Bipin Jethwani bjethwan

IPVS on AWS EC2
ip_vs & ipvsadm
Note: ipvsadm is just the CLI tool for interacting with the IP virtual server table in the kernel.
"ip_vs" is the kernel module that does the actual connection manipulation.
ipvsadm command options:
Either long or short options are allowed.
--add-service -A add virtual service with options
bjethwan / k8s-api-server-certs
Last active April 13, 2019 00:32
Dump client k8s certificates from your kubeconfig for use in a remote k8s cluster with the Kubernetai CoreDNS plugin
# Dump certs (client.crt, client.key, & ca.crt) in a directory called c3certs
export KUBECONFIG_PATH=/home/ec2-user/.kube/config
# Create the output directory first; the redirects below fail if it does not exist
mkdir -p c3certs
sudo cat "$KUBECONFIG_PATH" | grep client-certificate-data | cut -f2 -d : | tr -d ' ' | base64 -d > c3certs/client.crt
sudo cat "$KUBECONFIG_PATH" | grep client-key-data | cut -f2 -d : | tr -d ' ' | base64 -d > c3certs/client.key
sudo cat "$KUBECONFIG_PATH" | grep certificate-authority-data | cut -f2 -d : | tr -d ' ' | base64 -d > c3certs/ca.crt
# client.key is the private key for the client certificate; restrict it to the owner
chmod 600 c3certs/client.key
# Load the above certificates as a ConfigMap in the Kubernetes cluster running CoreDNS with the Kubernetai plugin
kubectl -n kube-system create cm c3certs --from-file=/home/ec2-user/c3certs
bjethwan / mutate-and-validate.md
Last active July 13, 2020 15:13
Deploying both validating and mutating webhook configs together for open policy agent (OPA) policies

Example setup for making OPA work for both validating and mutating policies.

This requires two webhook (dynamic admission controller) configurations: MutatingWebhookConfiguration and ValidatingWebhookConfiguration.

Replace the caBundle field below with the CA cert you used to generate the certs for OPA.

Check the att in the path. It will be used later in the ConfigMap carrying OPA config.

kind: MutatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1beta1
metadata:
 name: opa-mutating-webhook