This is a quick example of how to use OPA as a Mutating Admission Controller in Kubernetes 1.9.
- Register OPA as a MutatingAdmissionWebhook
- Load a policy to test mutation
- Exercise the policy
Jesse Sanford jessesanford
mustafakirimli
/ enable_vmx.sh
Last active
December 15, 2022 20:02
Enable nested virtualization on GKE (be careful when running)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| # $IG_URLS as env | |
| # GET auth token to be used in curl/rest api | |
| AUTH_TOKEN=$(gcloud auth print-access-token) |
jessesanford
/ ssl.sh
Last active
February 23, 2021 20:35
— forked from alex-leonhardt/ssl.sh
Create signed SSL cert with K8S CA
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /bin/bash | |
| set -o errexit | |
| export APP="${1:-mutateme}" | |
| export NAMESPACE="${2:-default}" | |
| export CSR_NAME="${APP}.${NAMESPACE}.svc" | |
| echo "... creating ${app}.key" | |
| openssl genrsa -out ${APP}.key 2048 |
Piotr1215
/ k8s-bookmarks-CKA-CKAD.html
Last active
January 4, 2024 18:15
K8s bookmarks for CKA, CKAD and CKS exams
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE NETSCAPE-Bookmark-file-1> | |
| <!-- This is an automatically generated file. | |
| It will be read and overwritten. | |
| DO NOT EDIT! --> | |
| <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8"> | |
| <TITLE>Bookmarks</TITLE> | |
| <H1>Bookmarks</H1> | |
| <DL><p> | |
| <DT><H3 ADD_DATE="1626629115" LAST_MODIFIED="1626629462" PERSONAL_TOOLBAR_FOLDER="true">Bookmarks bar</H3> | |
| <DL><p> |
MCMrARM
/ 91-pulseaudio-custom.rules
Created
August 30, 2019 19:22
System configuration files for the T2 audio driver (https://github.com/MCMrARM/mbp2018-bridge-drv/)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SUBSYSTEM!="sound", GOTO="pulseaudio_end" | |
| ACTION!="change", GOTO="pulseaudio_end" | |
| KERNEL!="card*", GOTO="pulseaudio_end" | |
| SUBSYSTEMS=="pci", ATTRS{vendor}=="0x106b", ATTRS{device}=="0x1803", ENV{PULSE_PROFILE_SET}="apple-t2.conf" | |
| LABEL="pulseaudio_end" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /bin/sh | |
| set -o errexit | |
| export APP="${1:-mutateme}" | |
| export NAMESPACE="${2:-default}" | |
| export CSR_NAME="${APP}.${NAMESPACE}.svc" | |
| echo "... creating ${app}.key" | |
| openssl genrsa -out ${APP}.key 2048 |
jessesanford
/ .chunkwmrc
Created
January 3, 2019 19:05
— forked from shihanng/.chunkwmrc
chunkwm + skhd
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # NOTE: specify the absolutepath to the directory to use when | |
| # loading a plugin. '~' expansion is supported. | |
| # | |
| chunkc core::plugin_dir /usr/local/opt/chunkwm/share/chunkwm/plugins | |
| # |
jjo
/ kubectl-root-in-host-nopriv.sh
Last active
February 5, 2024 23:07
Yeah. Get a root shell at any Kubernetes *node* via `privileged: true` + `nsenter` sauce. PodSecurityPolicy will save us. DenyExecOnPrivileged didn't (kubectl-root-in-host-nopriv.sh exploits it)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # Launch a Pod ab-using a hostPath mount to land on a Kubernetes node cluster as root | |
| # without requiring `privileged: true`, in particular can abuse `DenyExecOnPrivileged` | |
| # admission controller. | |
| # Pod command in turn runs a privileged container using node's /var/run/docker.sock. | |
| node=${1} | |
| case "${node}" in | |
| "") | |
| nodeSelector='' | |
| podName=${USER+${USER}-}docker-any |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| VAULT_PATH=$1 | |
| ROLE=$2 | |
| DURATION=$3 | |
| if [ -z "$VAULT_ADDR" ]; then | |
| echo "Missing VAULT_ADDR env variable" | |
| exit 1 | |
| fi | |
| if [ -z "$VAULT_PATH" ]; then |
tsandall
/ mutating.md
Created
February 21, 2018 17:26
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # NOTE: specify the absolutepath to the directory to use when | |
| # loading a plugin. '~' expansion is supported. | |
| # | |
| chunkc core::plugin_dir /usr/local/opt/chunkwm/share/chunkwm/plugins | |
| # |
NewerOlder