snyk test docker --fail-on= workaround

I’m running Snyk to scan docker images and break the build if they have high or critical vulnerabilities:

snyk test --severity-threshold=high --docker $IMAGE_NAME

However, sometimes the upstream image has high or critical vulnerabilities (e.g. at the time of writing this, Debian), so there is very little action one can take (other than moving to a different base image, which is usually not easy). Thus I only want to break the build if there are high or critical vulnerabilities AND they can be fixed by upgrading the base image.


Multi-cluster multi-primary Istio on AWS EKS

Recently I was working on setting up Istio in a multi-cluster setup following the Install Multi-Primary on different networks guide on EKS clusters. Everything seemed to work (no errors in logs), until I reached the verification step, where requests didn’t go to the other mesh: in CLUSTER1 I always got a response from Hello version: v1, instance: helloworld-v1-86f77cd7bd-cpxhv, while in CLUSTER2 always from Hello version: v2, instance: helloworld-v2-758dd55874-6x4t8.


Terraform's kubernetes_secret giving 'Error: Provider produced inconsistent result after apply'

I’m creating a new kubernetes_secret via Terraform for an existing service account like this:

resource "kubernetes_secret" "my_service_account_token" {
  metadata {
    name = "my-service-account-token"
    namespace = "example"
    annotations = {
      "kubernetes.io/service-account.name" = "my-service-account"
    }
  }
  type = "kubernetes.io/service-account-token"
}

so that then I can use this token elsewhere like: kubernetes_secret.my_service_account_token.data["token"].


How to set up Azure AD authentication with AWS EKS Kubernetes clusters

I recently worked on setting up Azure Active Directory (AAD from now on) authentication with Kubernetes clusters running on AWS EKS (Amazon Elastic Kubernetes Service). The goal was to let users of the Kubernetes cluster authenticate using their AAD identities, and assign permissions using the usernames and also AAD groups. Here is how I did it.


How to download the latest release from a GitHub repository

We often want to download the latest release of an application from GitHub; however, it used to be hard without knowing the latest version. But now we can do the following: