
@janeczku
janeczku / rancher-argocd.md
Created June 10, 2020 14:10
How to register Rancher managed Kubernetes clusters in Argo CD

Registering Rancher managed clusters in Argo CD doesn't work out of the box unless the Authorized Cluster Endpoint is used. Many users will prefer an integration of Argo CD via the central Rancher authentication proxy (which shares the network endpoint of the Rancher API/GUI). So let's find out why registering clusters via Rancher auth proxy fails and how to make it work.

Hint: If you are just looking for the solution scroll to the bottom of this page.

Why do I get an error when running argocd cluster add?

Service Account tokens and the Rancher authentication proxy

@janeczku
janeczku / 01-multus-k3s.md
Last active April 16, 2024 03:48
Multus CNI with k3s and RKE

Using Multus CNI in K3S

By default, K3S runs with flannel as the CNI and uses custom directories to store CNI plugin binaries and config files (you can inspect the kubelet args K3S uses via journalctl -u k3s | grep cni-conf-dir). So you need to configure those directories accordingly when deploying Multus CNI.

For example given the official Multus manifests in https://github.com/intel/multus-cni/blob/36f2fd64e0965e639a0f1d17ab754f0130951aba/images/multus-daemonset.yml, the following changes are needed:

volumes:
 - name: cni
@janeczku
janeczku / rancher-url-change.md
Last active March 18, 2024 17:37
Change the hostname/URL and certificate of an existing Rancher installation

Steps to change the URL of a Rancher installation and switch from a self-signed certificate to a certificate signed by a recognized CA.

  1. Change the Rancher server-url setting to the new URL:
    • Navigate to https://<old_rancher_hostname>/g/settings/advanced
    • Edit server-url to https://<new_rancher_hostname>
  2. Clear the private CA certificate for the old certificate
    • Navigate to https://<old_rancher_hostname>/g/settings/advanced
    • Next to cacerts click context menu -> View in API
    • Click Edit
    • Clear the content of the value field
@janeczku
janeczku / mac-os-trust-custom-ca.md
Last active March 18, 2024 12:30
How to trust custom, self-signed certificates by adding the CA cert to the macOS keychain

Method 1: Add the CA cert to the system certificate store

$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt

Method 2: Add the CA cert to the user's local keychain only

$ sudo security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain ca.crt
@janeczku
janeczku / k8s-coredns-configmap.md
Last active February 20, 2024 11:59
K8s External Service Example

Customizing CoreDNS configmap

Generally you should use K8s Service objects to define custom DNS mappings. However, some advanced DNS setups are not possible that way, for example creating wildcard DNS aliases.

In this case, you can create custom DNS records in the cluster's internal DNS service (kube-dns) by editing the coredns ConfigMap as shown below. Here we add the file plugin to serve an authoritative zone containing a wildcard A record, and we also create the required zone file.

apiVersion: v1
kind: ConfigMap
@janeczku
janeczku / nv-trck.md
Created February 13, 2024 18:49
NeuVector Bag of Tricks

NeuVector Insider Knowledge

Zero Drift

  • So while in zero drift mode, if the process that you are blocking is either PID 1 or is started by PID 1, then NeuVector will not block it
  • Zero drift is more permissive than basic mode! :-P
  • Zero drift mode would seem to enforce more secure configurations? Do you know why it allows for more permissive actions?
  • NeuVector will not block processes that are also used by Kubernetes.
  • https://open-docs.neuvector.com/policy/processrules#zero-drift-process-protection
@janeczku
janeczku / remove-finalizers.sh
Created February 13, 2024 11:50
Batch delete finalizers Kubernetes
#!/bin/bash
# Remove the finalizers from all instances.ec2.cattle.io objects in the hobbyfarm
# namespace, patching up to N objects concurrently.
N=20
task(){
  kubectl patch -n hobbyfarm instances.ec2.cattle.io "$1" \
    --type json \
    --patch='[ { "op": "remove", "path": "/metadata/finalizers" } ]'
}
RESOURCES=$(kubectl -n hobbyfarm get instances.ec2.cattle.io --no-headers -o custom-columns=":metadata.name")
for n in $RESOURCES
do
  # The loop body is cut off in the gist preview; the batching below is an assumed
  # reconstruction: wait for the current batch of N background jobs before starting the next.
  ((i=i%N)); ((i++==0)) && wait
  task "$n" &
done
wait
@janeczku
janeczku / ganesha-nfs.md
Last active February 2, 2024 15:04
User-space NFS Server for deployment in Kubernetes (Note: NFSv4 only, non-standard NFS port 32049/tcp)

Usage

  1. Deploy the NFS server to a K8s cluster:
     kubectl apply -f https://t.ly/m-flt
  2. In the same or a different cluster, create an NFS backup target in Longhorn:
    a) Navigate to Longhorn UI -> Settings -> General -> Backup target
    b) Enter the following URL, replacing with the IP address of any node of the K8s cluster running the NFS server, then click 'Save':
@janeczku
janeczku / clusterflow-archive.yaml
Last active January 15, 2024 09:31
Banzai Cluster Logging Elasticsearch Example
apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterFlow
metadata:
  name: archive
spec:
  match:
  - select: {}
  outputRefs:
  - s3
@janeczku
janeczku / 01-k3s-rpi-single-node.md
Created May 29, 2020 11:43
Configuration of k3s for single-node clusters to optimize performance on low power Raspberry Pi devices

Requirements

  • Raspberry Pi 3b+, CM3 or 4
  • 16GB+ SDHC card certified A1 or A2 grade to provide sufficient IO performance. Example: SanDisk Extreme microSDHC

Installation Steps

  1. Flash Ubuntu 18.04 LTS 64-bit Raspberry Pi disk image to the SD-card
  2. Either mount the boot partition on the same machine used to flash the image (Hint: sudo mkdir -p /mnt/rpi-boot && sudo mount -t vfat -o uid=root /dev/mmcblk0p1 /mnt/rpi-boot) or boot the Raspberry Pi once to apply the configuration changes below.
  3. Enable the missing cgroups by appending two arguments to /boot/firmware/nobtcmd.txt: