Summit:

Lightning Talks

About Me


Currently employed by Oteemo!

In IT since 1993 (with stops at Electronic Arts, Unisys, Red Hat, CoreOS)

Contact info:

NetworkPolicy Resources:

Proposed Best Practices for Charts

The Goal:

Allow users to easily implement secure NetworkPolicy for chart-installed apps

Constraints

(there are always a few...)

  • Principle of Least Surprise
  • Security the Easy Way
  • Composability with other policies in other apps

Proposal:

  • Master networkPolicy.enabled value: if false, no NetworkPolicy resources are created
  • Policy manifest per app component
  • Optional on-by-default flag for allowing external traffic (if false/unset, allow traffic only from specifically-labeled pods)
    • Dan Osborne (@ozdanborne) is already doing these, e.g. Prometheus, Redis charts
  • Optional off-by-default deny-all policy controlled by networkPolicy.defaultDenyAll
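
A sketch of how the proposed values could drive a chart's templates, as an added example rather than code from the talk or from any existing chart. The `allowExternal` key name, the `<release>-client` label, the `server` component and port 8080 are assumptions made for illustration.

```yaml
# values.yaml (constructed example)
networkPolicy:
  enabled: false        # master switch: no NetworkPolicy resources when false
  allowExternal: true   # assumed key name for the on-by-default external-traffic flag
  defaultDenyAll: false # off-by-default deny-all policy for the namespace
---
# templates/server-networkpolicy.yaml (one policy manifest per app component)
{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-server
spec:
  podSelector:
    matchLabels:
      app: {{ .Chart.Name }}
      component: server          # hypothetical component name
      release: {{ .Release.Name }}
  policyTypes: [Ingress]
  ingress:
    - ports:
        # hypothetical service port
        - port: 8080
      {{- if not .Values.networkPolicy.allowExternal }}
      # allowExternal false/unset: admit only specifically-labeled pods
      from:
        - podSelector:
            matchLabels:
              {{ .Release.Name }}-client: "true"
      {{- end }}
{{- end }}
---
# templates/default-deny-networkpolicy.yaml
{{- if and .Values.networkPolicy.enabled .Values.networkPolicy.defaultDenyAll }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-default-deny
spec:
  podSelector: {}          # selects every pod in the release namespace
  policyTypes: [Ingress]   # no ingress rules listed, so all ingress is denied
{{- end }}
```

With `enabled: true` and `allowExternal: false`, only pods in the release namespace carrying the `<release>-client: "true"` label can reach the server port. NetworkPolicy rules are additive, so policies from other charts that select the same pods can only widen what is allowed, which is what keeps per-component policies composable.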

Proposed next steps:

  1. Document @ozdanborne's existing practices as best practices
  2. Look through stable chart NetworkPolicy implementations for other practices to add or deprecate
  3. Further discussion as needed
    • Egress filtering
    • NetworkPolicy changes in Kubernetes
    • etc.

By Any Other Name:

How Aliases, Dependencies and Value Mapping Should Work

The Goal:

Treat chart aliasing, dependencies and exporting values to child charts as part of a unified whole

Basic issues

  • Aliases don't work consistently with locally-stored subcharts vs. charts in a remote repo
  • Creating names that are unique and consistent across a chart dependency tree is hard
  • It would often be useful to set values to the same thing in a parent chart and its child charts
  • These things are all part of a single system and should work in a unified way

Proposal:

  • Aliased charts should always be referable by their alias, whether local or remote
  • There should be an easy way to create values that are consistent for all charts in a chart tree
  • There should be a way to export values from the parent chart's value tree to child charts without repeating those values again in the child charts' value trees

Relevant GitHub issues

  • Can't refer to aliased subcharts by alias names in master chart (helm#2993)
  • proposal: Helm dynamic aliases (helm#3126)
  • Helm should allow easier "management" of child charts placed manually in `charts` (helm#3221)
  • Add 'export-values' to requirements (helm#3242)
  • Ability to read the parent Chart.yaml from Dependency (helm#3307)
  • [proposal] refactor aliases for subcharts (helm#3314)
  • Add a new stable chart "weave-scope" (charts/#1719)
    • Discussion of things I tried to do while writing my first chart that didn't work

Thanks to:

Oteemo for sending me here, and Sam Brown at Oteemo for suggesting I learn Helm!

Reinhard Nagele (@unguiculus) for helping me through my first chart PR, and the rest of the Helm community for being awesome and for accepting my talks!

and...

Thank you!