Kubernetes-Cluster „einfach“ erklärt

https://andreas-moor.de/kubernetes-cluster-einfach-erklaert/

Kubelet is the honey badger of Kubernetes. It DGAF.

#kubernetes #kubelet #kubecon

Больше не нужен рестарт: как Kubernetes позволяет менять ресурсы контейнеров «на лету»

Теперь ресурсы контейнеров в Kubernetes можно менять «на лету» — без перезапуска и простоев. В статье рассказываем, как работает in-place resize, где эта функция реально спасает приложения от перегрузки и какие ограничения стоит учитывать на практике.

https://habr.com/ru/companies/flant/articles/936724/

#kubernetes #autoscaling #vpa #kubelet #resources #ресайз_ресурсов #автоскейлинг #k8s #нехватка_памяти

Backend devs working with containers, catch Andrew Pruski at #WebExpo for advanced & practical exploration of #Kubernetes:
🔎 Core components – API server, scheduler, #Kubelet and more
💡 High availability strategies
💪 Real-world #SQL Server deployment

https://webexpo.net/prague2025/sessions/a-deep-dive-into-kubernetes/

#BSI WID-SEC-2024-3515: [NEU] [hoch] #Kubernetes (#kubelet): Schwachstelle ermöglicht Codeausführung

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Kubernetes ausnutzen, um beliebigen Programmcode auszuführen.

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3515

Since I'm having trouble figuring it out on my own, and the docs are useless, and the comments in the code are tautological:

Does anyone on here know how frequently kubelet scrapes the CPU usage metrics from the filesystem?

#kubernetes #k8s #cadvisor #kubelet

Why is this service not working? Config correct, memory limit correct, cpu quotas correct, it runs but then is killed... ohhhhh, no, #kubelet was stupid: the integrated liveness probe thought that the service runs on IPv4, because the host does have 1 IPv4 address. No dear kubelet, the host primarily uses #IPv6. Added --node-ip to the kubelet parameters and now the next #kubernetes router is ready to roll.

"After starting the kubelet process, it is going to restart every few seconds, as it waits in a crashloop for kubeadm to tell it what to do. This crashloop is expected and normal."

Ok, maybe it is expected, that is the way you wrote it to work, but it hardly seems "normal". Why on earth doesn't it just idle like any other daemon?

Can't find any info on why, all search results are just about adjusting/troubleshooting CrashLoopBackoff

#k8s #kubernetes #kubelet #daemon

[Перевод] Как объяснить суть Kubernetes таксисту

Не так давно я побывала на конференции Kubecon 2023 в Чикаго. Готовясь к конференции, я почитала статьи в блогах, а на самой конференции посетила несколько семинаров для начинающих (в жанре «101»). Но всё равно не могла сказать, что уверенно понимаю эту технологию. Хуже всего прошёл последний день конференции. Я решила добираться в отель на такси и вызвала Uber. И водитель спрашивает: «А о чём была конференция»? Я ему отвечаю: «О Kubernetes». Попыталась объяснить, но почти сразу поняла, что двух слов на эту тему связать не смогу. Только представьте себе: уезжать с трёхдневной конференции, но быть не в силах рассказать таксисту о той технологии, которая на ней обсуждалась. Фейспалм. Поэтому теперь попытаюсь реабилитироваться и пофантазировать, как следовало бы рассказать о Kubernetes таксисту Uber.

https://habr.com/ru/companies/timeweb/articles/775984/

#timeweb_статьи_перевод #Kubernetes #Uber #оркестрация #Nodejs #MongoDB #ЦП #YAML #Kubelet #Go #API

I wrote a blog post: Pulling container images from private registries (including Docker Hub) with a #Kubernetes #Kubelet Credential Provider
https://jon.sprig.gs/blog/post/3172

"⚠️ #KubernetesAlert: High-Severity Flaws Target Windows Endpoints! ⚠️"

Three critical vulnerabilities have been unearthed in Kubernetes, enabling remote code execution on Windows nodes within clusters. These flaws, identified as CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955, boast CVSS scores of 8.8. Akamai's Tomer Peled, who responsibly disclosed these issues, emphasized, "Attackers only need to apply a malicious YAML file on the cluster to exploit." Major cloud platforms like AWS, Google Cloud, and Microsoft Azure have all issued advisories. The root cause? A glaring oversight in input sanitization in the Windows-specific Kubelet porting.

Source: The Hacker News

Tags: #Kubernetes #Cybersecurity #Vulnerability #WindowsNodes #RemoteCodeExecution #CloudSecurity #Akamai #AWS #GoogleCloud #Azure #Kubelet

🔗 MITRE CVE-2023-3676
🔗 MITRE CVE-2023-3893
🔗 MITRE CVE-2023-3955

Talk 1 title: Smashing the #Kubernetes Layers: What if the Autoscaler and Scheduler could talk?

Talk 2 title: Running Large-Scale Scheduling Simulations with Virtual #Kubelet

#AKS #Kubernetes updates with #terraform suck, if you use custom #kubelet config. Sometimes (not always!) a delete & recreate of the the default nodepool via azure cli and a reimport of the terraform aks cluster state is needed. So anyoing. Hopefully #azure gets that handled someday.

This is still in the realms of dirty hacks, but might actually be useful to people now :)

I refactored my #Kubelet configuration dumping utility to use the /configz endpoint via the #Kubernetes API Server proxy.

This means you can dump the configuration of any Kubelet regardless of the distribution in use.

The previous method relied on starting pods on the nodes and reading files but that's error prone as they are put in different paths depending on the distro.

The endpoint is a bit unsupported/undocumented, but for now at least it works fine :)

https://github.com/raesene/kubelet_dumper

#KubeCon #KubeConEU

(toujours dans le track Security 🔒)

Hacker's Guide to Kubernetes

Démo d'une intrusion d'une application tournant dans un cluster Kubernetes

#security #hacking #kubernetes #kubelet

Realy nice that it's possible to monitor #kubelet via #VictoriaMetrics #VMNodeScrape, withtout the need to have some selectorless #k8s service where you need additional software, like #prometheus operator, to create the endpoints :)

https://docs.victoriametrics.com/operator/api.html?highlight=VMNodeScrape#vmnodescrapespec

Des gens qui font du #kubernetes ont déjà changé le répertoire par défaut de #kubelet (/var/lib/kubelet) ?
J'arrive à le faire avec le flag --root-dir mais je me prend des permissions de denied dans tous les sens côté containers :-/

Analysis of a #Kubernetes #hack — Backdooring through #kubelet
https://medium.com/handy-tech/analysis-of-a-kubernetes-hack-backdooring-through-kubelet-823be5c3d67c

Inkscape, GTK, glibc Updates Arrive in Tumbleweed https://news.opensuse.org/2019/02/14/inkscape-gtk-glibc-updates-arrive-in-tumbleweed/ #getcpuwrapperfunction #MozillaThunderbird #openSUSETumbleweed #Announcements #libstorage-ng #Epsonprinter #Tumbleweed #WeeklyNews #DuckDuckGo #mailclient #WeTransfer #FileLink #kubelet #libzypp #ruby2.6 #32-bit #faster #google #Kubic #cri-o #GlibC #Linux #dbus #NUMA #c++ #GCC #GNU #GTK

Kubernetes 1.12 is here, with #Kubelet TLS Bootstrap & #Azure Virtual Machine Scale Sets (VMSS) moving to general availability 🔗 https://kubernetes.io/blog/2018/09/27/kubernetes-1.12-kubelet-tls-bootstrap-and-azure-virtual-machine-scale-sets-vmss-move-to-general-availability/