DEVOPS WEEKLY ISSUE #559 - 12th September 2021
A few good hindsight design posts this week, both on API design and on data storage cost control. As with lots of decisions, you can apply some patterns too early, but knowing you’ll need to change later if you succeed is useful to remember.
StackHawk sponsors Devops Weekly
Trying to figure out how to keep your APIs secure? You’re not the only one. See how DataRobot is automating API security testing with StackHawk.
https://sthwk.com/DataRobot-API-Security
News
A good post on the early decisions (in this case around data storage) that can lead to cost control discussions later. You can apply this to other systems as well.
https://medium.com/riskified-technology/over-pay-as-you-go-for-your-datastore-11a29ae49a8b
Details on combining ttl.sh (which provides anonymous and ephemeral container registries) and Cosign to sign the images. A few interesting use cases for this sort of thing.
https://blog.ediri.io/ttlsh-and-cosign-signing-an-anonymous-and-ephemeral-docker-image-registry
A critical review of the recently released Kubernetes security guidance from the NSA, including some up-to-date recommendations.
https://research.nccgroup.com/2021/09/09/nsa-cisa-kubernetes-security-guidance-a-critical-review/
Authentication of the Docker socket is all or nothing, but you can always use a reverse proxy for finer-grained control. A good example using Caddy.
https://raesene.github.io/blog/2021/09/05/restricting-docker-access-with-a-proxy/
An interesting observation about the relationship between observability and the needs of auditors for compliance.
https://vc-sree.medium.com/security-observability-compliance-501f308dcab1
Whenever you’re building a new API, or consuming an API of another system, you quickly build up opinions about what a good API feels like. This post has some good advice covering processes, practices and principles.
https://slack.engineering/how-we-design-our-apis-at-slack/
Tools
SLO Tracker is a dashboard application for displaying SLO and error budget information, built on integrations that gather SLI data from Prometheus, Grafana, Datadog and other monitoring tools.
https://github.com/roshan8/slo-tracker
https://slotracker.com
EKS Anywhere is an option to run AWS EKS (the AWS Kubernetes service) on your own infrastructure. The main use case is to standardise the management side of operating a service like this.
https://github.com/aws/eks-anywhere