https://prefetch.net/blog/ Recent content in Blog O' Matty on Prefetch Technologies Hugo -- gohugo.io en-us matty at prefetch dot net (Matty) matty at prefetch dot net (Matty) Copyright Matty 2002 - 2020 Tue, 14 Nov 2017 00:00:00 -0400 https://prefetch.net/blog/2022/05/08/using-terrascan-to-detect-compliance-and-security-violations/ Sun, 08 May 2022 00:00:00 -0500 matty at prefetch dot net (Matty) https://prefetch.net/blog/2022/05/08/using-terrascan-to-detect-compliance-and-security-violations/ Over the past several years I’ve read numerous horror stories about cloud deployments gone wrong. S3 buckets with PCI data left open to the raw Internet, EC2 instance profiles that weren’t scoped properly, misconfigured NSGs, etc. It takes a LOT of time to truly understand all the ins and outs of running workloads in the cloud, and making sure you get it “right”. This is one reason I’m always on the lookout for tools that can add additional guard rails to the infrastructure provisioning process. https://prefetch.net/blog/2022/05/01/understanding-cloud-spend-in-your-terraform-workflows/ Sun, 01 May 2022 00:00:00 -0500 matty at prefetch dot net (Matty) https://prefetch.net/blog/2022/05/01/understanding-cloud-spend-in-your-terraform-workflows/ Having worked in the “cloud” for several years, one thing that I’m super conscious about is our cloud bill. There are tons of subtleties associated with billing, such as AZ-to-AZ traffic costs or how VPC endpoints can reduce egress charges. If you utilize Terraform for infrastructure provisioning, you may want to look at infracost. Infracost can help you understand cloud spend for a green field deployment, or what it will cost to expand your existing infrastructure. https://prefetch.net/blog/2022/04/13/using-tfswitch-to-manage-terraform-versions/ Wed, 13 Apr 2022 00:00:00 -0500 matty at prefetch dot net (Matty) https://prefetch.net/blog/2022/04/13/using-tfswitch-to-manage-terraform-versions/ The growth of the Terraform community is absolutely astounding. New providers are constantly popping up, providers are being upgraded at a feverish pace, and amazing new features are constantly being added. With all of this change, deprecations and breaking changes periodically surface. One way to protect yourself from breaking changes is to pin providers and modules to specific versions. You can accomplish this by adding specific git hashes or tags to your source statements, and by adding version directives to your provider definitions: https://prefetch.net/blog/2022/04/08/using-the-kubernetes-can-i-subcommand-to-debug-authentication-issues/ Fri, 08 Apr 2022 01:00:00 -0500 matty at prefetch dot net (Matty) https://prefetch.net/blog/2022/04/08/using-the-kubernetes-can-i-subcommand-to-debug-authentication-issues/ When I was first getting started with Kubernetes, RBAC was one of the topics that took me the longest to grok. Not because the resources (Roles, ClusterRoles, etc) are hard to interpret, but learning how to scope your Roles to minimize access takes some practice. That and a lot of reading to understand the various API groups and what they contain. In a previous post I mentioned access-matrix, which is an incredible tool for visualizing the RBAC permissions an entity (User, SA, Group, etc. https://prefetch.net/blog/2022/04/08/ways-to-debug-kubernetes-pods-without-shells/ Fri, 08 Apr 2022 00:00:00 -0500 matty at prefetch dot net (Matty) https://prefetch.net/blog/2022/04/08/ways-to-debug-kubernetes-pods-without-shells/ Debugging production issues can sometimes be a challenge in Kubernetes environments. One specific challenge is debugging containers that don’t contain a shell. You may have seen the following when troubleshooting an issue: $ kubectl exec -it -n kube-system coredns-558bd4d5db-gx469 -- sh error: Internal error occurred: error executing command in container: failed to exec in container: failed to start exec "4f053952703f78b51bdf38a26ed391d8c2bda4138b87f35170d3fc4ea14fc510": OCI runtime exec failed: exec failed: container_linux.go:380: starting container process caused: exec: "sh": executable file not found in $PATH: unknown Not including a shell in your base image is a best practice, and projects like distroless make it super easy to package your applications with a small shell-less footprint.