Author Archives: danielstechblog

Running Podman on macOS with Multipass

Several months ago, I worked on a little side project during my spare time but instead of writing a blog post I set it aside till today. Since the announcement that Docker made yesterday on what has changed in the Docker Subscription Service Agreement my side project got my attention again. -> https://www.docker.com/blog/updating-product-subscriptions/ For most of us nothing will change Read more [...]

Identify the max capacity of ephemeral OS disks for Azure VM sizes

Back in 2019 Microsoft introduced the ephemeral OS disk option for Azure VMs and VMSS. -> https://azure.microsoft.com/en-us/updates/azure-ephemeral-os-disk-now-generally-available/ Instead of storing and persisting the OS disk to the Azure remote storage the ephemeral OS disk is stored onto the VM’s cache. Hence, ephemeral OS disks are perfect for stateless workloads like Azure Kubernetes Read more [...]

Remove dangling container manifests from Azure Container Registry

The Azure Container Registry offers three different SKUs which differentiate from each other not only from the feature set. Each SKU comes with included storage starting at 10 GB up to 500 GB. Depending on the usage pattern the included storage fills up quickly. This can be due to a lot of different container manifests from successful build pipelines or from failed pipelines pushing the container Read more [...]

Monitor the Envoy Proxy ratelimit service with Azure Monitor for containers

The last two blog posts of this series covered the setup of the Envoy Proxy ratelimit service and its implementation with Istio. -> https://www.danielstechblog.io/run-the-envoy-proxy-ratelimit-service-for-istio-on-aks-with-azure-cache-for-redis/ -> https://www.danielstechblog.io/implement-rate-limiting-with-istio-on-azure-kubernetes-service/ In today’s post I walk you through on how Read more [...]

Implement rate limiting with Istio on Azure Kubernetes Service

In my last blog post I walked you through the setup of the rate limiting reference implementation: The Envoy Proxy ratelimit service. -> https://www.danielstechblog.io/run-the-envoy-proxy-ratelimit-service-for-istio-on-aks-with-azure-cache-for-redis/ Our today’s topic is about connecting the Istio ingress gateway to the ratelimit service. The first step for us is the Istio documentation. -> Read more [...]

Detecting SNAT port exhaustion on Azure Kubernetes Service

Running applications on an Azure Kubernetes Service cluster which make a lot of outbound calls might led to a SNAT port exhaustion. In today’s blog article I walk you through how to detect and mitigate a SNAT port exhaustion on AKS. What is a SNAT port exhaustion? It is important to know what a SNAT port exhaustion is to apply the correct mitigation. SNAT, Source Network Address Translation, Read more [...]

Distribute your application across different availability zones in AKS using Pod Topology Spread Constraints

This is the last blog post of a series of posts covering the topic about increasing the application availability on Azure Kubernetes Service / Kubernetes. Today we cover the pod topology spread constraints. What are pod topology spread constraints? In the first post of the series, I talked about the pod disruption budget. The PDB guarantees that a certain amount of your application pods is available. The Read more [...]

Run the Envoy Proxy ratelimit service for Istio on AKS with Azure Cache for Redis

The Istio sidecar proxy uses Envoy and therefore supports two different rate limiting modes. A local one targeting only a single service and a global one targeting the entire service mesh. The local rate limit implementation only requires Envoy itself without the need for a rate limit service. In contrast the global rate limit implementation requires a rate limit service as its backend. Looking Read more [...]

Cloud Native Club – Kubernetes Policies

Last week I had the pleasure of being the guest of the fifth episode of the Cloud Native Club run by my former colleague Robin-Manuel Thiel. We talked about the topic Kubernetes policies covering the Open Policy Agent, Gatekeeper and Azure Policy for Kubernetes. The Cloud Native Club format is in German and hence no English version of the recording is available. -> Folge 5: Kubernetes Policies Read more [...]

Evaluating Gatekeeper policies with the Rego Playground

Writing and evaluating Gatekeeper policies can be hard sometimes. Especially the testing part of a newly created policy. There are different approaches to tackle this like having a dedicated test Kubernetes cluster for it. An alternative we used was a script starting a single node KinD cluster on Docker for Mac and installing Gatekeeper onto it. The advantage of this approach you see how the Read more [...]