eBPF is the future

Liz Rice lizrice

lizrice / who-can.yaml
Created Jul 13, 2020
Role & RoleBinding as an example for who-can
kind: Role
namespace: default
name: pod-runner
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["create", "delete", "get", "watch", "list"]
lizrice / stars.html
Created Jun 15, 2020
Stargazer count
<!DOCTYPE html>
<html lang="en">
<script src=""></script>
<p>Project <span id="repo">aquasecurity/trivy</span> <span id="starcount"></span></p>
function getStarcount(repo, resultElement) {
lizrice / metadata
Last active Nov 4, 2019
Trivy project CLA
"name": {
"title": "Full Name",
"type": "string",
"githubKey": "name"
"email": {
"title": "E-Mail",
"type": "string",
"githubKey": "email",
lizrice / variable.go
Created Aug 17, 2019
Variables in functions in Go
func main() {
x := 1
f := func() {
fmt.Printf("x is %d\n", x)
x = 2
lizrice /
Last active Aug 22, 2019
Contributor License Agreement

I hereby irrevocably assign all of my right, title and interest in and to my past, present and future contributions to the Name of project Open Source project (“Contributions”) to Recipient, and irrevocably waive and release all rights and claims in respect thereof (including all moral rights or similar rights), without the right to receive any compensation or royalties.

I hereby represent and warrant that I am the sole author of the Contributions, which are my original creations, that I have the legal right to make the assignment set forth above, and that no Contributions are subject to any claim of ownership or otherwise by my employer or any other organization with which I may be affiliated in any way.

lizrice /
Last active Aug 20, 2021
eBPF hello world
from bcc import BPF
from time import sleep
# This outputs a count of how many times the clone and execve syscalls have been made
# showing the use of an eBPF map (called syscall).
program = """
lizrice / Vagrantfile
Created Mar 7, 2019
Openshift single-node cluster Vagrantfile
$ cat Vagrantfile
# -*- mode: ruby -*-
# vi: set ft=ruby :
$script = <<-SCRIPT
cat > /etc/docker/daemon.json << EOF
"insecure-registries": [
lizrice / Vagrantfile
Last active Jul 13, 2020
Preventative Kubernetes Security demo
# -*- mode: ruby -*-
# vi: set ft=ruby :
# After loading this
# Install a pod network
# $ kubectl apply -f$(kubectl version | base64 | tr -d '\n')
# Allow pods to run on the master node
# $ kubectl taint nodes --all
lizrice /
Last active Sep 21, 2021
Checking Kubelet API access

Accessing Kubelet API

curl -sk https://localhost:10250/pods/
  • If --anonymous-auth is turned off, you will see a 401 Unauthorized response.
  • If --anonymous-auth is true and --authorization-mode is Webhook, you'll see a 403 Forbidden response with the message Forbidden (user=system:anonymous, verb=get, resource=nodes, subresource=proxy).
  • If --anonymous-auth is true and --authorization-mode is AlwaysAllow, you'll see a list of pods.
lizrice / Vagrantfile
Last active Jul 13, 2021
Vagrant file for setting up a single-node Kubernetes cluster that I can access from my desktop. Read more:
# -*- mode: ruby -*-
# vi: set ft=ruby :
# This script to install Kubernetes will get executed after we have provisioned the box
$script = <<-SCRIPT
# Install kubernetes
apt-get update && apt-get install -y apt-transport-https
curl -s | apt-key add -
cat <<EOF >/etc/apt/sources.list.d/kubernetes.list