Romulo Santos soeirosantos

GKE Security Tips

This is a concise and direct list of tips and best practices for securing your GKE cluster and workloads. While some of them are GKE-specific others are applicable to Kubernetes in general. Please, follow the links for a detailed and in-depth explanation of each topic.

Use Container-Optimized OS - https://cloud.google.com/container-optimized-os/docs/
Enable Automatic Node Upgrades - https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-upgrades
Use private cluster and master authorized networks - https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters
Use k8s secrets for sensitive information - https://kubernetes.io/docs/concepts/configuration/secret/

Log aggregator sidecar pattern with Fluentd and Sumo Logic

This gist shows how to use a sidecar logging container to collect applicattion logs and ship them to Sumo Logic.

For this example we are using a Sumo Logic Hosted Collector and an HTTP Endpoint Source.

One note about this approach: In order to send the application logs to Sumo Logic we are using Fluentd as a sidecar container to collect and ship the logs. This is probably not the ideal solution since the ideal solution would, maybe, be a cluster-wide configuration to integrate with Sumo Logic. Although, with the config presented here, we keep all the necessary changes and related

Getting started with Intel Python Distribution

Today I got to know about this Intel Distribution for Python and, after browsing a bit on their web site, I was interested to run one of the benchmarks by myself and play a bit with it to compare the results.

Here is how I got two different environments ready for tests and play:

The Intel Python:

GCE Instance with persistent disk provisioned

In this lab we create a GCE instance, and attach and mount an SSD persistent disk to it.

To run this code you can clone this gist

$ git clone https://gist.github.com/6c9cf7efafafc710af0e063e1a90848a.git
$ cd 6c9cf7efafafc710af0e063e1a90848a

Terraform Module Refactoring

In this lab we are gonna show how to extract Terraform code to modules and update the state to keep your infrastructure configuration.

If testing this out you must export your GCP project id export TF_VAR_project=your_project_id

This would be our original configuration:

	package main

	import (
	"fmt"
	)

	func main() {
	fmt.Println(mergeSort([]int{20, 30, 1, 200, 3, -6, 90000}))
	}

	#!/bin/bash
	#
	# Utility to unseal Vault lab and test environments.
	# Got questions? slack: #delivery-engineering
	#
	# How to use:
	# Provide a list of the Vault IP addresses you want to unseal
	# and a file `.unseal_key` with a single line containing the
	# unseal key
	#

	fun bubbleSort(arr: Array<Int>): Array<Int> {
	for (i in 0 until arr.size) {
	for (j in arr.size - 1 downTo i) {
	if (arr[i] > arr[j]) {
	swap(arr, i, j)
	}
	}
	}
	return arr
	}

	{
	"db_url": "127.0.0.1",
	"db_port": 8080,
	"db_username": "foo",
	"db_password": "bar"
	}

	Vagrant.configure("2") do \|config\|
	config.vm.box = "bento/ubuntu-18.04"
	config.vm.hostname = "node1"
	config.vm.provision "shell", inline: <<-SHELL
	# https://docs.docker.com/engine/install/ubuntu/
	apt-get update

	apt-get install -y \
	apt-transport-https \
	ca-certificates \