Latest Posts

My blog where I write about cloud, containers, kubernetes, and the technology industry.

Hardened Images for Amazon EKS

This post details the development and purpose behind the Custom AMIs for Amazon EKS available on the AWS GitHub. Whether you are in a highly regulated industry, the government, or a security-conscious organization, you are most likely running hardened virtual machines within your environment. As more organizations, such as the United States Department of Defense, adopt Kubernetes organization-wide, there is a need for hardened AMIs that work with Amazon EKS and meet compliance requirements.

Read more, Hardened Images for Amazon EKS

Using SELinux with Containers

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access control (MAC). Containers support running on hosts with SELinux enabled. If you are just getting started with SELinux, I highly recommend watching “Security-Enhanced Linux for mere mortals by Thomas Cameron”. In the cloud, if you are looking to run containers on SELinux you will need to run on top of CentOS or Red Hat Enterprise Linux.

Read more, Using SELinux with Containers

Enable FIPS 140-2 Mode on Amazon Linux 2

The Federal Information Processing Standard (FIPS) 140-2 specifies the security requirements for cryptography used in US Federal Government systems. This standard has been adopted by other organizations such as the Canadian Government, PCI, and many other highly regulated industries. FIPS 140-2 consists of multiple levels combining software and hardware validation. In this post, we will be focusing on a software-only implementation. FIPS 140-2 essentially defines a set of validated cryptographic functions that can be used for encrypting data in transit, such as TLS or SSH.

Read more, Enable FIPS 140-2 Mode on Amazon Linux 2

Running Wordpress On AWS Elastic Kubernetes Service (EKS)

Wordpress is a common Content Management System (CMS) for building websites and blogs. Scaling Wordpress can be difficult, especially in the cloud, due to the shared file system requirement for uploads, plugins, and themes. AWS publishes a document with best practices for running highly scalable Wordpress installations on AWS. This document follows Wordpress’ recommendation of putting the entire Wordpress codebase in an Elastic File System (EFS) mount. This means every request relies on an NFS-backed application.

Read more, Running Wordpress On AWS Elastic Kubernetes Service (EKS)

Replace Fios Router with Your Router

This past weekend I set up my Fios service to work with my own router. The guide below should walk you through how to set up your Fios Quantum router with your own router. For my home setup, I have 3 Google Wifis in a mesh. Off of the main Google Wifi (router) I have a switch with a number of Smarthome devices plugged in. I wanted my set top boxes (STBs) to show up on my network because they have built-in Chromecast support.

Read more, Replace Fios Router with Your Router

Using IAM Roles for Service Accounts with the ALB Ingress Controller

In September 2019, AWS announced the ability to map IAM Roles to Kubernetes service accounts (IRSA). This enables finer-grained control for pods running on EC2 instances. Previously, customers had to deploy and configure kube2iam to wrap pods with IAM credentials. However, this was confusing and not deeply integrated with the platform. Without kube2iam, pods inherited the underlying permissions of the EC2 host, which means pods could potentially have more privileges than they should.

Read more, Using IAM Roles for Service Accounts with the ALB Ingress Controller

Kubernetes is Eating the Enterprise

Kubernetes has been gaining steam since it was open sourced in 2014. Containers have been on the rise within the enterprise of late. While many startups and engineering-focused organizations have been using Kubernetes for a long time (maybe even since the beginning), enterprises have taken a little longer to join the hype-train. I have been working in the “container space” for over four years now (which seems like forever) and in the last year have seen my conversations with customers change from “what are containers?

Read more, Kubernetes is Eating the Enterprise

Docker Sidecar Logging

Logging with Docker can be tricky, and oftentimes there are constraints around where logs can be sent. Especially in an enterprise environment, popular logging providers may not be a possibility. Not to mention, configuring logging at the daemon level isn’t supported by all of the Docker tools and products, which can throw a major monkey wrench into your plans. The sidecar approach sidesteps all of these issues by running just like another container on the machine and forwarding the logs to the destination of your choosing.

Read more, Docker Sidecar Logging

DockerCon 2016 Round Up

Another successful year at DockerCon for Docker and the enterprise. Docker is making large investments to make the platform easier to set up, more secure, and simpler to manage. A lot of the benefits for the enterprise are rooted in the open source project. Day 1 saw many announcements on the open source side that alluded to many exciting announcements for the enterprise on Day 2. Here are the highlights: Open Container Initiative — Docker released the first OCI-compatible Docker Engine with containerd and runc.

Read more, DockerCon 2016 Round Up