When configuring RBAC permissions, we may want to verify that they are correct by checking what a user (or ServiceAccount) can do. We can use kubectl auth can-i for this.
29/11/2022
To expose a service externally on OpenShift we can use the Route object. Generally speaking, Routes can be either secured or unsecured. If we choose to use a secured route, we can configure it to work in three different ways: edge, passthrough and reencrypt.
28/11/2022
A Pod can fail to run with the following error:
standard_init_linux.go:178: exec user process caused "exec format error"
24/11/2022
To prevent OPA Gatekeeper from applying rules to some namespaces we can add exclusions at the rule level, but this can be very inconvenient since we would need to add them to every single rule. A change to this exclusion list can be a pain as well.
We can configure the ValidatingWebhookConfiguration to restrict it globally to namespaces that have some label.
23/11/2022
To test permissions, it can be convenient to allow our own user to impersonate other users (and ServiceAccounts as well). To do so we'll have to use the impersonate verb as follows:
- apiGroups: [""]
  resources: ["users", "groups", "serviceaccounts"]
  verbs: ["impersonate"]
22/11/2022