Jaime Gonzalez Aguilar jaimegag

View GitHub Profile
apiVersion: flowcontrol.apiserver.k8s.io/v1
kind: FlowSchema
metadata:
  name: limit-pods-namespace-appteam1
spec:
  distinguisherMethod:
    type: ByNamespace # so that requests originating from the same namespace are grouped together
                      # into the same flow, so that workloads in the "bad" namespace can't overwhelm
                      # those in another namespace.
  matchingPrecedence: 8000 # to be adjusted based on other existing FlowSchemas configured in the cluster
@jaimegag
jaimegag / gist:8ec6978ca1985c8f925c9d7ed1b773c8
Created November 3, 2021 20:38
TKGm Enable PodSecurityPolicy Admission Controller
#@ load("@ytt:overlay", "overlay")
#@ load("@ytt:data", "data")
#! Enable PodSecurityPolicy Admission Controller.
#@overlay/match missing_ok=True,by=overlay.subset({"kind":"KubeadmControlPlane"})
---
spec:
  kubeadmConfigSpec:
    #@overlay/match missing_ok=True
    clusterConfiguration:
@jaimegag
jaimegag / fluent-bit-configmap-kafka.yaml
Created June 26, 2020 03:25
FluentBit ConfigMap with audit logs for Kafka Output
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluent-bit-config
  namespace: tanzu-system-logging
  labels:
    k8s-app: fluent-bit
data:
  # Configuration files: server, input, filters and output
  # ======================================================
@jaimegag
jaimegag / fluent-bit-configmap.yaml
Created June 24, 2020 01:41
FluentBit ConfigMap with audit logs
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluent-bit-config
  namespace: tanzu-system-logging
  labels:
    k8s-app: fluent-bit
data:
  # Configuration files: server, input, filters and output
  # ======================================================
@jaimegag
jaimegag / KubeadmControlPlane.yaml
Last active June 24, 2020 01:40
KubeadmControlPlane with audit logs
apiVersion: controlplane.cluster.x-k8s.io/v1alpha3
kind: KubeadmControlPlane
metadata:
  name: '${ CLUSTER_NAME }-control-plane'
  namespace: '${ NAMESPACE }'
spec:
  infrastructureTemplate:
    apiVersion: infrastructure.cluster.x-k8s.io/v1alpha3
    kind: VSphereMachineTemplate
    name: '${ CLUSTER_NAME }-control-plane'

CFCR Certificate Rotation for Multi-Master Multi-AZ deployments

This approach rotates all certificates at once and then updates all etcd (Master) nodes at the same time. Unfortunately, BOSH can't update all Master nodes at the same time when they are deployed across AZs, so the procedure here scales the Master nodes down to one, updates all certificates across all VMs, and then scales back up. This is faster but somewhat riskier, since the cluster runs with a single Master node for a few minutes.

An alternative is a more graceful approach: first roll out a new CA concatenated with the old CA, then regenerate the leaf certificates for the etcd servers, and finally remove the old CA. This requires three passes (cluster updates), so it is slower, but it is safer and allows BOSH to update Master nodes one at a time. This gist does not go into the details of how to do that.

@jaimegag
jaimegag / ingress-rbac-allinone.yml
Last active January 29, 2018 06:31
All In One NGINX Ingress Controller with RBAC and sample service
---
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount