janeczku

Customizing CoreDNS configmap

Generally you should use K8s services objects to define custom DNS mappings. However some advanced DNS setups might not be possible then, for example if you need to create wildcard DNS aliases.

In this case, you can create custom DNS records in the cluster's internal DNS service (kube-dns) by editing the coredns configmap like below. Here we are adding the file plugin to describe an authoritative zone containing a wildcard A record and we also create the required zone file.

apiVersion: v1
kind: ConfigMap

janeczku

Insiderwissen NeuVector

Zero Drift

• So while in zero drift mode if the process that you are blocking is either pid 1 or is started by pid 1 then Neuvector will not block it
• Zero drift is more permissive that basic mode! :-P
• Zero drift mode would seem to enforce more secure configurations? Do you know why it allows for more permissive actions?
• NeuVector will not block processes that are also used by Kubernetes.
• https://open-docs.neuvector.com/policy/processrules#zero-drift-process-protection

janeczku

#!bin/bash
N=20
task(){
  kubectl patch -n hobbyfarm instances.ec2.cattle.io $1 \
    --type json \
    --patch='[ { "op": "remove", "path": "/metadata/finalizers" } ]'
}
RESOURCES=$(kubectl -n hobbyfarm get instances.ec2.cattle.io --no-headers -o custom-columns=":metadata.name")
for n in $RESOURCES
do

janeczku

Usage

1. Deploy NFS server to a K8s cluster

kubectl apply -f https://t.ly/m-flt

2. In the same or a different cluster create a NFS backup target in Longhorn:
   a) Navigate to Longhorn UI -> Settings -> General -> Backup target
   b) Enter the following URL, replacing with the IP address of any node of the K8s cluster running the NFS server, then click 'Save':

janeczku

1. Before installing RKE2 on the node create the following file:

# /var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
 namespace: kube-system

janeczku

apiVersion: apps/v1
kind: Deployment
metadata:
  name: cpu-stress
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: cpu-stress

janeczku

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  template:

janeczku

apiVersion: argoproj.io/v1alpha1
kind: EventSource
metadata:
  name: resource
spec:
  template:
    serviceAccountName: your-service-account
  resource:
    capi-cluster:
      namespace: fleet-default

janeczku

# Adding the following config stanza to all the Harvester create|join configs will create
# a custom cloud-config `/oem/95_user.yaml` during the (early) "initramfs" cloud-init stage
# of the initial Harvester boot.
# This cloud-config will be executed on each system (re-)boot during the (late) "boot" cloud-init
# stage and may contain any cloud-init directives supported by the cOS Toolkit:
# See https://rancher.github.io/elemental-toolkit/docs/reference/cloud_init/
# Additionally, any files added to the /oem folder in day-2 are persistent and won’t be overwritten
# during Harvester upgrades.

  write_files:

janeczku

# Filename: /oem/95_user.yaml
# Ref: https://rancher.github.io/elemental-toolkit/docs/customizing/stages/
name: "User Config"
stages:
  initramfs:
    - name: "Drop unit file"
      files:
      - path: /etc/systemd/system/update-ca.service
          content: |
          [Unit]