Secure Your Docker Images With Cosign (and OPA Gatekeeper)

So far we have built CI/CD pipelines whose output is Docker images, but how do we make sure of the provenance of the workloads we run on Kubernetes? How can we be sure that the containers we are running come from images built by our own pipelines? One way to establish trust in Docker images is to sign them. We can sign them during the CI pipeline and then verify the signature at runtime, when deploying....

January 19, 2022 · 9 min · Justin

Centralized (multi tenant) Logging with Kubernetes: Part 3

This is a series. You can find part 1 here and part 2 here. In this last post I am going to cover monitoring (with Prometheus and Grafana) for OpenSearch and Fluentd. Fluentd If you recall from part 1, we set up a specific configuration for Prometheus in Fluentd: main-fluentd-conf.yaml kind: ConfigMap apiVersion: v1 metadata: name: fluentd-es-config namespace: logging labels: addonmanager.kubernetes.io/mode: Reconcile data: fluent.conf: |- <source> type forward bind 0.0.0.0 port 32000 </source> [....

December 12, 2021 · 3 min · Justin

Centralized (multi tenant) Logging with Kubernetes: Part 2

This is a series. You can find part 1 here and part 3 here. We left part 1 with a fully functional log pipeline. As I said, we are now going to look at how to achieve a single shared index in OpenSearch. Shared Index If you recall, in the previous part we set a field on each document we were indexing in OpenSearch by leveraging the Fluentd record_transformer plugin: main-fluentd-conf.yaml kind: ConfigMap apiVersion: v1 metadata: name: fluentd-es-config namespace: logging labels: addonmanager....

December 8, 2021 · 5 min · Justin

Centralized (multi tenant) Logging with Kubernetes: Part 1

This is a series. You can find part 2 here and part 3 here. Managing multiple Kubernetes clusters is not easy; managing the logs produced by those clusters is even harder. The architecture I want to show you is still a work in progress, but it is on the right track. Let's start from this scenario: 15 Kubernetes clusters (which we will call Tenants) running Spring Boot based microservices. We need to provide developers with a central logging dashboard where they can browse and correlate logs; in this case we will use OpenSearch (formerly known as Open Distro for Elasticsearch)....

November 21, 2021 · 8 min · Justin

Podman

Podman is an OCI (Open Containers Initiative) compatible container engine, part of Red Hat Enterprise Linux, that can be used in place of the Docker runtime. In contrast to Docker, Podman is daemonless: it interacts directly with containers, the image registry and storage through the runC container runtime, driven only by the CLI (podman); you can even alias it with alias docker=podman without any problem! How to install Podman on macOS Note: this guide was tested on a MacBook Pro 2019 (Intel)....

September 26, 2021 · 4 min · Justin