In a world where code generation is cheap, why use untyped languages?
Types add confidence, stricter interfaces, and most likely a better runtime performance.
Firecracker has more tooling, but setting ist up and managing it is also more complicated, at least for k8s workloads. Libkrun is so easy for k8s! Compile crun with Libkrun support, crate a symlink of crun with the name krun, done. Works like any normal pod. Firecracker with kata-containers is a lot more brittle and complicated. I've invested quite some time getting this running for a talk I'm working on
Yeah, kind of. Lidl and Kaufland is owned by the Schwarz Group. They have been busy replicating the AWS orgin story. Their cloud is called StackIT. I've worked with them. Still some room to grow but a solid foundation. I like that competition is back on
I'm happy that there will be more tooling, but the reason for that (and the target audience) should not be ai agents. It should be a good experience for humans!
Tools should be tested and quality assured. Something that was utterly missing for cloudflare's unusable v5 terraform provider.
Quality over quantity with a ux that has humans in mind!
I switched our entire container build setup to buildkit. No kaniko, no buildah, no dind. The great part is that you can split buildkitd and the buildctl.
Everything runs in its own docker runner. New buildkitd service for every job. Caching only via buildkit native cache export. Output format oci image compressed with zstd.
Works pretty great so far, same or faster builds and we now create multi arch images. All on rootless runners by the way
It is a know problem. The strange part for me is that they fixed it in v1.35 with the FeatureGate AuthorizePodWebsocketUpgradeCreatePermission for pods but not for nodes which have a far greater attact vector. The author also references this:
> The same behavior was fixed elsewhere
It is a problem, but in order to exploit it you need a valid token and have public kubelet endpoints or need to compromise an service within the cluster that has the required RBAC permissions. So cluster admins can cat and check their RBAC
Thanks for the write up. It is indeed a simple and good solution for smaller workloads and as already pointed out it has some limitations.
For devs the explicit configuration of that HTTP_PROXY is annoying, so the last time I did an egress proxy on OpenShift I wrote a small mutating webhook that injects that envs automatically in all pods. OpenShift does this already automatically but only for some system pods.
Right now I explore Cilium's Egress-Gateway since this also handles none HTTP connections and is directly within the routing layer, but it has a learning curve
Great way to apply your gathered Kubernetes knowledge!
But I find the pricing tough and I don't like to give 3rd party tools that level of access to my clusters.
I know its early state but I see several problems: Right now it seems to be GH only, a lot of people are on selfhosted GitLab. Does it only support helm or also kustomize and raw extra manifests. What about GitOps?
I've build similar solution for clints, mostly only CI based. Often with Flux/ArgoCD support. The thing I found difficult was to show the diff of the rendered manifest also while applying the app. Since I'm not a fan of the rendered manifest pattern this often involved extra branches. Is this handled by the app?
It has gotten way worse since the Ai rise. Before it was the "how to be a winner" mindset now everything gets posted. Mostly AI garneted slop with glitchy AI images that advertise just plain false information. No one corrects stuff and barley anyone actually clicks a link an a post - no one cares.
Just mindless self fap,fap,fap, like TikTok but for "professional" and business people
Author here.
I know the old way still works and I respect that. Given the history I ask myself how long will it work, since ist not the default anymore.
I tried podman for multiple times. Normal testing & sandox stuff just works and you really can do alias docker=podman. But ass soon as you add nertworking me broke for me. And for me it is really just a tool and I need my tools working. So I switched back.
Recently I did the GitLab Runner migration for a company and switched to rootless docker. Works perfectly, all devs did not notice all there runs now use rootless docker and buildkit for builds. All thanks to rootless kit. No podman problems, more secure and no workflow change needed