Welcome to Technology Short Take #145! What will you find in this Tech Short Take? Well, let’s see…stuff on Envoy, network automation, network designs, M1 chips (and potential open source variants!), a bevy of security articles (including a couple on very severe vulnerabilities), Kubernetes, AWS IAM, and so much more! I hope that you find something useful here. Enjoy!
Networking
- Adam Kotwasinski walks readers through deploying Envoy and Kafka to collect broker-level metrics.
- Ivan Pepelnjak shares some links and thoughts on configuring the NSX-T firewall with a CI/CD pipeline built on GitHub Actions and Terraform Cloud.
- Author “JulioPDX” (I couldn’t find the author’s real name on any of their online profiles) has an article on integrating Nornir with FastAPI.
- Vincent Bernat provides some feedback on Cisco pyATS and Genie Parser.
- Russ White shares some thoughts on the collapsed spine network design.
- Justin Pietsch talks about simplifying networks and the resulting engineering trade-offs.
Servers/Hardware
- Howard Oakley of The Eclectic Light Company discusses some details on Apple’s M1 chip and what it does differently than other chips. Also included in this post are links to other articles with even more details—very helpful.
- Are open source M1-style chips a possibility? This article seems to think so.
Security
- The last several weeks haven’t been very nice to Azure with respect to security issues. First there was a vulnerability in the CosmosDB database that, according to this Reuters article, exposed “keys that control access to databases held by thousands of companies.” Following that incident came news of “Azurescape,” billed as the first cross-account container takeover in the public cloud. Finally, I recently saw this news about a “minor privilege escalation” within Azure AD.
- Colm MacCárthaigh discusses AWS SIGv4 and SIGv4A and some of the details and differences between the two.
- The AWS WorkSpaces client had a remote code execution flaw (versions before 3.1.9 are affected). See more details here.
- This isn’t good. Better patch your vCenter Server instances, as VMware released a security advisory with a long list of CVEs, including one with a severity score of 9.8/10.
Cloud Computing/Cloud Management
- For reasons that I won’t go into here (maybe later), I was recently pointed toward the vcluster project (for running virtual Kubernetes clusters in a namespace of an actual cluster). See the vcluster web site or the GitHub repository for more information. If I do end up using/testing it, I’ll share more information via a future blog post.
- Nathan Peck has a really interesting article on using Inlets for access to ECS Anywhere from anywhere.
- Sebastian Radloff has a two-part series on Gatekeeper and Kubernetes (part 1, part 2). Although I’ve been doing some work with Open Policy Agent (OPA) and Envoy, I’m still wrapping my head around Gatekeeper and how all the CRDs fit together.
- Eric Shanks outlines how to configure a private registry for Tanzu Kubernetes Clusters.
- Lydia Leong takes aim at the saying “The cloud is just someone else’s computer” in this post on cloud risk and resilience.
- Ben Kehoe takes AWS to task for shortcomings in the AWS IAM documentation. He also takes some time to explain principals in AWS IAM, apparently in a single-handed effort to address some of the documentation woes. Thank you, Ben!
Operating Systems/Applications
- This is a quite old post (from 2014!), but it may still be useful for folks who are now switching over to macOS: here’s a list of eight terminal-based utilities the author feels every user should know.
- James Kindon has a post on Citrix UPM and Microsoft FSLogix. This space is way outside my area of expertise, but in reviewing James’ article he provides some guidelines to help folks decide which of these two solutions is most appropriate based on certain requirements.
- Canonical has announced an extension to the lifecycle for Ubuntu 14.04 LTS “Trusty Tahr” and Ubuntu 16.04 LTS “Xenial Xerus”, making it a total of ten years. See their announcement for details.
- Quentin Monnet has a post on bpftool that aims to expose some commands and features of using this tool for working with eBPF.
Storage
- Rather than trying to curate my own list of storage-related links this time around, I’ll point you to this list instead, curated by none other than Dr. J Metz himself.
Virtualization
- Arnon Rotem-Gal-Oz writes about replacing Docker Desktop with HyperKit and Minikube.
That’s all for this time around! If you have any feedback for me—additional sites I should monitor for content, or other topics I don’t cover that you think would be useful to readers—I’d love to hear from you! The easiest way to get in touch with me is via Twitter, but I’m also accessible via e-mail (my address isn’t too hard to find) or Slack (I frequent several different Slack communities). Feel free to reach out.