October 2020


What’s New?

ECR Image Scanning

Though deploying applications as Docker images makes it easy to manage dependencies and ensure you’ve got full control over your application’s runtime environment, it’s often unclear what actually goes into your container images. How do you know that the images you’re using don’t contain vulnerabilities? ECR offers container image scanning… for free. 

Some additional information on using ECR image scanning: 

  • It costs nothing to enable image scanning for an ECR repository

  • ECR only scans the installed Linux packages that are part of your Docker image. Application-level dependencies such as Node.js or Python packages are out of scope

  • Enabling scanning does not slow down or block existing CI/CD pipelines. Scans run after the image is pushed to the repository and the image is still available as soon as it’s pushed

  • You can periodically re-scan images to check for new vulnerabilities that may have been discovered since the image was first uploaded to ECR. This is useful for letting you know if an infrequently-deployed application needs to be updated

  • The underlying tool being run by ECR to scan your images is Clair: https://github.com/quay/clair 
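Because scans run after the push and never block the pipeline, a deploy step that wants to act on the results has to fetch them and decide for itself. The gate below is an added example, not stack.io's or AWS's code: it takes the parsed output of `aws ecr describe-image-scan-findings` (the command, the `imageScanStatus` values and the finding fields are the real ones; the sample scan, CVE ids and package names are constructed placeholders) and fails the deploy when any finding is at or above a chosen severity, waiting while the scan is still in progress.

```python
from typing import Dict, List, Tuple

# ECR (Clair) severities, most severe first.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED"]

def findings_at_or_above(scan: Dict, threshold: str) -> List[Dict]:
    """Findings at or above `threshold`. `scan` is the parsed JSON of
    `aws ecr describe-image-scan-findings` (boto3 returns the same shape)."""
    limit = SEVERITY_ORDER.index(threshold)
    hits = []
    for f in scan.get("imageScanFindings", {}).get("findings", []):
        sev = f.get("severity", "UNDEFINED")
        if SEVERITY_ORDER.index(sev) <= limit:
            attrs = {a["key"]: a["value"] for a in f.get("attributes", [])}
            hits.append({"name": f["name"], "severity": sev,
                         "package": attrs.get("package_name", "?"),
                         "version": attrs.get("package_version", "?")})
    return hits

def gate(scan: Dict, threshold: str = "HIGH") -> Tuple[str, List[Dict]]:
    """Deploy gate. Scans run asynchronously after the push, so poll until
    imageScanStatus is COMPLETE: "PENDING" while in progress, "ERROR" if the
    scan failed, "FAIL" with the offending findings, otherwise "PASS"."""
    status = scan.get("imageScanStatus", {}).get("status")
    if status == "FAILED":
        return "ERROR", []
    if status != "COMPLETE":
        return "PENDING", []
    hits = findings_at_or_above(scan, threshold)
    return ("FAIL" if hits else "PASS"), hits

# Constructed sample in the shape of describe-image-scan-findings output;
# the CVE ids and package names are placeholders, not real findings.
SAMPLE_SCAN = {
    "repositoryName": "example-app", "imageId": {"imageTag": "1.2.3"},
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findings": [
        {"name": "CVE-0000-PLACEHOLDER-A", "severity": "HIGH", "attributes": [
            {"key": "package_name", "value": "libexample"}, {"key": "package_version", "value": "1.0-1"}]},
        {"name": "CVE-0000-PLACEHOLDER-B", "severity": "MEDIUM", "attributes": [
            {"key": "package_name", "value": "examplelib2"}, {"key": "package_version", "value": "2.3-4"}]},
        {"name": "CVE-0000-PLACEHOLDER-C", "severity": "LOW", "attributes": []},
    ]},
}

if __name__ == "__main__":
    verdict, hits = gate(SAMPLE_SCAN, "HIGH")
    print(verdict, [(h["name"], h["package"], h["version"]) for h in hits])
```

The gate only covers what ECR scans, i.e. the image's OS packages; Node.js or Python dependencies need a separate check.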

Let us know if you’d like help setting up and configuring ECR image scanning for your applications!

Fine-Grained Kubernetes & AWS Access Policies

As your business grows, typically the number of employees who will need to access and manage your systems grows too. Developers require a different set of privileges than system administrators. Co-op students require different permissions than data scientists. In an ideal world, each employee only has permission to access and manage the resources that they are required to access (often referred to as the “principle of least privilege”). You don’t want people using personal accounts for shared system resources, and replacing personal accounts with automated service accounts ensures that there will be no unknown side effects if a personal account is deactivated after a user leaves the company.

Although every business has different structures and needs, we can help you:

  • Set up service accounts to automate infrastructure provisioning on Terraform Cloud and limit infrastructure access to different environments to different teams within your organization

  • Set up fine-grained AWS IAM access policies so that people only see the things they need to

  • Create differing access rules and roles on your Kubernetes cluster to ensure each team can do what it needs to without risk of accidentally impacting another team’s namespace or shared cluster infrastructure

Useful Reading

  • Do you wish it was a little easier to write Deployments for Kubernetes? This tool may come in handy: https://k8syaml.com/. This site provides a nice point and click builder for Kubernetes Deployments.

  • One of the big drawbacks of Kubernetes is how frequently new versions are released and APIs are deprecated and removed (for example: Kubernetes 1.16 removed a significant number of APIs). Beginning with Kubernetes 1.19, Kubernetes will include a number of built-in tools and options to help warn you of API deprecations before they cause issues in a cluster. At stack.io we are always happy to let you know what’s in store for the next upgrade.

  • Do you prefer to manage your Kubernetes objects using Terraform instead of kubectl? K2tf can be used to convert Kubernetes yaml files to Terraform files automatically for you (instead of needing to convert Kubernetes manifests manually).

Fun Stuff

The naming of many tech companies can be pretty questionable - it’s often difficult to tell the difference between the “next big thing” and the stuff of kids’ TV shows. You can test your knowledge with the game “Pokemon or Big Data”: https://pixelastic.github.io/pokemonorbigdata/

Getting bored of just doing the same stuff at home all the time during Covid-19? Want to try something new? Rosalind is a set of biology-related programming problems you can work through at your own pace using any programming language you want: http://rosalind.info/problems/locations/. Even if you aren’t interested in bioinformatics, working through the Rosalind problems is a great way to practice and learn a new programming language!

Mess up a command in the terminal? Just type the “magic word” and this program will automatically fix the last command you ran: https://github.com/nvbn/thefuck