news

APIServer dry-run and kubectl diff

Declarative configuration management, also known as configuration-as-code, is one of the key strengths of Kubernetes. It allows users to commit the desired state of the cluster, to keep track of the different versions, and to improve auditing and automation through CI/CD pipelines. The Apply working group is working on fixing some of the gaps, and is happy to announce that Kubernetes 1.13 promoted server-side dry-run and kubectl diff to beta. These two features are big improvements for the Kubernetes declarative model.
Read more

Sidestepping Dependency Ordering with AppSwitch

We are going through an interesting cycle of application decomposition and recomposition. While the microservice paradigm is driving monolithic applications to be broken into separate individual services, the service mesh approach is helping them to be connected back together into well-structured applications. As such, microservices are logically separate but not independent. They are usually closely interdependent, and taking them apart introduces many new concerns, such as the need for mutual authentication between services.
Read more

Kubernetes Operators—When, how and the gotchas to keep in mind

Kubernetes Operators have now become mainstream. An Operator is essentially a Kubernetes Custom Controller managing one or more Custom Resources. The term Operator has become popular as it succinctly captures the end result that a Custom Controller + Custom Resource combination is typically defined for, e.g. declaratively managing stateful software on Kubernetes (databases, off-the-shelf web applications, ML workloads, etc.). In technical terms, the Custom Controller + Custom Resource combination is called a ‘Custom Resource Definition’ (CRD).
Read more

Netflix Play API: Building an Evolutionary Architecture

At QCon SF, Suudhan Rangarajan presented ‘Netflix Play API: Why We Built an Evolutionary Architecture’. Key takeaways from the talk included: services that have a single identity/responsibility are easier to maintain and upgrade; engineers should spend time identifying core decisions that need to be made when building a service, and determine whether these are ‘Type 1’ or ‘Type 2’ decisions which require thorough deliberation or rapid experimentation, respectively; and designing an ‘evolutionary architecture’, using tools like fitness functions, provides many benefits.
Read more

Fitness function-driven development

Test-driven development, or TDD, involves writing tests first then developing the minimal code needed to pass the tests. TDD is an established practice for feature development that can improve code quality and test coverage. What about other, non-functional requirements such as scalability, reliability, observability, and other architectural “-ilities”? How do we ensure operability and resiliency of features when they go to production? How can we encourage teams to build in these architectural standards, just as test-driven development builds in code quality and test coverage?
Read more

Open for event based tracing?

In OpenTracing the fundamental concept for representing distributed traces is the (time) span: something that starts and then finishes, can be annotated with key-value pairs and can be “causally” related. This representation gained popularity with Google’s Dapper paper and triggered open-source tracing implementations like Zipkin and Jaeger and eventually the OpenTracing specification, but according to the academic literature it is not the only one. In spite of its popularity, the span-based trace representation has some shortcomings that limit its applicability.
Read more

CVE-2018-18264 Privilege escalation through Kubernetes dashboard

A recently disclosed vulnerability in the Kubernetes dashboard (CVE-2018-18264) exposes secrets to unauthenticated users. In this blog post we’ll explore some key takeaways regarding monitoring privilege escalation on Kubernetes. The Kubernetes dashboard is a web-based user interface that allows users to manage applications and resources within the cluster. This service has had login functionality starting from Kubernetes 1.7.0. Since then, users have been able to authenticate with a kubeconfig file or an access token.
Read more

New AWS services launch with HIPAA, PCI, ISO, and SOC

Our security culture is one of the things that sets AWS apart. Security is job zero — it is the foundation for all AWS employees and impacts the work we do every day, across the company. And that’s reflected in our services, which undergo exacting internal and external security reviews before being released. From there, we have historically waited for customer demand to begin the complex process of third-party assessment and validating services under specific compliance programs.
Read more

NLP with a fashion twist: Zalando’s natural language processing framework

Zalando research brings the latest flair to the scene. (Yes, that Zalando. The German-based fashion and beauty online shop operates in fifteen different European countries.) Flair is a simple framework for state-of-the-art natural language processing. It builds on top of PyTorch, a popular deep learning platform, which makes it easy to use. A powerful NLP library, Flair allows you to apply our state-of-the-art natural language processing (NLP) models to your text, such as named entity recognition (NER), part-of-speech tagging (PoS), sense disambiguation and classification.
Read more

The Guardian’s Migration from MongoDB to PostgreSQL on Amazon RDS

The Guardian migrated their CMS’s datastore in 2018 from a self-managed MongoDB cluster to PostgreSQL on Amazon RDS for a fully managed solution. The team did an API-based migration without any downtime. The Guardian’s in-house CMS, called Composer, which stores articles, blog content, photo galleries and video, was originally built on top of MongoDB as a datastore. This was preceded by vendor software backed by an Oracle database.
Read more