Categories: kubernetes

Exclude certain namespaces from a OPA gatekeeper rule

2 min read

While some policies can be safely applied to all the namespaces of a cluster, some other can become problematic since they can interfere with the normal operations of certain controllers. When we create a constrain rule we can exclude some namespaces using the spec.match.excludedNamespaces attribute

18/11/2022
Read more...
Kubernetes: Configure privilege escalation using the escalate and bind verbs

2 min read

The RBAC API prevents privilege escalation at the API level when creating or updating ClusterRole, ClusterRoleBinding, Role and RoleBinding. However, we can configure it to allow privilege escalation using the escalate and bind verbs.

15/11/2022
Read more...
External Secrets Operator: Generate secrets using a template

2 min read

We can use the External Secrets Operator to retrieve secrets from some backend and push it into a vanilla Kubernetes Secrets to be consumed as usual as a key-value. Not all applications work in the same way so we might need to format it in a way that the application is able to consume it.

08/11/2022
Read more...
OPA gatekeeper: Create a rule to warn the users

2 min read

OPA gatekeeper is most commonly used to block retain objects from getting into the Kubernetes cluster, but we can use it to warn the user as well

07/11/2022
Read more...
Openshift: Project object contains (some) immutable fields

2 min read

There are just slight differences between a Project and a Namespace in OpenShift, what can be shocking is the fact that Project's metadata is (with exceptions) immutable.

04/11/2022
Read more...

Kubernetes:
container orchestration

tags related to this category

yq kubectl Linkerd Argo Rollouts Rollouts Capsule Pod MutatingAdmissionPolicy MutatingAdmissionPolicyBinding kind plugin custom command Argo Workflows CronWorkflow StatefulSet Workflow Kaniko WorkflowTemplate install kubernetes security Pod Security Standards port-forward socat operator-sdk golang Pushgateway RBAC Rule troubleshooting APIRequestCount affinity topologySpreadConstraints Route ExternalSecret Secret jsonpath ServiceAccount Ingress k3s letsencrypt tcpdump ssh CRD additionalPrinterColumns Velero query PV Operator Role ClusterRole web-console operator oc-mirror Secrets Manager tekton context Policy enforcement Rules Project ConfigMap Environment ROSA IngressRoute redirect RDS psql API server S3 patch file apply selector minikube arm64 colima EKS-connector SecurityContextConstraint SecretStore scripting CRC credentials Deployment valueFrom setup helm StorageClass tagging EBS externalDNS ALB HPA convert API version example shipwright ECR imagePullSecrets ENI subnet krew blame cloud provider etcd availability zones CoreDNS backend state podAntiAffinity Composite images GKE activeDeadlineSeconds Job lifetime bestby IRSA label annotation PersistentVolume Volume fsGroup vpa cluster autoscaler Karpenter provider kubernetes_manifest fsGroupChangePolicy container escape spot instances termination handler persistentVolumeReclaimPolicy fieldPath upgrade privileged network NetworkPolicy bash ps longhorn ASCP QoD raspberry pi drain evict uncordon kubeconfig config view logs admission controller hook postStart preStop deprecations gp3 get-all taints securityGroup probe readinessProbe livenessProbe tolerations explain MutatingWebhook startupProbe RollingUpdate Recreate PDB emptyDir netstat ss autoscale Kubeconfig initContainers DNS tree DaemonSet stern tail LimitRange resource limits restartPolicy system-upgrade-controller rolling update history undo Volumes awsElasticBlockStore change-cause set image imperative hostAliases imagePullPolicy metrics-server Service overlay agent nodes declarative ELB HTTPS alpine package nodeSelector scheduler kubie api-versions events multiple containers SecretKeyRef ReplicaSet NodePort Pod restart rollout deployment nginx-contoller ValidatingWebhookConfiguration error recovery httpHeaders uid securityContext exec interactive LoadBalancer IAM scale replicas nodeName externalName namespace Cronjob multinode template yaml unused-volumes diff

Exclude certain namespaces from a OPA gatekeeper rule

Kubernetes: Configure privilege escalation using the escalate and bind verbs

External Secrets Operator: Generate secrets using a template

OPA gatekeeper: Create a rule to warn the users

Openshift: Project object contains (some) immutable fields

Kubernetes:container orchestration

Categories

tags related to this category

Kubernetes:
container orchestration