Scraping Envoy Metrics Using the Prometheus Operator

On a recent customer project, I recommended the use of Heptio Contour for ingress on their Kubernetes cluster. For this particular customer, Contour’s support of the IngressRoute CRD and the ability to delegate paths via IngressRoutes made a lot of sense. Of course, the customer wanted to be able to scrape metrics using Prometheus, which meant I not only needed to scrape metrics from Contour but also from Envoy (which provides the data plane for Contour). In this post, I’ll show you how to scrape metrics from Envoy using the Prometheus Operator.

First, I’ll assume that you’ve already installed and configured Prometheus using the Prometheus Operator, a task which is already fairly well-documented and well-understood. If this is something you think would be helpful for me to write a blog post on, please contact me on Twitter and let me know.

The overall process looks something like this:

  1. Modify the Envoy DaemonSet (or Deployment, depending on your preference) to add a sidecar container and expose additional ports.
  2. Modify the Service for the Envoy DaemonSet/Deployment to expose the ports you added in step 1.
  3. Add a ServiceMonitor object (a CRD added by the Prometheus Operator) to tell Prometheus to scrape Continue reading

Weekend Reads 020119

I think that the data center industry has reached a point of equilibrium and stabilization where the players for cloud service have been defined, the large mega applications (like Facebook and Google) have become a monopoly on their respective businesses, and there has been slow but sustained growth in all of these markets. —Yuval Bacher

How many times in the software industry have you heard developers fight over which programming language is better? How many times have you heard about that one pattern that will fix all of our problems moving forward? —Marco Palladino

What’s clear is that supply chain attacks are a well-established, if underappreciated, method of surveillance — and much work remains to be done to secure computing devices from this type of compromise. —Micah Lee, Henrik Moltke

But when designing underlying cyber protections, too many architects are taking zero trust to be the primary objective. This is a misinterpretation. In the first instance, we should look to protect our resources from attack. What zero trust reminds us is that we are fallible, and that we should put in place backup plans in the form of monitoring and incident response for the (hopefully rare) cases where our protection Continue reading

Advanced Solutions Customer Story Part 1: Why NSX-T?

 

Customer Overview

Advanced Solutions, a DXC Technology company, was formed in 2004 and employs about 500 staff to support the government of the Canadian province of British Columbia and other public sector customers with IT and business process solutions. For government agencies and services to continue operating efficiently and effectively, it is essential that the IT resources that they require are provided quickly and accurately.

Key Pain Points

All IT organizations are acutely familiar with the wide range of pain points and obstacles that can stand in the way of delivering resources to empower their businesses to move with speed and agility. One of the most common hindrances to IT, and therefore business agility is painfully slow provisioning processes, which can take weeks just to provision an application. The most common bottleneck within these processes is provisioning networking and security services. This is a key pain point for Advanced Solutions, but one that VMware is helping them solve with the VMware NSX Data Center network virtualization platform.

Dan Deane, Solutions Lead at Advanced Solutions says, “The key IT pain points that VMware solutions are helping us solve are around networking and provisioning.”

New Use Cases

Advanced Solutions was Continue reading

Check Point GAiA as Personal Firewall on Linux – Part1

Check Point GAiA is the next generation Secure Operating System for all Check Point appliances, open servers and virtualized gateways. In this tutorial we will create a network infrastructure which supports usage of Gaia Qemu VM as a personal firewall on Ubuntu Linux. We will also go through the entire installation of Gaia on Qemu VM. This firewall appliance can be used up to 15 days period covered by a free trial Gaia license (no registration needed).

Hardware:  Asus K55VM laptop:
- Intel(R) Core(TM) i7-3610QM CPU @ 2.30GHz
- RAM - 2 x Kingston DDR3 8192MB,
- HDD - ST1000LM024 HN-M101MBB 1000GB

Hardware requirements:
- Gaia QEMU VM: RAM - 4096MB, HDD - 15GB
- Windows 7 QEMU VM: RAM 2048MB, HDD - 15 GB

Software:
Host - Kubuntu Linux 18.04.1 LTS with installed QEMU emulator version 3.0.0 and KVM module
Guest 1 - Checkpoint GAiA R80.10, OS build 462, OS kernel version 2.6.18-92cpx86_64
Guest 2 - Windows 7 Home Premium, x86 with installed Smart Console R80.10 Build 991140073

Credentials - username/password:
- Gaia web portal: admin/check123point
- Gaia expert mode: check123point
- Windows 7: no password Continue reading

Helping To Build Cloudflare, Part 3: Audacity, Diversity and Change

This is part 3 of a six part series based on a talk I gave in Trento, Italy. To start from the beginning go here.

After Cloudbleed, lots of things changed. We started to move away from memory-unsafe languages like C and C++ (there’s a lot more Go and Rust now). And every SIGABRT or crash on any machine results in an email to me and a message to the team responsible. And I don’t let the team leave those problems to fester.

Making 1.1.1.1

So Cloudbleed was a terrible time. Let’s talk about a great time. The launch of our public DNS resolver 1.1.1.1. That launch is a story of an important Cloudflare quality: audacity. Google had launched 8.8.8.8 years ago and had taken the market for a public DNS resolver by storm. Their address is easy to remember, their service is very fast.‌‌

But we thought we could do better. We thought we could be faster, and we thought we could be more memorable. Matthew asked us to get the address 1.1.1.1 and launch a secure, privacy-preserving, public DNS resolver in a couple of months. Continue reading

Stuff The Internet Says On Scalability For February 1st, 2019

Wake up! It's HighScalability time:

 

Memory module for the Apollo Guidance Computer (Mike Stewart). The AGC weighed 70 pounds and had 2048 words of RAM in erasable core memory and 36,864 words of ROM in core rope memory. It flew to the moon.

 

Do you like this sort of Stuff? Please go to Patreon and do what comes natural. Need cloud? Stand under Explain the Cloud Like I'm 10 (35 nearly 5 star reviews).

 

  • $10.9B: Apple's Q1 services revenue;  5 million: homes on Airbnb; 2.5-5%: base64 gzipped files close to original; 60MB/s: Dropbox per Kafka broker throughput limit; 12%: Microsoft's increased revenues; 9: new datasets; 900 million: installed iPhones; $5.7B: 2018 game investment; way down: chip growth; 

  • Quotable Quotes:
    • Daniel Lemire: Most importantly, I claim that most people do not care whether they work on important problems or not. My experience is that more than half of researchers are not even trying to produce something useful. They are trying to publish, to get jobs and promotions, to secure grants and so forth, but advancing science is a secondary concern.
    • @da_667: The moral of Continue reading

Community Network Champions Take a Rural Dip in India

By Digital Empowerment Foundation

In the last 25 years, half the world has been connected to the Internet and the almost infinite opportunities it has to offer. Most of these, among the 3.5 billion connected individuals of the world, are people who are largely economically empowered, literate, and reside in urban or accessible areas. However, there is also half the world that is yet to get online and access what the Internet has to offer them.

The biggest barrier to widespread connectivity is the high cost of infrastructure. With many telecom companies unwilling or unable to build infrastructure in far flung and rural areas, large swathes of the world have remained in media darkness. Evidently, most of those who are excluded from digital ecosystems are people who are largely at the bottom of the pyramid and reside in rural or inaccessible areas. They are people who have not been connected by the mainstream Internet Service Providers (ISP) – and who may have to wait a long time to be connected.

So who will take the responsibility of connecting them?

It has to be the community themselves.

Over the years, community network providers have proved to be great enablers for Continue reading

Helping To Build Cloudflare, Part 1: How I came to work here

This is the text I prepared for a talk at Speck&Tech in Trento, Italy. I thought it might make a good blog post. Because it is 6,000 words I've split it into six separate posts.

Here's part 1:

I’ve worked at Cloudflare for more than seven years. Cloudflare itself is more than eight years old. So, I’ve been there since it was a very small company. About twenty people in fact. All of those people (except one, me) worked from an office in San Francisco. I was the lone member of the London office.

Today there are 900 people working at Cloudflare spread across offices in San Francisco, Austin, Champaign IL, New York, London, Munich, Singapore and Beijing. In London, my “one-person office” (which was my spare bedroom) is now almost 200 people and in a month, we’ll move into new space opposite Big Ben.

The original Cloudflare London "office"

The numbers tell a story about enormous growth. But it’s growth that’s been very carefully managed. We could have grown much faster (in terms of people); we’ve certainly raised enough money to do so.

I ended up at Cloudflare because I gave a really good talk at a conference. Well, Continue reading

National pen test execution standard would improve network security

As the number of cyber attacks increases, the demand for penetration tests – to determine the strength of a company’s defense – is also going up. People are worried about their companies’ networks and computer systems being hacked and data being stolen. Plus, many regulatory standards such PCI and HITRUST require these tests to be performed on at least an annual basis.The demand for these tests is only going to increase as attackers get more sophisticated. And it’s essential these tests catch all possible vulnerabilities.[ Also read: What to consider when deploying a next-generation firewall | Get regularly scheduled insights: Sign up for Network World newsletters ] Benefits and gaps of penetration tests Penetration tests involve live tests of computer networks, systems, or web applications to find potential vulnerabilities. The tester actually attempts to exploit the vulnerabilities and documents the details of the results to their client. They document how severe the vulnerabilities are and recommend the steps that should be taken in order to resolve them.To read this article in full, please click here

1 1,342 1,343 1,344 1,345 1,346 3,856