api.neuvector.com // apiGroup for NeuVector
[resource display] [resource]
--------------------------------------------------
"All Permissions": nv-perm.all-permissions
"Admission Control": nv-perm.admctrl
"Audit Events": nv-perm.audit-events
"Authentication": nv-perm.authentication
echo "** installing required packages"
SUSEConnect -p sle-module-public-cloud/15.7/x86_64
sudo zypper install cloud-init cloud-init-config-suse open-vm-tools open-iscsi
echo "** enabling services"
systemctl enable cloud-init-local.service
systemctl enable cloud-init.service
systemctl enable cloud-config.service
systemctl enable cloud-final.service
systemctl disable firewalld
Generally you should use K8s Service objects to define custom DNS mappings. However, some advanced DNS setups are not possible that way, for example if you need to create wildcard DNS aliases.
In this case, you can create custom DNS records in the cluster's internal DNS service (kube-dns) by editing the coredns configmap as shown below.
Here we add the file plugin to describe an authoritative zone containing a wildcard A record, and we also create the required zone file.
apiVersion: v1
kind: ConfigMap
- So while in zero drift mode, if the process that you are blocking is either pid 1 or is started by pid 1, then NeuVector will not block it
- Zero drift is more permissive than basic mode! :-P
- Zero drift mode would seem to enforce more secure configurations? Do you know why it allows for more permissive actions?
- NeuVector will not block processes that are also used by Kubernetes.
- https://open-docs.neuvector.com/policy/processrules#zero-drift-process-protection
#!/bin/bash
N=20
# Strip the finalizers from one instance so a pending delete can complete
task(){
  kubectl patch -n hobbyfarm instances.ec2.cattle.io "$1" \
    --type json \
    --patch='[ { "op": "remove", "path": "/metadata/finalizers" } ]'
}
# Names of all instances.ec2.cattle.io objects in the hobbyfarm namespace
RESOURCES=$(kubectl -n hobbyfarm get instances.ec2.cattle.io --no-headers -o custom-columns=":metadata.name")
for n in $RESOURCES
do
- Deploy NFS server to a K8s cluster
kubectl apply -f https://t.ly/m-flt
- In the same or a different cluster, create an NFS backup target in Longhorn:
a) Navigate to Longhorn UI -> Settings -> General -> Backup target
b) Enter the following URL, replacing with the IP address of any node of the K8s cluster running the NFS server, then click 'Save':
- Before installing RKE2 on the node create the following file:
# /var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cpu-stress
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: cpu-stress
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  template:
apiVersion: argoproj.io/v1alpha1
kind: EventSource
metadata:
  name: resource
spec:
  template:
    serviceAccountName: your-service-account
  resource:
    capi-cluster:
      namespace: fleet-default