Kubernetes Dashboard is a cool web UI for Kubernetes clusters. It supports token authentication, and you can enter a token on the startup screen.

Startup screen of the Kubernetes Dashboard

It is best practice to use your own token for security. For example,

Do not share a service account token, because doing so may violate security principles. You can use OpenID Connect authentication or cloud-provider-based authentication such as aws-iam-authenticator or Azure AD.

This article introduces kauthproxy for accessing the Kubernetes Dashboard with role-based access control (RBAC).

Getting Started

Set up

Deploy the Kubernetes Dashboard to the cluster from…


Kubernetes provides a great plugin architecture. You can extend kubectl with your own plugins.

If you are the author of a plugin, you need to do the following steps on each release.

How boring! You may want to automate this process.

This article assumes you write a plugin in Go and you are using GitHub and CircleCI.

Make

Let’s create a Makefile.

TARGET := kubectl-hello
VERSION := v1.0.0

(1) Build

Build the plugin for…


gradleupdate is a service which provides continuous update of Gradle in your GitHub repositories.

Recently, a new version of Gradle has been released every 1~2 months. gradleupdate enables automated tests against the latest version in CI. It is useful for Gradle plugin authors.

Getting Started

You need to add the following badge to the README of your repository.

[![Gradle Status](https://gradleupdate.appspot.com/YOUR/REPO/status.svg)](https://gradleupdate.appspot.com/YOUR/REPO/status)

Here is an example of the badge.

An example of Gradle status badge

gradleupdate will then send a pull request for the latest version of the Gradle wrapper if it is out of date.

Here is an example of a pull request.


GitHub provides a GraphQL API as well as a REST API. This article introduces some example queries.

You can try a query on https://developer.github.com/v4/explorer/.

Users

We can get information about the current user with the following query:

{
  viewer {
    login
    name
    avatarUrl
    url
  }
}

It will return the following response:

{
  "data": {
    "viewer": {
      "login": "int128",
      "name": "Hidetake Iwata",
      "avatarUrl": "https://avatars0.githubusercontent.com/u/321266?v=4",
      "url": "https://github.com/int128"
    }
  }
}

Pull Requests

We can find pull requests by head and base branch name:

{
  repository(owner: "octocat", name: "Spoon-Knife") {
    pullRequests(states: [OPEN, CLOSED, MERGED], first: 1, headRefName: "example", baseRefName: "master") {
      nodes {
        number
      }
    }
  }
}


TL;DR

Kubernetes supports EBS Persistent Volumes by default. It also supports EFS Persistent Volumes through the external efs-provisioner.

This article introduces EFS Persistent Volumes (EFS PVs) and explains how we can use them and migrate to them.

EBS vs EFS

The article “When to Choose Amazon EFS” says:

Amazon EFS provides shared file storage for use with compute instances in the AWS Cloud and on-premises servers. Applications that require shared file access can use Amazon EFS for reliable file storage delivering high aggregate throughput to thousands of clients simultaneously.

Amazon EBS is a cloud block storage service that provides direct access from a single…


Atlassian JIRA and Confluence server support single sign-on (SSO) through plugins.

JIRA and Confluence have user management and LDAP integration, but you can integrate them with an identity manager such as Keycloak. This lets a user type the password just once and log in to many sites such as GitLab or Mattermost. It also lets an administrator set a password policy.

This article explains how to integrate JIRA and Confluence with Keycloak.

JIRA SSO

There are many SAML plugins on Atlassian Marketplace. This article introduces the following plugin:

https://marketplace.atlassian.com/plugins/com.bitium.jira.SAML2PluginJira/server

It is free and open source. The…


kops does not support changing the size or type of etcd volumes after cluster creation. This is inconvenient if you created volumes that are too large.

If your etcd volumes are gp2 or io1 type, you can extend the volumes easily in the AWS management console.

You can shrink the volumes by the following steps:

Steps to shrink volumes

These steps assume your cluster has a single master. If your cluster has multiple masters, shrink it to a single master in advance.

(1) Stop Kubernetes master

Connect to the master instance:

ssh -i your_ssh_key…


Atlassian JIRA Software and Confluence are nice agile management tools. We can start using JIRA and Confluence on Atlassian Cloud in a few minutes, but we still need a private server in some cases.

Atlassian JIRA Software

I just published Kubernetes Helm charts for JIRA and Confluence. You can easily deploy JIRA and Confluence on your Kubernetes cluster.

Getting Started

Install tools

Make sure you can access the cluster using the helm command.

brew install kubernetes-helm
helm init

In this article, we use Helmfile for configuration management.

curl -L -o ~/bin/helmfile https://github.com/roboll/helmfile/releases/download/v0.17.0/helmfile_darwin_amd64
chmod +x ~/bin/helmfile

Deploy JIRA

Get the repository of the chart.

git clone https://github.com/int128/devops-kompose
cd devops-kompose


Golang provides a simple HTTP server in the net/http package.

Now let’s think about how to shut down the HTTP server when it receives a request to an endpoint such as http://localhost:8000/shutdown.

1. Simply shut down the HTTP server

http.Server provides the Shutdown method for graceful shutdown.

We can simply shut down the HTTP server by calling the Shutdown method in the handler as follows:

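package main

import (
    "context"
    "log"
    "net/http"
)

func main() {
    m := http.NewServeMux()
    s := http.Server{Addr: ":8000", Handler: m}
    // First approach: call Shutdown directly from inside the /shutdown handler.
    m.HandleFunc("/shutdown", func(w http.ResponseWriter, r *http.Request) {
        s.Shutdown(context.Background())
    })
    // ListenAndServe returns http.ErrServerClosed once Shutdown has been called.
    if err := s.ListenAndServe(); err != nil && err != http.ErrServerClosed {
        log.Fatal(err)
    }
    log.Printf("Finished")
}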

Run a server and send a request to /shutdown, then the server…


TL;DR

Kubernetes supports various authentication methods including OpenID Connect. OpenID Connect allows single sign on (SSO) to a Kubernetes cluster and other development tools.

Kubernetes authentication with Google Identity Platform

In this article, we will configure the following stack:

Note: This article has been updated for the latest kubelogin on Sep 26, 2019.

Getting Started

1. Set up your OpenID Connect Provider

First, set up an OpenID Connect Provider such as Keycloak, Google Identity Provider, Azure AD and so on.

And then create a client as follows:

If you are using Keycloak, see…

Hidetake Iwata

Software Engineer at https://github.com/int128
