Rob Scott robscott

@robscott
robscott / kube-controller-manager.log
Created July 31, 2020 00:24
EndpointSliceTracker Cache Wait
I0730 23:05:18.651529 8 replica_set.go:559] "Too few replicas" replicaSet="default/scale-100ka-6cfcd99778" need=100 creating=100
I0730 23:05:18.654472 8 event.go:291] "Event occurred" object="default/scale-100ka" kind="Deployment" apiVersion="apps/v1" type="Normal" reason="ScalingReplicaSet" message="Scaled up replica set scale-100ka-6cfcd99778 to 100"
I0730 23:05:18.662513 8 event.go:291] "Event occurred" object="default/scale-100ka-6cfcd99778" kind="ReplicaSet" apiVersion="apps/v1" type="Normal" reason="SuccessfulCreate" message="Created pod: scale-100ka-6cfcd99778-fcpd8"
I0730 23:05:18.679879 8 event.go:291] "Event occurred" object="default/scale-100ka-6cfcd99778" kind="ReplicaSet" apiVersion="apps/v1" type="Normal" reason="SuccessfulCreate" message="Created pod: scale-100ka-6cfcd99778-vc47l"
I0730 23:05:18.680321 8 event.go:291] "Event occurred" object="default/scale-100ka-6cfcd99778" kind="ReplicaSet" apiVersion="apps/v1" type="Normal" reason="SuccessfulCreate" message="Crea
robscott / endpointslices.json
Created July 28, 2020 06:01
Duplicate EndpointSlices
{
  "metadata":{
    "name":"example-named-port-f7vq5",
    "generateName":"example-named-port-",
    "namespace":"endpointslice-5911",
    "selfLink":"/apis/discovery.k8s.io/v1beta1/namespaces/endpointslice-5911/endpointslices/example-named-port-f7vq5",
    "uid":"ddee4d2c-6de4-42f0-a9c1-8fbdd685ab70",
    "resourceVersion":"11288",
    "generation":1,
    "creationTimestamp":"2020-07-28T04:57:51Z",
robscott / kube-proxy-iptables-probability.md
Last active April 19, 2020 21:59
kube-proxy iptables probability

This shows the probabilities generated by kube-proxy 1.16 and rendered by iptables for the first 20 of 10k endpoints.

-A KUBE-SVC-DXWK7ADUC7EUTU7Z -m statistic --mode random --probability 0.00009999983 -j KUBE-SEP-JPQESVWHRDCVFZWN
-A KUBE-SVC-DXWK7ADUC7EUTU7Z -m statistic --mode random --probability 0.00009999983 -j KUBE-SEP-43X62NTQK7P33IRX
-A KUBE-SVC-DXWK7ADUC7EUTU7Z -m statistic --mode random --probability 0.00009999983 -j KUBE-SEP-RO4MGPWQFAAAQSOM
-A KUBE-SVC-DXWK7ADUC7EUTU7Z -m statistic --mode random --probability 0.00009999983 -j KUBE-SEP-U4U4WCN32VCO5JFK
-A KUBE-SVC-DXWK7ADUC7EUTU7Z -m statistic --mode random --probability 0.00009999983 -j KUBE-SEP-C4TELCOQRZ66JRHV
-A KUBE-SVC-DXWK7ADUC7EUTU7Z -m statistic --mode random --probability 0.00009999983 -j KUBE-SEP-ARSDZGCR5JG6RCWU
-A KUBE-SVC-DXWK7ADUC7EUTU7Z -m statistic --mode random --probability 0.00009999983 -j KUBE-SEP-QN4E7AOM7AQ62UWM
-A KUBE-SVC-DXWK7ADUC7EUTU7Z -m statistic --mode random --probability 0.00009999983 -j KUBE-SEP-3XQQML7Z2W4L2AI
# Generated by iptables-save v1.6.1 on Fri Sep 27 23:47:14 2019
*nat
:PREROUTING ACCEPT [17:972]
:INPUT ACCEPT [14:792]
:OUTPUT ACCEPT [2:120]
:POSTROUTING ACCEPT [5:300]
:DOCKER - [0:0]
:IP-MASQ - [0:0]
:KUBE-FW-DXWK7ADUC7EUTU7Z - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
robscott / gke-iam-roles.md
Created October 2, 2018 20:20
GKE IAM Roles Compared

GKE IAM Roles

On GKE, there's an interesting overlap between what the IAM roles grant you for Kubernetes clusters. In general, the roles in the tables below line up with each other, but there are some strange exceptions. Each table below shows the result of a diff between related IAM roles (only the container.* permissions are included in these results).

Project Owner GKE Admin
container.hostServiceAgent.use
Project Editor GKE Developer
robscott / rbac-lookup-output.txt
Created September 5, 2018 02:04
rbac-lookup output
rbac-lookup rob
SUBJECT          SCOPE          ROLE
rob@example.com  cluster-wide   ClusterRole/view
rob@example.com  nginx-ingress  ClusterRole/edit
robscott / rbac-lookup-wide-output.txt
Last active September 5, 2018 02:06
rbac-lookup wide output
rbac-lookup ro -owide
SUBJECT                SCOPE          ROLE               SOURCE
User/rob@example.com   cluster-wide   ClusterRole/view   ClusterRoleBinding/rob-cluster-view
User/rob@example.com   nginx-ingress  ClusterRole/edit   RoleBinding/rob-edit
User/ross@example.com  cluster-wide   ClusterRole/admin  ClusterRoleBinding/ross-admin
User/ron@example.com   web            ClusterRole/edit   RoleBinding/ron-edit
ServiceAccount/rops    infra          ClusterRole/admin  RoleBinding/rops-admin
robscott / sample-rbac-definition.yaml
Last active June 25, 2018 03:34
RBAC Definition Example
apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: rbac-manager-config
rbacBindings:
  - name: user-a-example
    subjects:
      - kind: User
        name: A
    roleBindings:
robscott / sample-role-bindings.yaml
Created June 15, 2018 14:31
Role Binding Examples
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example
  namespace: web
subjects:
- kind: User
  name: A
  apiGroup: rbac.authorization.k8s.io
roleRef:
robscott / cidrs-to-ovpn.py
Created February 15, 2018 22:30
Simple script that gets all CloudFront CIDRs and prints them out as OpenVPN routes
import urllib.request
import json
import socket
import struct


def cidr_to_netmask(cidr):
    # Split an IPv4 CIDR such as "10.0.0.0/8" into (network, dotted netmask).
    network, net_bits = cidr.split('/')
    host_bits = 32 - int(net_bits)
    netmask = socket.inet_ntoa(struct.pack('!I', (1 << 32) - (1 << host_bits)))
    return network, netmask