Eric Tune erictune
@erictune
erictune / README.txt
Last active June 25, 2020 22:54
How Condition Types are defined across various types.go files that follow the Kubernetes Resource Model (KRM)
Advice on how to use conditions in Kubernetes types has varied over time and is interpreted differently by different people.
I'm interested in how people chose to use conditions, and how they define condition type names.
I've previously crawled github to find definitions of conditions in types.go files. Here I present 364 code
snippets from various types.go files which are go `const` blocks, which match the substring `ConditionType`.
The data is in YAML format (I think). `example_url` is a github url for a file that contains this code snippet. It is
_not_ necessarily the canonical location for this file. The link is to the first line of the constant definition block.
The `approx_popularity` is a measure of how many times I saw this block across non-identical types.go files, so a rough
@erictune
erictune / README.md
Last active December 2, 2018 02:41
Next Steps for viewers of "Kubernetes Extensibility", presented at Dockercon SF 2018 by Eric Tune and Tim Hockin
@erictune
erictune / gist:9dc7ae4b22505b9a8c20ad9cd03a45cc
Created December 13, 2016 18:59
Notes on use of --anonymous-auth
The `--anonymous-auth=` flag is new in 1.5. It is an option on `kube-apiserver`, `federations-apiserver` and `kubelet`.
When it is set to `true`, users who are not authenticated using another means are authenticated as user `system:anonymous`.
This flag is true by default in 1.5.0. For certain common configurations, true is safe. However, for other configurations
it is not safe, and in some cases, upgrading to 1.5.0 may result in any user on your network being able to access some or all
of the API. This is mentioned in the release notes. However, in version 1.5.1 we changed the default to `false`.
The purpose is to allow for certain api endpoints on the apiserver to be accessible to unauthenticated
users. For example, a client might need to determine the server's version by accessing the `/version` endpoint before
--- FAIL: TestDiscoveryAtAPIS (0.33s)
Error Trace: master_test.go:288
Error: Not equal: "extensions" (expected)
!= "batch" (actual)
Error Trace: master_test.go:289
Error: Not equal: []unversioned.GroupVersionForDiscovery{unversioned.GroupVersionForDiscovery{GroupVersion:"extensions/v1beta1", Version:"v1beta1"}} (expected)
!= []unversioned.GroupVersionForDiscovery{unversioned.GroupVersionForDiscovery{GroupVersion:"batch/v1", Version:"v1"}} (actual)
Diff:
Kubernetes SIG-Auth
Kubernetes Special Interest Group for Authentication and Authorization
Goals for this SIG:
Discuss improvements to Kubernetes Authorization and Authentication, and cluster security policy.
Not in scope for this SIG:
To report specific vulnerabilities in Kubernetes, please report using these instructions: http://kubernetes.io/v1.1/docs/reporting-security-issues.html
General discussion of Linux security, or of containers is better directed to a non-Kubernetes mailing list.
Proactive or general security discussion about Kubelet should go to [email protected].
@erictune
erictune / conformance.log
Last active August 29, 2015 14:27
Kubernetes conformance test result for GKE cluster at v1.0.1
Conformance test using current-context of /Users/etune/.kube/config
Conformance test run date:Wed Aug 12 23:32:12 PDT 2015
Conformance test SHA:09b33467347d1afddcdaff2a722cedb6308f30cd
Conformance test version tag(s):
Conformance test checking conformance with Kubernetes version 1.0
Conformance test: not doing test setup.
I0812 23:32:13.520763 97990 e2e_test.go:97] The --provider flag is not set. Treating as a conformance test. Some tests may not be run.
>>> testContext.KubeConfig: /Users/etune/.kube/config
INFO: Waiting up to 10m0s for all pods (need at least 0) in namespace 'kube-system' to be running and ready
@erictune
erictune / conformance.log
Created July 8, 2015 22:04
Kubernetes conformance test result for GCE cluster
Conformance test using /Users/etune/.kube/config against master at 104.154.73.106
Conformance test run date:Wed Jul 8 14:10:22 PDT 2015
Conformance test SHA:98f57a65144926a8191c3e86b203844331909782
Conformance test version tag(s):
Conformance test checking conformance with Kubernetes version 1.0
Conformance test: not doing test setup.
export PATH=/Users/etune/go/src/github.com/GoogleCloudPlatform/kubernetes/_output/local/bin/darwin/amd64:/Users/etune/google-cloud-sdk/bin:/usr/local/git/current/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/X11/bin:/usr/local/go/bin:/usr/local/go/bin:/Users/etune/go/bin:/Users/etune/bin:/Users/etune/go-tools/bin:/usr/local/Cellar/node/0.12.4/libexec/npm/bin/
/Users/etune/go/src/github.com/GoogleCloudPlatform/kubernetes/_output/local/bin/darwin/amd64/ginkgo --skip=Cadvisor|MasterCerts|Density|Cluster\slevel\slogging|Etcd\sfailure|Load\sCapacity|Monitoring|Namespaces.*seconds|Pod\sdisks|Reboot|Restart|Nodes|Scale|Services.*load\sbalancer|Services.*NodePo
@erictune
erictune / gist:19d96228c25609f0d20b
Created July 7, 2015 20:44
Failure in a kubernetes e2e test
• [SLOW TEST:16.033 seconds]
Networking
/go/src/github.com/GoogleCloudPlatform/kubernetes/_output/dockerized/go/src/github.com/GoogleCloudPlatform/kubernetes/test/e2e/networking.go:254
should provide Internet connection for containers
/go/src/github.com/GoogleCloudPlatform/kubernetes/_output/dockerized/go/src/github.com/GoogleCloudPlatform/kubernetes/test/e2e/networking.go:81
------------------------------
Services
should be able to change the type and nodeport settings of a service
/go/src/github.com/GoogleCloudPlatform/kubernetes/_output/dockerized/go/src/github.com/GoogleCloudPlatform/kubernetes/test/e2e/service.go:492
[BeforeEach] Services