Skip to content

Instantly share code, notes, and snippets.

View george-angel's full-sized avatar

George Angel george-angel

View GitHub Profile
george-angel / rs-ns
Last active February 8, 2018 16:40
Kubernetes resources per namespace
## usage: ./rs-ns <kube-context> | sort -h -k 2 -r
export env=${1}
total() {
echo "${ns} $(kubectl --context=${env} -n${ns} top pod | tail -n +2 | awk '{print $3}' | cut -d'M' -f1 | paste -s -d+ - | bc) "
george-angel /
Created January 8, 2020 09:44
AWS IAM role boundary excpection example

We have an s3 bucket with an inline resource-based policy granting full access to an iam user and an iam role. Both principals (user and role) have no identity-based policies and are bounded by a policy allowing only sts:GetCallerIdentity. Since resource-based policies are not affected by permissions boundaries, both principals should be able to get objects from the bucket. However, only the user can, the role gets "Access Denied". If we remove the permission boundary from the role, then it can get the object without issue. This is the behaviour we find confusing

We are assuming the role via aws cli, so I don't think session policies are getting in the way (plus removing the boundary from the role fixes the problem, so the boundary seems to be the entity blocking access).

Below are the details of the scenario. Let me know if you need anything else, either by email or slack. Thanks!


Bucket policy:

george-angel /
Last active July 23, 2020 12:22
2020-07 kube-applier spec

kube-applier v3


applied namespace

george-angel /
Last active June 19, 2024 07:23
Kubernetes new CA announcement

Hello :megaphone:

dev-merit has a new CA certificate, please update locally running $ make ca-certs-install from inside kubernetes-manifests/ (must be on PA VPN/Wiresteward)

Verify new expiry date:

$ make ca-certs-dates | grep -A1 dev-merit
 Not After : Jan 22 00:35:00 2026 GMT
george-angel /
Created June 19, 2024 11:28
So you want to run an operator

So you want to deploy an Operator

You might be exploring a tool and find a section to "Run this as an operator in your Kubernetes cluster". That sounds swell, you run one magic command, some make install and now you can define some config to just make things work.

On paper that sounds good, but there are few unspoken considerations.