Kubernetes LDAP Authentication

Recently I had a chance to work on implementing LDAP authentication for Kubernetes. This post will describe my experience and some underwater stones that I’ve faced on my way to it. What tool should I choose? There are a lot of tools and blog posts/videos that can help you to add LDAP authentication for your Kubernetes cluster: dex from CoreOS - I don’t know anything about the future of this project because of the fact that CoreOS was acquired by RedHat.

Taints and Tolerations in Kubernetes

Welcome back! Today we’re going to talk about Taints and Tolerations in Kubernetes. If you use kubeadm you’re probably familiar with them, if not - this blog post was written especially for you! Taints in Kubernetes Taints allow a Kubernetes node to repel a set of pods. In other words, if you want to deploy your pods everywhere except some specific nodes you just need to taint that node.

How to Enable Kubernetes Auditing with Kubeadm

Welcome back! In this post, I want to describe how you can enable auditing in a Kubernetes cluster that is going to be deployed with kubeadm. Auditing is really important in case you’re actively using a Kubernetes cluster and you want to know what’s really happening behind the curtains. With auditing you can answer the following questions: what happened? when did it happen? who initiated it? on what did it happen?

How to Clear your Docker Certified Associate Exam

Hi! In this post, I will try to describe what the Docker Certified Associate Exam (DCA) is all about, why it is a good idea to learn Docker through it, and how you can prepare yourself for this exam. At the end of the post, you can find some useful resources that will help you during the preparations. So, let’s get started. What is DCA According to the official website:

Using Ingress Controller in Kubernetes (part II)

This is the second part in the Kubernetes Ingress series. Please refer to the first one for the basic setup and the info about Ingresses in Kubernetes. Today we’re going to talk about Multiple Services and how to handle HTTPS traffic with Ingress. Let’s start with Multiple Services: Multiple Services Let’s create a second app, it’s basically the same NodeJS code but with a slightly different output: const http = require('http'); const os = require('os'); console.

Do Golang Web Apps Dream of Docker Images?

Hello there! In my last blog post, I used a simple NodeJS application for testing Kubernetes Ingress. I was thinking that it can be useful to write a similar app in another backend programming language. As you can see from the title of this post I chose Golang, mostly because I really like its syntax. I’m going to deploy the app with docker, so this blog post will be useful for those of you who were wondering how to deploy a Golang web app with Docker.

Using Ingress Controller in Kubernetes (part I)

Recently, I played a bit with Kubernetes Ingresses. I found some “underwater stones” on my path, so I was thinking that it’s a good idea to share my experience with the community through this blog post. So, today let’s talk about Ingresses. Ingress - the action or fact of going in or entering; the capacity or right of the entrance. Synonyms: entry, entrance, access, means of entry, admittance, admission;

Hygiene of Docker Images

As you probably know, 17 malicious Docker container images have been deleted from Docker Hub. The images, downloaded over 5 million times, helped crooks mine Monero worth over $90,000 at today’s exchange rate. I wanted to share my thoughts and examples of how you can secure yourself and your infrastructure from the mining of cryptocurrency for some folks over there. First, the obvious one Never-ever-ever download and run the unknown Docker Image from the internet.

How to Change the Time Zone in Kubernetes

In the previous post I’ve shown you how to change the time zone in a single Docker container or in your stack of Docker containers. But what if you’re already using Kubernetes for management of containerized applications? First, let’s find out which time zone our pods are using: imagine we have the following pod description (by the way, you should not create the pod from the yaml file directly, use deployment instead)

How to Change the Time Zone in Docker Containers

Time is money … or so they say. This blog post will help you to change the time zone in your docker containers easily. The term time zone can be used to describe several different things, but mostly it refers to the local time of a region or a country. On Linux or MacOS you can check your time zone via $ date Mon Jun 11 19:26:35 CEST 2018 On Linux, you can go further and check timezone via

The Strange Case of Frequent Abnormal Restarts of kube-apiserver

You probably heard that if you want to secure your Kubernetes cluster you should turn off the anonymous requests via adding anonymous-auth=false to apiserver’s options… I’m not saying that you should not do that, but I highly recommend you to read this blogpost before taking any action :) Introduction First things first, you should probably read this article to understand why we should add the anonymous-auth=false option to kube-apiserver. TL;DR: “If your users have network access to your nodes, then the kubelet API is a full featured unauthenticated API backdoor to your cluster” At least it was like this before Kubernetes developers introduced RBAC by default.

How to Use Notary

Notary is a tool for publishing and managing trusted collections of content. Publishers can digitally sign collections and consumers can verify integrity and origin of content. This ability is built on a straightforward key management and signing interface to create signed collections and configure trusted publishers. With Notary anyone can provide trust over arbitrary collections of data. Using The Update Framework (TUF) as the underlying security framework, Notary takes care of the operations necessary to create, manage, and distribute the metadata necessary to ensure the integrity and freshness of your content.

Why I Chose VMWare Harbor

Let me start with the statement that I’m a huge fan of Portus and of everything that folks from Container Team @SUSE do. I made some talks about Portus at a couple of conferences and meetups to spread the info about this project, but this blogpost will be mostly about Harbor, another project with the same goals and ideas (and even with almost the same logo (just compare the images below)) and why I chose it for production usage.

Integration Kubernetes with Vault - auth

In version 0.8.3 HashiCorp has announced that they support Kubernetes as the auth backend in Vault. This blogpost is intended to be a point of knowledge for those of you who are curious how to “glue” these two things together. Intro 1 Before we go further, please go and read this document first - Kubernetes Authentication. No, really! Go and read it now, it’s important to understand these concepts.

Docker Brno Meetup

My experience as the speaker at Docker Brno Meetup, 01/12/16 “There are always three speeches, for every one you actually gave. The one you practiced, the one you gave, and the one you wish you gave.” - Dale Carnegie Organized this time in the wine cellar of the Kiwi.com office, Docker Brno Meetup began really interesting and unusual for me from the very beginning… My story as a speaker for this meetup began with the e-mail from one of the co-organizers of the meetup - Eliška Slobodová, she asked if I want to be a speaker at one of their docker meetups in Brno.

PyCon CZ 2016 - day 2

My experience as an attendant on PyCon CZ 2016, day 2 “The pursuit of knowledge is never-ending. The day you stop seeking knowledge is the day you stop growing” - Brandon Travis Ciaccio “The Great Fork” The second day of PyCon CZ started with a keynote by Benny Doan - “The Great Fork”. At the beginning he was talking about his life, how he traveled across half of the world in 6 months, how he met amazing people and how he shared his knowledge… OK back to Python: Benny mentioned that it is really important to know the base of PEPs and meta-PEPs.

PyCon CZ 2016 - day 1

My experience as an attendant on PyCon CZ 2016, day 1 “Somewhere, something incredible is waiting to be known” - Carl Sagan. PyCon CZ aims to be the largest annual gathering for the Python community in the Czech Republic. It’s focused on honoring and supporting awesome people teaching, learning and innovating with Python in the Czech Republic and surrounding EU. My plan for the first day of PyCon CZ was to attend as many test-related talks as possible.

Common Linked Lists VS Linux Kernel Linked Lists

Recently I started to read a pretty old but still really good kernel book, Linux Kernel Development. It was written by Robert Love (you can find more info about this great guy here). I wanted to share some useful information about kernel internals from his book. I believe that this info can be useful for many Linux folks. Common linked lists VS Linux Kernel linked lists. Let’s assume that we have a data structure that describes a cat:

Hackweek 14 at SUSE

For those of you who don’t know what the Hackweek thing is all about, please go here. During Hackweek #14 at SUSE I’ve got my hands dirty with automation testing. Long story short: we’re spending a lot of time on web-application tests in the cloud QAM team at SUSE. We need to run all tests basically twice: before and after each update and, let’s be honest with ourselves here: it’s boring. So I decided to automate all this stuff in Python because I’ve spent a lot of time with this programming language in the last couple of months.