• Kubernetes: Search the specific rule granting a given permission

    2 min read

    kubernetes role clusterrole rule search kubectl

    Sometimes might be difficult to tell how some subject (User, ServiceAccount, ...) is able to perform a certain task: What's the Role or ClusterRole granting some permission?

    For this we can use the searchrule plugin.


  • Monitoring APIRequestCount in OpenShift

    2 min read

    OpenShift APIRequestCount monitoring API usage

    Openshift provides an object that tracks the number of requests made to the Kubernetes API server. It provides insights into the load on the cluster, the performance of applications, and helps in capacity planning. By monitoring APIRequestCount, you can identify potential bottlenecks, detect unusual spikes in traffic, and optimize resource allocation.

    $ kubectl get apirequestcounts
    NAME                                                                           REMOVEDINRELEASE   REQUESTSINCURRENTHOUR   REQUESTSINLAST24H
    alertmanagerconfigs.v1alpha1.monitoring.coreos.com                                                6                       1706
    alertmanagers.v1.monitoring.coreos.com                                                            20                      2891
    apiservices.v1.apiregistration.k8s.io                                                             994                     99521


  • Kubernetes: Configuring Topology Spread Constraints to tune Pod scheduling

    2 min read

    kubernetes pod affinity Topology Spread Constraints

    Ensuring high availability and fault tolerance in a Kubernetes cluster is a complex task: One important feature that allows us to addresses this challenge is Topology Spread Constraints.


  • OpenShift 3.11 - custom default route certificate failing with certificate has expired or is not yet valid

    2 min read

    OpenShift Route certificate has expired or is not yet valid default router-certs

    After trying to set a custom default certificate for the OpenShift routes we might see how it's Pods starts crashing:

    $ kubectl get pods
    NAME                          READY   STATUS             RESTARTS   AGE
    router-10-rh8vf               1/1     Running            0          32m
    router-10-f2dt2               0/1     CrashLoopBackOff   6          7m
    router-10-m45b7               1/1     Running            0          31m

    Checking it's logs we'll get a quite misleading message:

    $ kubectl logs router-10-f2dt2 -n default
    Error from server: Get https://some.openshift.cluster:10250/containerLogs/default/router-10-f2dt2/router: x509: certificate has expired or is not yet valid


  • ExternalSecret: Partially load a secret

    2 min read

    Kubernetes ExternalSecret

    Sometimes we might have a secret stored in the AWS Secrets Manager with multiple properties but we don't really need all the data stored in the secret. We can tell External Secrets Operator to use just a specific key instead of using the whole secret.



More recent...

Older content...

container orchestration
tags related to this category
kubectl operator-sdk golang Pushgateway RBAC Rule troubleshooting APIRequestCount Pod affinity topologySpreadConstraints Route ExternalSecret Secret jsonpath ServiceAccount Ingress k3s letsencrypt tcpdump ssh CRD additionalPrinterColumns Velero query PV Operator Role ClusterRole web-console operator oc-mirror Secrets Manager tekton context Policy enforcement Rules Project ConfigMap Environment ROSA IngressRoute redirect RDS psql kind API server S3 patch file apply selector minikube arm64 colima EKS-connector SecurityContextConstraint SecretStore scripting CRC credentials Deployment valueFrom setup helm StorageClass tagging EBS externalDNS ALB HPA plugin convert API version example custom command shipwright ECR imagePullSecrets ENI subnet krew blame cloud provider etcd availability zones CoreDNS backend state Kaniko podAntiAffinity Composite images GKE activeDeadlineSeconds Job lifetime bestby IRSA label annotation PersistentVolume StatefulSet Volume fsGroup vpa cluster autoscaler Karpenter provider kubernetes_manifest fsGroupChangePolicy container escape spot instances termination handler persistentVolumeReclaimPolicy fieldPath upgrade privileged network NetworkPolicy bash ps longhorn ASCP QoD raspberry pi drain evict uncordon kubeconfig config view logs admission controller hook postStart preStop deprecations gp3 get-all taints securityGroup probe readinessProbe livenessProbe tolerations explain MutatingWebhook startupProbe RollingUpdate Recreate PDB emptyDir socat netstat ss autoscale Kubeconfig initContainers DNS tree DaemonSet stern tail LimitRange resource limits restartPolicy system-upgrade-controller rolling update history undo Volumes awsElasticBlockStore change-cause set image imperative port-forward hostAliases imagePullPolicy metrics-server Service overlay agent nodes declarative ELB HTTPS alpine package nodeSelector scheduler kubie api-versions events multiple containers SecretKeyRef ReplicaSet NodePort Pod restart rollout deployment nginx-contoller ValidatingWebhookConfiguration error recovery httpHeaders security uid securityContext exec interactive LoadBalancer IAM scale replicas nodeName externalName namespace Cronjob multinode template yaml unused-volumes diff