jeesmon’s gists

jeesmon / ossm-forbid-unknown-egress.md

Created February 28, 2022 14:34

Istio can be configured to forbid the routing of addresses unknown to the mesh. Normally, if an application attempts to open a connection to an address that is unknown to the mesh, Istio would use DNS to resolve the address and execute the request. With the global.outboundTrafficPolicy mode option set to REGISTRY_ONLY, we can configure Istio to only allow connections to known addresses (that is, addresses for which a ServiceEntry is defined)

You can set outboundTrafficPolicy in OpenShift ServiceMesh by adding the following to ServiceMeshControlPlane:

spec:
....
  proxy:
    networking:
      trafficControl:

jeesmon / kubectl-multiple-clusters-connection.md

Created February 28, 2022 14:32

Ever needed an option to connect to multiple OpenShift/Kubernetes clusters at the same time? You can do it with from multiple Terminal sessions

Terminal 1

export KUBECONFIG=~/.kube/cluster1
kubectl login ...

Terminal 2

jeesmon / roks-satellite-ingress.md

Created February 28, 2022 14:26

endpointPublishingStrategy is used to publish the Ingress Controller endpoints to other networks, enable load balancer integrations, and provide access to other systems.

If not set, the default value is based on infrastructure.config.openshift.io/cluster .status.platform:

Azure: LoadBalancerService (with external scope)
ROKS on Satellite: LoadBalancerService (with external scope)

To view current endpointPublishingStrategy:

jeesmon / kubectl-rollout.md

Created February 28, 2022 14:22

Ever wondered how oc/kubectl rollout restart works for Deployment/StatefulSet/DaemonSet? It is simple as setting an annotation kubectl.kubernetes.io/restartedAt with current time on the resource. Controller of the resource will take care of the restart once the resource spec is changed by oc/kubectl.

Source code is here: https://github.com/kubernetes/kubectl/blob/3874cf79897cfe1e070e592391792658c44b78d4/pkg/polymorphichelpers/objectrestarter.go#L32

jeesmon / roks-cnv.md

Created February 28, 2022 14:20

ROKS clusters use RHEL 7.x hosts instead of RHCOS in a standard OCP install. Also, ROKS uses Calico overlay network instead of default OpenShiftSDN. These two changes cause trouble for OpenShift Container Native Virtualization (CNV) on ROKS.

[1] RHEL 7.x doesn’t support q35 machine types. It is the supported machine type in CNV. For CNV to work in ROKS, we need to use legacy i440fx machine types. Support for legacy machine types are not enabled by default in CNV. We need to explicitly enable it in CNV.

oc -n openshift-cnv edit cm kubevirt-config

# Add the following under data

emulated-machines: pc-q35*,pc-i440fx-*

jeesmon / openshift-docs.md

Created February 28, 2022 14:17

Install specific version of an operator https://docs.openshift.com/container-platform/4.8/operators/admin/olm-adding-operators-to-cluster.html#olm-installing-specific-version-cli_olm-adding-operators-to-a-cluster
Graceful shutdown/restart of OCP cluster: https://docs.openshift.com/container-platform/4.7/backup_and_restore/graceful-cluster-shutdown.html https://docs.openshift.com/container-platform/4.7/backup_and_restore/graceful-cluster-restart.html
Disaster recovery steps https://docs.openshift.com/container-platform/4.7/backup_and_restore/disaster_recovery/about-disaster-recovery.html
Recovering from expired controlplane certificates https://docs.openshift.com/container-platform/4.7/backup_and_restore/disaster_recovery/scenario-3-expired-certs.html
Debugging OpenShift web console, OperatorHub, internal registry, and other components

jeesmon / operator-subscription-config.md

Created February 28, 2022 14:13

You can configure operator deployed by OLM using Subscription Config. This will be handy for cluster administrators if there is a need to tweak the operator deployment based on cluster state. For example, you can update resource requests/limits of an OOMKilled operator pod, add a nodeSelector for operator, etc.

More details are here: https://github.com/operator-framework/operator-lifecycle-manager/blob/master/doc/design/subscription-config.md

jeesmon / kubectl-with-sa-token.md

Last active July 19, 2022 19:27

Ever needed an option to run oc or kubectl command from within a pod in the cluster with proper permissions and without hard coding your (short-lived) token? With right RBAC, you can do the authn for oc/kubectl using your service account token. This token will be automatically mounted on the pod together with CA cert and you can login to oc/kubectl like this:

oc login --token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  --server='https://kubernetes.default' \
  --certificate-authority='/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'

Another option:

jeesmon / kube-commands.md

Last active February 28, 2022 14:16

Show container runtime

oc get no -o custom-columns=NAME:.metadata.name,CONTAINER-RUNTIME:.status.nodeInfo.containerRuntimeVersion

OR

oc get no -o wide

jeesmon / kube-tools.md

Created February 28, 2022 14:07

Kubescape: https://github.com/armosec/kubescape
g: https://github.com/stefanmaric/g
Reloader: https://github.com/stakater/Reloader
Kyverno: https://kyverno.io/
Kubeplus: https://github.com/cloud-ark/kubeplus
stern: https://github.com/wercker/stern

Jeesmon Jacob jeesmon