of the editorial review and publication complexities. So I just compiled my book in a pdf and I used Gumroad to publish that on the 26th of January.

The response I got from the community was awesome as I wasn’t even expecting 50 sales but in less than a month the book did 120+ sales which is just amazing and since then I have updated my book couple of times, created and provided Video Solutions and also created GitHub gist based on feedback.

The overall feedback for the book has been good as people are able to understand the scenario and practice them.

Below are the sales that I got via different mediums

I think that if you are living in a world where you have a strong community that is hungry to learn more, you will always find a way to create an impact.

It might not be too many sales for some but as my FIRST Book, it's a Huge Success for me. I got so much confidence and love from the community that I am really satisfied with my work. So thank you all who bought the book and all the best to those preparing for CKS.

Book Link: https://gumroad.com/l/cksbook

Feedback :

Thinking of Writing a book? Anyone can do it, Connect with me on Twitter to ask any questions regarding this book or to ask anything about my journey in general. Also, Follow my youtube channel where I do live streams with other community leaders and we all learn together.

Saiyam Pathak CNCF Ambassador Youtube: https://youtube.com/c/saiyam911 Twitter: https://twitter.com/saiyampathak Twitch: https://twitch.tv.saiyampathak

The Year 2020 came with a lot of enthusiasm but ended up being one of the worst years due to obvious reason-> COVID

There is something new that I believe in learning each day and 2020 was no different. I personally leaned a-lot this Year. In this post, I want to pen down some of the things that I have done and other things that happened in my life.

Meetups

Docker Meetup 16th Jan: Kickstart Your 2020 Container Journey with Docker & Kubernetes + Kubernetes101 Workshop

Year Begining I along with other community members organized the biggest Docker meetup at SAP Labs India. It was attended by more than 550 folks and we really had a great learning experience. My talk: Docker Security 101

CNCF Meetup Jan25th :Grokking Cloud Native Data Management Landscape

My talk: What, why and How of Timeseries database for kubernetes

Rise of COVID and all in person events cancelled

COVID Cases were rising worldwide and the events started to cancel so after 14th Feb there were no in-person events that I organized or spoke at. Conferences that were I was supposed to speak but didn’t happen due to COVID:

• Namma Cloud Conference, Bengaluru

• Kubecon EU Amsterdam (In-person)

• O’Reilly Open Source Software Conference in Portland 2020

March Became the year of lockdown where most of the countries started observing Lockdowns and we were supposed to stay at home 24/7 and only go out for essential commodities or order them at home. This was really tough as no one imagined doing this, panic buying, fear, people getting sick all around the globe was really unusual situation. In Reality, we all struggled to meet, travel, eat, and Live. Stuck at home I tried to explore myself more and see what more I can do like cooking, household stuff, and collaborate with the community ONLINE.

March was also the month where I planned a new way to connect with the community while sitting at home: **Youtube Livestreams**

So this started as an experiment and a vision where I connect with more and more folks and we all learn together as a community. I loved the response from the community, I took feedback from the community and upgraded the setup, streaming and the content as well. I have always listened to the community and will also do that in future as well as community is what drives me. Since then I have organically grown to 1.12k subscribers and I would like to thank the community for supporting me always and encouraging me to do MORE. Few stats Total Livestreams : 25+ Total likes: 840+ 2,548+ comments and 17,598 views

Job Change

I joined Civo ltd as a “Director of Technical Evangelism” in September and it was a big thing that happened in 2020. I thought A LOT before joining as there were so many challenges involved and as of today I am so glad that I joined this company of awesome people with amazing talent. We have big plans for 2021 and we all are working hard for this.

Stream List till December 2020:

• All About Calico with Alex Pollitt

• Let’s Learn Portainer with Neil Cresswell

• Kubernetes Distros with flavour of Fleet with Darren Shepherd

• Let’s Learn Ketch by Shipa with Bruno Andrade

• Hands on CKA,CKAD with CKS flavour (v1.19) with **Walid Shaari**

• Let’s Learn Okteto and Operator-sdk with **Ramiro**

• Let’s Learn Kubernetes Security with **Dan ‘POP’ Papandrea**

• Let’s Learn Kubermatic Kubernetes Platform

• Let’s Learn Traefik

• Let’s Learn about Getting involved with Open Source in different ways

• Let’s Learn Production grade k8s monitoring and extending k8s using Golang with **Rawkode**

• Let’s Learn QuestDb on RaspberryPi and K8s Networking with** David**

• Docker Internals and RKE Deep dive with **Nigel Poulton**

• Introduction to Terraform

• Introduction to Helm3

• Awesome Serverless using cloud run playlist

• Docker Series by **Saloni Narang**

• Introduction to Rust by **Sangam** and other Go videos by him as well.

Blogs that I wrote in 2020:

Blog Published on THENEWSTACK:

• How to Use InfluxDB with Its Python Client on Kubernetes

Blog published on cncf:

• Upgrade a K3s Kubernetes Cluster with System Upgrade Controller

Blogs published on civo.com:

• HashiCorp Waypoint — Solving the Build, Deploy and Release problem

• Chaos Experiments on Kubernetes using Litmus to ensure your cluster is production ready

• Deployments without YAML using Ketch

• Switching on the cluster insights using Headlamp

• Running Kubeflow Pipelines

• Ensuring YAML best practices using KubeLinter

Blogs published on rancher.com

• Upgrade Your K3s Clusters Smoothly in Rancher 2.4

• Schedule Security Scans in Rancher 2.4

• Rancher 2.3: Istio and Kiali

Blogs published on medium.com

• k0s — Yet Another Kubernetes Distro !!

• Portainer 2.0

• Shipa : A Complete developer-friendly Kubernetes

• Permission manager : RBAC management for Kubernetes

• Octant Simplified

Blogs published on Hashnode.com(connected to saiyampathak.com)

• Connect civo k3s Cluster with Azure ARC

• Let us take a dig into Kubevious

Conferences:

KUBECON EU Virtual with my friend Karthik Gaekwad and also did a Panel session. 34 Truths We Learned About Kubernetes and Edge Panel: CNCF Ambassadors: Building the Cloud Native Community

I got fancy badges as well!!

AllDayDevOps: [k3s ,k3d, k9s, k8s — what are all the numbers about ?](https://content.sonatype.com/2020addo-mi/addo2020-mi-narang-pathak)

PyConf Hyderabad: [InfluxDb and it’s python client](https://youtu.be/UFrMdzqYyGE)

Indiacloudsummit:

K3s -A Light Weight Kubernetes Distribution

Community Awards

I won 2 community awards in 2020 and got nominated for CNCF top Ambassador as well.

Docker and Influx Community Leader Award

Certifications

In 2020 I engaged with the cloud-native Community a lot this year(I tweeted 1622 times) sitting at home, I spent a lot of time with my family members, I talked to a lot of great people in the industry and learned a lot from them. I became more focussed and with 2021 coming, I will be more focussed on taking my youtube channel to extreme Level and do great things at Civo.

2021, A year of Hope and Learning!

**Subscribe the channel and support the work I am doing as it takes time to organise and do it LIVE!**

Thank you for supporting me and loving me.

Have a great 2021 everyone!

►►►Connect with me ►►► ► ► Discord: https://discord.gg/bH5wKDCZjB ► Telegram: https://t.me/joinchat/Qu6Qlxj1cnC_I1n... ► Website: https://saiyampathak.medium.com/ ► GitHub: https://github.com/saiyam1814 ► YouTube: http://youtube.com/c/saiyam911 ► Twitter: http://twitter.com/saiyampathak ► Instagram: http://instagram.com/saiyampathak/ ► Twitch: https://www.twitch.tv/saiyampathak ► LinkedIn: https://www.linkedin.com/in/saiyampathak

SAIYAM PATHAK

Now by this time you already must have started making comparisons of k0s with k3s which is a CNCF sandbox project & a CNCF certified kubernetes distribution. But first let us see what k0s has to offer, its vision, a demo, and then a comparison with k3s.

What is behind the name? - Zero friction meaning anyone can install without any kubernetes expertise.

• Zero OS dependencies
• Zero cost as its open-source
• Zero Downtime as it comes with automated cluster lifecycle management

Features:

• It is a single binary(around 165 mb) with no OS dependencies
• FIPS security compliance = k0s kubernetes core components + OS dependencies + components packaged on top
• Isolated Control Plane - the server will not have a container engine or kubelet running by default, meaning no workload can run on the server.
• Custom worker profiles
• Future native cluster backup/restore and other features

Note - Components included in binary will be explained in the comparison with k3s section

Architecture:

k0s uses Rancher's Kine) to allow a wide variety of backend data stores to be used such as MySQL, PostgreSQL, SQLite, and dqlite. k0s uses Konnectivity by default that is responsible for the control plane and worker bidirectional communication.

Other Notable points -

• From the commits k0s was previously called MKE (Mirantis kubernetes/container engine I suppose )
• It is claimed to be a successor of Pharos Project.
• k0s can be run as docker as well.
• k0s allows extending the functionality of kubernetes cluster by using extensions -> atm only helm CRD’s can be used.

Demo - For this demo, we will take 2 CentOs plain Virtual machines and create a Kubernetes cluster using k0s

Installing the binary Download the k0s binary on both the nodes:

curl -sSfL k0s.sh | sh
Downloading k0s from URL: [https://github.com/k0sproject/k0s/releases/download/v0.7.0/k0s-v0.7.0-amd64](https://github.com/k0sproject/k0s/releases/download/v0.7.0/k0s-v0.7.0-amd64)

Run the server on the node(the machine where you want the Control plane to be) with default config

k0s server

you can see all the control plane components running as processes

**ps -ef | grep k0s
**root     11169 11009  1 19:03 pts/0   00:00:00 **k0s server**
root     11175 11169  5 19:03 pts/0   00:00:02 **/var/lib/k0s/bin/etcd **...
root     11184 11169  6 19:03 pts/0   00:00:02 /var/lib/k0s/bin/**kube-controller-manager** ...
root     11187 11169 36 19:03 pts/0   00:00:12 /var/lib/k0s/bin/**kube-apiserver**...
root     11191 11169  0 19:03 pts/0   00:00:00 /var/lib/k0s/bin/**konnectivity-server**...
root     11196 11169  3 19:03 pts/0   00:00:01 /var/lib/k0s/bin/**kube-scheduler**...
root     11209 11169  0 19:03 pts/0   00:00:00 k0s api --config=/root/k0s.yaml

**Create the token for worker**

k0s token create --role=worker

On the worker node run the join command with the token just generated

k0s worker

you can see the k0s processes on the worker node as well:

ps -ef | grep k0s

root 12430 12356 2 19:09 pts/0 00:00:02 k0s worker .... root 12436 12430 18 19:09 pts/0 00:00:17 /var/lib/k0s/bin/containerd ... root 12441 12430 3 19:09 pts/0 00:00:02 /var/lib/k0s/bin/kubelet ... root 12523 1 0 19:09 pts/0 00:00:00 /var/lib/k0s/bin/containerd-shim-runc ... | | | root 13504 1 0 19:10 pts/0 00:00:00 /var/lib/k0s/bin/containerd-shim-runc-

From the control plane, you can see the status of the worker node (after installing kubectl as it is not packaged within the binary)

curl -LO "[https://storage.googleapis.com/kubernetes-release/release/$(curl](https://storage.googleapis.com/kubernetes-release/release/$(curl) -s [https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl](https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl)"
chmod +x kubectl 
mv kubectl /usr/local/bin/
mkdir ~/.kube
cp /var/lib/k0s/pki/admin.conf ~/.kube/config

kubectl get nodes
NAME   STATUS   ROLES    AGE    VERSION
test   Ready    <none>   7m1s   v1.19.3

Now we have a Kubernetes cluster up and running with the Kubernetes version v1.19.3

Comparison with k3s:

Note: k0s does not run on Arch Linux(thanks to Alex Ellis for pointing this) Though there are a few features in k0s that makes it different from k3s but they have a lot in common as well. IMO it would have been great if there were contributions made to k3s instead of creating a new distribution itself.

Let me know your thoughts on it in comments or on reddit.

Saiyam Pathak Director of Technical evangelism, Civo CNCF Ambassador

We will cover below scenarios:

• Installing Portainer on Managed k3s by Civo Cloud

• Installing Portainer Agent on GKE

Installing Portainer on Managed k3s

• Create a civo k3s cluster

• Download the Kubeconfig file

• Install Portainer directly on the cluster

**curl -LO [https://raw.githubusercontent.com/portainer/portainer-k8s/master/portainer-nodeport.yaml](https://raw.githubusercontent.com/portainer/portainer-k8s/master/portainer-nodeport.yaml)**

kubectl apply -f portainer-nodeport.yaml
namespace/portainer created
serviceaccount/portainer-sa-clusteradmin created
clusterrolebinding.rbac.authorization.k8s.io/portainer-crb-clusteradmin created
service/portainer created
deployment.apps/portainer created

kubectl get svc -n portainer
NAME        TYPE       CLUSTER-IP        EXTERNAL-IP   PORT(S)                         AGE
portainer   NodePort   192.168.159.221   <none>        9000:30777/TCP,8000:30776/TCP   13s

• Open Portainer UI: <NodeIp>:<Nodeport>(http://91.211.152.180:30777 in this case)

click on kubernetes

The Managed k3s cluster gets imported

Installing Portainer-agent on GKE:

Create a simple plain default GKE cluster

GKE cluster Creation

Connect to the cloud shell in order to Run Portainer Agent

Install Portainer Agent Load Balancer:

**gcloud container clusters get-credentials portainer --zone us-central1-c --project playground-s-11-14726b37**
Fetching cluster endpoint and auth data.
kubeconfig entry generated for portainer.

curl -L https://downloads.portainer.io/portainer-agent-k8s-lb.yaml -o portainer-agent-k8s.yaml; kubectl apply -
f portainer-agent-k8s.yaml
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1599  100  1599    0     0   1169      0  0:00:01  0:00:01 --:--:--  1169

namespace/portainer created
serviceaccount/portainer-sa-clusteradmin created
clusterrolebinding.rbac.authorization.k8s.io/portainer-crb-clusteradmin created
service/portainer-agent created
service/portainer-agent-headless created
deployment.apps/portainer-agent created

kubectl get svc -n portainer
NAME                       TYPE           CLUSTER-IP    EXTERNAL-IP     PORT(S)          AGE
portainer-agent            LoadBalancer   10.28.7.233   35.238.43.218   9001:31739/TCP   84s
portainer-agent-headless   ClusterIP      None          <none>          <none>           82s

Create an Endpoint for GKE in the Portainer UI and enter the Endpoint URL as the <Load Balancer IP of Portainer-agent>:9000

With these little steps, you can run multiple agents on Different Kubernetes clusters and manage them(in the above example we were able to install server on Civo cloud and even connect GKE cluster). When I say manage them you can assign them to groups and create users for that. You can deploy the workloads from the Portianer UI

Creating team, users, Groups : With Portainer you can put clusters(endpoints) in different groups and assign user and team access. So create a team, create a user, create a new group, and team/user to that group, and then add cluster/endpoint to the new group. This way different users can assess different sets of clusters base on the need.

Creating Team:

Creating User:

Creating Group: In the endpoints section, create a new group.

Now once you have cluster added to a group, you can manage access as well as below:

Finally, Let us deploy a sample application to Civo cluster from Portainer.

Very easily you can define Image, Memory, CPU, NodePort and most of the customization and you can edit it on the fly from the UI.

Accessing application via NodePort

So with Portainer 2.0 you can import and manage multiple clusters and have them added to different groups as per the requirement of the teams or environments. Management is simple and so is the import cluster. Portainer with rich experience in Docker management now has a great release for Kubernetes management as well.

ENJOY PORTAINERING !!

Saiyam Pathak [CNCF Ambassador | CKA | CKAD ] Youtube Twitter

Visualizing Kubernetes is something that everyone wants, the more good the visualization, the more it gets adopted by the community. Tools that help to view/debug the issues/configurations right in front of the screen make the life of dev/ops people easy.

There are Different Tools as of today that do the visualization, but I found Kubevious to be different. Along with the visualizations, it also shows the misconfigured labels for the pods-services, instantly shows the RBAC roles/permissions for the service accounts. Sounds Exciting? Let us dive in and see it in action.

For this tutorial, we will install Kubevious to a managed k3s cluster (powered by civo cloud)

After creating a k3s cluster, save the kubeconfig locally, to check if the cluster is ready and running.

kubectl get nodes
NAME               STATUS   ROLES    AGE   VERSION
kube-node-ee97     Ready    <none>   61m   v1.18.6+k3s1
kube-master-650d   Ready    master   62m   v1.18.6+k3s1
kube-node-b70a     Ready    <none>   61m   v1.18.6+k3s1

Now you can deploy Kubevious to the Kubernetes cluster via helm charts easily (make sure to have helm installed locally )

kubectl create namespace kubevious
namespace/kubevious created


helm repo add kubevious https://helm.kubevious.io
"kubevious" has been added to your repositories

helm upgrade --atomic -i -n kubevious  --kubeconfig=config   --version 0.6.36     --set ingress.enabled=true     kubevious kubevious/kubevious 
Release "kubevious" does not exist. Installing it now.
NAME: kubevious
LAST DEPLOYED: Tue Aug 25 19:32:38 2020
NAMESPACE: kubevious
STATUS: deployed
REVISION: 1
TEST SUITE: None

Hooray!! Kubevious installed in seconds within the cluster. Let us see how we can access the dashboard

kubectl get pods -n kubevious
NAME                                    READY   STATUS    RESTARTS   AGE
pod/kubevious-ui-68668b4489-bjsqs       1/1     Running   0          4m37s
pod/kubevious-parser-84cfb9b8d9-slw6z   1/1     Running   0          4m37s
pod/kubevious-6b4786796b-s77hw          1/1     Running   0          4m37s
pod/kubevious-mysql-0                   1/1     Running   0          4m37s

kubectl get ingress -n kubevious
NAME        CLASS    HOSTS   ADDRESS         PORTS   AGE
kubevious   <none>   *       91.211.152.29   80      2m57s

kubectl get svc -n kube-system | grep traefik
traefik-prometheus   ClusterIP      192.168.149.96    <none>          9100/TCP                     76m
traefik              LoadBalancer   192.168.179.129   91.211.152.29   80:30078/TCP,443:32162/TCP   76m

You can directly access the Kubevious UI by hitting the External IP of Traefik and the port that points to port 80. in this case, it would be 91.211.152.29:30078

Below is the First UI that you get to see :

As you can see, it lists all the namespaces with its configurations (Roles, RoleBindings, ClusterRole, ClusterRoleBindings, Applications deployed in that namespace)

So if you see any warning signs or any red signs you can see that the alerts section will be populated with a reason for it.

You will also be able to view the complete visualization of RBAC - roles and role bindings of in a single view that gives the information on what is the access control level.

You can also see the list of deployed resources, their deployment information, and labels/selector for the service/pod. This is important for rectifying issues on the fly by viewing in the UI. Consider the below scenario:

Say you deploy an nginx app and expose it as a service and while creating the service you didn't specify the labels properly.

kubectl run nginx --image=nginx --replicas=2
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
deployment.apps/nginx created

#Create a Nodeport service and change the app label (in order to create the above scenario )
kubectl expose deployment/nginx --port=80 --type=NodePort
service/nginx exposed
kubectl get svc
NAME         TYPE        CLUSTER-IP        EXTERNAL-IP   PORT(S)        AGE
kubernetes   ClusterIP   192.168.128.1     <none>        443/TCP        155m
nginx        NodePort    192.168.220.191   <none>        80:32485/TCP   2s

kubectl edit svc nginx 
#change the selector as below image

Let us check the Kubevious UI now for the default namespace and you can see that service selector is not able to find any apps.

Now, this becomes very helpful if you find any mismatch in the labels/selectors which is a common mistake.

Also, there is a very interesting feature called Time Machine Say that you have fixed the error now but in the Time Machine, you can view what the error was in past simply by dragging to a specific time window. Below I am showing 2 views -> wrong selector and correct selector

So, In my opinion, Kubevious really helps you to dig into your cluster especially the RBAC portions and also helps you debug the label/selector problem easily. For more information and features like Blast radius, universal search you can visit the official GitHub Repository: https://github.com/kubevious/kubevious.

Saiyam Pathak
[CKA | CKAD | CNCF Ambassador]
Youtube
Twitter

Azure ARC

Back in 2019 Azure ARC was announced to closed preview and now it's available for all to experiment with. So what Azure arc lets you do, it helps you to manage infrastructure not running in Azure. Kubernetes clusters running in different cloud vendors or on Premise can leverage the Azure Tech stack for management.

to Explain how Azure ARC will help consider a scenario that you have 50 clusters spanned across various cloud vendors and on premise, With Azure Arc you will be able to get a unified view for all the clusters and also you will be able to leverage:

• Security
• Governance
• Gitops
• RBAC Major thing I would say is the access control and ability for the developers to deploy applications on all the clusters from a single place with the GitOps model. Which sounds interesting to me.

Image is taken from Azure official blog

civo cloud has created a first-ever managed k3s cluster(you can get access by applying here ). So I will be using the k3s(certified kubernetes distribution) cluster. First login to civo cloud and create a cluster pretty simple and fast in less than 2 minutes as follows:

Let the cluster get created meanwhile let's configure and enable Azure ARC 1) Install Azure CLI - docs

2) Run following commands to enable azure arc feature

az login 
az feature register --namespace Microsoft.Kubernetes --name previewAccess 
az feature register --namespace Microsoft.KubernetesConfiguration --name sourceControlConfiguration

Verify the enablement by :
az feature list -o table | grep Kubernetes
Microsoft.Kubernetes/previewAccess                                                Registered
Microsoft.KubernetesConfiguration/sourceControlConfiguration                      Registered

Now Register the providers

az provider register --namespace Microsoft.Kubernetes
az provider register --namespace Microsoft.KubernetesConfiguration

Check if they are completed:
az provider show -n Microsoft.Kubernetes -o table 
az provider show -n Microsoft.KubernetesConfiguration -o table

All these commands will take some time to take effect so show some patience here.

Install kubernetes extensions(either add or update)

az extension add --name connectedk8s 
az extension add --name k8sconfiguration

az extension update --name connectedk8s 
az extension update --name k8sconfiguration

Install Helm3 as Azure Arc used Helm 3 for installing the agents on the cluster. You can install helm 3 from the docs.

3) Go to Azure Arc in Azure portal

Select Register Cluster Screen 1 will show all the prerequisite steps to be performed out of which I have done all except downloading the kubeconfig file

you can download the kubeconfig file from the civo cloud ui

Screen 2 just enter the cluster details

Screen3 Run the commands as shown (point the kubeconfig to the right config file)

Screen4 Verification page shows the cluster is connected and after finishing you can setup gitops, Azure monitoring and Compliance policies.

From the kubectl you can see the components running

kubectl get pods -n azure-arc --kubeconfig config 
NAME                                         READY   STATUS    RESTARTS   AGE
flux-logs-agent-799cb595f5-4qvqf             2/2     Running   0          11m
metrics-agent-784cddf6c6-l6hrg               2/2     Running   0          11m
controller-manager-7d6f9f56b5-8tqxq          3/3     Running   0          11m
resource-sync-agent-d86c6ddd-z7h7c           3/3     Running   0          11m
cluster-metadata-operator-745954d56d-nc5fk   2/2     Running   0          11m
clusteridentityoperator-5497448799-xdv9h     3/3     Running   0          11m
config-agent-57889d49d6-k6g28                3/3     Running   0          11m

That's it the cluster is now connected to Azure Arc. Let us try some GitOps now go to configurations and click add configuration and define the git repo from where you want to. have the application deployed on the cluster directly. In this case, I am taking sample git repo by azure

BOOM all the things get deployed automatically

kubectl get all -n demo --kubeconfig config2
NAME                             READY   STATUS    RESTARTS   AGE
pod/memcached-86bdf9f56b-r8d96   1/1     Running   0          14s
pod/demom-558478cbcb-kndmd       1/1     Running   0          14s


NAME                TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)     AGE
service/memcached   ClusterIP   192.168.191.38   <none>        11211/TCP   14s


NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/memcached   1/1     1            1           15s
deployment.apps/demom       1/1     1            1           15s

NAME                                   DESIRED   CURRENT   READY   AGE
replicaset.apps/memcached-86bdf9f56b   1         1         1       15s
replicaset.apps/demom-558478cbcb       1         1         1       15s

you can access the application and the port where the azure-vote-front service is running

kubectl get svc --kubeconfig config2
NAME               TYPE           CLUSTER-IP        EXTERNAL-IP   PORT(S)        AGE
azure-vote-back    ClusterIP      192.168.202.113   <none>        6379/TCP       14m
azure-vote-front   LoadBalancer   192.168.129.104   <pending>     80:30823/TCP   14m

It's pretty easy to connect the cluster and deploy the application onto kubernetes directly using Git. You will also be able to use helm to deploy the application from the configuration. Other things that can be done is setting up azure monitor and polices

Saiyam Pathak [CKA | CKAD | CNCF Ambassador]

Today I will be sharing some insights into working with Shipa.

So Shipa is a platform mainly built for the developers so that they can focus more on writing code and less on the infrastructure. The main idea IMO is to make developers' life easy and making their apps run on the best in class kubernetes clusters.

One can associate the Kubernetes clusters with ships using the following guide: Kubernetes Clusters Shipa gives Administrators the possibility of bringing together multiple Kubernetes clusters and it's nodes, that can…learn.shipa.io

Once the cluster is added it shows up in the dashboard for the shipa instance and you can have an overview of all the cluster/apps associated.

Dashboard :

Dashboard view if to view all the clusters, applications, metrics, and events for all the clusters associated with shipa at one place.

Few things to get started:

Installing the shipa CLI —

wget [https://storage.googleapis.com/shipa-cli/shipa_linux_amd64](https://storage.googleapis.com/shipa-cli/shipa_linux_amd64)

chmod +x shipa_linux_amd64 && mv -v shipa_linux_amd64 /usr/local/bin/shipa

Adding Shipa Target

[root@shipa ~]# shipa target-add first [http://35.185.233.31:8080](http://35.185.233.31:8080) -s
New target first -> [http://35.185.233.31:8080](http://35.185.233.31:8080) added to target list and defined as the current target
[root@shipa ~]# shipa target-list
* first (http://35.185.233.31:8080)
[root@shipa ~]#

Shipa Login and app lists

shipa login
Email: [x](mailto:admin@shipa.io)xxxxxxxxxxxx
Password: 
Successfully logged in!

[root@shipa ~]# shipa app-list
Error: you're not authenticated or your session has expired.
Calling the "login" command...
Email: xxxxxxxxxxxx
Password:

+---------------------------+-----------+--------------------------------------+
| Application               | Units     | Address                              |
+---------------------------+-----------+--------------------------------------+
| aks-app1                  | 1 started | http://aks-app1.35.199.180.138.nip.↵ |
|                           |           | io                                   |
+---------------------------+-----------+--------------------------------------+
| dashboard                 | 1 started | http://dashboard.35.199.180.138.nip↵ |
|                           |           | .io                                  |
+---------------------------+-----------+--------------------------------------+
| gke-app1                  | 1 started | http://gke-app1.35.199.180.138.nip.↵ |
|                           |           | io                                   |
+---------------------------+-----------+--------------------------------------+
| redis-service-service-app | 1 started | http://redis-service-service-app.35↵ |
|                           |           | .199.180.138.nip.io                  |
+---------------------------+-----------+--------------------------------------+

Successfully logged in!

Shipa teams :

shipa team-list
+--------+------------------+------+
| Team   | Permissions      | Tags |
+--------+------------------+------+
| admin  | app              |      |
|        | team             |      |
|        | service          |      |
|        | service-instance |      |
|        | cluster          |      |
|        | volume           |      |
|        | volume-plan      |      |
|        | webhook          |      |
+--------+------------------+------+
| system | app              |      |
|        | team             |      |
|        | service          |      |
|        | service-instance |      |
|        | cluster          |      |
|        | volume           |      |
|        | volume-plan      |      |
|        | webhook          |      |
+--------+------------------+------+

Adding ssh key :

shipa key-add my-rsa-key ~/.ssh/id_rsa.pub

Key "my-rsa-key" successfully added!

Creating an application :

shipa app-create demo1 python -t admin -o gke

It creates a complete developer experience wherein you get a git repository like

git@35.185.233.31:demo1.git

Now write and push the code:

git add.
git commit -m "first commit"
git push git@35.185.233.31:demo1.git master

shipe app-list => to get the endpoint for the application that is running on the cluster

+---------------------------+-----------+--------------------------------------+
| test2                     | 1 started | http://test2.35.199.180.138.nip.io   |
+---------------------------+-----------+--------------------------------------+

It's that simple for a developer to just write the code without having to learn or create any Kubernetes related object or yaml files and push it to the repository and DONE — your code is deployed on Kubernetes.

There is a lot that can be done using Shipa and a lot that is in the pipeline.

For having shipa you can install it via :

[https://github.com/shipa-corp/helm-chart](https://github.com/shipa-corp/helm-chart)

Saiyam Pathak [CKA|CKAD|CNCF AMbassador]

Came across a GitHub repository implemented by the awesome folks at Sighup.IO for managing user permissions for Kubernetes cluster easily via web UI.

GitHub Repo : https://github.com/sighupio/permission-manager

With Permission Manager, you can create users, assign namespaces/permissions, and distribute Kubeconfig YAML files via a nice&easy web UI. The project works on the concept of templates that you can create and then use that template for different users.Template is directly proportional to clusterrole. In rder to create a new template you need to defile a clusterrole with prefix template-namespaces-resources__. The default template are present in the k8s/k8s-seeds directory.

Example template:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: template-namespaced-resources___developer
rules:
  - apiGroups:
      - "*"
    resources:
      - "configmaps"
      - "endpoints"
      - "persistentvolumeclaims"
      - "pods"
      - "pods/log"
      - "pods/portforward"
      - "podtemplates"
      - "replicationcontrollers"
      - "resourcequotas"
      - "secrets"
      - "services"
      - "events"
      - "daemonsets"
      - "deployments"
      - "replicasets"
      - "ingresses"
      - "networkpolicies"
      - "poddisruptionbudgets"
      # - "rolebindings"
      # - "roles"
    verbs:
      - "*"

Let us now deploy it on Katakoda kubernetes playground and see the permission checker in action.

Step1: Open https://www.katacoda.com/courses/kubernetes/playground

Step 2: git clone https://github.com/sighupio/permission-manager.git

Step3: Change the deploy.yaml file

master $ kubectl cluster-info
Kubernetes master is running at [https://172.17.0.14:6443](https://172.17.0.14:6443)

update the deployment file “k8s/deploy.yaml” with the CONTROL_PLANE_ADDRESS from the result of the above command.

apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: permission-manager
  name: permission-manager-deployment
  labels:
    app: permission-manager
spec:
  replicas: 1
  selector:
    matchLabels:
      app: permission-manager
  template:
    metadata:
      labels:
        app: permission-manager
    spec:
      serviceAccountName: permission-manager-service-account
      containers:
        - name: permission-manager
          image: quay.io/sighup/permission-manager:1.5.0
          ports:
            - containerPort: 4000
          env:
            - name: PORT
              value: "4000"
            - name: CLUSTER_NAME
              value: "my-cluster"
            - name: CONTROL_PLANE_ADDRESS
**              value: "https://172.17.0.14:6443"
**            - name: BASIC_AUTH_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: auth-password-secret
                  key: password

---
apiVersion: v1
kind: Service
metadata:
  namespace: permission-manager
  name: permission-manager-service
spec:
  selector:
    app: permission-manager
  ports:
    - protocol: TCP
      port: 4000
      targetPort: 4000
**  type: NodePort**

Step4: Deploy the manifests

cd permission-manager

master $ kubectl apply -f k8s/k8s-seeds/namespace.yml
namespace/permission-manager created

master $ kubectl apply -f k8s/k8s-seeds
secret/auth-password-secret created
namespace/permission-manager unchanged
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___operation created
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___developer created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___read-only created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___admin created
rolebinding.rbac.authorization.k8s.io/permission-manager-service-account-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/permission-manager-service-account-rolebinding created
serviceaccount/permission-manager-service-account created
clusterrole.rbac.authorization.k8s.io/permission-manager-cluster-role created
customresourcedefinition.apiextensions.k8s.io/permissionmanagerusers.permissionmanager.user created

master $ kubectl apply -f k8s/deploy.yaml
deployment.apps/permission-manager-deployment created
service/permission-manager-service created

Step5: Get the NodePort and open UI using Katakoda

master $ kubectl get svc -n permission-manager
NAME                         TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
permission-manager-service   NodePort   10.104.183.10   <none>        4000:**31996**/TCP   9m40s

n order to open port from Katakoda click on the + and select View HTTP port 8080 on Host 1 and change the port to 31996

Enter the username and password : username: admin password: 1v2d1e2e67dS You can change the password in k8s/k8s-seeds/auth-secret.yml file.

Now Let us create some users and assign one of the default template.

User Test1 with permission as a developer in permission-manager namespace

Let us download the kubeconfig file and test the permissions:

**master $ kubectl --kubeconfig=/root/permission-manager/newkubeconfig get pods
**Error from server (Forbidden): pods is forbidden: User "test1" cannot list resource "pods" in API group "" in the namespace "default"
**master $ kubectl --kubeconfig=/root/permission-manager/newkubeconfig get pods -n permission-manager
**NAME                                             READY   STATUS    RESTARTS   AGE
permission-manager-deployment-544649f8f5-jzlks   1/1     Running   0          6m38s

master $ kubectl get clusterrole | grep template
template-cluster-resources___admin                                     7m56s
template-cluster-resources___read-only                                 7m56s
template-namespaced-resources___developer                              7m56s
template-namespaced-resources___operation                              7m56s

Summary: With permission checker you can easily create multiple users and give permission for specific resources in specific namespace using custom-defined templates.

About Saiyam

Saiyam is a Software Engineer working on Kubernetes with a focus on creating and managing the project ecosystem. Saiyam has worked on many facets of Kubernetes, including scaling, multi-cloud, managed kubernetes services, K8s documentation and testing. He’s worked on implementing major managed services (GKE/AKS/OKE) in different organizations. When not coding or answering Slack messages, Saiyam contributes to the community by writing blogs and giving sessions on InfluxDB, Docker and Kubernetes at different meetups. Reach him on Twitter @saiyampathak where he gives tips on InfluxDB, Rancher, Kubernetes and open source.

We’re hiring!

We are looking for engineers who love to work in Open Source communities like Kubernetes, Rancher, Docker, etc.

If you wish to work on such projects please do visit our job offerings page.

Definition From the Docs :

Octant is a tool for developers to understand how applications run on a Kubernetes cluster. It aims to be part of the developer’s toolkit for gaining insight and approaching complexity found in Kubernetes. Octant offers a combination of introspective tooling, cluster navigation, and object management along with a plugin system to further extend its capabilities.

Octant is one of the recent projects by VMware that aims to simplify the kubernetes view for developers. Now the developers would be able to see what all is happening in the cluster when they are deploying their workloads. Let us setup Octant on a Katakoda cluster and see what all capabilities it provides out of the box to the Developers. This tutorial is a quick overview of the latest version of the octant recently launched by the team which is v0.10.0.

Steps:

1: Got to- https://www.katacoda.com/courses/kubernetes/playground

2: Download the latest octant release v0.10.0

master $ wget [https://github.com/vmware-tanzu/octant/releases/download/v0.10.0/octant_0.10.0_Linux-64bit.tar.gz](https://github.com/vmware-tanzu/octant/releases/download/v0.10.0/octant_0.10.0_Linux-64bit.tar.gz)

master $ ls
octant_0.10.0_Linux-64bit.tar.gz

# Run 
master $ tar -xzvf octant_0.10.0_Linux-64bit.tar.gz
octant_0.10.0_Linux-64bit/README.md
octant_0.10.0_Linux-64bit/octant

# Verify
master $ cp ./octant_0.10.0_Linux-64bit/octant /usr/bin/
master $ octant version
Version:  0.10.0
Git commit:  72e66943d660dc7bdd2c96b27cc141f9c4e8f9d8
Built:  2020-01-24T00:56:15Z

Run Octant- In order to Run octant you can run the Octant command, by default it runs on localhost:7777and if you need to pass additional arguments (like running on a different port) run

master $ OCTANT_DISABLE_OPEN_BROWSER=true OCTANT_LISTENER_ADDR=0.0.0.0:8900 octant
2020-01-26T10:17:29.135Z        INFO    module/manager.go:79    registering action      {"component": "module-manager", "actionPath": "overview/serviceEditor", "module-name": "overview"}
2020-01-26T10:17:29.135Z        INFO    module/manager.go:79    registering action      {"component": "module-manager", "actionPath": "overview/startPortForward", "module-name": "overview"}
2020-01-26T10:17:29.136Z        INFO    module/manager.go:79    registering action      {"component": "module-manager", "actionPath": "overview/stopPortForward", "module-name": "overview"}
2020-01-26T10:17:29.137Z        INFO    module/manager.go:79    registering action      {"component": "module-manager", "actionPath": "overview/commandExec", "module-name": "overview"}
2020-01-26T10:17:29.137Z        INFO    module/manager.go:79    registering action      {"component": "module-manager", "actionPath": "overview/deleteTerminal", "module-name": "overview"}
2020-01-26T10:17:29.138Z        INFO    module/manager.go:79    registering action      {"component": "module-manager", "actionPath": "deployment/configuration", "module-name": "overview"}
2020-01-26T10:17:29.139Z        INFO    module/manager.go:79    registering action      {"component": "module-manager", "actionPath": "overview/containerEditor", "module-name": "overview"}
2020-01-26T10:17:29.140Z        INFO    module/manager.go:79    registering action      {"component": "module-manager", "actionPath": "octant/deleteObject", "module-name": "configuration"}
2020-01-26T10:17:29.140Z        INFO    dash/dash.go:391        Using embedded Octant frontend
2020-01-26T10:17:29.143Z        INFO    dash/dash.go:370        Dashboard is available at [http://[::]:8900](http://[::]:8900)

You can see that Octant has started, now open port 8900 on Katakoda kubernetes playground to see the Octant dashboard.

In order to open port from Katakoda click on the + and select View HTTP port 8080 on Host 1 and change the port to 8900

octant dashboard

As you can see whole of the cluster is visible with easy to navigate options. you can navigate through the namespaces, see the pods running. Just run a few pods

kubectl run nginx --image nginx
kubectl run -i -t busybox --image=busybox --restart=Never

Now go to the workloads section and you can see the pods. Getting into the pods will give a much deeper look. Let us take a full view at busybox pod and see what all things you can easily see via the octant dashboard.

Overall View

Resource viewer and Pod logs

You can see how easy it is to view the logs, connected resources, overall summary, and the YAML file.

Another thing you can do with Octant is, have your own plugins and view them in octant for added functionality

This was a brief overview of Octant and how you can set up on a katakoda cluster in less than 5 minutes

Octant Documentation: https://octant.dev/docs/master/ Octant other communication channels for help and contribution:

[Kubernetes Slack](http://slack.k8s.io/) in the [#octant](https://kubernetes.slack.com/app_redirect?channel=CM37M9FCG) channel
[Twitter](https://twitter.com/projectoctant)
[Google group](https://groups.google.com/forum/#!forum/project-octant/)
[GitHub issues](https://github.com/vmware-tanzu/octant/issues)

Saiyam Pathak https://www.linkedin.com/in/saiyam-pathak-97685a64/ https://twitter.com/SaiyamPathak

Official GitRepo: **https://github.com/rancher/k3s**

Seeing the popularity of k3s, many developers/companies have started building products around k3s. CIVO cloud has come up with a cloud offering for First-Ever Managed k3s Kubernetes cluster.

CIVO Kubernetes Offering: CIVO cloud has created a lightweight Kubernetes managed cluster offering. Let us take a walk through some of the features of this managed k3s cluster and deploy a sample application.

NOTE: Before proceeding make sure you have the following:

• A Civo cloud account (they also have a 50$ free credit), you can sign up here.
• Civo cli tool installed: Civo cli is a command-line tool for interacting with resources in Civo Cloud. It's very handy and useful as you do not need to go to UI and can do most of the tasks from the Civo cli itself. For installation, you Need Ruby Installed in your machine (v 2.0.0 or later) and then run :

sudo gem install civo_cli

For more info visit: https://github.com/civo/cli

K3s Cluster: Civo Cloud has a managed k3s Kubernetes cluster offering and we can spin up the whole cluster using civo cli itself

Step1: Civo cli account setup using api keys

civo apikey add saiyam <yourkey>
 Saved the API Key
 <yourkey> as Demo_Test_Key

you can find your api key from: cloud account settings > Security > API Key (https://www.civo.com/account/security)

Set the apikey as the default key to connect to Civo resources:

civo apikey current saiyam

You can list all stored API keys in your configuration by invoking civo apikey list or remove one by name by using civo apikey remove apikey_name

Step2: Create a Kubernetes Cluster using CIVO cli

command: civo kubernetes create civofirst --wait --save

Building new Kubernetes cluster civofirst: Done
Created Kubernetes cluster civofirst in 01 min 30 sec
Merged config into ~/.kube/config

command: civo kubernetes list

cluster created

From UI

While creating the cluster using civo CLI you have a few options that can be provided : wait: spins until the cluster comes in ready state save: saves the kubeconfig file nodes: the number of nodes to be created, by default 3 nodes are created and master is counted as a node. size: the size of the nodes, default size is g2.medium

So that is it you have just launched a 3 node k3s cluster running Kubernetes version 1.14

k3s Deployment and service:

Now that we have created k3s cluster lets see some basic deployment of nginx image and exposing it as a service.

kubectl get nodes

NAME               STATUS   ROLES    AGE   VERSION

kube-master-3872   Ready    master   29m   v1.14.6-k3s.1

kube-node-6052     Ready    worker   29m   v1.14.6-k3s.1

kube-node-eaf0     Ready    worker   26m   v1.14.6-k3s.1

kubectl get pods --all-namespaces

NAMESPACE     NAME                    READY   STATUS      RESTARTS   AGE

kube-system   coredns-b7464766c-89nrt      1/1     Running     0          29m

kube-system   helm-install-traefik-g59pl   0/1     Completed   0          29m

kube-system   svclb-traefik-689lv          2/2     Running     0         29m

kube-system   svclb-traefik-bhg8h          2/2     Running     0          29m

kube-system   svclb-traefik-xpf46          2/2     Running     0         27m

kube-system   traefik-5c79b789c5-ns6xj     1/1     Running     0          29m

Now let us deploy a sample nginx application, service, and ingress:

Deployment: kubectl apply -f deploy.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata: 
  name: nginx-deployment
spec: 
  replicas: 2
  selector: 
    matchLabels: 
      app: nginx
  template: 
    metadata: 
      labels: 
        app: nginx
    spec: 
      containers: 
        - image: nginx
          name: nginx-container

Service: kubectl apply -f svc.yaml

apiVersion: v1
kind: Service
metadata: 
  name: nginx-service
spec: 
  ports: 
    - name: http
      port: 8080
      targetPort: 80
  selector: 
    app: nginx
  type: LoadBalancer

Ingress: kubectl apply -f ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: nginx.localhost
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-service
          servicePort: http

Let us see what all has been created.

**kubectl get deploy**

NAME                   READY   UP-TO-DATE   AVAILABLE   AGE
nginx-deployment       2/2     2            2           4m3s

kubectl get svc

NAME            TYPE           CLUSTER-IP        EXTERNAL-IP                              PORT(S)          AGE

kubernetes      ClusterIP      192.168.128.1     <none>                                   443/TCP          153m

nginx-service   LoadBalancer   192.168.139.191   172.31.3.106,172.31.3.157,172.31.3.159   8080:30051/TCP   3m16s

kubectl get ingress

NAME            HOSTS             ADDRESS        PORTS   AGE

nginx-ingress   nginx.localhost   172.31.3.106   80      3m44s

Now open the browser and access the service by NodeIp:30051

You have deployed a sample application and created a service accessible from the internet within minutes with prepackaged ingress controller -> Traefik that comes packaged with k3s managed Kubernetes cluster by Civo cloud.

Civo cli commands :

Scaling the cluster: Cluster can be scaled up to the quota and down to 1 via UI or civo cli

civo kubernetes scale civofirst --nodes=4

Kubernetes cluster civofirst will now have 4 nodes

UI

Renaming the cluster:

civo kubernetes rename civo --name="Prod"

Kubernetes cluster 27f587bc-587b-48b2-8302-3fd62baeff76 is now named Prod

Removing the cluster:

civo kubernetes remove Prod

Removing Kubernetes cluster Prod

Marketplace: Civo cloud has an extensive list of application with the one-click install from the UI. You can go to UI and select the app that you want to deploy to the cluster and it will be available within minutes. Let us try to deploy OpenFaas on k3s from the marketplace.

Select OpenFaaS and click Install Apps, within a few seconds you can see it appears in the Installed apps section with instructions as well to deploy a sample function.

You can access the OpenFaaS UI by NODE_IP:31112 and enter the username/password.

Here we just deployed a sample colorise function to convert image to black & white image.

From the command line, you can see below objects created in k3s cluster when you deployed the OpenFaaS application from the marketplace.

kubectl get all -n openfaas

NAME                                     READY   STATUS    RESTARTS   AGE

pod/alertmanager-85864b8547-qb5zb        1/1     Running   0          27m

pod/basic-auth-plugin-85994747dd-rvfds   1/1     Running   0          27m

pod/faas-idler-6568bb4c9b-5xfjz          1/1     Running   2          27m

pod/gateway-dcdd5b79c-rnfdj              2/2     Running   0          27m

pod/nats-d4c9d8d95-fjw89                 1/1     Running   0          27m

pod/prometheus-855d56876d-txscc          1/1     Running   0          27m

pod/queue-worker-56b64d6848-48b7w        1/1     Running   0          27m

NAME                        TYPE        CLUSTER-IP        EXTERNAL-IP   PORT(S)          AGE

service/alertmanager        ClusterIP   192.168.214.254   <none>        9093/TCP         27m

service/basic-auth-plugin   ClusterIP   192.168.162.218   <none>        8080/TCP         27m

service/gateway             ClusterIP   192.168.146.141   <none>        8080/TCP         27m

service/gateway-external    NodePort    192.168.212.52    <none>        8080:31112/TCP   27m

service/nats                ClusterIP   192.168.164.158   <none>        4222/TCP         27m

service/prometheus          ClusterIP   192.168.194.224   <none>        9090/TCP         27m

NAME                                READY   UP-TO-DATE   AVAILABLE   AGE

deployment.apps/alertmanager        1/1     1            1           27m

deployment.apps/basic-auth-plugin   1/1     1            1           27m

deployment.apps/faas-idler          1/1     1            1           27m

deployment.apps/gateway             1/1     1            1           27m

deployment.apps/nats                1/1     1            1           27m

deployment.apps/prometheus          1/1     1            1           27m

deployment.apps/queue-worker        1/1     1            1           27m

NAME                                         DESIRED   CURRENT READY   AGE

replicaset.apps/alertmanager-85864b8547        1         1         1       27m

replicaset.apps/basic-auth-plugin-85994747dd   1         1         1       27m

replicaset.apps/faas-idler-6568bb4c9b          1         1         1       27m

replicaset.apps/gateway-dcdd5b79c              1         1         1       27m

replicaset.apps/nats-d4c9d8d95                 1         1         1       27m

replicaset.apps/prometheus-855d56876d          1         1         1       27m

replicaset.apps/queue-worker-56b64d6848        1         1         1       27m

Summary: Civo Kubernetes service is lightweight k3s managed cluster for production-ready workloads, currently in beta as they are improving the features based on community feedback via the KUBE100 program. Things we discussed in this article:

• Introduction to k3s and managed k3s

• Civo CLI

• Cluster creation/scaling/renaming/removing using Civo cli

• Deploying a sample application & exposing it to the outside world

• Deploying OpenFaaS application from Marketplace

Deep Dive into Rancher Features.

In my previous post, I walked you through the basics concept of Rancher , what it is and how to setup rancher for different cloud providers. Even importing a cluster.

Now in this section, we will go through the features and functionalities that you can do after having a cluster setup in Rancher.

Just for a quick heads up, we will quickly install Rancher Server \ and import that cluster via Rancher Dashboard and we will do it with play with kubernetes. So with this you can even practice while reading.

Setting Up 3 node Kubernetes cluster:

Step1: Launching a 3 node Kubernetes Cluster using the kubernetes playground -visit https://labs.play-with-k8s.com and start a session.

• Click add a new instance and follow the steps mentioned

kubeadm init --apiserver-advertise-address $(hostname -i)
#above command initialises the current machine as master and gives you the token to have it
#add two new Instances and then run the join command 
kubeadm join 192.168.0.13:6443 --token <token> --discovery-token-ca-cert-hash <hash>
#After that initialise cluster networking to the master so that the nodes come in ready state
kubectl apply -n kube-system -f \
    "[https://cloud.weave.works/k8s/net?k8s-version=$(kubectl](https://cloud.weave.works/k8s/net?k8s-version=$(kubectl) version | base64 |tr -d '\n')"

Kubernetes 3 node cluster is all set

Step2 : Installing Rancher Server Installing rancher is pretty simple using a simple docker command. Make sure to pass environment variables for proxied if you have.

docker run -d --restart=unless-stopped \
-p 80:80 -p 443:443 \
rancher/rancher:latest

Or you can also run it as a pod in Kubernetes.

Once you have rancher installed you can go to {{server_ip}} and see rancher running or if you have exposed it as a service in kubernetes then you can go to the node_ip:nodeport. And in the cluster you would see the cluster agent and node agent. Cluster agent is your rancher server and node agent is a daemon set running on every node.

Importing a cluster created in Rancher server:

Now that you have created a 3 node kubernetes cluster and installed rancher server, its time to import that cluster in rancher and see what all things you can actually do with it.

Step1: After logging into rancher server click on create cluster, select import and provide a name for the cluster.

Select import option as we already have a kubernetes cluster

Step2: Once you click create you will be given a curl command which is nothing but a yaml file for deploying rancher components onto the existing kubernetes cluster in order to make it available on rancher server.

Step3: Copy the commands and run in kubernetes cluster and click done.

Deploying Rancher manifests

you will see a pending cluster in the rancher dashboard:

After some time the cluster is available and active.

Active cluster

Now comes the real part where we actually go and see some of the cool features of rancher .

Monitoring :

Under the tools section for the cluster, you can select monitoring and then enable it. Note that you are required to give some parameters before enabling (give enough memory for monitoring as most of the times it fails when the cpu/memory parameters are not correct). I will keep it to default as it is a simple 3 node lightweight cluster …. well not as lightweight as the k3's.

Once you click save and go back to the cluster you will see for some time the “monitoring api is not ready “.

Monitoring api not ready

Actually what is happening is rancher is pulling the system-charts git repository in the rancher server and deploying it to the cluster. It can be visually seen in the UI under Cluster > System > Apps Section

Apps

So Rancher Server tries to spin up pods and if you are using kubernetes playground you will see that it will run out of space and the Prometheus pod will never come up. So I have change minds here now I am using the Katakoda playground as it has more memory than the kubernetes playground. When you launch monitoring for the kubernetes cluster running in katakoda — 2 node cluster you can see within few minutes the monitoring api will be active and there will be a small grafana icon displayed with all the resources in the rancher UI

Monitoring API enabled

Now that the API is enabled let's look at some of the dashboards out of the box, easily accessible, easily readable and moreover you can add custom dashboards as well.

Cluster Metrics

Node Metrics

Basic Troubleshooting for Monitoring API not coming up or not getting in the ready state:

• First, go to the cluster > system >> apps > click on the apps

• You would see Cluster-monitoring and monitoring-operator being installed which is nothing but creating pods inside the cluster.

• Click on one of the apps if you see the red and see the issue. Few of the common issues include : 1) Space issue or resources issue for this, have a look at cluster resources. 2) not able to pull system-charts repo from GitHub (this can be due to a private network or no internet access for the rancher server ). Resolution for this is to go inside the rancher server container and manually try to do a git pull. If in private network clone the repo to your laptop > push everything in your enterprise GitHub or any accessible Git repo > change the repo in /v3/catalogs /system-library.

• Not able to download the images from docker hub. For this, you need to update the registry and put your private registry where the images are present or the registry you have access over the network. You can change this in the global >> settings

• Other issues can be checked by seeing what error is displayed in the apps/workloads under the System for that cluster.

Rancher Security :

Let move over to Rancher security which includes > Roles, Pod Security Policies and Authentication. There are different authentication support provided by rancher and the roles are basically RBAC powered. Whenever you create a user with a role it is actually getting created inside the cluster with RBAC.

Roles: Roles are Global, CLuster level and Project Level. Except for the global roles you can create the other two from the UI. Cluster Role is really helpful in proving specific permissions for specific resources. Let's create a custom role for view-only permission to the cluster.

Cluster role creation

Now let us Create a standard USER and add this user to our created cluster.

user creation

Add the member to the cluster by selecting the custom role created.

adding a member to cluster

Lets login with “testuser” and try to edit a node.

permission error

So we have successfully created a view permission role for the user who can just view what is there in the cluster and cannot modify it in any way.

Different Authentications that can be integrated with rancher :

Authentication

Deployment via Rancher UI: Lets deploy a sample Nginx application from the Rancher UI itself. Choose the default project from the cluster and click deploy. Projects are the upper layer where you can place your namespaces. All the system level namespaces go in the system projects and all other you can put in different sets of projects and these projects can have assigned roles separately. That's the beauty of roles granularity that rancher provides.

As you can see that we have deployed 12 instances of nginx just by entering a few details. WE can enter further details like :

After the pod is spin up with 12 replicas lets go in the pod and reduce the replicas to 3 and see what other options are available to see its logs, health checks, etc.

replicas reduced to 3

You can edit/view tha yaml for pods, nodes etc on the live cluster from the rancher UI itself. You can install logging systems as well and install necessary apps fro CI/CD .

Node Configurations

You can Also launch kubectl shell and perform the command line activities from rancher UI itself. If for some reason the kubectl does not work then download the kubeconfig file and check it if it works. Sometimes the custom certificates used to set up the clusters have to be put in the settings in order to make the kubectl shell work properly.

local cluster shell

Customizing Rancher UI : If you want to customize rancher UI then clone the rancher/UI repository. Build it locally and point it to the server running for the local development. Once it is set. Run it on a server and change the UI index URL setting in the server pointing to the new UI. Git repository. : https://github.com/rancher/ui

All in All, you can do lots and lots of stuff using Rancher UI . Whatever we have discussed throughout the article is just a little explanation of some common things.

Recap: Things covered in this Article -

• Kubernetes playground cluster creation
• Launching Rancher Server
• Importing a Cluster
• Monitoring Concepts
• Grafana Dashboards
• Common monitoring enabling issues
• User Creation
• Role Creation
• Adding a member to the cluster
• Authentication
• Deployment via Rancher UI
• Playing with pod replicas
• Node Configurations
• Kubectl shell
• How to customize rancher UI

Happy Ranchering.!!

Saiyam Pathak https://www.linkedin.com/in/saiyam-pathak-97685a64/ https://twitter.com/SaiyamPathak