First, this looks amazing, congrats! The primary reason I've held off on buying an eink tablet (remarkable/kindle scribe) is because much of the non-leisure reading I do for work requires enterprise-friendly features like MDM and encryption, and even with that plugging into a laptop to sync every document is a major UX hurdle.
Are you thinking about this primarily as a consumer device, or do you want to go after those business applications sooner rather than later?
Disclosure: I work at AWS, own a Kindle Oasis, but have nothing to do with Kindle or devices.
I would not say a pure coincidence. Whilst Aidan has been hanging out for this for quite a while, he was tipped off as to the imminence of the feature by GitHub's response in your thread[1].
Amazon EKS | Sr Software Engineer | Remote (US/Canada) | Full Time
As a Senior Software Engineer in the Elastic Kubernetes Service (EKS) team you will help us deliver the mission of making AWS the best place to run containers. You will be part of an exceptional team that is moving the needle towards making containers as the next generation compute platform. This is an opportunity to engineer systems on a massive scale, and to gain top-notch experience in distributed systems and cloud computing.
(Disclosure: I work on Kubernetes/EKS Security at AWS)
I'm curious why they didn't look into using Kubernetes ProjectedVolumeTokens for authenticating to Vault? The tokens Kubernetes issues are not stored in etcd, and they contain pod-specific metadata so they are invalidated as soon as the pod dies (when using TokenReview). Alternatively, they can be used to directly authenticate with Vault since they're OIDC-valid tokens [1].
The semantics around secrets in Kubernetes aren't nearly as robust as Vault, so I was surprised to not see this more clearly called out (ex: list secrets == get all keys and values). Even if you use KMS/AES encryption (which they reference) that doesn't help with access control.
This is on our radar and I think they can now be used directly with the Kubernetes auth plugin, although I've not heard much about it. This is a very recent change. We could have possibly got the same functionality with the JWT plugin, with some added complexity (and no TokenReview).
We don't allow read or list of secrets by any human, although of course that's not a perfect control.
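The exchange above describes why projected service-account tokens are attractive for Vault authentication: they carry an audience, an expiry and a binding to a specific pod, and a TokenReview rejects them once that pod is gone. The following is an added illustration, not code from either commenter or from Kubernetes or Vault; the claims, issuer URL and pod identifiers are constructed placeholders, the token is unsigned, and `token_review` is a hypothetical stand-in for the checks the API server performs, so signature verification is deliberately omitted.

```python
import base64
import json

# Constructed sample claims modelled on what a projected service-account token
# carries: issuer, audience, expiry, and the binding to one specific pod.
# Illustrative only; a real token is signed by the API server's key.
SAMPLE_CLAIMS = {
    "iss": "https://oidc.eks.example.invalid/id/PLACEHOLDER",  # placeholder issuer
    "aud": ["vault"],
    "exp": 1_700_003_600,
    "sub": "system:serviceaccount:default:app",
    "kubernetes.io": {
        "namespace": "default",
        "serviceaccount": {"name": "app", "uid": "sa-uid-1"},
        "pod": {"name": "app-7d9f", "uid": "pod-uid-1"},
    },
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unsigned_jwt(claims: dict) -> str:
    """Build an unsigned JWT-shaped token (alg none) purely for the demo."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def decode_claims(token: str) -> dict:
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_review(token: str, live_pod_uids: set, audience: str, now: int) -> dict:
    """Hypothetical stand-in for the decisions a TokenReview makes on a bound
    token: audience must match, token must be unexpired, and the bound pod
    must still exist. Signature verification is omitted in this demo."""
    claims = decode_claims(token)
    if audience not in claims.get("aud", []):
        return {"authenticated": False, "error": "audience mismatch"}
    if claims["exp"] <= now:
        return {"authenticated": False, "error": "token expired"}
    pod_uid = claims["kubernetes.io"]["pod"]["uid"]
    if pod_uid not in live_pod_uids:
        return {"authenticated": False, "error": "bound pod no longer exists"}
    return {"authenticated": True, "user": {"username": claims["sub"]}}
```

Run with the bound pod present and then absent to see the same token flip from authenticated to rejected, which is the invalidation behaviour the comment relies on.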
I remember the order for ln -s because the third argument is optional. If you omit the third argument the command will create a symbolic link in the current directory with the same filename as the original.
In theory, you could replace the CNI on worker nodes, but is that something that is practically useful (when it can't be done on master nodes in EKS) and supported? How would the kube-apiserver, for example, communicate to the metrics-server if it is not connected to the Calico network?
You are correct that the API server is only aware of the VPC network, and not any overlays. One solution to the metrics-server or other webhooks is to use host-networking mode so the API server can have connectivity.
Service IP configurability is a very common ask, and as you’ve linked, is on our roadmap along with a slew of other control plane configuration options.
You can delete the AWS VPC CNI DaemonSet and install any CNI plugin you’d like.
EKS regularly backs up etcd and has automatic restore in the case of a failure. Manually restoring to an old snapshot would be quite disruptive. What is your use case, and what would be the interface you’d like to see?
One of the things about Blender that was frustrating for me when I last tried it ~3 years ago was the inability to use a different Python REPL (ex: IPython) or easily import the Blender Python libraries in a non-Blender Python process. Can anyone say if this has gotten better?
Almost all of bpy is a simple generated wrapper around builtin C functions, but you can (or could, dunno how well it's been maintained?) build Blender as a Python module to import into CPython. Some experimental CMake setting IIRC.
A year ago I moved from Chattanooga, TN (mentioned in the article) to Bellevue, WA to work in "Cloud City" Seattle to take a job at AWS. It used to cost me a total of $59/mo for 100MB fiber up and down, no contract, with _amazing_ customer service (I seriously have stories to tell about how great EPB is).
My only real option at my new residence is Comcast at $79/mo which went up to $94/mo after 1 year for a hypothetical 100down/5up, with frequent network drops.
It was quite disappointing to find zero options for fiber, and this convinces me that this kind of corruption by ISPs and legislators needs to be severely curbed.
I had a friend who worked for a cable company (several decades ago). He would tell me that for cable customers, frequently the cost of infrastructure was recovered during the install, if not within the first month or two.
When you look at the gross profit margin for ISPs and cellphone companies, it is frequently > 60%.
Being the only game in town really has some tangible benefits.