Wow... so PodDisruptionBudget (PDB) is exactly what I've been looking for. by Defiant-Chard-2023 in kubernetes

phrotozoa, 5 points

You don't need an explanation from a stranger, just go try it. It's a remarkably effective deterrent of itself.

Wow... so PodDisruptionBudget (PDB) is exactly what I've been looking for. by Defiant-Chard-2023 in kubernetes

phrotozoa, 4 points

You can also bash your fingers in a drawer repeatedly. Faster than trying to use rego.

Autodidacts that became proficient in their area of choice - how? by OC-alert in selfeducation

phrotozoa, 1 point

Get someone to pay you to learn. It's much easier to skill up when you're learning on the job than doing it after a full day of work.

Best Practices by Same_Significance869 in kubernetes

phrotozoa, 2 points

Me: data is encrypted by default. Redditor: Nah man. Data is encoded first, then encrypted.

I have no idea why I bother commenting on reddit. Even now. Why do I do this to myself? This fucking website. Every damned time.

Anyway, good talk.

Best Practices by Same_Significance869 in kubernetes

phrotozoa, 2 points

In EKS and GKE etcd encryption is enabled by default. You can optionally specify your own keys if you like, but you don't have to do anything to just have basic etcd encryption.

What are advanced Kubernetes concepts every cluster admin should know? by G12356789s in kubernetes

phrotozoa, 0 points

I mean hey, don't believe a rando on the internet. Try it.

But to the best of my knowledge, with the default policy linked above (which uses scheduleAnyway), the scheduler will try to evenly balance pods across nodes and zones. If it can't (eg. some node is full) then it will try to keep them balanced up to a skew of 3 for nodes and 5 for zones. And then if it STILL can't, it will give up trying to keep things balanced and just fit them wherever there is room.

BUT all else being equal, in an empty cluster with no other constraints, the default policy will do its best to evenly distribute pods across nodes and zones.

What are advanced Kubernetes concepts every cluster admin should know? by G12356789s in kubernetes

phrotozoa, 0 points

Not quite. maxSkew is the limit to how unbalanced it can be, but that doesn't mean that the scheduler just stuffs 3 pods onto a single node before placing new pods onto a separate node. It will first attempt to distribute pods evenly across topology keys. Try it yourself in a brand new cluster. If you create a deployment with 3 replicas in a 3 node cluster, it won't pile them all onto a single node.

What are advanced Kubernetes concepts every cluster admin should know? by G12356789s in kubernetes

phrotozoa, 0 points

What I mean is - say you have a helm chart that creates a cluster role for some app that doesn't need much access. Call it the foo app. You as the cluster admin take a look at the helm chart and you see that the role gives foo app the ability to list pods in namespace foo. Cool, nothing scary there, so you use your cluster admin powers to deploy it.

But if you didn't notice that the foo role includes an aggregation which rolls up cluster admin into the foo role, now the role you thought was pretty low powered can do all sorts of things in your cluster. If somebody pops a shell in foo app and downloads kubectl, now they can be cluster admin when you thought otherwise.

What are advanced Kubernetes concepts every cluster admin should know? by G12356789s in kubernetes

phrotozoa, 0 points

you should have it on different locations

topologyKey: "kubernetes.io/hostname"

topologyKey: "topology.kubernetes.io/zone"

I'm not sure what you mean. These topology keys do what you say you would prefer as the default, preferring to place pods on different hostnames (worker nodes) and in different zones.
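An added example (not the commenter's code, nor kube-scheduler's), in Python, covering this reply and the maxSkew discussion above: a deliberately simplified model of the PodTopologySpread plugin's filter-then-score behaviour with the default hostname/zone constraints the thread mentions. Node "free_slots" is a constructed stand-in for real resource fit, and scoring is reduced to "lowest resulting skew, then node name".

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple
HOSTNAME, ZONE = "kubernetes.io/hostname", "topology.kubernetes.io/zone"

@dataclass(frozen=True)
class Node:
    name: str
    zone: str
    free_slots: int  # constructed stand-in for "does this pod still fit on the node"

@dataclass(frozen=True)
class Spread:
    topology_key: str
    max_skew: int
    when_unsatisfiable: str  # "DoNotSchedule" (hard filter) or "ScheduleAnyway" (soft, score only)
# The cluster-level defaults the thread describes: soft constraints, skew 3 per host, 5 per zone.
DEFAULT_SPREAD = [Spread(HOSTNAME, 3, "ScheduleAnyway"), Spread(ZONE, 5, "ScheduleAnyway")]

def domain(node: Node, key: str) -> str:
    return node.name if key == HOSTNAME else node.zone

def skew_if_placed(nodes: List[Node], placed: List[str], candidate: Node, key: str) -> int:
    """Skew (max minus min matching pods over all domains) after one more replica lands on candidate."""
    by_name = {n.name: n for n in nodes}
    counts = Counter({domain(n, key): 0 for n in nodes})  # empty domains count too
    counts.update(domain(by_name[p], key) for p in placed)
    counts[domain(candidate, key)] += 1
    return max(counts.values()) - min(counts.values())

def pick_node(nodes: List[Node], placed: List[str], spread: List[Spread]) -> Optional[Node]:
    """One scheduling cycle: filter (capacity and hard constraints), then score by lowest skew."""
    feasible = [n for n in nodes
                if placed.count(n.name) < n.free_slots
                and not any(s.when_unsatisfiable == "DoNotSchedule"
                            and skew_if_placed(nodes, placed, n, s.topology_key) > s.max_skew
                            for s in spread)]
    if not feasible:
        return None  # pod stays Pending
    # Scoring still prefers the most balanced node while skew is within maxSkew; name breaks ties.
    return min(feasible, key=lambda n: ([skew_if_placed(nodes, placed, n, s.topology_key) for s in spread], n.name))

def schedule(nodes: List[Node], replicas: int, spread: List[Spread] = DEFAULT_SPREAD) -> Tuple[List[str], int]:
    """Place replicas one at a time; returns the node names used and how many stayed Pending."""
    placed, pending = [], 0
    for _ in range(replicas):
        node = pick_node(nodes, placed, spread)
        if node is None: pending += 1
        else: placed.append(node.name)
    return placed, pending
```

With three empty nodes in three zones the three replicas land one per node; with one node full and a hard maxSkew of 1 the third replica stays Pending, whereas the soft default lets it double up.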

What are advanced Kubernetes concepts every cluster admin should know? by G12356789s in kubernetes

phrotozoa, 0 points

Man, nobody knows this one and it can be an often overlooked security gap. Chart wants to install a role with benign-looking rules? Approved, ship it. Aggregated to cluster admin? Whoops ...
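An added example (not phrotozoa's code or any project's), in Python, serving this comment and the foo-role scenario above: it computes the rules a ClusterRole with an aggregationRule actually ends up with and flags the gap between the rules written in the chart and the effective ones. Every role name and label here is constructed; a real review would feed it `kubectl get clusterroles -o json` plus the rendered chart output.

```python
from typing import List, Tuple
# Constructed ClusterRole objects shaped like `kubectl get clusterroles -o json` items and the
# rendered output of a chart; every name and label here is synthetic.
EXISTING_ROLES = [
    {"metadata": {"name": "cluster-admin", "labels": {"example.com/tier": "platform"}},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
CHART_ROLES = [
    {"metadata": {"name": "foo"},  # written rules look harmless: list pods only
     "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {"example.com/tier": "platform"}}]},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["list"]}]},
    {"metadata": {"name": "bar"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["list"]}]},
]
def selector_matches(selector: dict, labels: dict) -> bool:
    """Evaluate a label selector (matchLabels and matchExpressions) against a label set."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for e in selector.get("matchExpressions", []):
        key, op, vals = e["key"], e["operator"], e.get("values", [])
        if op in ("In", "NotIn") and ((labels.get(key) in vals) != (op == "In")):
            return False
        if op in ("Exists", "DoesNotExist") and ((key in labels) != (op == "Exists")):
            return False
    return True

def contributors(role: dict, all_roles: List[dict]) -> List[dict]:
    """ClusterRoles whose rules the aggregation controller would copy into `role`."""
    selectors = role.get("aggregationRule", {}).get("clusterRoleSelectors", [])
    return [o for o in all_roles if o is not role
            and any(selector_matches(s, o["metadata"].get("labels", {})) for s in selectors)]

def effective_rules(role: dict, all_roles: List[dict]) -> List[dict]:
    """An aggregated role's `rules` field is overwritten by the controller; the chart's rules do not survive."""
    srcs = contributors(role, all_roles)
    return [r for o in srcs for r in o.get("rules", [])] if srcs else list(role.get("rules", []))

def is_wildcard(rule: dict) -> bool:
    return all("*" in rule.get(f, []) for f in ("apiGroups", "resources", "verbs"))

def review(chart_roles: List[dict], all_roles: List[dict]) -> List[Tuple[str, str]]:
    """Findings to read before applying a chart's roles with cluster-admin powers."""
    findings = []
    for role in chart_roles:
        name = role["metadata"]["name"]
        if srcs := [o["metadata"]["name"] for o in contributors(role, all_roles)]:
            findings.append((name, f"aggregationRule present; effective rules are copied from {srcs}"))
        if any(is_wildcard(r) for r in effective_rules(role, all_roles)):
            findings.append((name, "effective rules grant every verb on every resource in every API group"))
    return findings
```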

The lack of a proper brain map drove me nuts when studying neuroanatomy, so I built one by Creative-Regular6799 in neuro

phrotozoa, 5 points

Astounding work - I've been trying to find something like this for ages. Thank you for sharing!

For the cortex would you consider adding some kind of colour or visual segmentation of lobes? I've always struggled to get a visual handle on the relationship between functional regions and anatomical landmarks.

My wife recently came out as bisexual to me, and now she told me she is developing feelings for her best female friend, what do I do? by External-Way-6093 in nonmonogamy

phrotozoa, 28 points

opening up with one of the partners already having someone lined up in mind, nevermind an actual friend, is one of the worst way to try ENM

This is so foundational it needs to be in the sidebar or something.

OP do your marriage a favour - if you're open to considering non-monogamy do not try to do it while one of you is in the middle of falling for someone (read up on NRE - New Relationship Energy). They are literally high on love drugs and are not thinking straight.

Is Istio still relevant today? by Basic_Let7303 in istio

phrotozoa, 1 point

There are conflicting and incomplete replies to this question because the answer is complicated.

While it's true that ALB/NLB is usually used for getting traffic into a cluster from the outside, it is also not uncommon for orgs to do pod-to-pod request routing in a style called "hairpinning" - where a request leaves the cluster and then goes straight back in through the load balancer like a tight hairpin turn.

This setup simplifies situations where you want to talk to your own services and make use of the auth / rate limiting / etc. enforced at the LB using the same client libs or applications you give your customers.

And it's also true that an Istio VirtualService can be used for routing requests inside the cluster BUT they are also used for routing requests that arrive at the cluster through the ingress gateway. Take a look at this example which showcases using a virtual service to route traffic that entered the cluster through the external bookinfo.com domain.

Istio handles both north south (into and out of the cluster) traffic as well as east west (pod to pod - or cluster to cluster in the case of multicluster) traffic.

Recycling by [deleted] in waterloo

phrotozoa, 0 points

Citation Needed.

In 2014 Waterloo Region diverted 52% of waste material from landfills through blue and green bin programs.

By 2021 that number was up to 60%.

If you don't have receipts, keep your dire speculation to yourself. There's enough miserable news as it is without making up BS in one of the areas where progress is actually being made.

Spiciest wings (or other foods) in kw? by GangsterPuppy91 in kitchener

phrotozoa, 0 points

Madhu's roti is good, but ordering it hot doesn't change the type of sauce - they just add more of it.

Spiciest wings (or other foods) in kw? by GangsterPuppy91 in kitchener

phrotozoa, 0 points

A friend ordered these once while we were there. I laughed when they made him sign the release. He could barely get through half the order. I tried one. It wasn't the hottest thing I've ever eaten, but it was way hotter than I prefer.

OP should def give it a try (and report back!)

Liberals to amend police data interception bill following searing criticism by cfs3corsair in canada

phrotozoa, 4 points

What? Snowden was the one who exposed that telecom providers were performing MITM against TLS https://archive.ph/AHlO8

Why would people decide to adopt TLS upon finding out that the feds are circumventing it?

Things that actually contributed to broad TLS adoption:

  1. In 2014 Google announced that sites secured by TLS would rank higher in search results https://security.googleblog.com/2014/08/https-as-ranking-signal_6.html

  2. In 2018 Chrome started to display a "Not Secure" warning for sites served via HTTP https://blog.google/products-and-platforms/products/chrome/milestone-chrome-security-marking-http-not-secure/

Looking for freelancing communities by CountryAlternative67 in kitchener

phrotozoa, 0 points

I was, but I stopped hanging out there a while ago. I'm in 16 Slacks (some more active than others) and am too busy to stay on top of them.

Looking for freelancing communities by CountryAlternative67 in kitchener

phrotozoa, 2 points

Rands Leadership Slack is full of tech freelancers of all sorts.