Image for post
Image for post

A hands-on coding journey to implement ‘Policy As Code’ and validate the fitness of your Kubernetes Application against the cluster policies.

Image for post
Image for post

Policy as Code is an idea where we attempt to keep the policy generation and validation under source control by expression policies as code.

Why Policy As Code?

The policies we have to manage and organize our apps are continuously evolving with changing business and technology landscape. The landscape is changing responding to Growth Opportunities, Competition, Team Maturity, Technology Disruptions, New Engineering Practices, Compliance, and Security Threats.

Generally, when an application or a infrastructure is created as a greenfield work, we plan and implement the policies well. But it tends to decay over time with manual policy governance.

These policies are a mix of authorization rules, network policies, architecture characteristics, best practices, and operational concerns. The policies are contributed and validated by different stakeholders like Developers, Operators, Security Engineers, Architects, and Product Owners. Multidimensional policies contributed and validated by many stakeholders, makes it challenging to keep the production ecosystem in sync with evolving…


It was quite a bit learning from different sources to launch my first personal website with Google Kubernetes Engine and Wordpress. It’s worthwhile to document the knowledge for the community to benefit.

Image for post
Image for post
https://microlearninghub.com/

Putting across a website end to end with Kubernetes, Google Cloud, and Wordpress involves many moving parts. If you need support in setting up your Wordpress website, feel free to reach me at imarunrk@gmail.com

Image for post
Image for post
  • Purchase a Domain
  • Set up a free Google Cloud account
  • Launch a Google Kubernetes Engine
  • Deploy Wordpress into Kubernetes
  • Generate an HTTPs certificate and a Static IP for the Ingress Load Balancer
  • Create a Google DNS configuration to map the static IP and Name Server configuration with the domain
  • Setup Load Balancer to allow only HTTPs Traffic, and redirect HTTP traffic to HTTPs

Purchase A Domain

There are many websites to purchase a domain. I did my purchases with GoDaddy (microlearninghub.com). Irrespective of where you purchase the domain, you almost go through the same set of steps. We have to setup Name Server (NS) and Digital Signature (DS) Record against the purchased Domain name. …


Let’s start by exploring the API gateway architecture pattern and then slowly deep dive into the details of running a production-grade Kong API gateway.

Image for post
Image for post

Generally with many organizations the backend APIs are consumed by multiple front-facing applications like the mobile app, web, and other kiosk applications. In addition to this, many other internal and external integrators may have a need to consume these APIs. We will end up applying some of the below architecture characteristics to every individual APIs to support the above requirements. That will be a hell lot of work.

  1. Authentication/Authorization
  2. Monitoring
  3. Logging
  4. Traffic control
  5. Caching
  6. Audit and Security
  7. API Administration

API Gateway Architecture Pattern

API gateway architecture pattern attempts to take away all these cross-cutting concerns in managing these APIs and put them all across in a single plane. …


Microservices are not the answer to all the problems. It’s the job of an architect, to understand the context and identify the tradeoffs to build a story on monolith vs microservice.

Image for post
Image for post

In the last 4 years of working with microservices, I have seen a wide range of stories in the path of microservices adoption. While many of these stories are successful ones to celebrate, some of them have really created chaotic situations.

If I look back and see, why did we failed in some of these instances? It all turns out to be a bad design decision to choose a microservice when the context has demanded a monolithic. Let us look at this with an example. Assume that we have got a requirement to build a payment module for an E-commerce application. …


The developers, application/cluster operators, architects, and security team wants to contribute to the Kubernetes YAML continuously to keep the Infrastructure matching to the evolving organization strategy and policy, which demands a workflow.

Image for post
Image for post

The software systems we build are always expected to be in a state of dynamic equilibrium. This dynamic equilibrium generally happens in two dimensions a) Fast phased technology changes b) The rapidly evolving business landscape. Artificial Intelligence, Docker, Cloud, Kubernetes, Istio / Other service Mesh, Helm, Microservices architecture pattern, Serverless are some of the examples of Technology changes. Airbnb, iPhone, Amazon, Zomoto, Netflix, Cloud Kitchens, Uber, COVID 19 some of the examples of Business Landscape changes. These changes result in a continuous change of organization strategies, structure, policies, and business models.

While the code needs to evolve continuously adapting to these changes, there is also a need to find a way where developers, testers, application/cluster operators, architects, and security teams can collaborate efficiently to adapt to these evolving changes. …


Continuous GitOps, the new age DevOps practice to increase the delivery velocity by achieving an end to end “Git source of truth” with Zero manual changes into the Kubernetes cluster 🏄

Image for post
Image for post

It’s been 10 years now from the time, when we first heard of the word Continuous Delivery. It’s Humble Jez and Farley David talked about Continuous Delivery during 2010 through their book “Continuous Delivery: Reliable Software Releases Through Build, Test and Deployment Automation”. In the last decade, Continuous Delivery has changed the way we do Software Releases. Now with a new set of tools evolving around the Kubernetes ecosystem, we are taking yet another leap in the Continuous Delivery journey. These tools revolve around the concept of Continuous GitOps. This blog is an attempt to demystify the Why? What? and How? …


Customize the YAML’s to enforce policies from application operators, security operators, and cluster operators. ✊

Image for post
Image for post

Kubernetes let us to declaratively specify our intent on how the applications should be deployed in the underlying infrastructure through YAML. These YAML’s will have application definition, tags needed for governance, tags needed for cross-cutting concerns like logging, application security context definitions, application resource dependencies, etc. The moment we start scaling our Kubernetes to ten’s and hundred’s of pods, it will become a nightmare to manage all YAML’s.

To put us in perspective these declarative configs can be classified into three main categories

  1. Application Packaging
  2. Application Config
  3. Runtime Config
Image for post
Image for post

Can’t Helm help do this already with ease? why do we need a new tool? What is that the new tool can bring to the table? How Helm and Kustomize can together enable some of the powerful use-cases? Lets attempt to answer all these questions throughout this blog. …


How to store sensitive information into the cluster with kubernetes secrets ㊙️

Image for post
Image for post

I wish you all a Very Happy New Year! Let your certification dreams come true this year 🏄

Kubernetes secrets are one of the high-value questions in the CKA exam. I don’t think that there is another question in the exam where the concept is simple but the marks are maximum. One cannot afford to get this question wrong. Lets quickly look into the basics of Kubernetes secrets and various ways in which you may face an exam question.

What are Kubernetes secrets?

Do you have a small amount of sensitive data that can not be exposed in a pod specification or ConfigMaps, then Kubernetes secrets is the way to store them in the cluster. …


Init Container is the way to do some setup task before the actual container starts 🏄‍♀

Image for post
Image for post

Init container is an important concept for the exam. There is a very high chance that this is one of your 24 questions. This blog will attempt to make you aware of the traps that you may get into and answer any form of init container question.

Init container containers are specialized containers that run before the normal containers in a Pod. Init containers generally contain setup scripts, that we are not able to make it as a part of our standard container. So when do we use init container? let’s look at a real-time example.

Init containers can be used to delay app container startup until a set of preconditions are met. Say we have to download a security key from the key vault, which we do not wish to make it as the past of our regular container for security reasons, then init container is the best choice. The below picture represents the above-mentioned scenarios. …


Track your cloud cost 🏄

Image for post
Image for post

I follow Thoughtworks technology radar, as I find it very useful. Noticed a new technique named “Cost as Architecture Fitness Function” is introduced in the trial ring of Thoughtworks technology radar. I thought of sharing with you all about my findings.

Agile Infrastructure Provisioning ⏩

New age software development practices like Agile/DevOps provide product teams instant access to the cloud infrastructure and services in a button click or a simple API call. Although cost is an impact factor getting considered on any architecture change, generally cloud cost explodes with agile infrastructure provisioning with no or inappropriate governance. …

About

Arun Ramakani

#ContinuousDevOps #Kubernetes #Microservices #CloudNativeApps #DevOps #Agile

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store