Blog

My blog, where I write about cloud, containers, Kubernetes, and technology.

Building Distroless Go Containers

There are many options for building and deploying Go applications using containers and, believe me, I have tried most of them on my journey to find the right balance of fast build times, small images, and security. After trying lots of different options, I believe I have landed on the optimal solution. My first priority is security: I want to make sure the container contains only what I need to run my application and runs as a non-privileged user.


Debugging Go with VSCode and Air

One of the drawbacks of debugging Go code with VSCode is that when you make a change, the project does not automatically recompile and restart the debugger. Enter Air. Air provides live reload for Go apps and has made developing Go applications much easier. As our applications have gotten more complex, we wanted to integrate Air with the VSCode debugging process. It was a bit tricky to set up, so I thought I would share our configuration.


Best VSCode Settings for Golang

Over the last two years, I have been doing most of my development at Takt in Go. We chose Go for its versatility across web services and background processing code. Our team uses VSCode as our editor of choice, and we have tweaked our VSCode setup to meet our needs. In a future blog post I will talk about how we use GitHub Actions to deploy Go containers. Obviously, “best” is subjective, and each editor setup needs to fit the individual and/or the team.


A Practical Guide to Secondary CIDR Ranges for Amazon EKS

If you are running in a corporate environment or are migrating a Kubernetes cluster from an overlay network to Amazon EKS, you most likely have a question: “What do you mean the Pods and EC2 instances are given IPs out of the same CIDR range?” First, this is perfectly natural. Amazon EKS assigns pod IP addresses directly from the VPC and so leverages all of the features, security, and simplicity of the Amazon VPC. This is an advantage because you can use the security tooling you already run within your network, and routing between pods and your wider network is simplified.


Deploying JupyterHub to Amazon EKS

JupyterHub is a multi-user server for Jupyter notebooks that enables multiple users to develop, research, and create. In this post, I am going to cover deploying JupyterHub to Amazon EKS with per-user persistent storage backed by Amazon EBS and TLS termination using AWS Certificate Manager (ACM). Before we dive in, make sure you have eksctl, kubectl, and Helm installed on your local machine. We will be using these tools to deploy the Kubernetes cluster and JupyterHub.


Configuring Pods to use HTTP Proxies

In many enterprise environments, all outbound traffic must be routed through an HTTP proxy. This requires setting the http_proxy, https_proxy, and no_proxy environment variables inside the pods, which can be difficult to manage across many deployments. Below is a simple way to configure the proxy settings in a central location for all pods. Run the following command, updating the values with the ones that apply to your setup. This creates a Kubernetes ConfigMap in the default namespace (ConfigMaps are namespaced, so you will need to create the same one in every namespace where you deploy pods). Pay particular attention to no_proxy: it must exclude the cluster's own address space (the Kubernetes API endpoint, ClusterIP services, pod and node IPs, in-cluster DNS names) and the EC2 instance metadata service, or those requests will be sent to the proxy and fail.
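The no_proxy exceptions are where mistakes hide, and they are hard to eyeball. The following Go program is an added example, not code from the post: it builds a no_proxy list for a cluster, exports the three variables, and then uses Go's own http.ProxyFromEnvironment (the same logic the default HTTP client applies) to report which destinations would go through the proxy and which go direct. The proxy host proxy.corp.example, the VPC CIDR 10.0.0.0/16 and the service CIDR 172.20.0.0/16 are hypothetical values; substitute your own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// ProxySettings holds the three variables that control outbound HTTP proxying in
// Go (and in curl, pip, the AWS CLI and most other clients).
type ProxySettings struct {
	HTTPProxy  string // used for http:// requests
	HTTPSProxy string // used for https:// requests
	NoProxy    string // comma-separated exceptions: hosts, domain suffixes, IPs, CIDRs
}

// ClusterNoProxy builds a no_proxy list that keeps in-cluster and in-VPC traffic
// off the corporate proxy. The entries are assumptions for a typical EKS cluster;
// pass your own VPC and service CIDRs and any extra exceptions.
func ClusterNoProxy(vpcCIDR, serviceCIDR string, extra ...string) string {
	entries := []string{
		"localhost", "127.0.0.1", // loopback (Go bypasses these anyway)
		"169.254.169.254",        // EC2 instance metadata service (IMDS)
		vpcCIDR,                  // nodes, pods (VPC CNI) and the EKS API endpoint ENIs
		serviceCIDR,              // ClusterIP services, e.g. kubernetes.default
		".svc", ".cluster.local", // in-cluster DNS names
	}
	entries = append(entries, extra...)
	return strings.Join(entries, ",")
}

// Export writes the settings into the process environment. Both lowercase and
// uppercase spellings are set because different clients read different forms.
// Go's net/http reads these once, on first use, so they must be in place before
// the first request (in a pod, that means set via the pod spec, not at runtime).
func (s ProxySettings) Export() {
	for _, kv := range [][2]string{
		{"http_proxy", s.HTTPProxy}, {"HTTP_PROXY", s.HTTPProxy},
		{"https_proxy", s.HTTPSProxy}, {"HTTPS_PROXY", s.HTTPSProxy},
		{"no_proxy", s.NoProxy}, {"NO_PROXY", s.NoProxy},
	} {
		os.Setenv(kv[0], kv[1])
	}
}

// ProxyFor reports the proxy URL that Go's default HTTP client would use for
// rawURL under the current environment, or "" if the request goes direct.
func ProxyFor(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	proxy, err := http.ProxyFromEnvironment(&http.Request{URL: u})
	if err != nil || proxy == nil {
		return "", err
	}
	return proxy.String(), nil
}

// SampleSettings returns constructed sample values (hypothetical proxy and CIDRs).
func SampleSettings() ProxySettings {
	return ProxySettings{
		HTTPProxy:  "http://proxy.corp.example:3128",
		HTTPSProxy: "http://proxy.corp.example:3128",
		NoProxy:    ClusterNoProxy("10.0.0.0/16", "172.20.0.0/16"),
	}
}

func main() {
	SampleSettings().Export()
	for _, target := range []string{
		"https://api.github.com/",                  // internet: via proxy
		"http://169.254.169.254/latest/meta-data/", // IMDS: direct
		"https://172.20.0.1:443/",                  // kubernetes ClusterIP: direct
		"https://kubernetes.default.svc/",          // in-cluster DNS: direct
		"http://10.0.12.34:8080/",                  // another pod or node in the VPC: direct
	} {
		p, err := ProxyFor(target)
		if err != nil {
			fmt.Println(target, "error:", err)
			continue
		}
		if p == "" {
			p = "(direct)"
		}
		fmt.Printf("%-45s -> %s\n", target, p)
	}
}
```

Because net/http caches the proxy variables the first time they are consulted, exporting them after the application has already made a request has no effect; in a pod they belong in the pod spec (for example via envFrom on the ConfigMap) so they are present before the process starts.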


Resolving Amazon EKS Private Endpoints in AWS GovCloud (US)

Amazon Elastic Kubernetes Service (EKS) recently launched in AWS GovCloud (US), enabling public sector customers with FedRAMP, DoD CC SRG, ITAR and similar requirements to run fully managed Kubernetes clusters. Amazon EKS in AWS GovCloud (US) has one difference from its standard-region counterpart: when a cluster's API endpoint is in private mode, the private IP addresses are not advertised over public DNS. In the standard regions, the private IP addresses of the Kubernetes API server are advertised over public DNS to integrate with on-premises DNS providers.


NGINX Container for FIPS 140-2 TLS Termination

In a previous post, I covered how to enable FIPS 140-2 mode on hosts and within containers. Organizations building applications for FedRAMP or DoD CC SRG compliance need to enable end-to-end encryption of data in transit. In a containerized environment, this can be difficult: most containerized applications terminate TLS at the cloud load balancer, such as an Application Load Balancer, leaving the hop from the load balancer to the container unencrypted. This post walks through terminating the TLS connection within the Pod or Task using NGINX.


Deploying aws-iam-authenticator to AWS GovCloud (US)

In my last post, I covered how to deploy a Kubernetes cluster to AWS GovCloud (US). In this post, I will cover how to add authentication with AWS IAM using aws-iam-authenticator. The AWS IAM Authenticator runs as a DaemonSet on all of the master nodes within the cluster and integrates with the Kubernetes API server through a token authentication webhook. AWS IAM Authenticator also runs on your local machine, invoked through your kubeconfig, to create a temporary token that is presented to the cluster for authentication.


Deploying Kubernetes to AWS GovCloud (US)

AWS GovCloud (US) is an isolated instance of AWS designed for customers with specific US compliance requirements. AWS GovCloud (US) does have some differences from the commercial regions when it comes to tooling. AWS GovCloud (US) gives government customers and their partners the flexibility to architect secure cloud solutions that comply with the FedRAMP High baseline; the DOJ’s Criminal Justice Information Systems (CJIS) Security Policy; U.S. International Traffic in Arms Regulations (ITAR); Export Administration Regulations (EAR); Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) for Impact Levels 2, 4 and 5; FIPS 140-2; IRS-1075; and other compliance regimes.


Hardened Images for Amazon EKS

This post details the development of, and purpose behind, the Custom AMIs for Amazon EKS available on the AWS GitHub. Whether you are in a highly regulated industry, the government, or a security-conscious organization, you are most likely running hardened virtual machines within your environment. As more organizations, such as the United States Department of Defense, adopt Kubernetes organization-wide, there is a need for hardened AMIs that work with Amazon EKS and meet compliance requirements.


Using SELinux with Containers

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access control (MAC). Containers support running on hosts with SELinux enabled. If you are just getting started with SELinux, I highly recommend watching “Security-Enhanced Linux for mere mortals” by Thomas Cameron. In the cloud, if you are looking to run containers on SELinux you will want to run on top of CentOS or Red Hat Enterprise Linux, which ship with SELinux enabled by default.


Enable FIPS 140-2 Mode on Amazon Linux 2

The Federal Information Processing Standard (FIPS) 140-2 specifies the security requirements for cryptographic modules used in US Federal Government systems. The standard has also been adopted by other organizations such as the Canadian Government, PCI, and many other highly regulated industries. FIPS 140-2 defines multiple security levels combining software and hardware validation; in this post, we will be focusing on a software-only implementation. In practice, FIPS 140-2 mode restricts a system to validated cryptographic modules and approved algorithms for protecting data in transit, such as TLS or SSH.


Running Wordpress On AWS Elastic Kubernetes Service (EKS)

WordPress is a common Content Management System (CMS) for building websites and blogs. Scaling WordPress can be difficult, especially in the cloud, due to the shared file system requirement for uploads, plugins, and themes. AWS publishes a document with best practices for running highly scalable WordPress installations on AWS. This document follows WordPress’ recommendation to put the entire WordPress codebase in an Elastic File System (EFS) mount, which means every request relies on an NFS-backed file system.


Replace Fios Router with Your Router

This past weekend I set up my Fios service to work with my own router. The guide below should walk you through how to set up your Fios Quantum router with your own router. For my home setup, I have three Google Wifi units in a mesh. Off of the main Google Wifi (the router) I have a switch with a number of smart home devices plugged in. I wanted my set-top boxes (STBs) to show up on my network because they have built-in Chromecast support.


Using IAM Roles for Service Accounts with the ALB Ingress Controller

In September 2019, AWS announced the ability to map IAM roles to Kubernetes service accounts (IRSA). This enables finer-grained control over the AWS permissions of pods running on EC2 instances. Previously, customers had to deploy and configure kube2iam to supply pods with IAM credentials, which was confusing and not deeply integrated with the platform. Without kube2iam, pods inherited the permissions of the EC2 host's instance role, which means pods could potentially have more privileges than they should.


Kubernetes is Eating the Enterprise

Kubernetes has been gaining steam since it was open sourced in 2014, and containers have been on the rise within the enterprise of late. While many startups and engineering-focused organizations have been using Kubernetes for a long time (maybe even since the beginning), enterprises have taken a little longer to join the hype train. I have been working in the “container space” for over four years now (which seems like forever), and in the last year I have seen my conversations with customers change from “what are containers?


Docker Sidecar Logging

Logging with Docker can be tricky, and oftentimes there are constraints around where logs can be sent. Especially in an enterprise environment, popular logging providers may not be an option. Not to mention, configuring logging at the daemon level isn’t supported by all of the Docker tools and products, which can throw a major monkey wrench into your plans. The sidecar approach sidesteps all of these issues by running as just another container on the machine and forwarding the logs to the destination of your choosing.


DockerCon 2016 Round Up

Another successful year at DockerCon for Docker and the enterprise. Docker is making large investments to make the platform easier to set up, more secure, and simpler to manage. A lot of the benefits for the enterprise are rooted in the open source project. Day 1 saw many announcements on the open source side that alluded to exciting announcements for the enterprise on Day 2. Here are the highlights: Open Container Initiative: Docker released the first OCI-compatible Docker Engine, built on containerd and runC.
