docker run -v /home/toszo/shared:/shared
#httpGet
#...
readinessProbe:
  httpGet:
    path: /
    port: 80
  initialDelaySeconds: 15
  periodSeconds: 15
#...
#exec
#httpGet
#...
livenessProbe:
  httpGet:
    path: /
    port: 80
  initialDelaySeconds: 15
  periodSeconds: 15
#...
#exec
[INFO] 2 Worker Node Security Configuration
[INFO] 2.1 Kubelet
[FAIL] 2.1.1 Ensure that the --allow-privileged argument is set to false (Scored)
[FAIL] 2.1.2 Ensure that the --anonymous-auth argument is set to false (Scored)
[FAIL] 2.1.3 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
[FAIL] 2.1.4 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[FAIL] 2.1.5 Ensure that the --read-only-port argument is set to 0 (Scored)
[FAIL] 2.1.6 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
[FAIL] 2.1.7 Ensure that the --protect-kernel-defaults argument is set to true (Scored)
[PASS] 2.1.8 Ensure that the --make-iptables-util-chains argument is set to true (Scored)
[FAIL] 1.1.1 Ensure that the --allow-privileged argument is set to false (Scored)
[FAIL] 1.1.2 Ensure that the --anonymous-auth argument is set to false (Scored)
...
== Remediations ==
1.1.1 Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_ALLOW_PRIV parameter to "--allow-privileged=false"
1.1.2 Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS parameter to "--anonymous-auth=false"
...
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
[FAIL] 1.1.1 Ensure that the --allow-privileged argument is set to false (Scored)
[FAIL] 1.1.2 Ensure that the --anonymous-auth argument is set to false (Scored)
[PASS] 1.1.3 Ensure that the --basic-auth-file argument is not set (Scored)
[PASS] 1.1.4 Ensure that the --insecure-allow-any-token argument is not set (Scored)
[PASS] 1.1.5 Ensure that the --kubelet-https argument is set to true (Scored)
[PASS] 1.1.6 Ensure that the --insecure-bind-address argument is not set (Scored)
[PASS] 1.1.7 Ensure that the --insecure-port argument is set to 0 (Scored)
[PASS] 1.1.8 Ensure that the --secure-port argument is not set to 0 (Scored)
sudo docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v $(which kubectl):/usr/bin/kubectl aquasec/kube-bench:latest node
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v $(which kubectl):/usr/bin/kubectl aquasec/kube-bench:latest master
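The 2.1.x FAIL lines above are about the kubelet's own API, not the API server: with --anonymous-auth left at its default of true and --authorization-mode at AlwaysAllow, anyone who can reach port 10250 can call the kubelet API, including exec into pods, and --read-only-port=10255 serves pod and node details with no authentication at all. The script below is an added example, not code from the gist or from kube-bench: it re-runs those eight checks over a kubelet command line. The two sample command lines are constructed, the flag names are the real kubelet flags, the defaults in the comments are those assumed for kubelets of that era, and only the --flag=value form is parsed.

```shell
#!/bin/sh
# Added example (not part of the gist): re-check the kubelet items that
# kube-bench reported above (CIS 2.1.1-2.1.8 in that benchmark version)
# against a kubelet command line, so each FAIL maps to the flag to change.
# Flag names are the real kubelet flags; the "default" values in comments are
# the kubelet defaults assumed for that era; the two sample command lines
# are constructed for this example. Only the --flag=value form is parsed.

# flag_value CMDLINE FLAG -> value of --FLAG=value, empty if the flag is absent
flag_value() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^--$2=//p" | tail -n 1
}

report() { # report ID RESULT DESCRIPTION -> one kube-bench style line
  printf '[%s] %s %s\n' "$2" "$1" "$3"
}

# check_kubelet CMDLINE -> one PASS/FAIL line per benchmark item
check_kubelet() {
  cmd=$1
  v=$(flag_value "$cmd" allow-privileged)                  # default false
  [ "${v:-false}" = "false" ] && r=PASS || r=FAIL
  report 2.1.1 "$r" "--allow-privileged is false"
  v=$(flag_value "$cmd" anonymous-auth)                    # default true
  [ "$v" = "false" ] && r=PASS || r=FAIL
  report 2.1.2 "$r" "--anonymous-auth is false"
  v=$(flag_value "$cmd" authorization-mode)                # default AlwaysAllow
  { [ -n "$v" ] && [ "$v" != "AlwaysAllow" ]; } && r=PASS || r=FAIL
  report 2.1.3 "$r" "--authorization-mode is not AlwaysAllow"
  v=$(flag_value "$cmd" client-ca-file)                    # no default
  [ -n "$v" ] && r=PASS || r=FAIL
  report 2.1.4 "$r" "--client-ca-file is set"
  v=$(flag_value "$cmd" read-only-port)                    # default 10255
  [ "$v" = "0" ] && r=PASS || r=FAIL
  report 2.1.5 "$r" "--read-only-port is 0"
  v=$(flag_value "$cmd" streaming-connection-idle-timeout) # default 4h
  [ "${v:-4h}" != "0" ] && r=PASS || r=FAIL
  report 2.1.6 "$r" "--streaming-connection-idle-timeout is not 0"
  v=$(flag_value "$cmd" protect-kernel-defaults)           # default false
  [ "$v" = "true" ] && r=PASS || r=FAIL
  report 2.1.7 "$r" "--protect-kernel-defaults is true"
  v=$(flag_value "$cmd" make-iptables-util-chains)         # default true
  [ "${v:-true}" = "true" ] && r=PASS || r=FAIL
  report 2.1.8 "$r" "--make-iptables-util-chains is true"
}

# fail_count CMDLINE -> number of FAIL lines
fail_count() {
  check_kubelet "$1" | grep -c '^\[FAIL\]' || true
}

# audit_live_kubelet -> run the checks against the kubelet running on this node
# (the same "ps | grep kubelet" audit kube-bench performs; procps ps syntax).
audit_live_kubelet() {
  check_kubelet "$(ps -o args= -C kubelet | head -n 1)"
}

# Constructed samples: a kubeadm-style line that fails most of the items in
# the output above, and a hardened line that passes them all.
INSECURE='/usr/bin/kubelet --allow-privileged=true --kubeconfig=/etc/kubernetes/kubelet.conf --read-only-port=10255'
HARDENED='/usr/bin/kubelet --allow-privileged=false --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt --read-only-port=0 --streaming-connection-idle-timeout=5m --protect-kernel-defaults=true --make-iptables-util-chains=true'

echo "== insecure sample =="; check_kubelet "$INSECURE"
echo "== hardened sample =="; check_kubelet "$HARDENED"
```

Run audit_live_kubelet on a node to check the real process. On a kubeadm cluster the same items are normally set in the KubeletConfiguration file (authentication.anonymous.enabled, authorization.mode, readOnlyPort, protectKernelDefaults, streamingConnectionIdleTimeout) rather than as command-line flags, which this script does not read, and --allow-privileged was later removed from the kubelet entirely; kube-bench's own matching rules for absent flags can also differ from the defaults assumed here, so treat a disagreement as a prompt to read the kubelet's configuration rather than as a false positive.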
# Exec on Master
# Master init
kubeadm init --pod-network-cidr 10.244.0.0/16
# The output of this command includes a token (TWOJ_JOIN_TOKEN) and a discovery token (TWOJ_DISCO_TOKEN), which are used to join the worker nodes.
# Deploy the network plugin on the Master.
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/a70459be0084506e4ec919aa1c114638878db11b/Documentation/kube-flannel.yml
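What kubeadm init prints at the end, and why the second value matters, as an added example that is not from the gist: the join line carries the bootstrap token (TWOJ_JOIN_TOKEN above) and --discovery-token-ca-cert-hash sha256:<hex> (TWOJ_DISCO_TOKEN above). The hash is SHA-256 over the DER-encoded public key of /etc/kubernetes/pki/ca.crt; kubeadm join checks the CA it receives during discovery against it, so a node that passes the hash cannot be steered to a rogue control plane by someone who only holds the token. The sample init output and its hash value are constructed for this example, and the openssl pipeline is the one from the kubeadm documentation.

```shell
#!/bin/sh
# Added example (not part of the gist): parse the `kubeadm join` command that
# `kubeadm init` prints and pin the cluster CA. The bootstrap token is the
# gist's TWOJ_JOIN_TOKEN; --discovery-token-ca-cert-hash sha256:<hex> is the
# gist's TWOJ_DISCO_TOKEN. The hash is SHA-256 over the DER-encoded public key
# of /etc/kubernetes/pki/ca.crt (openssl pipeline from the kubeadm docs);
# kubeadm join refuses a cluster whose CA does not match it. The init output
# and hash below are constructed for this example.

# Constructed sample of the tail of `kubeadm init` output.
SAMPLE_INIT_OUTPUT='You can now join any number of machines by running the following on each node
as root:

  kubeadm join 192.168.1.10:6443 --token abcdef.0123456789abcdef \
    --discovery-token-ca-cert-hash sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

# join_tokens OUTPUT -> the `kubeadm join ...` command, one word per line,
# with the backslash line continuations dropped
join_tokens() {
  printf '%s\n' "$1" | tr -s ' \\\n' '\n' | awk '
    prev == "kubeadm" && $0 == "join" { on = 1; print prev }
    on { print }
    { prev = $0 }'
}

# join_field OUTPUT WORD -> the word that follows WORD in the join command
# (WORD is "join" for the API server endpoint, or a --flag name)
join_field() {
  join_tokens "$1" | awk -v f="$2" '$0 == f { getline; print; exit }'
}

# ca_hash CA_CERT -> sha256:<hex> of the CA's DER-encoded public key,
# the value kubeadm prints in the join command
ca_hash() {
  printf 'sha256:%s\n' "$(openssl x509 -pubkey -noout -in "$1" \
    | openssl pkey -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex | sed 's/^.* //')"
}

# verify_join_hash OUTPUT CA_CERT -> 0 if the hash in the join command matches
# CA_CERT, 1 otherwise. On the master CA_CERT is /etc/kubernetes/pki/ca.crt;
# on a worker use a copy obtained out of band, not one fetched from the API
# server you are about to trust.
verify_join_hash() {
  [ "$(join_field "$1" --discovery-token-ca-cert-hash)" = "$(ca_hash "$2")" ]
}

printf 'endpoint: %s\ntoken:    %s\nca hash:  %s\n' \
  "$(join_field "$SAMPLE_INIT_OUTPUT" join)" \
  "$(join_field "$SAMPLE_INIT_OUTPUT" --token)" \
  "$(join_field "$SAMPLE_INIT_OUTPUT" --discovery-token-ca-cert-hash)"
```

On the master, `ca_hash /etc/kubernetes/pki/ca.crt` must print the same value as the join line; if the token was lost, a fresh join command with both values comes from `kubeadm token create --print-join-command`. Never join with the token alone and without the hash: the token proves the node to the cluster, only the hash proves the cluster to the node.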
# Exec on Node
# Raspbian download
# https://www.raspberrypi.org/downloads/
# OS Flash on USB - Etcher
# https://www.balena.io/etcher/
# All nodes
sudo raspi-config # Change User Password, Network Options/Hostname, Advanced Options/Memory Split