KubeFM

Latest episodes

Feb 6, 2024 • 34min

Pod topology spread constraints might not be the best solution, with Martin Humlund Clausen

Pod Topology Spread Constraints are a convenient feature to control how pods are spread across your cluster among failure domains such as regions, zones, nodes, etc. You can also choose the pod distribution (skew), what happens when the constraint is unfulfillable (schedule anyway vs. don't), and the interaction with pod affinity and taints.

It's a great and straightforward feature, so what could possibly go wrong?

In this episode of KubeFM, you will follow Martin and his team's journey in discovering and fixing a production incident (on a Friday afternoon) due to a misconfiguration.

You will also learn:
- What Pod Topology Spread Constraints are and how to use them.
- How unfulfillable scheduling requirements can lead to unschedulable pods.
- How to detect and alert on unscheduled pods.
- How to manage your team during an incident to keep them calm and focused.

Sponsor: This episode is sponsored by Learnk8s — become an expert in Kubernetes.

More info: Find all the links and info for this episode here: https://ku.bz/pCFzfGtHS
Jan 30, 2024 • 1h 6min

Transparently providing ARM nodes to 4000 engineers, with Miguel Bernabeu Diaz and Thibault Jamet

On average, Kubernetes nodes running on ARM instances are 20% cheaper than their AMD counterparts. Optimising your cloud bill is tempting, but how do you seamlessly migrate existing workloads to a different architecture? And how do you do it at scale, with more than 4000 engineers and 30 clusters in 4 regions?

In this episode of KubeFM, Thibault and Miguel explain how Adevinta built an internal platform on Kubernetes for mixed AMD and ARM workloads.

You will learn:
- The challenges they faced validating containers for mixed architectures with a mutating webhook, and the open source solution they came up with: noe.
- Why building an internal platform requires careful planning and designing simple interfaces that are backwards compatible.
- How not to DDoS your container registries.
- How to onboard users to an internal platform and evangelise it.

Sponsor: This episode is sponsored by Learnk8s — become an expert in Kubernetes.

More info: Find all the links and info for this episode here: https://ku.bz/_k-Y1jgFS
Jan 23, 2024 • 52min

Barco: Linux containers from scratch in C, with Luca Cavallin

The best way to learn something is to break it or to build it yourself. And that's precisely what Luca did to understand how Linux containers (and Docker) work: he built his own, Barco.

In this episode of KubeFM, you will learn:
- Why Linux containers "don't exist" but are the product of several Linux features that you can put together and configure properly to get what we know as containers.
- How kernel features such as cgroups and namespaces isolate a process.
- How you can use seccomp and capabilities to secure the container.
- How to make the right syscalls from C to build your own container engine.

Luca also explained how he learned to build Barco from scratch, detailing the struggle to find reputable sources and the lack of respected books.

Sponsor: This episode is sponsored by Learnk8s — become an expert in Kubernetes.

More info: Find all the links and info for this episode here: https://ku.bz/5W1r90mvP
Jan 16, 2024 • 50min

Foolproof Kubernetes with GKE, with Mathew Duggan

What if Kubernetes was so easy to install and manage that it was foolproof?

In this episode of KubeFM, Mat argues that GKE is the only managed Kubernetes service that offers a beginner-friendly and thought-through experience in running a Kubernetes cluster.

Follow Mat's journey through AKS, GKE and EKS and learn:
- How GKE Autopilot can help you optimize costs and reduce underutilized node resources.
- How the GKE container-optimized OS prevents and eliminates an entire class of security misconfigurations in node management.
- How GCP's application of machine learning to IAM permissions can help you gradually refine security permissions as applications are deployed.

But Mat didn't stop there and had more food for thought:
- Are we over-logging and over-monitoring in Kubernetes?
- CNI and Ingress have evolved since their inception. What happens now that we are stuck with those decisions?
- Is there a simpler alternative to Kubernetes that is multi-cloud and cloud agnostic, and what could it look like?

More info: Find all the links and info for this episode here: https://ku.bz/G6tPB0114
Dec 12, 2023 • 1h 7min

Network Policies are the wrong abstraction, with Ori Shoshan

Network Policy usage is inverted. It's easier to list the services that you want to connect to, but Network Policy forces you to list all the clients that can connect to your pod. How would you even know that another team plans to connect to your apps?

But if Network Policy is not the right tool, then what should you use?

In this KubeFM podcast, you will explore:
- How Network Policies are not as bad as you might think, but they are low-level APIs that are not always practical to use directly.
- Intent-Based Access Control (IBAC) as a higher-level abstraction to describe your network segmentation requirements.
- How you can use IBAC to generate Network Policies, Istio Authorization Policies, AWS IAM roles, and more.

More info: Find all the links and info for this episode here: https://ku.bz/Xhd2xKDH7
Dec 5, 2023 • 27min

Why Helm's design is flawed, with Jacco Taal

Jacco Taal draws a parallel between Helm and PHP, highlighting their success despite focusing on templating strings. He discusses Helm's flaws, alternative tools, managing third-party packages, and duplicated charts. The podcast also covers community reaction, expressing opinions, and scuba diving in Zealand.
Nov 28, 2023 • 29min

Kubernetes base64 secrets are fine, with Mac Chaffee

By default, Kubernetes Secrets are not encrypted; values are merely base64 encoded. And this is fine — at least, this is what Mac argues in this episode of KubeFM. Mac says it all comes down to thinking strategically about security and where the Secrets could be leaked.

In this episode, you will learn:
- How to define a threat model to inform your security posture and mitigations.
- How Kubernetes Secrets offer sufficient guarantees for most common threat models.
- Whether you should use HashiCorp Vault or Kubernetes Secrets (and when not to use auto-unsealing).

Mac also covers tips and advice on becoming a security expert.

More info: Find all the links and info for this episode here: https://ku.bz/rFlp8Yj9s
Nov 21, 2023 • 27min

Kubernetes on bare-metal: lessons learned, with Mathias Pius

What does it take to build a Kubernetes cluster on bare metal?

In this episode of KubeFM, you will learn how to plan and execute a successful setup for a bare-metal Kubernetes cluster. You will follow Mathias' journey as he rebuilt his cluster several times and learn how to:
- Identify dependencies and priorities between components to avoid incidents in the future.
- Leverage FluxCD to have a predictable and documented setup.
- Secure the nodes from external traffic with firewalls and Cilium cluster-wide network policies.
- Use Talos to have a self-contained Kubernetes operating system.

Mathias also shared tips and advice for other engineers embarking on the same process.

More info: Find all the links and info for this episode here: https://ku.bz/WxLPC_Wlb
Nov 14, 2023 • 53min

Migrating 24 services from Docker compose to Kubernetes, with Ronald Ramazanov and Vasily Kolosov

Should every project start with Kubernetes? And if not, when is the right time to switch without incurring (unbearable) technical debt?

In this episode of KubeFM, you will learn how the team at Loovatech designed an app from scratch and decided to use Docker Compose to host their infrastructure cheaply and effectively on a single virtual machine. As the project grew, the team had to make the difficult choice to rearchitect their infrastructure and plan for scalability and fault tolerance.

Follow their journey and learn:
- How to migrate from a single Docker Compose file with 24 containers to Kubernetes.
- How to verify that your apps are stateless and what changes are necessary to deploy them into Kubernetes.
- How to manage expectations and explain the value of a complex migration to your boss or (non-tech-savvy) customers.

Vasily and Ronald also shared how they integrated ArgoCD with their existing CI/CD to leverage push- and pull-based GitOps, and their plans to incorporate multi-tenancy and custom metrics.

More info: Find all the links and info for this episode here: https://ku.bz/-lNhQ2fgq
Oct 31, 2023 • 47min

Upgrading hundreds of Kubernetes clusters, with Pierre Mavro

How do you upgrade a Kubernetes cluster to the latest release without breaking anything? And what if you had to upgrade hundreds of clusters simultaneously?

In this episode, Pierre explains the process, tooling and testing strategy for upgrading clusters at scale.

You will learn:
- How the team at Qovery keeps up to date with the latest (vanilla) Kubernetes changes and managed services changelogs.
- How to upgrade Helm charts gradually and safely. Pierre has some tips for Custom Resource Definitions (CRDs).
- How to test API deprecations with end-to-end testing.
- How to automate the process of upgrading clusters.

You will also learn from Pierre's experience in managing stateful applications in Kubernetes with 4500 nodes on bare metal.

More info: Find all the links and info for this episode here: https://ku.bz/cVYyDRLqQ