

Kubernetes uses a reconciliation loop to keep the cluster in the state defined in the manifests. Roughly speaking, observation, analysis, and execution are repeated in the form shown in the picture below.



Continuing the previous post about Docker Bench for Security, this time we handle securing the Docker daemon.

Result of Docker Bench for Security

Let’s start

🚨 2.1 — Ensure network traffic is restricted between containers on the default bridge

  • Edit file /lib/systemd/system/docker.service (a package upgrade overwrites this file; a drop-in created with systemctl edit docker, containing an empty ExecStart= line followed by the new ExecStart=, survives upgrades)
  • Change ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock to ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --config-file=/etc/docker/daemon.json (dockerd reads /etc/docker/daemon.json by default on Linux, so the flag only makes the path explicit)
  • Create file /etc/docker/daemon.json with the content below (the braces matter: the file must be valid JSON, otherwise dockerd refuses to start)
root@vagrant:/home/vagrant# cat /etc/docker/daemon.json
{
  "icc": false
}
  • Reload the systemd configuration and restart the docker service
root@vagrant:/home/vagrant# systemctl daemon-reload
root@vagrant:/home/vagrant# systemctl restart docker

⚠️ Keep in mind that with icc disabled, containers on the default bridge can no longer reach each other unless they are explicitly linked (--link). The usual way to let a group of containers talk to each other is to put them on a user-defined network, which has its own enable_icc option and is not affected by this daemon setting.

🚨 2.5 — Ensure aufs storage driver is not used

  • Check which storage driver is in use (the output below shows aufs, which is deprecated)
root@vagrant:/home/vagrant# sudo docker info | grep Storage
WARNING: No swap limit support
Storage Driver: aufs
  • Update…
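The steps for 2.1 and 2.5 above, as an added example that is not part of the original post: the settings are written by functions that take the target path, so they can be checked in a scratch directory before anything under /etc is touched. overlay2 as the replacement for aufs is an assumption (the excerpt cuts off before naming a driver), and a systemd drop-in is used instead of editing the packaged unit file.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): generate and verify the daemon settings for
# Docker Bench items 2.1 (icc) and 2.5 (storage driver). Paths are parameters so the functions
# can be exercised against a scratch directory; overlay2 is an assumed replacement for aufs.
set -euo pipefail

# Write a valid daemon.json: inter-container traffic on the default bridge off and the storage
# driver pinned. Note the surrounding braces; a bare "icc": false line is not JSON.
write_daemon_json() {
  local file="$1" driver="${2:-overlay2}"
  cat > "$file" <<EOF
{
  "icc": false,
  "storage-driver": "${driver}"
}
EOF
}

# Systemd drop-in instead of editing /lib/systemd/system/docker.service, which a package
# upgrade would overwrite. ExecStart must be cleared before it is redefined. dockerd reads
# /etc/docker/daemon.json by default, so --config-file only makes the path explicit.
write_systemd_dropin() {
  local file="$1"
  cat > "$file" <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --config-file=/etc/docker/daemon.json
EOF
}

# Static checks on the files. icc_disabled_in returns 0 when icc is false;
# storage_driver_in prints the configured driver name.
icc_disabled_in() { grep -Eq '"icc"[[:space:]]*:[[:space:]]*false' "$1"; }
storage_driver_in() {
  grep -Eo '"storage-driver"[[:space:]]*:[[:space:]]*"[^"]+"' "$1" | sed -E 's/.*"([^"]+)"$/\1/'
}

# Live checks against the running daemon (needs docker and root): the same values
# Docker Bench inspects for 2.1 and 2.5.
live_check() {
  command -v docker >/dev/null || { echo "docker not installed"; return 1; }
  docker info --format '{{.Driver}}'                                       # expect overlay2, not aufs
  docker network inspect bridge \
    --format '{{index .Options "com.docker.network.bridge.enable_icc"}}'   # expect false
}

# Apply on a real host (as root):
#   write_daemon_json /etc/docker/daemon.json
#   mkdir -p /etc/systemd/system/docker.service.d
#   write_systemd_dropin /etc/systemd/system/docker.service.d/override.conf
#   systemctl daemon-reload && systemctl restart docker && live_check
```

Changing the storage driver makes the images and containers created under the old driver invisible to the daemon (they stay on disk under /var/lib/docker/aufs), so pull or rebuild what you need after the restart and remove the old directory once nothing refers to it.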


I usually like to use Nginx as a proxy to host multiple services on the same server, but when we need a quick and simple configuration, Traefik is a good choice as proxy server.

So let’s use Traefik !

What exactly is Traefik?

An open-source reverse proxy and load balancer for HTTP and TCP-based applications that is easy, dynamic, automatic, fast, full-featured, production proven, provides metrics, and integrates with every major cluster technology.

Basically, Traefik is a reverse proxy and load balancer for HTTP and TCP applications. It integrates with various technologies and can be installed easily in any stack.



In this short post I would like to introduce K3s and MicroK8s. K3s, developed by Rancher, has become a hot topic as a lightweight Kubernetes, but Canonical (Ubuntu) also develops a lightweight Kubernetes called MicroK8s; as the Micro in the name suggests, it is lighter than a normal Kubernetes. Both let you run Kubernetes without a virtual machine, unlike Minikube. I would like to compare what functions each has and how they differ.

General Information

k3s — Lightweight Kubernetes

K3s is developed by Rancher Labs; as Rancher says, it is good for small devices such as IoT. I think the…



I think curl is fun: I have had many opportunities to play with it, POSTing data or reading a session from cookies, so I would like to summarize what I use.

Test Environment

Let’s start

  • Simple docker-compose for Jenkins (the Docker socket and binary are mounted so Jenkins can drive the host's Docker; together with privileged and user: root this gives the container full control of the host, acceptable only for a throwaway test environment)
version: '3.7'
services:
  jenkins:
    image: jenkins/jenkins:lts
    privileged: true
    user: root
    ports:
      - 8081:8080
      - 50000:50000
    container_name: jenkins
    volumes:
      - /tmpy:/var/jenkins_home
      - /var/run/docker.sock:/var/run/docker.sock
      - /usr/local/bin/docker:/usr/local/bin/docker
  • Run docker-compose up -d and, after the container has started, open http://<IP-ADDRESS>:8081. We will need the initial admin password from the container; we can get it with docker exec…

Memo with syntax that is often used in the find command

Grep Recursive

vagrant@vagrant:~$ find ./ -type f -print0 | xargs -0 grep example

(-type f skips directories, and -print0 with xargs -0 keeps file names containing spaces or newlines from being split into several arguments; grep -r example ./ does the same in one command.)

If only .txt files are of interest, narrow the search at the find stage:

vagrant@vagrant:~$ find ./ -name '*.txt' -print0 | xargs -0 grep example

Total size in gigabytes of the files modified within the last year

Useful when freeing disk space: it estimates how much would remain after deleting the files older than a year.

root@vagrant:/# find ./ -mtime -365 -type f -printf "%s\n" | awk '{sum += $1} END {printf("%d\n", sum/1024/1024/1024)}'

Find files older than 1 year

root@vagrant:/# find ./ -mtime +366 -type f

Delete files older than 1 year (run the listing above first and check what it returns; -delete is handled by find itself, so no rm process is started per file)

root@vagrant:/# find ./ -mtime +366 -type f -delete

Search for files with recent updates

With below command…
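The find recipes from this memo, as an added example that is not part of the original: the same queries as functions that take the directory and the age in days as parameters and stay safe with odd file names. Like the memo, it needs GNU findutils for -printf and -delete; the glob default of *.txt is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the original memo): the find recipes as parameterised functions.
# Requires GNU findutils (-printf, -delete), as the memo's own commands do.
set -euo pipefail

# Recursive grep restricted to a glob (default *.txt, an assumption). NUL separators instead
# of newlines so file names containing spaces or newlines are passed as single arguments;
# xargs -r skips running grep at all when nothing matched the glob.
grep_files() {
  local dir="$1" pattern="$2" glob="${3:-*.txt}"
  find "$dir" -type f -name "$glob" -print0 | xargs -0 -r grep -l -- "$pattern"
}

# Total bytes of regular files modified within the last $2 days
# (divide by 1024^3 for the GiB figure the memo prints).
bytes_newer_than() {
  local dir="$1" days="$2"
  find "$dir" -type f -mtime "-$days" -printf '%s\n' | awk '{ s += $1 } END { printf "%d\n", s }'
}

# Number of regular files not modified for more than $2 days: the dry run before deleting.
count_older_than() {
  local dir="$1" days="$2"
  find "$dir" -type f -mtime "+$days" -print0 | tr -cd '\0' | wc -c | tr -d ' '
}

# Delete those files. -delete is evaluated by find for each file: no rm process, no shell.
delete_older_than() {
  local dir="$1" days="$2"
  find "$dir" -type f -mtime "+$days" -delete
}

# Typical use: count first, delete only when the number looks right.
#   count_older_than /var/log/old 366 && delete_older_than /var/log/old 366
```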


Using containers offers great benefits, but growing the environment also means making difficult choices: which orchestration tool fits our situation best, and how to monitor the system. Docker is the de facto standard container runtime, but there are several options to choose from for container orchestration. The current leaders are CNCF's Kubernetes and AWS ECS. According to a 2020 survey, 83% of companies use Kubernetes as their container orchestration solution.

More information can be found in the survey.

In this article, I will compare ECS and Kubernetes…


In Kubernetes, pods sometimes get evicted when a node runs short of resources such as memory or ephemeral storage: the kubelet terminates pods to relieve the pressure. If the pod belongs to a controller such as a Deployment, a replacement pod is created, but if the node is still short of resources the replacement is evicted as well, and every evicted pod stays behind as a pod object in the Failed phase with the reason Evicted.

Should we care about this?

Definitely yes. Evicted pods are not cleaned up automatically: the pod objects remain in the API server (and etcd) until they are deleted, or until the kube-controller-manager's terminated-pod garbage collector runs, which by default only happens once the cluster holds more than 12500 terminated pods (--terminated-pod-gc-threshold). A cluster that evicts frequently therefore accumulates stale pod objects that clutter every listing, add to list and watch traffic, and hide the real cause of the pressure. …
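One way to find and clean up the evicted pods described above, as an added example that is not part of the original post. It works on the text output of kubectl get pods -A, so it can be tried offline; the pod listing embedded below is constructed sample data, not output from a real cluster.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): list evicted pods from `kubectl get pods -A`
# output and emit the matching delete commands for review.
set -euo pipefail

# Constructed sample of `kubectl get pods -A` output (not from a real cluster).
# Columns: NAMESPACE NAME READY STATUS RESTARTS AGE; STATUS shows the pod's reason, "Evicted".
SAMPLE_PODS='NAMESPACE     NAME                      READY   STATUS    RESTARTS   AGE
default       web-7c9d6f5b9-abcde       1/1     Running   0          3d
default       web-7c9d6f5b9-zzzzz       0/1     Evicted   0          2d
kube-system   coredns-558bd4d5db-xyz12  1/1     Running   0          30d
batch         worker-5d4f8-qwert        0/1     Evicted   0          5h'

# Read a listing on stdin, print "namespace name" for every pod whose STATUS is Evicted.
# NR > 1 skips the header line.
evicted_pods() {
  awk 'NR > 1 && $4 == "Evicted" { print $1, $2 }'
}

# Turn that list into kubectl delete commands. They are printed, not executed, so the
# list can be reviewed first (pipe into sh to run them).
evicted_delete_cmds() {
  evicted_pods | while read -r ns name; do
    printf 'kubectl delete pod -n %s %s\n' "$ns" "$name"
  done
}

# Live usage (needs a cluster):   kubectl get pods -A | evicted_delete_cmds
# Shortcut that deletes every Failed-phase pod, evicted or not, since field selectors
# cannot filter on status.reason:   kubectl delete pods -A --field-selector=status.phase=Failed
printf '%s\n' "$SAMPLE_PODS" | evicted_delete_cmds
```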


At the beginning

With minikube addons enable ingress it is easy to get started with Ingress on Minikube. Resolving the host name used in the Ingress on a local name server makes it more comfortable to use. It is also easy to use nginx-ingress-controller instead of Minikube's standard Ingress controller, which is more convenient with a custom cluster add-on. If you use Ingress in production, you will want to verify its behaviour locally on Minikube first.

To use Ingress you need an Ingress controller, which configures an L7 load balancer based on the Ingress objects you create. For example, in GKE there is an…



CronJob in Kubernetes is handy for running workloads on a cron-like schedule, but it is difficult to understand because the API has many fields. So I would like to organize them first and then show how it works.

CronJobSpec API fields

All information about the API fields can be found in the link below:

The concurrencyPolicy field is a little difficult to understand, so I added an explanation.


If a job takes 2 minutes to run but the schedule fires every minute, two runs would be active at the same time.

⚠️ Allow permits the runs to overlap; Forbid skips the new run while the previous one is still running (the skipped run counts as missed); Replace cancels the running job and starts the new one in its place.
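A minimal CronJob manifest, added here as an example that is not from the original post, to show where concurrencyPolicy sits among the other CronJobSpec fields and to reproduce the overlap case above: the schedule fires every minute and the job sleeps for two. The name, image and sleep length are assumptions for illustration.

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: overlap-demo               # assumed name
spec:
  schedule: "*/1 * * * *"          # every minute
  concurrencyPolicy: Forbid        # Allow | Forbid | Replace; Forbid skips the run at minute 1
  startingDeadlineSeconds: 30      # a run that cannot start within 30 s of its schedule is skipped
  successfulJobsHistoryLimit: 3    # how many finished Job objects to keep
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      backoffLimit: 0              # do not retry a failed pod
      template:
        spec:
          restartPolicy: Never
          containers:
            - name: work
              image: busybox:1.36  # assumed image
              command: ["sh", "-c", "sleep 120"]   # 2 minutes, longer than the 1-minute schedule
```

Apply it with kubectl apply -f and watch kubectl get jobs -w: with Forbid only one Job exists at a time and every second schedule is skipped; switch the policy to Replace and the running Job is deleted at each new schedule; with Allow two Jobs overlap.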


DevOps Consultant. I’m strongly focused on automation, security, and reliability.
