Cert-Manager Issuer for Cross-Account Route 53 [ EKS ]

Cert-Manager is a very powerful tool when we talk about managing TLS certificates & issuers and no other tool comes near the Cert-Manager for kubernetes in terms of open source, visibility, documentation, installation option, integration, and many more. Even with the same account or cross-account option, there is a direct integration option provided by cert-manager CRDs. This will lead to ease of setting of certificates and managing those created certificates.

ASSUMPTION

For this session/blog, we are going to use ACME certificates [or Let’s encrypt certificates] using DNS01 challenger.

Before setting up we need to have the clarity of account and their functionality.

ACCOUNT-X — EKS SETUP

ACCOUNT Y — ROUTE 53

NOTE: For the same account, you can use serviceaccount to make a call through OIDC To AWS IAM Role.

Continue reading “Cert-Manager Issuer for Cross-Account Route 53 [ EKS ]”

Kubernetes CRI — Container Runtime Interface

Kubernetes is one of the most popular projects around container orchestration but it’s quite interesting that Kubernetes itself has no code to run or manage Linux/windows containers. So, what is running the containers within your Kubernetes pods?

Yes… Kubernetes doesn’t run your containers

It’s just an orchestration platform sitting above container runtimes. No code to run a container and to manage the container’s lifecycle on its own, instead, dockershim was implemented (in kubelet ) for talking to Docker as container runtime. I will talk about dockershim in the later section of the blog.

Also, docker has grown and matured over the last few years and has gained a stack of components like runc (open container initiative), containerd (CNCF project). OCI (est. in June,2015) splits docker into two parts:

1) to handle docker cli & processing requests and
2) to handle container running functions i.e runC.

High Level Overview — Before OCI standards
Continue reading “Kubernetes CRI — Container Runtime Interface”

Protected EFK Stack Setup for Kubernetes


In this blog, we will see how we can deploy the Elasticsearch, Fluent-bit, and Kibana (EFK) stack on Kubernetes. EFK stack’s prime objective is to reliably and securely retrieve data from the K8s cluster in any format, as well as to facilitate anytime searching, analyzing, and visualizing of the data.

What is EFK Stack?

EFK stands for Elasticsearch, Fluent bit, and Kibana.

Elasticsearch is a scalable and distributed search engine that is commonly used to store large amounts of log data. It is a NoSQL database. Its primary function is to store and retrieve logs from fluent bit.

Fluent Bit is a logging and metrics processor and forwarder that is extremely fast, lightweight, and highly scalable. Because of its performance-oriented design, it is simple to collect events from various sources and ship them to various destinations without complexity.

Continue reading “Protected EFK Stack Setup for Kubernetes”

On-Premise Setup of Kubernetes Cluster Components (Offline Mode) – PART 2

In the previous blog, we discussed setting up Offline Kubernetes Cluster over on-premises servers. After setting up the Kubernetes cluster we need to have some basic components to manage the orchestration and monitoring of the Kubernetes Cluster which will help Horizontal Pod Autoscaler and Vertical Pod Autoscaler to get information about CPU/Memory. Also, we have to limit access to all the components and Microservice we have set up for the SSO tool.

To begin with, we need a service mesh tool to manage the traffic flow between multiple microservices and We have many tools for this like Istio, Linkerd, Cilium Service Mesh, Consul connect, etc. Here I am considering Istio.

 Firstly, We will be talking Istio Setup over Kubernetes Cluster.

Istio is an open source service mesh that helps organizations
run distributed, microservices-based apps anywhere.
Istio enables organizations to secure, connect, and monitor
microservices, so they can modernize their enterprise apps more
swiftly and securely.
Istio allows organizations to deliver distributed applications at scale. It simplifies service-to-service network operations like traffic management, authorization, and encryption, as well as auditing and observability.

Continue reading “On-Premise Setup of Kubernetes Cluster Components (Offline Mode) – PART 2”

Kubernetes CSI: Container Storage Interface – Part 1

There are different application categories in the general application world, but we usually define them in two major types, i.e., stateless and stateful applications.

To have a clearer perspective, we can say that API-based applications are generally stateless, and databases are stateful. In simple words or definition, a stateless application is an application that doesn’t save or persists the client data. On the other hand, a stateful application saves data about each client and uses it for other requests.

In the older days, when we didn’t have a concept of containers and container orchestrators, there was a common way to manage both types of applications: server. For example- API and database-based applications get hosted on servers but with different configurations depending on the resource requirements.

Continue reading “Kubernetes CSI: Container Storage Interface – Part 1”