Tag Archives: Cloud

Running gVisor on Azure Kubernetes Service for sandboxing containers

gVisor is one option beside Kata Containers or Firecracker for sandboxing containers to minimize the risk when running untrusted workloads on Kubernetes. -> https://gvisor.dev/ Currently, the only managed Kubernetes service which supports gVisor in dedicated node pools per default is Google Kubernetes Engine. But with a bit of an effort this is doable as well on Azure Kubernetes Service. At Read more [...]

Using Conftest for Azure Policy for Kubernetes

Conftest is a tool that lets you write tests against structure data like Kubernetes templates. -> https://www.conftest.dev/ So, why should you use Conftest when you already established your policies with Azure Policy for Kubernetes? As Azure Policy for Kubernetes uses Gatekeeper the OPA implementation for Kubernetes under the hood it uses Gatekeeper constraint templates written in Rego. Read more [...]

Mitigating slow container image pulls on Azure Kubernetes Service

It might happen that you experience slow container image pulls on your Azure Kubernetes Service nodes. First thought might be the Azure Container Registry is the root cause. Even when using the ACR without the geo-replication option enabled, image pulls from an ACR in Europe to AKS nodes running in Australia are fast. Therefore, it can be the ACR especially when you do not use the Premium SKU as the Read more [...]

Azure Policy for Kubernetes – custom policies on Azure Arc enabled Kubernetes

On September 1st Microsoft announced the public preview of the custom policy support for Azure Policy for AKS. -> https://azure.microsoft.com/en-us/updates/custom-aks-policy-support-now-public-preview/ I am already using the public preview on my AKS cluster and was curious about if this would work as well with Azure Arc enabled Kubernetes. The short answer is yes, but with some minor adjustments. Configuration First Read more [...]

Local Kubernetes setup with KinD on Podman

In one of my last blog posts I walked you through the setup how to run Podman on macOS with Multipass as Docker for Desktop alternative. -> https://www.danielstechblog.io/running-podman-on-macos-with-multipass/ Today I briefly show you the local Kubernetes setup with KinD on Podman. Even the Podman support of KinD is in an experimental state it runs stable enough for the daily usage. The Read more [...]

Running Podman on macOS with Multipass

Several months ago, I worked on a little side project during my spare time but instead of writing a blog post I set it aside till today. Since the announcement that Docker made yesterday on what has changed in the Docker Subscription Service Agreement my side project got my attention again. -> https://www.docker.com/blog/updating-product-subscriptions/ For most of us nothing will change Read more [...]

Remove dangling container manifests from Azure Container Registry

The Azure Container Registry offers three different SKUs which differentiate from each other not only from the feature set. Each SKU comes with included storage starting at 10 GB up to 500 GB. Depending on the usage pattern the included storage fills up quickly. This can be due to a lot of different container manifests from successful build pipelines or from failed pipelines pushing the container Read more [...]

Monitor the Envoy Proxy ratelimit service with Azure Monitor for containers

The last two blog posts of this series covered the setup of the Envoy Proxy ratelimit service and its implementation with Istio. -> https://www.danielstechblog.io/run-the-envoy-proxy-ratelimit-service-for-istio-on-aks-with-azure-cache-for-redis/ -> https://www.danielstechblog.io/implement-rate-limiting-with-istio-on-azure-kubernetes-service/ In today’s post I walk you through on how Read more [...]

Implement rate limiting with Istio on Azure Kubernetes Service

In my last blog post I walked you through the setup of the rate limiting reference implementation: The Envoy Proxy ratelimit service. -> https://www.danielstechblog.io/run-the-envoy-proxy-ratelimit-service-for-istio-on-aks-with-azure-cache-for-redis/ Our today’s topic is about connecting the Istio ingress gateway to the ratelimit service. The first step for us is the Istio documentation. -> Read more [...]

Detecting SNAT port exhaustion on Azure Kubernetes Service

Running applications on an Azure Kubernetes Service cluster which make a lot of outbound calls might led to a SNAT port exhaustion. In today’s blog article I walk you through how to detect and mitigate a SNAT port exhaustion on AKS. What is a SNAT port exhaustion? It is important to know what a SNAT port exhaustion is to apply the correct mitigation. SNAT, Source Network Address Translation, Read more [...]