Infrastructure

K8s Intermediate #2: PV / PVC / StorageClass — The Persistent Data Model
18 min read

Through [K8s Basics #6](/en/posts/k8s-basics-6) we pulled config and secrets out of the manifest into external objects, but one dimension remains — the data itself. The container filesystem disappears with the container, but DB data, user uploads, and metric time series have to outlive the Pod. This post fills that gap with the triangle of PersistentVolume, PersistentVolumeClaim, and StorageClass — static and dynamic provisioning, accessModes, reclaimPolicy, volumeBindingMode, and what StatefulSet's volumeClaimTemplates from [#1](/en/posts/k8s-intermediate-1) actually produces on top of all this.

AWS Intermediate #5: Route 53 — domains and DNS
9 min read

AWS's managed DNS, Route 53. Domain registration and Hosted Zones, the difference between A / AAAA / CNAME / Alias records, and Simple / Failover / Latency / Geolocation routing policies.

Docker Advanced #4: SBOM and Signing — The Entry to Supply Chain Security
7 min read

Make a machine-readable bill of materials (SBOM) of what is in this image, and verify who built it with a cosign signature. The supply chain security toolkit that became standard after the xz incident.

K8s Intermediate #1: StatefulSet / DaemonSet / Job / CronJob — Controllers Beyond Deployment
16 min read

The [Deployment](/en/posts/k8s-basics-4) from K8s Basics #4 sits on a stateless model — multiple identical Pods that come back the same way when they die. But databases that need identity and disks, agents that need exactly one per node, migrations that should run once, daily backups — none of these fit Deployment. This post covers the four controllers that fill those gaps in one pass: StatefulSet, DaemonSet, Job, CronJob.

RHEL Intermediate #6: Job Scheduling — cron, systemd timer, at
12 min read

Four tools for running time-based tasks in RHEL 9, from an operational perspective. Traditional cron and user crontab, anacron that catches up missed jobs when the machine was off, at for one-shot scheduling, and systemd timer as the modern replacement for cron — with a guide on which tool to use in which situation.

AWS Intermediate #4: RDS — managed DB, backups, parameter groups
9 min read

AWS's managed relational database, RDS. Comparison vs DB-on-EC2, automated backups, snapshots and PITR, Multi-AZ, parameter / option groups, and how to handle minor vs major upgrades operationally.

Docker Advanced #3: Image Security — non-root, distroless, Trivy Scans
8 min read

A practical toolkit for container security. Dropping to a non-root USER, read-only root with tmpfs, dropping capabilities, narrowing the attack surface with distroless, scanning known CVEs with Trivy/Grype, and linting Dockerfiles with hadolint.

K8s Basics #7: Namespaces and Labels — Organizing the Cluster
13 min read

One thing slipped past quietly through this series — every Pod, Deployment, Service, ConfigMap, and Secret we created landed in the default namespace. And labels have been with us since [#4](/en/posts/k8s-basics-4)'s selector but never got their own pass. This post wraps the series with the two tools — Namespace and labels — that turn a cluster into something a human can read, and previews the next track (K8s Intermediate).

AWS Intermediate #3: S3 — static hosting and presigned URLs
9 min read

AWS's oldest object storage, S3. The shape of a bucket and the global uniqueness of names, policies and Public Access Block, static site hosting, presigned URLs, and how to lower cost with storage classes.

Docker Advanced #2: Multi-Architecture Images — amd64 and arm64 Together
7 min read

The "image built on Apple Silicon doesn't run on the production server" incident vanishes with one multi-arch build line. The shape of a manifest list, the cost of QEMU emulation, native ARM builders, and verifying results with docker buildx imagetools.

K8s Basics #6: ConfigMap and Secret — Splitting Out Configuration
15 min read

Through [#5](/en/posts/k8s-basics-5), one thing in our manifest is still awkward — image tags, ports, and domains are written directly into it. This post pulls those out into two objects: ConfigMap and Secret. The K8s way to apply the 12-factor "store config in the environment" rule, three injection methods (env / envFrom / volume), the one-line caveat that Secret is not actually encryption, and why a Pod restart is needed when config changes.

RHEL Intermediate #5: Log Management — journald, rsyslog, log rotation
11 min read

RHEL 9 uses journald as the primary log tool and rsyslog as the secondary, with text log files rotated automatically by logrotate. This post covers journald's retention policy and disk usage control, rsyslog's continuing role as the old-guard standard, the flow of collecting logs on a central server, and how to write logrotate rules from scratch — all from an operational perspective.