Derek Olsen someword

## rego test
package authorization

import data.k8s.matches

deny[{
	"id": "user-kube-system",
	"resource": {
		"namespace": namespace,
	},
	"resolution": {"message": "Permission denied"},

## node drain
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: node-drain
rules:
  - apiGroups:
      - extensions
    resources:
      - daemonsets

## kiamy
[ec2-user@ip-10-52-26-160 ~]$ aws sts assume-role --role-arn=arn:aws:iam::XXXXXXXXXXXXX:role/kiam-pod-test-role --role-session-name test9
{
    "AssumedRoleUser": {
        "AssumedRoleId": "XXXXXXXXXXXXXXXXXXXX:test9",
        "Arn": "arn:aws:sts::XXXXXXXXXXXXXXXXXX:assumed-role/kiam-pod-test-role/test9"
    },
    "Credentials": {
        "SecretAccessKey": "XXXXXXXXXXXXXXXXXXXXXXXXXX",
        "SessionToken": "XXXXXXXXXXXXXXXX///////////wEaDMvhdnnYjlHLaROoJSLpAULGH/quc+aOMfHlXFsCxP5O5Uyqlb1dN4zi/IOCwS/AB9n6QJ3mY6y0q5KRrXcooLxRiL4eDi8uYwyQtJuocdamLYgsmStjUH56o5j+8B7HaQ1HPGmOkXIaAMm+TvBX7IB1zQ21wLrshujrMxEaIohkoeHk+uyeSMxNVZdh+rswzcxsH/YQbopNFJjj83LCVyCVJy+DVJ6pSg+ScS/ZCGWU0AzsvKlbrJj7ymietwtfj+UEmgBCpv4ZLqdGJIQMuuEw8XDjipKyHtoVJHfywNYFrjbhpLTkCwzJAFc4G0mySFhOBSCKUKpZKL3qy9wF",
        "Expiration": "2018-09-07T23:01:33Z",

## gist:f2f9eb04ed7886e5675ce5a197e0c8dc
go get github.com/coreos/etcd
[TRUNCATED OUTPUT]

git checkout v3.2.9                                                                                               master
Note: checking out 'v3.2.9'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

## benchmark build
env GOOS=linux go build -o benchmark -v .                                                                                                                                                                                                                     master
runtime/internal/sys
runtime/internal/atomic
runtime
errors
internal/race
sync/atomic
math
unicode/utf8
crypto/subtle

## gist:40ad0e86b211ce65829f16b6cd4cfd01
# TYPE etcd_disk_wal_fsync_duration_seconds histogram
etcd_disk_wal_fsync_duration_seconds_bucket{le="0.001"} 76848
etcd_disk_wal_fsync_duration_seconds_bucket{le="0.002"} 97194
etcd_disk_wal_fsync_duration_seconds_bucket{le="0.004"} 99219
etcd_disk_wal_fsync_duration_seconds_bucket{le="0.008"} 99663
etcd_disk_wal_fsync_duration_seconds_bucket{le="0.016"} 99906
etcd_disk_wal_fsync_duration_seconds_bucket{le="0.032"} 99970
etcd_disk_wal_fsync_duration_seconds_bucket{le="0.064"} 100017
etcd_disk_wal_fsync_duration_seconds_bucket{le="0.128"} 100030
etcd_disk_wal_fsync_duration_seconds_bucket{le="0.256"} 100037

## kube-dns errors
error querying dnsmasq from metrics side car

ERROR: logging before flag.Parse: W0510 22:10:31.083563       1 server.go:53] Error getting metrics from dnsmasq: read udp 127.0.0.1:60188->127.0.0.1:53: read: connection refused

kube-dns errors
I0510 20:36:49.107543       1 logs.go:41] skydns: failure to forward request "read udp 172.20.23.5:46695->10.40.0.2:53: i/o timeout"

## gist:e124d591bf2a93d4b5c9b98f6a024621
<filter docker.*>
  @type concat
  key log
  multiline_start_regexp /{\\"message\\":/
  multiline_end_regexp /\\"service_name\\":/
  continuous_line__regexp /^(\\"message\\":|\\"service_name\\":)/
</filter>

## docker logs
{"log":"{\"message\":\"LOGSPEWPREFIXSIZE17408:pu0m<TRIMMED ABOUT 15K HERE>if324z54fn5lj5d74oka9kobybin8othqolng51czs7rcdkzta3w3ithgfu2okdcy0lxmi2g3pygvqkcddevql1x9b9eydnuge2f0hdayi825f4z5xw2idhds13js86w1rlfm74c88k6j3w5ksx0hrjel8czdwxeuo6yaq6odnu4ar8ycjz3f6s17ibs5pw4swhka6lwpak5qm3v3dkr3dyvwm6ssodzsmonj66ksmuixr6rjqi78lddvgr90zgx2pguynyt794hurodceoem9aaiznqj29n0h524ynug84py19wouy8jnzinljtjj26wn0xw19mda7z5h4bimct4lohf8nbc3xooo8kok0mpot3himbe5bcter78toc0v1749sohhbehq1vdznn4uodgm9lqwl8b59n3x6lg9jydxd0hvs1h29413i1dxnes","stream":"stdout","time":"2017-04-27T21:13:32.984794623Z"}
{"log":"r5g7h0evfxkxxao41gn4wsmrxwgajjjym3aikvivfbwf3pq3ve98nwqqugasgz7f5srm7uycn0z6fekbr39fyy3b6287z3rsegkjk512jarc4z19es7irfj3dbozn3t019k3waqi6um1fws8w7cxpr8jgop8k4dvg3dxbv7yfvubakxmw182z4nvi14oeirx153qqzx71gxp6brfak0oxb2ch4iziivmhictwhhmo93hu275l7tr8j2xodizti2kvffmqnzc5379b5zj3g0k9q8h2zfs66830on4vilk2fbe1vsc1yt8lb305jmbi8ts6zz34bd6390nsq05t9a1sgfuuex8oxpgel2w2ozg29xpiukj1f9392fkr4wko3xgc3qkdk4wzn91zv6adjjhsuo2l9gsze2hf0gs49w1ngm42r4a906x

## gist:603f9b830f4cda697441b82d4fbe884c
        args:
        - --cache-size=1000
        - --no-resolv
        - --server=/cluster.local/ec2.internal/127.0.0.1#10053
        - --server=169.254.169.253
        - --server=8.8.8.8
        - --log-facility=-
        - --log-queries
        - --address=/com.cluster.local/com.svc.cluster.local/com.kube-system.svc.cluster.local/vevo.com.cluster.local/vevo.com.svc.cluster.local/vevo.com.kube-system.svc.cluster.local/com.ec2.internal/ec2.internal.kube-system.svc.cluster.local/ec2.internal.svc.cluster.local/ec2.internal.cluster.local/
	package authorization

	import data.k8s.matches

	deny[{
	"id": "user-kube-system",
	"resource": {
	"namespace": namespace,
	},
	"resolution": {"message": "Permission denied"},
	---
	kind: ClusterRole
	apiVersion: rbac.authorization.k8s.io/v1beta1
	metadata:
	name: node-drain
	rules:
	- apiGroups:
	- extensions
	resources:
	- daemonsets
	[ec2-user@ip-10-52-26-160 ~]$ aws sts assume-role --role-arn=arn:aws:iam::XXXXXXXXXXXXX:role/kiam-pod-test-role --role-session-name test9
	{
	"AssumedRoleUser": {
	"AssumedRoleId": "XXXXXXXXXXXXXXXXXXXX:test9",
	"Arn": "arn:aws:sts::XXXXXXXXXXXXXXXXXX:assumed-role/kiam-pod-test-role/test9"
	},
	"Credentials": {
	"SecretAccessKey": "XXXXXXXXXXXXXXXXXXXXXXXXXX",
	"SessionToken": "XXXXXXXXXXXXXXXX///////////wEaDMvhdnnYjlHLaROoJSLpAULGH/quc+aOMfHlXFsCxP5O5Uyqlb1dN4zi/IOCwS/AB9n6QJ3mY6y0q5KRrXcooLxRiL4eDi8uYwyQtJuocdamLYgsmStjUH56o5j+8B7HaQ1HPGmOkXIaAMm+TvBX7IB1zQ21wLrshujrMxEaIohkoeHk+uyeSMxNVZdh+rswzcxsH/YQbopNFJjj83LCVyCVJy+DVJ6pSg+ScS/ZCGWU0AzsvKlbrJj7ymietwtfj+UEmgBCpv4ZLqdGJIQMuuEw8XDjipKyHtoVJHfywNYFrjbhpLTkCwzJAFc4G0mySFhOBSCKUKpZKL3qy9wF",
	"Expiration": "2018-09-07T23:01:33Z",
	go get github.com/coreos/etcd
	[TRUNCATED OUTPUT]

	git checkout v3.2.9   master
	Note: checking out 'v3.2.9'.

	You are in 'detached HEAD' state. You can look around, make experimental
	changes and commit them, and you can discard any commits you make in this
	state without impacting any branches by performing another checkout.
	env GOOS=linux go build -o benchmark -v .   master
	runtime/internal/sys
	runtime/internal/atomic
	runtime
	errors
	internal/race
	sync/atomic
	math
	unicode/utf8
	crypto/subtle
	# TYPE etcd_disk_wal_fsync_duration_seconds histogram
	etcd_disk_wal_fsync_duration_seconds_bucket{le="0.001"} 76848
	etcd_disk_wal_fsync_duration_seconds_bucket{le="0.002"} 97194
	etcd_disk_wal_fsync_duration_seconds_bucket{le="0.004"} 99219
	etcd_disk_wal_fsync_duration_seconds_bucket{le="0.008"} 99663
	etcd_disk_wal_fsync_duration_seconds_bucket{le="0.016"} 99906
	etcd_disk_wal_fsync_duration_seconds_bucket{le="0.032"} 99970
	etcd_disk_wal_fsync_duration_seconds_bucket{le="0.064"} 100017
	etcd_disk_wal_fsync_duration_seconds_bucket{le="0.128"} 100030
	etcd_disk_wal_fsync_duration_seconds_bucket{le="0.256"} 100037
	error querying dnsmasq from metrics side car

	ERROR: logging before flag.Parse: W0510 22:10:31.083563 1 server.go:53] Error getting metrics from dnsmasq: read udp 127.0.0.1:60188->127.0.0.1:53: read: connection refused

	kube-dns errors
	I0510 20:36:49.107543 1 logs.go:41] skydns: failure to forward request "read udp 172.20.23.5:46695->10.40.0.2:53: i/o timeout"
	<filter docker.*>
	@type concat
	key log
	multiline_start_regexp /{\\"message\\":/
	multiline_end_regexp /\\"service_name\\":/
	continuous_line__regexp /^(\\"message\\":\|\\"service_name\\":)/
	</filter>
	args:
	- --cache-size=1000
	- --no-resolv
	- --server=/cluster.local/ec2.internal/127.0.0.1#10053
	- --server=169.254.169.253
	- --server=8.8.8.8
	- --log-facility=-
	- --log-queries
	- --address=/com.cluster.local/com.svc.cluster.local/com.kube-system.svc.cluster.local/vevo.com.cluster.local/vevo.com.svc.cluster.local/vevo.com.kube-system.svc.cluster.local/com.ec2.internal/ec2.internal.kube-system.svc.cluster.local/ec2.internal.svc.cluster.local/ec2.internal.cluster.local/