Blog

I wanted to write a quick blog on my past week at KubeCon / Cloud Native Con Europe, happening in Amsterdam. I went 4 days, with one pre conference day spent on ArgoCon. In the past, I wrote detailed report on all the talks I attended but I wanted to keep it more general this time. This blog post is the result of me going through my notes and pointing out what I found interesting and am hoping to spend some time on.

It was a long week, and I am still recovering of all the excitement on this sunday afternoon writing this blog post. I had to pick between doing a bunch more research to be absolutely sure that all I wrote down is correct, or just glance my notes and dump my brain with the risk I am not 100% accurate in what I write down. I decided to take that risk, as the first option might not happen due to time constraints. At least my memory is a bit fresh now.

Please contact me if you see any errors so they can be resolved.

GitOps

We use ArgoCD at work for our GitOps needs. We have a pretty sophisticated setup with Terraform automatically adding new Kubernetes clusters to ArgoCD, but we can improve a bit here by looking into some more “advanced” usecases.

• We ourselves a bit in some ArgoApplication manifests, ArgoApplicationSets can probably help us out here.
• ArgoCD UI should be read-only. At this time we can (but are never) making modifications through the UI. Essentially all should be driven by Git. (As GitOps implies)
• Interesting concept on ArgoCD “smart diffs” was presented at ArgoCon. Basically, in your PR, a automatic process will preview the current state of the eventually parsed manifest will be diffed to the ones currently applied to your clusters
• Look into Kargo for application promotions between multiple environments

eBPF

I’m interested in eBPF for years but it’s a highly technical subject on which I have not spent any time to grasp. Apparantly you can go pretty deep on this stuff, but it gives you so much power I should not longer ignore tools using this. The Cilium Project is doing a lot of work here.

Cilium adds a Container Network Interface to Kubernetes using eBPF to essentially get observability / security reporting for free. It also gives you an advanced policy framework that allows you to go beyond vanilla Kubernetes network policies. You can also add multi cluster support and even talk to external endpoints like virtual machines.

I feel the overview below is newer (as it is including Tetragon) but maybe less clear

I am really going to keep paying attention to Tetragon, as it can be dropped into any workload and gives you a lot of insights in how your application is behaving, with additional security benefits as well. I did a workshop using Tetragon and it could detect malicious processes running on a host normal Kubernetes security tooling might miss

Observability

• Look into the OpenTelemetry Operator to get observability for free.
  • Cilium provides this as well, lots of options…
• Look into Thanos to replace our central Prometheus server, as this looks much more scalable than we have now

Security

• Apparantly security scanners can be mislead due to malicious compliance. We should be wary in trying to be compliant with policies in my opinion. I rather KNOW where problems are than being compliant to some policy while actually not being compliant at all. Thanks, SIG-Honk, for this insight!
• Look into KubeAudit to scan our manifest for obvious errors
• Interesting concept by ING where a change to their internal container runtime environment will trigger a complete redeploy. They practice Zero Trust where noone can logon to production systems and all is driven through CI/CD. Interesting concept, which requires a lot of engineering capacity and a mature operations department to build and maintain. I’d like to get there soon as well

MISC things to look into

Just a quick dump of tools and topics to end this blog post with. I need to properly look into this

• Kyverno, compared to Gatekeeper
• ContainerSSH
• Server-Side Apply
• VCluster for easy testing

To end this with, i’m thinking of started a side project in which I build some kind of reference system which you can use to spin up Kubernetes clusters in an automated, GitOps way with Cluster API and ArgoCD, this will probably keep me up at night. There was an amazing talk showcasing just this and I will probably steel everything they made.