Do you still need Terraform for EKS management?

Introduction and motivation

Terraform has been the most widely adopted tool for managing cloud infrastructure for a while now, and managing EKS is no exception. The majority of companies I’ve talked to use it. However, I’ve noticed that many are at least exploring alternatives, especially in the context of managing EKS - and there are valid reasons for that.

Most of the time when you’re interacting with Kubernetes, you do so declaratively: you define the desired state (resource manifests) and rely on various controllers to update the “world” to match what’s defined. This approach is typically used to manage app configuration, deployments, networking, secrets, and more. However, when it comes to cluster configuration or application dependencies, it quickly falls short, and people fall back to good old Terraform.

Many will continue using Terraform whenever they deal with the AWS API and only use Kubernetes for what “originally” belongs there. Some will identify bottlenecks and seek alternatives to improve operational efficiency or solve other problems. ...

July 8, 2025 · 12 min · 2415 words · Simon

How to Run AWS Lambda Container Images as a Non-Root User and Satisfy Security Scanners

Introduction

One of the supported runtimes for AWS Lambda is containers. AWS offers a set of base images with a Lambda Interface Client built-in, which is required to run your code in the context of AWS Lambda. The actual usage varies depending on your language of choice. The Runtime Interface Client (RIC) is available as a library that you either call directly in your application’s entrypoint (in the case of Go), or you use the provided entrypoint and pass it the name of your handler, which is the case for Python or NodeJS. ...

May 26, 2025 · 6 min · 1164 words · Simon

Why You Shouldn't Keep Your EKS API Access Open to the Internet

Introduction

The control plane is a set of components that together form the management layer of Kubernetes. These components manage the cluster’s state, coordinate between nodes, and provide APIs for interacting with the cluster. The security of this API component, known as the API Server, is the focus of today’s post.

Ensuring the security of the API Server is critical because it serves as the interface to your cluster. It is used by both users and automation tools to interact with the cluster. Whether it’s kubectl, Helm, ArgoCD, or any other tool, they all communicate with the cluster via the API. Unauthorized access can lead to a complete or partial cluster compromise, data breaches, or service disruptions. ...

May 5, 2025 · 5 min · 904 words · Simon