Inguss Neilands IngussNeilands
@IngussNeilands
IngussNeilands / node-custom-setup.yaml
Created November 28, 2019 12:51 — forked from jjo/node-custom-setup.yaml
Run commands at Kubernetes *nodes* via `privileged` DaemonSet + `nsenter` hack, very useful for setups requiring base packages pre-installed at nodes. Please take a moment to understand what it does, and *don't* use it for *production*. Grab the logs with: kubectl logs -n kube-system -l k8s-app=node-custom-setup -c init-node
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  namespace: kube-system
  name: node-custom-setup
  labels:
    k8s-app: node-custom-setup
  annotations:
    command: &cmd apt-get update -qy && apt-get install -qy tgt ceph-fs-common ceph-common xfsprogs
@IngussNeilands
IngussNeilands / kubectl-root-in-host-nopriv.pks.sh
Created November 28, 2019 09:59 — forked from jjo/kubectl-root-in-host-nopriv.sh
Yeah. Get a root shell at any Kubernetes *node* via `privileged: true` + `nsenter` sauce. PodSecurityPolicy will save us. DenyExecOnPrivileged didn't (kubectl-root-in-host-nopriv.sh exploits it)
#!/bin/sh
# Launch a Pod ab-using a hostPath mount to land on a Kubernetes node cluster as root
# without requiring `privileged: true`, in particular can abuse `DenyExecOnPrivileged`
# admission controller.
# Pod command in turn runs a privileged container using node's /var/run/docker.sock.
#
# Tweaked for PKS nodes, which run their docker stuff from different
# /var/vcap/... paths
node=${1}
case "${node}" in
# set Digital Ocean token with:
# export TF_VAR_do_token="..."
variable "do_token" {}
# set health check port
variable "hc_port" {
  default = 8000
}
# Initialize provider
@IngussNeilands
IngussNeilands / gist:10e42e24338d09c12c289d70d25fce53
Created August 22, 2018 12:47 — forked from aws-scripting-guy/gist:884ffa9d44bd14f7493a670543284552
AWS EC2 metadata. Check attached IAM role from EC2 instance. Get temporary credentials.
# Get IAM Role name from Instance Profile Id
curl http://169.254.169.254/latest/meta-data/iam/info
# Get credentials
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
# More info
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NonResourceBasedReadOnlyPermissions",
      "Action": [
        "ec2:DescribeSubnets",
        "ec2:DescribeSnapshots",
        "ec2:DescribeImages",
        "ec2:DescribeVolumes",
@IngussNeilands
IngussNeilands / PackerPolicy.json
Created March 2, 2018 15:42 — forked from MattSurabian/PackerPolicy.json
Minimum IAM policy required by AWS for Packer to do its thing. https://github.com/mitchellh/packer Permissions are broken out by API functionality, and a resource array has been defined with a wildcard for each group. For tighter security, resource-level permissions can be applied per this documentation: http://aws.typepad.com/aws/2013/07/resourc…
{
  "Statement": [
    {
      "Sid": "PackerSecurityGroupAccess",
      "Action": [
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:DescribeSecurityGroups",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress"
@IngussNeilands
IngussNeilands / es-dump-index.py
Created November 8, 2017 10:40 — forked from spikeekips/es-dump-index.py
A simple script to dump the data from an Elasticsearch index for insertion via the bulk API.
# -*- coding: utf-8 -*-
"""
################################################################################
Dump ElasticSearch index for inserting BULK
################################################################################
requires `rawes`.
for more details, run `-h` to show help message.
@IngussNeilands
IngussNeilands / 00_README.md
Created November 6, 2017 16:19 — forked from CrackerJackMack/00_README.md
ansible fact caching redis password different port

Everything I've read is that redis fact caching in ansible doesn't support db/password/ports, but that is untrue. It's undocumented and it will most likely change in the future, but here is how it works. It takes the fact_caching_connection, splits it on the colon and passes it as *args to redis.StrictRedis. Db is typically 0 if you weren't sure. If you aren't sure whether the ansible version you are using supports this, just check the plugins/redis.py for how it passes the connection string to StrictRedis. Works with 2.2.0.0 at least.

# hostname:port:db:password
localhost:6379:0:secret
public_ip:293451:0:supersercretnobodycanguessthis
# Count metrics that have received samples in the last 5 minutes:
topk(100, count by (__name__, job)({__name__=~".+"}))