Veit Sanner's Blog

Running Minikube on Apple Silicon with Corporate VPN

Tue, 29 Nov 2022 21:35:00 +0100

After changing my company laptop to a MacBook Pro with Apple silicon, I had to overcome difficulties setting up a working Minikube environment. A combination of two factors created the challenges:

Supported drivers: Once you remove the drivers, which do not have support for Apple Silicon or require a separate license for commercial use, only QEMU and SSH remain as possible options.
Cisco AnyConnect VPN with Umbrella: Cisco AnyConnect installs a local dns proxy listening on port 53. Unfortunately, QEMU has issues with the Cisco AnyConnect setup. (see QEMU stops working with minikube. The suggested workaround to install socket_vmnet is marked as experimental, and I couldn’t get it to work on my machine.

Create a Custom Linux Setup for WSL2

Tue, 08 Mar 2022 11:15:00 +0100

I just came across the amazing Windows Subsystem for Linux 2 (WSL2) feature which allows you to create a consistent Linux environment.

If you have not came across WSL2 yet, Microsoft advertises it as:

The Windows Subsystem for Linux lets developers run a GNU/Linux environment – including most command-line tools, utilities, and applications – directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup.

Although, Microsoft provides some Linux distributions through its Windows Store, this leaves the question open what you should do if your favorite distro is not available over this channel, and how to achieve a consistent setup.

Enforce Non-Root Pods with Pod Security Standards

Tue, 21 Dec 2021 17:45:00 +0100

In my post Friends don’t let friends run containers as root, I took a simplified view that Kubernetes does not add any security policies. I went for this simplified statement because, when I wrote the post, Kubernetes 1.22 was moving away from Pod Security Policies, and there had not been any replacement in a released version.

Beginning with Kubernetes 1.23, Pod Security Standards are introduced to replace Pod Security Policies. Kubernetes administrators can choose between the policy profiles privileged, baseline, and restricted. The policies are cumulative, which means that baseline contains all the rules from privileged, and restricted has all rules from privileged and from baseline.

How Snapshots Saved My Time Machine Backups

Tue, 30 Nov 2021 08:30:00 +0100

Until last year I kept my Time Machine backups on a USB drive next to my computer. And although everything worked fine, I didn’t feel comfortable with so much data stored on a single disk. Hence, during summer 2020, I bought myself a DiskStation DS1520+ to put my Time Machine backups on a much more secure and reliable solution. The DS1520+ supports a RAID. Consequently, my data would not be lost caused by a single disk error. Synology has excellent documentation, how you can enable Time Machine backups to a NAS over SMB.

Encrypt Service Traffic with OpenShift CA

Tue, 23 Nov 2021 08:15:00 +0100

Did you know that you can make use of the OpenShift CA to encrypt traffic between services or between a route and the service? I know you think service mesh, but there is also a small-scale solution available if you don’t have a service mesh you can use.

Encrypt Ingress Traffic

So let’s say that you want to deploy a web app, and you need to encrypt the traffic between HAProxy as the route entry point and a web app. Usually, the OpenShift operations team has you covered, and they have configured HAProxy with TLS, so you don’t have to worry about public TLS. But once you are past the route as an entry point to OpenShift, you will get HTTP without TLS.

Friends don't let friends run containers as root

Thu, 11 Nov 2021 12:30:00 +0100

Introduction

In my daily work, I encounter different container engines tools during the development process. For the development of the container image, I use a local container engine like Docker for Desktop or Podman. After developing on my local machine, the image is staged from the development environment, over test stages to production. In those environments, Kubernetes or Red Hat Openshift is the container platform of choice.

Unfortunately, the platforms use different approaches with which user ID the container process is started. This can be incredibly frustrating if you start with an official Docker image that just won’t run in Openshift due to stricter security policies.