- https://kubernetes.io/docs/user-guide/kubectl-cheatsheet/
- https://github.com/devoriales/kubectl-cheatsheet
- https://learncloudnative.com/blog/2022-05-10-kubectl-tips
- https://itnext.io/tips-tricks-for-cka-ckad-and-cks-exams-cc9dade1f76d
- https://cloud.google.com/anthos/gke/docs/on-prem/reference/cheatsheet
(still a work-in-progress)
Secrets such as AWS access keys and secrets, Google service account JSON files, database IDs and passwords etc. can be easily encrypted and decrypted with https://cloud.google.com/kms/. Cloud KMS does not directly store secrets. It encrypts secrets that you store elsewhere; only the key itself is stored within KMS.
Let's illustrate with a real-world example step by step. We can encrypt and decrypt a service account JSON file for compute instances. These instances are part of an Elasticsearch cluster. The Google Cloud admin creates the service account. The service account is used by Terraform to provision the compute instances as shown in https://www.terraform.io/docs/providers/google/r/compute_instance.html. The developers want a copy of the service account's JSON file so that they can develop and test against the Elasticsearch cluster. The Google Cloud admin creates the plain-text service account JSON file; where and how should it be stored safely and securely? Storing on admin's laptop is not 100% safe and secur
- Create a bastion VM in your data center or in the cloud with connectivity set up (usually VPN) to the on-prem data center.
- Install tinyproxy on the bastion VM and pick a random port, as the default 8888 would be too easy for spam bots; set it up as a systemd service according to https://nxnjz.net/2019/10/how-to-setup-a-simple-proxy-server-with-tinyproxy-debian-10-buster/. Make sure it works by validating with `curl --proxy http://127.0.0.1:<tinyproxy-port> https://httpbin.org/ip`. I don't use any user authentication for the proxy, so I locked down the firewall rules to my laptop IP/32.
- Download the kubeconfig file for the k8s cluster to your laptop.
- From your laptop, run `HTTPS_PROXY=<bastion-external-ip>:<tinyproxy-port> KUBECONFIG=my-kubeconfig kubectl get nodes`
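An added example (not part of the original notes) that turns the two hardening points above into checks: it renders a minimal tinyproxy.conf that refuses the default port 8888 and any Allow rule wider than a single host, and wraps the kubectl call so the bastion proxy and kubeconfig are always passed explicitly. The function names, the port 43117 and the address 203.0.113.10 are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes. Function names, the port and
# the client address below are assumptions chosen for illustration.
set -eu

# Render a tinyproxy config for the bastion. Refuses the default port 8888
# and any Allow rule that is not a single host (/32), matching the
# "random port + firewall locked to laptop IP/32" advice in the notes.
render_tinyproxy_conf() {
    port="$1"      # non-default listen port
    client="$2"    # admin laptop public IP, as a /32
    if [ "$port" = "8888" ]; then
        echo "refusing default tinyproxy port 8888" >&2
        return 1
    fi
    case "$client" in
        */32) ;;
        *) echo "Allow rule must be a single host (/32): $client" >&2; return 1 ;;
    esac
    printf 'Port %s\nTimeout 600\nMaxClients 10\n' "$port"
    # With at least one Allow line present, tinyproxy denies every other client.
    printf 'Allow %s\n' "$client"
    # Do not advertise the proxy hop to upstream servers.
    printf 'DisableViaHeader Yes\n'
}

# Run kubectl from the laptop through the bastion proxy with an explicit kubeconfig.
# Usage: proxy_kubectl <bastion-external-ip> <tinyproxy-port> <kubeconfig> get nodes
proxy_kubectl() {
    bastion_ip="$1"; port="$2"; kubeconfig="$3"; shift 3
    HTTPS_PROXY="http://${bastion_ip}:${port}" KUBECONFIG="$kubeconfig" kubectl "$@"
}
```

Write the rendered config to /etc/tinyproxy/tinyproxy.conf on the bastion and restart the systemd unit; the curl check from the notes then confirms the new port answers.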
- https://www.linuxtrainingacademy.com/systemd-cheat-sheet/
- https://www.linux.com/training-tutorials/understanding-and-using-systemd/
- https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units
- https://www.digitalocean.com/community/tutorials/systemd-essentials-working-with-services-units-and-the-journal
- https://www.youtube.com/watch?v=ZUX9Fx8Rwzg&index=9&list=PLCq0ZVVxGP0Y-xlum2pnhqwsrIf61J6Ka
- https://www.youtube.com/watch?v=AtEqbYTLHfs
#!/usr/bin/env bash
# REF: https://cloud.google.com/armor/docs/integrating-cloud-armor#with_ingress
# REF: https://cloud.google.com/armor/docs/configure-security-policies
# REF: https://cloud.google.com/iap/docs/load-balancer-howto
# REF: https://cloud.google.com/sdk/gcloud/reference/compute/url-maps/add-path-matcher
# REF: https://cloud.google.com/load-balancing/docs/https/setting-up-url-rewrite
export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_USER=$(gcloud config get-value core/account) # set current user
Some useful resources regarding Kubernetes Operators, CRDs, etc.
- Kubernetes sample controller: https://github.com/kubernetes/sample-controller
- Joe Beda's TGIK sample repo and YouTube videos: https://github.com/jbeda/tgik-controller
- Thomas Stringer's blog post: https://medium.com/@trstringer/create-kubernetes-controllers-for-core-and-custom-resources-62fc35ad64a3
- Kube-controller-demo by Aaron Levy: https://github.com/aaronlevy/kube-controller-demo
- Analyzing value of Operator Framework for Kubernetes community: https://itnext.io/analyzing-value-of-operator-framework-for-kubernetes-community-5a65abc259ec
- Steps to generate CRD/Operator code: cloud-ark/kubeplus#14
- kubebuilder: https://github.com/kubernetes-sigs/kubebuilder
- CoreOS operator framework: https://coreos.com/blog/introducing-operator-framework
- A thread on Reddit: https://www.reddit.com/r/kubernetes/comments/8ien90/if_i_were_to_build_an_operator_what_should_i_use/
#!/usr/bin/env bash
export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_USER=$(gcloud config get-value core/account) # set current user
export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
export IDNS=${PROJECT_ID}.svc.id.goog # workload identity domain
export GCP_REGION="us-east1" # CHANGEME (OPT)
export GCP_ZONE="us-east1-c" # CHANGEME (OPT)
export NETWORK_NAME="default"