Alessandro Vozza ams0

@ams0
ams0 / scan_all_k8s_images.sh
Created March 11, 2021 00:35
A script to scan all images in the current Kubernetes cluster with Trivy (https://github.com/aquasecurity/trivy) for high & critical vulnerabilities.
#!/bin/bash
# Abort early if trivy is not installed; the original fell through and ran the loop anyway
if [ ! -f /usr/local/bin/trivy ]; then
  echo "Trivy not found! Please install it from https://github.com/aquasecurity/trivy"
  exit 1
fi
# Collect every distinct image referenced by any pod in any namespace, then scan each one
# for HIGH and CRITICAL findings only
for image in $(kubectl get pods --all-namespaces -o jsonpath="{..image}" |
  tr -s '[[:space:]]' '\n' |
  sort -u); do
  trivy image -s HIGH,CRITICAL "$image"
done
ams0 / git-rebase.sh
Created February 12, 2021 15:58
A script to rebase branch X from branch Y
#!/bin/bash
# Usage: gitrebase.sh <branch to rebase into> <branch to rebase from>
#   $> gitrebase devel main
echo "Rebasing branch $1 from branch $2"
git checkout "$1"
git pull
ams0 / backup-github.md
Last active January 12, 2021 13:11
Backup your Github account and start over

# Backup your GitHub account

Install the NPM package "repos":

npm install -g repos

Get a list of all your repos:

...
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    - --audit-log-path=/var/log/audit.log
    - --audit-log-maxsize=10
    - --audit-log-maxbackup=7
ams0 / check_storage_account_public_access_containers.sh
Last active January 7, 2021 01:03
Checks the current subscription for public access containers in all storage accounts
#!/bin/bash
red=`tput setaf 1`
reset=`tput sgr0`
subscription=$(az account show -o tsv --query id)
echo "Checking subscription $subscription"
for account in `az storage account list -o tsv --query [].name`
#Kubenet vs AzureCNI for Cilium investigation
az aks create -k 1.19.3 --enable-managed-identity -g k8s --network-plugin kubenet -s Standard_B4ms -c 2 -n kubenet --no-wait
az aks create -k 1.19.3 --enable-managed-identity -g k8s --network-plugin azure -s Standard_B4ms -c 2 -n cilium --no-wait
AzureCNI
# cat /etc/systemd/system/kubelet.service
[Unit]
Description=Kubelet
ConditionPathExists=/usr/local/bin/kubelet

Configure audit logging & troubleshooting containerd-based kubeadm

First, we'll need a VM. With one command you can create a VM in Azure and pass it a cloud-init script that installs containerd and kubeadm and deploys a single-node Kubernetes cluster:

wget https://gist.githubusercontent.com/ams0/0e57d15d53782c2c2259cce8545caa70/raw/d4e0686e4dc068ea146717af5d5a7be3dab97a4c/kubeadm-containerd.sh

# az group create needs a location unless one is set via `az configure --defaults location=...`;
# <location> below is a placeholder, not a value from the original gist
az group create -n cks -l <location>
az vm create -g cks -n cks --image UbuntuLTS --ssh-key-values ~/.ssh/id_rsa.pub --admin-username cks --size Standard_B4ms --custom-data kubeadm-containerd.sh
apiVersion: apps/v1
kind: Deployment
metadata:
  name: azure-vote-back
spec:
  replicas: 1
  selector:
    matchLabels:
      app: azure-vote-back
  template:
#!/bin/bash
# Install kubeadm with containerd https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/ & https://kubernetes.io/docs/setup/production-environment/container-runtimes/
#Prepare system for containerd
cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOF

CKS notes December 2020

General

Backup config files!!

alias k=kubectl

sudo runc --root /run/containerd/runc/k8s.io list