After configuring Istio with STRICT mTLS and using a ClusterIP service, pod-to-pod communication breaks. Problem Pods configured to use ClusterIP as Service stop communicating with each other after configuring Istio PeerAuthentication to use STRICT mTLS. In the following sections, let’s simulate the error and how to reestablish inter-pod communication. Test Environment The test…

A K8s Pod can return an Error when trying to reach the network before the Istio Sidecar is Running. Many applications execute commands or checks during startup, which require network connectivity. This can cause application containers to hang or restart if the istio-proxy sidecar container is not ready. This article…

Use a Gateway to manage inbound and outbound traffic for your mesh, letting you specify which traffic you want to enter or leave the Istio mesh. In a previous article, I explained the concept of a Service Mesh. This article demonstrates how to expose Kubernetes services deployed in the Service…

How Trivy helps us scan Docker images, Kubernetes, and Terraform code to detect potential configuration issues and minimise the risk of attack. Vulnerabilities are everywhere! I’d like to describe how I’m using Trivy to scan Docker images, Kubernetes configuration files, and Terraform code to find vulnerabilities before deploying them in…

It is a Dockerfile best practice to keep the images minimal. Create a distroless image and avoid including unnecessary packages or exposing ports to reduce the attack surface. Distroless image This article contains the instructions on how to build a minimal Docker image with only the tmp folder making, it a "Distroless…

Learn about the HashiCorp Terraform Module Testing Experiment configuration and how to use it to run tests against infrastructure. Testing is vital to understand if the infrastructure code we created is doing what they are supposed to. Running a terraform plan helps, but it’s not a guarantee. …

The goal of this article is to present a terraform code that creates multiple buckets, in multiple locations, and with multiple IAM permissions. This piece of code was used to solve the problem described in the Problem Statement section. The implementation strategy may vary from one case to the other…

Use Docker Buildkit to securely configure your Docker image to access private resources Challenges in accessing protected information Accessing private resources like a Nexus or a GitHub repository from within a Docker image and not leaking any security-related information it’s greatly appreciated. Firstly, we will never include credentials or any other secure information directly in…

Network Policies are an application-centric construct that allows you to specify how a pod is allowed to communicate with various network “entities” Prerequisite This tutorial is a continuation of my previous articles: How to automate the setup of a Kubernetes cluster on GCP. Automation: Deploying an app in GKE using Ansible …