
Liz Rice lizrice

@lizrice
lizrice / main.go
Created August 25, 2016 10:02
Container from scratch
package main
// @lizrice, mostly copied from @doctor_julz: https://gist.github.com/julz/c0017fa7a40de0543001
import (
	"fmt"
	"os"
	"os/exec"
	"syscall"
)
@lizrice
lizrice / hello_map.py
Last active July 19, 2023 08:20
eBPF hello world
#!/usr/bin/python
from bcc import BPF
from time import sleep
# This outputs a count of how many times the clone and execve syscalls have been made
# showing the use of an eBPF map (called syscall).
program = """
BPF_HASH(syscall);
@lizrice
lizrice / vpc-fargate.yaml
Created January 23, 2018 18:01
Cloudformation template for setting up VPC and subnets for Fargate
# Usage:
# aws cloudformation --region <region> create-stack --stack-name <stack name> --template-body file://vpc-fargate.yaml
# This template will:
#   Create a VPC with:
#     2 Public Subnets
#     2 Private Subnets
#     An Internet Gateway (with routes to it for Public Subnets)
#     A NAT Gateway for outbound access (with routes from Private Subnets set to use it)
#
@lizrice
lizrice / kubelet-api.md
Last active March 15, 2023 12:13
Checking Kubelet API access

Accessing Kubelet API

curl -sk https://localhost:10250/pods/
  • If --anonymous-auth is turned off, you will see a 401 Unauthorized response.
  • If --anonymous-auth is true and --authorization-mode is Webhook, you'll see a 403 Forbidden response with the message Forbidden (user=system:anonymous, verb=get, resource=nodes, subresource=proxy)
  • If --anonymous-auth is true and --authorization-mode is AlwaysAllow, you'll see a list of pods.
@lizrice
lizrice / Vagrantfile
Last active February 3, 2023 02:21
Vagrant file for setting up a single-node Kubernetes cluster that I can access from my desktop. Read more: https://medium.com/@lizrice/kubernetes-in-vagrant-with-kubeadm-21979ded6c63
# -*- mode: ruby -*-
# vi: set ft=ruby :
# This script to install Kubernetes will get executed after we have provisioned the box
$script = <<-SCRIPT
# Install kubernetes
apt-get update && apt-get install -y apt-transport-https
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
@lizrice
lizrice / gist:28ffe1d26ebf17b2713b76624aba15f3
Created March 16, 2022 19:49
Delete all the Cilium BPF things
sudo docker run -v /sys/fs/bpf:/sys/fs/bpf --privileged --net=host cilium/cilium:stable cilium cleanup -f --all-state
@lizrice
lizrice / who-can.yaml
Created July 13, 2020 17:36
Role & RoleBinding as an example for who-can
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-runner
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["create", "delete", "get", "watch", "list"]
---
@lizrice
lizrice / Vagrantfile
Last active July 13, 2020 03:38
Preventative Kubernetes Security demo
# -*- mode: ruby -*-
# vi: set ft=ruby :
# After loading this
# Install a pod network
# $ kubectl apply -f https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')
# Allow pods to run on the master node
# $ kubectl taint nodes --all node-role.kubernetes.io/master-
@lizrice
lizrice / stars.html
Created June 15, 2020 18:11
Stargazer count
<!DOCTYPE html>
<html lang="en">
  <head>
    <script src="https://unpkg.com/axios/dist/axios.min.js"></script>
  </head>
  <body>
    <p>Project <span id="repo">aquasecurity/trivy</span> <span id="starcount"></span></p>
  </body>
  <script>
    function getStarcount(repo, resultElement) {
@lizrice
lizrice / Vagrantfile
Created March 7, 2019 16:23
Openshift single-node cluster Vagrantfile
$ cat Vagrantfile
# -*- mode: ruby -*-
# vi: set ft=ruby :
$script = <<-SCRIPT
cat > /etc/docker/daemon.json << EOF
{
  "insecure-registries": [
    "172.30.0.0/16"