$ cosign verify registry.k8s.io/kube-apiserver-amd64:v1.25.2
https://github.com/jonjohnsonjr/apkrane
$ apkrane ls https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz --latest --full
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>my.gitsign-credential-cache</string>
<key>ProgramArguments</key>
<array>
#!/bin/bash
# Set the IFS variable to a newline character
IFS=$'\n'
# Get the list of docker images
images=$(docker images -a)
# Loop through the list of images
for image in $images; do
export $(grep -v '^#' /etc/etcd.env | xargs -d '\n')
etcdctl
etcdctl endpoint health status --cluster -w table && etcdctl endpoint status --cluster -w table
In containerd, there is actually a garbage collector which can be found here: https://github.com/containerd/containerd/blob/master/docs/garbage-collection.md. In the cleanup phase, only objects that are not associated (i.e. have no image reference) are removed - those marked as "dirty" are kept. To clean up unused images and running/stopped containers, this can be used.
While not yet production-ready, the tool at https://github.com/Azure/eraser could be used to achieve this. However, it may be difficult and complex to run this on all nodes. Descheduler cannot solve this problem as it does not run as a daemonset, but kubelet garbage collection can be used instead (checking if it is enabled in the current configs): https://kubernetes.io/docs/concepts/architecture/garbage-collection/#containers-images.
It seems that containerd does not support log rotation. I found a solution that involves using kubelet (as described in containerd/containerd#3351 (comment), also pr: https
package:
  name: kubevela
  version: 1.7.0
  epoch: 0
  description: KubeVela is a modern application delivery platform that makes deploying and operating applications across today's hybrid, multi-cloud environments easier, faster and more reliable
  target-architecture:
    - all
  copyright:
    - license: Apache-2.0
      paths:
Bolt operations are copy-on-write. When a page is updated, it is copied to a completely new page. The old page is added to a "freelist", which Bolt refers to when it needs a new page. This means that deleting large amounts of data will not actually free up space on disk, as the pages are instead kept on Bolt's freelist for future use. In order to free up this space to disk, you will need to perform a defrag.
The process of defragmentation releases this storage space back to the file system. Defragmentation is issued on a per-member basis so that cluster-wide latency spikes may be avoided.
setup
$ kind create cluster
install zot with minimal image for security-minded dist-spec-only
$ helm upgrade zot zot/zot --set image.repository=ghcr.io/project-zot/zot-minimal-linux-amd64
#!/usr/bin/env bash
set -euox pipefail
TAG=v1.26.0-rc.1
URL=https://dl.k8s.io/release/$TAG/bin/linux/amd64
BIN=kubectl
for EXT in "" .sig .cert; do
  FILE=$BIN$EXT
  curl -sSfL --retry 3 --retry-delay 3 $URL/$FILE -o $FILE
Got some answers from #sig-auth: https://kubernetes.slack.com/archives/C0EN96KUY/p1667201299188199
{
"iss": "https://idp.example",
"aud": "some-audience",