• OpenShift: Assign SCC to a SA

    3 min read

    SecurityContextConstraint OpenShift ServiceAccount Pod

    If you try to create a pod with some privileges using the securityContext you are going to find out that it's not going to work on OpenShift as it would on a vanilla Kubernetes:

    $ kubectl describe sts example-no-scc
Name:               example-no-scc
(...)

Events:
  Type     Reason        Age                 From                    Message
  ----     ------        ----                ----                    -------
  Warning  FailedCreate  18s (x13 over 38s)  statefulset-controller  create Pod example-no-scc-0 in StatefulSet example-no-scc failed error: pods "example-no-scc-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.initContainers[0].securityContext.capabilities.add: Invalid value: "DAC_OVERRIDE": capability may not be added, spec.containers[0].securityContext.capabilities.add: Invalid value: "DAC_OVERRIDE": capability may not be added, spec.containers[1].securityContext.capabilities.add: Invalid value: "DAC_OVERRIDE": capability may not be added, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

    08/09/2022

    Read more...

  • Kubernetes Secrets: Install External Secrets Operator

    2 min read

    Kubernetes Secret ExternalSecret Operator SecretStore

    The Kubernetes External Secrets have evolved into an Operator: External Secrets Operator What does it bring to the table?

    05/09/2022

    Read more...

  • OpenShift: The difference between Project and Namespace

    3 min read

    project namespace difference OpenShift

    In OpenShift instead of working with Namespaces it uses Projects, but by creating a Project it going to create a Namespace under the hood. What's the difference?

    $ oc get project
NAME                                               DISPLAY NAME   STATUS
(...)
demo                                                              Active
$ oc get ns
NAME                                               STATUS   AGE
(...)
demo                                               Active   29d

    02/09/2022

    Read more...

  • kubectl: Retrieve a list of object names

    2 min read

    kubectl jsonpath

    If we need to write some script to retrieve a certain information that kubectl can provide, we can always add the option to remove headers and use something like awk to narrowit down. There's also a better way than doing this:

    kubectl get ns --no-headers | awk '{ print $1 }'

    31/08/2022

    Read more...

  • OpenShift CRC: Customize admin password

    1 min read

    When setting up a CRC cluster we might want to be able to set a specific admin password instead of having to retrieve it using crc console.

    30/08/2022

    Read more...

More recent...

Older content...

Kubernetes:
container orchestration
kubernetes
Categories
tags related to this category
Linkerd Argo Rollouts Rollouts Capsule Pod MutatingAdmissionPolicy MutatingAdmissionPolicyBinding kind kubectl plugin custom command Argo Workflows CronWorkflow StatefulSet Workflow Kaniko WorkflowTemplate install kubernetes security Pod Security Standards port-forward socat operator-sdk golang Pushgateway RBAC Rule troubleshooting APIRequestCount affinity topologySpreadConstraints Route ExternalSecret Secret jsonpath ServiceAccount Ingress k3s letsencrypt tcpdump ssh CRD additionalPrinterColumns Velero query PV Operator Role ClusterRole web-console operator oc-mirror Secrets Manager tekton context Policy enforcement Rules Project ConfigMap Environment ROSA IngressRoute redirect RDS psql API server S3 patch file apply selector minikube arm64 colima EKS-connector SecurityContextConstraint SecretStore scripting CRC credentials Deployment valueFrom setup helm StorageClass tagging EBS externalDNS ALB HPA convert API version example shipwright ECR imagePullSecrets ENI subnet krew blame cloud provider etcd availability zones CoreDNS backend state podAntiAffinity Composite images GKE activeDeadlineSeconds Job lifetime bestby IRSA label annotation PersistentVolume Volume fsGroup vpa cluster autoscaler Karpenter provider kubernetes_manifest fsGroupChangePolicy container escape spot instances termination handler persistentVolumeReclaimPolicy fieldPath upgrade privileged network NetworkPolicy bash ps longhorn ASCP QoD raspberry pi drain evict uncordon kubeconfig config view logs admission controller hook postStart preStop deprecations gp3 get-all taints securityGroup probe readinessProbe livenessProbe tolerations explain MutatingWebhook startupProbe RollingUpdate Recreate PDB emptyDir netstat ss autoscale Kubeconfig initContainers DNS tree DaemonSet stern tail LimitRange resource limits restartPolicy system-upgrade-controller rolling update history undo Volumes awsElasticBlockStore change-cause set image imperative hostAliases imagePullPolicy metrics-server Service overlay agent nodes declarative ELB HTTPS alpine package nodeSelector scheduler kubie api-versions events multiple containers SecretKeyRef ReplicaSet NodePort Pod restart rollout deployment nginx-contoller ValidatingWebhookConfiguration error recovery httpHeaders uid securityContext exec interactive LoadBalancer IAM scale replicas nodeName externalName namespace Cronjob multinode template yaml unused-volumes diff