rohit (almost 2 years ago)
still fairly new to k8s, but racking my brain on a small issue:
we have a main app service that will have a sidecar container. this sidecar container provides a "broker" (of sorts) to facilitate writing / getting secrets from a customer's external secrets management system. this sidecar container allows the main app to make requests to get / write / delete secrets.
we have a k8s job that provisions a database (db, tables, schemas, grants, etc). this job will need to also get secrets from this sidecar container.
i think it's possible to expose ports for the main app and sidecar container. that way we have this setup:
main-service.svc.cluster.local:8443 - main app
main-service.svc.cluster.local:6666 - sidecar
is it possible for another pod or k8s job to interact with this sidecar container by using the main service's DNS + port for the sidecar?
currently we have this secrets-broker as its own service/pod so other pods (that support our product) can communicate with it and fetch/write secrets. but we're getting pushback and being told this needs to be a sidecar.
i am open to any suggestions to improve our security posture here.
rohit (almost 2 years ago)
Does anyone know how we can have our pods authenticate to an external vault (hashicorp) to fetch credentials, without having to use or provide a VAULT_TOKEN via kubernetes secrets? Is there a more secure way?
jaysun (almost 2 years ago)
hey there, curious how people are handling pre-deploy checks in CICD these days. I think we’ll end up using conftest for terraform-related tasks, but still looking for the best option for our argocd+kubernetes deployments. I think conftest works here too (evaluate the k8s manifests on PR opening) but looking for some advice. Thanks!
rohit (almost 2 years ago)
What are people using to map IAM roles to pods in non-cloud k8s clusters? kube2iam?
rohit (almost 2 years ago)
Does anyone know if kube2iam or kiam works for a kubernetes job? I've been searching to no avail...
Ashutosh Apurva (almost 2 years ago)
How do I configure multiple backend APIs in an ingress resource? Please suggest something on this. Also, could you share a template values.yaml file for the same?
John (almost 2 years ago)
Hey there, I'm having an issue with external-dns in my k8s cluster. It does not create records in route53 and I've exhausted all my troubleshooting options. Here is what I have verified:
1. role_arn has the right permissions, and the logs from external-dns show that it can authenticate to update route53:
   time="2024-03-27T00:10:27Z" level=info msg="Applying provider record filter for domains: [sbx.myexample.io. .sbx.myexample.io.]"
   time="2024-03-27T00:10:27Z" level=info msg="All records are already up to date"
2. There is connectivity from the pod to aws services
3. No errors in the pod
4. The sources to watch for are: service,ingress
5. There is an annotation on my ingress to add it to external-dns:
   annotations:
     external-dns.alpha.kubernetes.io/include: "true"
Any help is welcome, I've run out of ideas why the records are not added in route53. Thank you