jjo
/ psp.jsonnet
Last active
June 14, 2019 19:08
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| local kube = (import "lib/kube.libsonnet") { | |
| PodSecurityPolicy(name):: kube._Object("policy/v1beta1", "PodSecurityPolicy", name) { | |
| metadata+: { | |
| assert !std.objectHas(self, "namespace"): "PSPs are not namespaced", | |
| }, | |
| }, | |
| }; | |
| { |
jjo
/ sapito-docker-compose-debug.out
Created
May 13, 2019 18:04
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| jjo@sapito:~/coro/clases-devops/c01/p01/api_jwt$ docker-compose up | |
| Starting api_jwt_init_1 ... done | |
| Starting api_jwt_main_1 ... done | |
| Starting api_jwt_test_1 ... done | |
| Attaching to api_jwt_init_1, api_jwt_main_1, api_jwt_test_1 | |
| init_1 | fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/APKINDEX.tar.gz | |
| test_1 | fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/APKINDEX.tar.gz | |
| init_1 | fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/community/x86_64/APKINDEX.tar.gz | |
| main_1 | Server started at 3001 | |
| init_1 | v3.8.4-63-g0ce51efa7e [http://dl-cdn.alpinelinux.org/alpine/v3.8/main] |
jjo
/ resourceConfigAddCmd
Created
March 1, 2019 20:56
https://github.com/bitnami-labs/kubewatch/pull/165 feedback for cmd/resource.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var resourceConfigAddCmd = &cobra.Command{ | |
| Use: "add", | |
| Short: "adds specific resources to be watched", | |
| Long: `adds specific resources to be watched`, | |
| Run: func(cmd *cobra.Command, args []string) { | |
| conf, err := config.New() | |
| if err != nil { | |
| logrus.Fatal(err) | |
| } | |
| flags := []struct { |
jjo
/ docker-runc-cve-replace.sh
Last active
February 15, 2019 08:08
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # Workaround CVE-2019-5736 via patched runc provided by | |
| # https://github.com/rancher/runc-cve | |
| # The script does: | |
| # 1) find "docker-runc" executable and docker version | |
| # 2) download corresponding patched runc | |
| # 3) dpkg-divert (ie "permanently move") pkg installed runc and replace it by 2) | |
| # | |
| # Run with "-n" for dry-run. |
jjo
/ kube-router.ds.yaml
Created
January 11, 2019 22:38
kube-router v0.2.4 DaemonSet running on a Raspberry PI B+ cluster (ARMv7)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Output from: | |
| # kubectl get ds --namespace=kube-system kube-router -oyaml | |
| apiVersion: extensions/v1beta1 | |
| kind: DaemonSet | |
| metadata: | |
| creationTimestamp: "2018-12-04T20:17:44Z" | |
| generation: 2 | |
| labels: | |
| k8s-app: kube-router | |
| tier: node |
jjo
/ kube-router.ds.yaml
Created
January 11, 2019 22:37
kube-router v0.2.4 DaemonSet running on a Raspberry PI B+ cluster (ARMv7)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: extensions/v1beta1 | |
| kind: DaemonSet | |
| metadata: | |
| creationTimestamp: "2018-12-04T20:17:44Z" | |
| generation: 2 | |
| labels: | |
| k8s-app: kube-router | |
| tier: node | |
| name: kube-router |
jjo
/ node-custom-setup.yaml
Last active
January 28, 2023 03:23
Run commands at Kubernetes *nodes* via `privileged` DaemonSet + `nsenter` hack, very useful for setups requiring base packages pre-installed at nodes. Please take a moment to understand what it does, and *don't* use it for *production*. Grab the logs with: kubectl logs -n kube-system -l k8s-app=node-custom-setup -c init-node
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: extensions/v1beta1 | |
| kind: DaemonSet | |
| metadata: | |
| namespace: kube-system | |
| name: node-custom-setup | |
| labels: | |
| k8s-app: node-custom-setup | |
| annotations: | |
| command: &cmd apt-get update -qy && apt-get install -qy tgt ceph-fs-common ceph-common xfsprogs |
jjo
/ kubespray-pr3532-output-example.log
Created
October 17, 2018 00:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| test-some_distros-most_CNIs.env-01.out:INFO: [2018-10-15T19:22:05+00:00] debian[kube_network_plugin=calico {"kubeadm_enabled":true}] START: file_out=./out/test-some_distros-most_CNIs.env-01.out | |
| test-some_distros-most_CNIs.env-01.out:PASS: [2018-10-15T19:26:03+00:00] debian[kube_network_plugin=calico {"kubeadm_enabled":true}]}: dind-nodes | |
| test-some_distros-most_CNIs.env-01.out:PASS: [2018-10-15T19:46:38+00:00] debian[kube_network_plugin=calico {"kubeadm_enabled":true}]}: kubespray | |
| test-some_distros-most_CNIs.env-01.out:kube-system calico-kube-controllers-84b474f7c5-mn99n 1/1 Running 0 2m1s | |
| test-some_distros-most_CNIs.env-01.out:kube-system calico-node-248sq 1/1 Running 0 2m25s | |
| test-some_distros-most_CNIs.env-01.out:kube-system calico-node-4t2mq 1/1 Running 0 2m25s | |
| test-some_distros-most_CNIs.env-01.out:kube-system calico-node-74xdj 1/1 Running 0 2m24s |
jjo
/ pod-privileged.yaml
Last active
August 8, 2018 14:45
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| creationTimestamp: null | |
| labels: | |
| run: jjo-alp | |
| name: jjo-alp | |
| spec: | |
| initContainers: | |
| - args: |
jjo
/ kubectl-root-in-host-nopriv.sh
Last active
February 5, 2024 23:07
Yeah. Get a root shell at any Kubernetes *node* via `privileged: true` + `nsenter` sauce. PodSecurityPolicy will save us. DenyExecOnPrivileged didn't (kubectl-root-in-host-nopriv.sh exploits it)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # Launch a Pod ab-using a hostPath mount to land on a Kubernetes node cluster as root | |
| # without requiring `privileged: true`, in particular can abuse `DenyExecOnPrivileged` | |
| # admission controller. | |
| # Pod command in turn runs a privileged container using node's /var/run/docker.sock. | |
| node=${1} | |
| case "${node}" in | |
| "") | |
| nodeSelector='' | |
| podName=${USER+${USER}-}docker-any |