The problem Containerised applications running in Kubernetes frequently require access to other services running within the cluster as well as external AWS services, such as Amazon RDS or Amazon Elasticache Redis. On AWS, controlling network level access between services is often accomplished via EC2 security groups. …

Problem statement The problem statement for this piece of work was as follows: As a platform engineer I want our workloads to be as secure as possible So that we don’t leave ourselves open to explotation Recommended Tooling A slight tangent, but I would recommend using the following tooling to help secure your cluster…

Setting the scene So imagine you have a cluster with publically accessible endpoints and you’re using a mixture of NGINX Ingress Controller and OAuth2 Proxy to provide Single Sign-On capabilities to these endpoints. https://github.com/kubernetes/ingress-nginx https://github.com/oauth2-proxy/oauth2-proxy The flow for accessing these endpoints is as follows:

Problem statement The problem statement for this piece of work was as follows: As a platform engineer I want to lock down flux permissions to “just enough” So that we keep the cluster as secure as possible What is Flux? Flux is a tool that automatically ensures that the state of a cluster matches the…

Feature statement Providing the ability to snapshot Elasticsearch clusters to S3 on a regular cadence. For reference, we are using the managed Elasticsearch service in AWS and are currently on Elasticsearch version 6.4.2. We decided to write a Golang command-line tool to perform the snapshotting, Our proposed solution / problem However, we wanted to validate our tool…

Problem statement The problem statement for this piece of work was as follows: As an engineer I want to be confident in my HelmRelease before they are deployed. So that deploys are more likely to succeed than fail in Kubernetes. The current problem At Mettle, as discussed before, we follow GitOps principles religiously when deploying…

Problem Statement The problem statement for this piece of work was as follows: As a platform engineer I want new chart versions to be available as quickly as possible across all envs. So that HelmReleases don’t fail on startup because the version does not exist. …