---
# Verify a signed image using a public key, without a Fulcio-issued certificate.
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
metadata:
name: image-is-signed
spec:
images:
- hostname:5000/myns/sigstore-signed-with-full-references
policy:
package api
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
type ImagePolicy struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec ImagePolicySpec `json:"spec"`
saschagrunert / Vagrantfile
Last active October 30, 2023 13:35
Environment for building Red Hat packages
# -*- mode: ruby -*-
# vi: set ft=ruby :
# Vagrant box for testing
Vagrant.configure("2") do |config|
config.vm.box = "fedora/35-cloud-base"
memory = 6144
cpus = 4
config.vm.provider :virtualbox do |v|
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
labels:
machineconfiguration.openshift.io/role: worker
name: recreate-backingfsblockdev
spec:
config:
ignition:
version: 3.2.0
saschagrunert / kubernetes-verify.sh
Created December 1, 2022 14:13
Verifying Kubernetes binary artifacts
#!/usr/bin/env bash
set -euox pipefail
TAG=v1.26.0-rc.1
URL=https://dl.k8s.io/release/$TAG/bin/linux/amd64
BIN=kubectl
for EXT in "" .sig .cert; do
FILE=$BIN$EXT
curl -sSfL --retry 3 --retry-delay 3 $URL/$FILE -o $FILE
saschagrunert / seccomp.json
Created November 14, 2022 10:39
seccomp profile for the default nginx container
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
"syscalls": [
{
"names": [
"accept4",
"access",
"arch_prctl",
"bind",
saschagrunert / Vagrantfile
Last active March 2, 2022 09:37
Rocky Linux 8 - Kubernetes
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
config.vm.box = "generic/rocky8"
memory = 6144
cpus = 4
config.vm.provider :virtualbox do |v|
v.memory = memory
#!/usr/bin/env bash
# Installs cert-manager into the currently selected cluster context and blocks
# until its pod reports Ready.
# NOTE(review): this is a gist preview and the script appears to continue past
# the wait below; OUTPUT is assigned but not used in the visible lines —
# presumably consumed further down. Verify against the full script.
set -euo pipefail
OUTPUT=deploy.yaml
# Deploy cert-manager (not required in final version because certificates
# should be bootstrapped by the installer)
# NOTE(review): the manifest is fetched from the release URL at apply time and
# no checksum or signature verification is visible here. Pinning the tag
# (v1.3.1) alone does not detect a replaced release asset — confirm whether a
# locally vendored or checksum-verified copy is wanted for this environment.
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml
# Wait for the cert-manager pod (selected by its instance label) to become
# Ready; no --timeout is given, so kubectl's default wait timeout applies.
kubectl wait --for condition=ready \
-n cert-manager pod -l app.kubernetes.io/instance=cert-manager
# Before deploying this, run:
# oc adm policy add-scc-to-user hostnetwork -z crio-metrics -n crio-metrics
---
# Only required for demoing purposes because the ServiceMonitor is part of the
# user monitoring and should move to the system level later on.
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
package main
// BEFORE RUNNING:
// ---------------
// 1. If not already done, enable the Cloud Resource Manager API
// and check the quota for your project at
// https://console.developers.google.com/apis/api/cloudresourcemanager
// 2. This sample uses Application Default Credentials for authentication.
// If not already done, install the gcloud CLI from
// https://cloud.google.com/sdk/ and run