https://ferkakta.dev/tags/kubernetes/Recent content in Kubernetes on ferkakta.devHugoen-USCopyright fizz.Fri, 27 Mar 2026 00:00:00 -0500https://ferkakta.dev/one-module-block-per-service-per-tenant/Fri, 27 Mar 2026 00:00:00 -0500https://ferkakta.dev/one-module-block-per-service-per-tenant/<p>Every tenant on my platform gets three services: an API server, an auth service, and a frontend. Each one is a single module block in Terraform that creates a Kubernetes deployment, a ClusterIP service, an ALB ingress, IRSA for AWS access, ESO-synced secrets from SSM, and a feature flag discovery mechanism. The module is the same for all three services. The variables are different.</p> <p>I extracted it into an open source module because I kept explaining the design decisions to people who asked &ldquo;how do you deploy services to EKS?&rdquo; and the answer was always &ldquo;let me show you the module.&rdquo; The module is the answer.</p>https://ferkakta.dev/from-feature-flags-import-star/Wed, 25 Mar 2026 21:00:00 -0500https://ferkakta.dev/from-feature-flags-import-star/<p>A colleague needed a feature flag enabled on one tenant. <code>FEATURE_FLAG_ENABLE_AGENTS=True</code> — one environment variable, one pod. I added it to the K8s secret manually, restarted the pod, and he was unblocked in two minutes.</p> <p>Then I realized: the next terraform apply would overwrite that secret without the flag. The ExternalSecret syncs from SSM, and the flag wasn&rsquo;t in SSM through any path terraform knew about. My manual fix had a shelf life of one deploy.</p>https://ferkakta.dev/orderly-eks-kubeflow-upgrade-path/Fri, 27 Feb 2026 00:00:00 +0000https://ferkakta.dev/orderly-eks-kubeflow-upgrade-path/<p>When EKS extended-support pricing is on the horizon, upgrade planning gets emotional fast.</p> <p>The worst time to discover platform ambiguity is when finance and timelines are both tightening.</p> <p>Our first impulse was to ask, &ldquo;how quickly can we upgrade?&rdquo;</p> <p>The better question was, &ldquo;what order of operations prevents us from compounding hidden drift during upgrade churn?&rdquo;</p> <h2 id="why-one-shot-upgrades-fail-in-controller-heavy-stacks">Why one-shot upgrades fail in controller-heavy stacks</h2> <p>On paper, &ldquo;upgrade EKS then bump Kubeflow&rdquo; sounds linear.</p>https://ferkakta.dev/drift-is-an-availability-bug/Fri, 27 Feb 2026 00:00:00 +0000https://ferkakta.dev/drift-is-an-availability-bug/<p>I used to think of drift as a config hygiene issue.</p> <p>Annoying, expensive, embarrassing — but fundamentally administrative.</p> <p>Then I watched two control-plane components fall into <code>CrashLoopBackOff</code> inside a production incident and realized the framing was wrong.</p> <p>Drift is not a paperwork problem. Drift is an availability bug.</p> <h2 id="the-incident-looked-like-random-failure">The incident looked like random failure</h2> <p>We were already deep in one fire: a Kubeflow Pipelines frontend image that kept reverting to an old tag.</p>https://ferkakta.dev/kubeflow-is-a-version-matrix-not-a-version/Fri, 27 Feb 2026 00:00:00 +0000https://ferkakta.dev/kubeflow-is-a-version-matrix-not-a-version/<p>&ldquo;What version of Kubeflow are we on?&rdquo;</p> <p>That looks like a simple platform inventory question.</p> <p>In practice, it was one of the most misleading questions in our incident.</p> <p>We had already fixed one visible symptom — image reconciliation behavior that kept reverting a frontend component — when we started asking version questions to prevent recurrence.</p> <p>The expected answer was one number.</p> <p>The real answer was a matrix.</p> <h2 id="the-false-confidence-moment">The false confidence moment</h2> <p>The dangerous moment was not when something failed. It was when everything looked green enough to stop looking.</p>https://ferkakta.dev/when-a-namespace-owns-your-deployment/Fri, 27 Feb 2026 00:00:00 +0000https://ferkakta.dev/when-a-namespace-owns-your-deployment/<p>I spent a Friday morning trying to update one image tag.</p> <p>Old image: <code>gcr.io/ml-pipeline/frontend:2.0.5</code>. New image: <code>ghcr.io/kubeflow/kfp-frontend:2.5.0</code>.</p> <p>The deployment accepted the edit. Then it snapped back. I edited again. It snapped back again.</p> <p>At first, I treated this as a normal ownership chain problem: <code>Deployment -&gt; ReplicaSet -&gt; Pod</code>. If my edit is getting reverted, some higher-level controller must be writing the deployment. Fair enough. Find the controller, patch the source, move on.</p>https://ferkakta.dev/kopf-operator-idempotency-three-layer-check/Fri, 20 Feb 2026 12:00:00 -0500https://ferkakta.dev/kopf-operator-idempotency-three-layer-check/<p>Our tenant operator provisions databases, cache users, and credentials for each tenant in a multi-tenant SaaS platform. PostgreSQL roles on shared RDS, ElastiCache RBAC users, SSM parameters with generated passwords. It worked exactly once per tenant. The second time it ran, it regenerated every password and overwrote every SSM parameter. Running services holding the old credentials immediately lost their database and cache connections.</p> <p>This was the blocker for auto-deploy.</p> <h2 id="every-deploy-was-a-coordinated-outage">Every deploy was a coordinated outage</h2> <p>The orchestrator runs <code>terraform apply</code> for each tenant on every deploy. Terraform reconciles the Tenant CRD, which fires Kopf&rsquo;s <code>on_tenant_create</code> handler. The handler doesn&rsquo;t distinguish between &ldquo;new tenant&rdquo; and &ldquo;existing tenant whose CRD was re-applied.&rdquo; It generates fresh passwords, creates new PostgreSQL roles (which fail because the role exists, or worse, succeed and orphan the old one), and overwrites SSM parameters with credentials that no running pod knows about.</p>