30 Matching Annotations
  1. Sep 2022
  2. Aug 2022
  3. May 2022
    1. Protection Vulnerability management tools will identify all known vulnerabilities in base images and packages and provide upgrade recommendations. When vulnerabilities can’t be patched or there is no patch available, providing virtual patching and other runtime protection can be useful compensating controls. For Kubernetes components, this is another reason to consider managed Kubernetes offerings, rather than rolling your own. All the major cloud providers’ managed Kubernetes offerings lock down the kubelet component by default and are not susceptible to this exploit. For those self-managing Kubernetes clusters, tools like Prisma Cloud can identify unsecure components to secure using our Kubernetes audits. Integrations with Open Policy Agent (OPA) can also prevent spinning up privileged containers and other violations of secure Kubernetes practices.

      container security

    1. The kubelet doesn't manage containers which were not created by Kubernetes.


    2. kubelet Synopsis The kubelet is the primary "node agent" that runs on each node. It can register the node with the apiserver using one of: the hostname; a flag to override the hostname; or specific logic for a cloud provider.


  4. Oct 2021
      1. service account 自动mount
      2. service account 自动设置在pod的spec.serviceAccountName
      3. 1.6以上可以通过设置automountServiceAccountToken来disable自动mount的行为
      4. pod默认的service account是自己ns的default account
      5. 对于任意给定的serviceaccount 我们可以手动的给他创建token,方式是创建secret,在annotation中指定service-account,auto-controller会自动在这里更新token
      6. 无法更改已经创建的pod的serviceaccount
  5. Jul 2021
  6. Jun 2021
  7. Apr 2021
  8. Mar 2021
    1. seems a interesting talk on k8s

      听了一半,这里的 Builders and Operators 指的是运维而非 k8s controller 里的 operator,以后有机会再看看吧

      配合自己用 kubeadm 部署一个 cluster 可能不错

  9. kubernetes.io kubernetes.io
    1. even if it is being drained of workload applications.

      Q: 那岂不是会出问题? 有什么事件会被触发吗?

    2. Pods that are part of a DaemonSet tolerate being run on an unschedulable Node.

      Q: 标记node为不可调度本来就不会驱逐正在运行的node吧 A: daemonset中的pod是可以在后面动态添加的

    3. Path to credentials to authenticate itself to the API server.

      那为为什么叫 kubeconfig?而不是kube-credentials-path? 参见 https://github.com/zecke/Kubernetes/blob/master/docs/user-guide/kubeconfig-file.md kubeconfig 就是存鉴权信息地方

    4. Kubernetes keeps the object for the invalid Node and continues checking to see whether it becomes healthy.You, or a controller, must explicitly delete the Node object to stop that health checking.


  10. Jan 2021
  11. Dec 2020
  12. Nov 2020
  13. Oct 2020
    1. 貌似是另一个 k8s 的 dashboard,页面全但是感觉使用比较复杂





  14. Sep 2020
    1. To me, abandoning all these live upgrades to have only k8s is like someone is asking me to just get rid of all error and exceptions handling and reboot the computer each time a small thing goes wrong.

      the Function-as-a-Service offering often have multiple fine-grained updateable code modules (functions) running within the same vm, which comes pretty close to the Erlang model.

      then add service mesh, which in some cases can do automatic retry at the network layer, and you start to recoup some of the supervisor tree advantages a little more.

      really fun article though, talking about the digital matter that is code & how we handle it. great reminder that there's much to explore. and some really great works we could be looking to.

  15. Sep 2019
    1. 编排之争

      docker 和 kubernetes 的编排之争,前提是 docker 不安于现状,不想仅仅做提供应用程序打包发布的 “幕后英雄”,而是想要进军完整的 “PaaS”,而完整的 "PaaS" 不仅仅需要应用程序,还需要提供一种 编排集群管理负载均衡 的能力,所以,docker composeswarm 的出现也是必然,为了应对 docker Paas 化的冲击,kubernetes 应运而生

  16. Aug 2019
    1. Rook turns distributed storage systems into self-managing, self-scaling, self-healing storage services. It automates the tasks of a storage administrator: deployment, bootstrapping, configuration, provisioning, scaling, upgrading, migration, disaster recovery, monitoring, and resource management.

      Rook将分布式存储系统转变为自我管理,自我扩展,自我修复的存储服务。<br> 它可以自动执行存储管理员的任务:

      • 部署,
      • 引导,
      • 配置,
      • 配置,
      • 扩展,
      • 升级,
      • 迁移,
      • 灾难恢复,
      • 监控
      • 资源管理。




    1. ReplicationController(简称RC)是确保用户定义的Pod副本数保持不变

      Replication Controller -- RC<br> 确保用户定义的Pod副本数保持不变,也就是说<br> 如果pod增多,则ReplicationController会终止额外的pod,如果减少,RC会创建新的pod

  17. Jun 2019