George Goh georgegoh

## gist:24d0dc5c56e596a573d6af96596dc5e2
kubectl get role -A -o json | jq '.items[] | . as $role | .rules[] | .resources | if any(. == "podsecuritypolicies") then $role else empty end' \
| jq --arg psp $PSP 'try . as $role | .rules[] | .resourceNames | if any(. == $PSP) then $role else empty end'

## privileged_psps.sh
kubectl get psp -o json | jq -r '.items[] | if .spec.privileged or .spec.allowPrivilegeEscalation then .metadata.name else empty end'

## gist:d3ccd5662a3709b179a585d488cec012
# (vSphere w/ Tanzu) allow any service account to run pods with restricted privileges.
kubectl create clusterrolebinding all:psp:restricted \
               --clusterrole=psp:vmware-system-restricted \
               --group=system:serviceaccounts

## gist:dc8af5b81ea17a63bde1f16fd0df650b
ETCDCTL_API=3 /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/18/fs/usr/local/bin/etcdctl \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key \
  get /registry/secrets/default/secret1

## get_images.sh
yq e '.. | select(has("repository")) | .repository + "/" + .name + ":" + .tag' values.yaml

## gist:044da30fb053110c755246ea330a75b2
kubectl get nodes -o=go-template --template='{{range .items}}{{range .status.addresses}}{{if eq .type "ExternalIP" }}{{.address}}{{printf "\n"}}{{end}}{{end}}{{end}}'

## debug-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: debug
  name: debug
  namespace: default
spec:
  containers:
  - args:

## clusterctl-config.sh
clusterctl --config=clusterctl.yaml config cluster k8s-quickstart \
    --infrastructure vsphere:v0.6.0-rc.2 \
    --kubernetes-version v1.17.3 \
    --control-plane-machine-count 1 --worker-machine-count 3 > cluster.yaml

## clusterctl.yaml
## -- Controller settings -- ##
VSPHERE_USERNAME: "k8s-admin@vsphere.local".                  # The username used to access the remote vSphere endpoint
VSPHERE_PASSWORD: "Demo123!"                                  # The password used to access the remote vSphere endpoint

## -- Required workload cluster default settings -- ##
VSPHERE_SERVER: "vcenter.lab.spodon.com"                      # The vCenter server IP or FQDN
VSPHERE_DATACENTER: "Datacenter"                              # The vSphere datacenter to deploy the management cluster on
VSPHERE_DATASTORE: "ssd01"                                    # The vSphere datastore to deploy the management cluster on
VSPHERE_NETWORK: "VM Network"                                 # The VM network to deploy the management cluster on
VSPHERE_RESOURCE_POOL: "*/Resources"                          # The vSphere resource pool for your VMs

## clusterctl-kind-bootstrap.sh
kind create cluster --name=clusterapi

clusterctl --config=clusterctl.yaml init \
  --core cluster-api:v0.3.0-rc.3 \
  --bootstrap kubeadm:v0.3.0-rc.3 \
  --control-plane kubeadm:v0.3.0-rc.3 \
  --infrastructure vsphere:v0.6.0-rc.2
	kubectl get role -A -o json \| jq '.items[] \| . as $role \| .rules[] \| .resources \| if any(. == "podsecuritypolicies") then $role else empty end' \
	\| jq --arg psp $PSP 'try . as $role \| .rules[] \| .resourceNames \| if any(. == $PSP) then $role else empty end'
	# (vSphere w/ Tanzu) allow any service account to run pods with restricted privileges.
	kubectl create clusterrolebinding all:psp:restricted \
	--clusterrole=psp:vmware-system-restricted \
	--group=system:serviceaccounts
	ETCDCTL_API=3 /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/18/fs/usr/local/bin/etcdctl \
	--cacert=/etc/kubernetes/pki/etcd/ca.crt \
	--cert=/etc/kubernetes/pki/etcd/server.crt \
	--key=/etc/kubernetes/pki/etcd/server.key \
	get /registry/secrets/default/secret1
	apiVersion: v1
	kind: Pod
	metadata:
	labels:
	run: debug
	name: debug
	namespace: default
	spec:
	containers:
	- args:
	clusterctl --config=clusterctl.yaml config cluster k8s-quickstart \
	--infrastructure vsphere:v0.6.0-rc.2 \
	--kubernetes-version v1.17.3 \
	--control-plane-machine-count 1 --worker-machine-count 3 > cluster.yaml
	## -- Controller settings -- ##
	VSPHERE_USERNAME: "k8s-admin@vsphere.local". # The username used to access the remote vSphere endpoint
	VSPHERE_PASSWORD: "Demo123!" # The password used to access the remote vSphere endpoint

	## -- Required workload cluster default settings -- ##
	VSPHERE_SERVER: "vcenter.lab.spodon.com" # The vCenter server IP or FQDN
	VSPHERE_DATACENTER: "Datacenter" # The vSphere datacenter to deploy the management cluster on
	VSPHERE_DATASTORE: "ssd01" # The vSphere datastore to deploy the management cluster on
	VSPHERE_NETWORK: "VM Network" # The VM network to deploy the management cluster on
	VSPHERE_RESOURCE_POOL: "*/Resources" # The vSphere resource pool for your VMs
	kind create cluster --name=clusterapi

	clusterctl --config=clusterctl.yaml init \
	--core cluster-api:v0.3.0-rc.3 \
	--bootstrap kubeadm:v0.3.0-rc.3 \
	--control-plane kubeadm:v0.3.0-rc.3 \
	--infrastructure vsphere:v0.6.0-rc.2