Joshua Hoblitt jhoblitt

How to disable Kube-Proxy in RKE2

Example use case: Running the Cilium CNI without any kube-proxy

On all RKE2 servers (master nodes), add the following configuration to your /etc/rancher/rke2/config.yaml file:

disable-kube-proxy: "true"

Now the important step: If you already had stared the RKE2 service before (without this flag and with kube-proxy enabled), ensure to also delete the kube-proxy.yaml static pod manifest:

Introduction

Did you know that you can have multiple helm tillers running in a cluster?
This may actually be useful to us for both security as well as isolating what our cluster ops team does from what our customers can do.

Background

Current Helm Access Control

Helm security is such that "If you can talk to tiller, you can use that tiller" To be able to contact tiller, one needs to be able to create a pod in the namespace tiller resides in. Otherwise you will get an error message like:

	package config

	import (
	"errors"
	"io/ioutil"

	"gopkg.in/yaml.v2"
	)

	type Config struct {

	package main

	/*
	Golang SSHAgent Usage
	https://orebibou.com/2019/03/golang%E3%81%A7ssh-agent%E3%81%8B%E3%82%89%E9%8D%B5%E3%82%92%E5%8F%96%E5%BE%97%E3%81%97%E3%81%A6ssh%E6%8E%A5%E7%B6%9A%E3%81%99%E3%82%8B/
	*/

	import (
	"fmt"
	"golang.org/x/crypto/ssh"

	-- https://www.howtoforge.com/tutorial/ubuntu-desktop-devilspie-2/

	debug_print("--------------------------------------------------------------------------------")
	debug_print("Window Name: ".. get_window_name());
	debug_print("Application name: "..get_application_name())
	debug_print("--------------------------------------------------------------------------------")

	editor_workspace = 1
	browser_workspace = 2
	terminal_workspace = 1

	# Use dig to find out about the k8s records
	# dig +vc -p 5300 @127.0.0.1 cluser.local

	# Use dig to retrieve an A Record
	# dig +vc -p 5300 @127.0.0.1 A cb-example-0000.default.svc.cluster.local

	# Use dig to do a reverse lookup (-x flag)
	#dig +vc -p 5300 @127.0.0.1 -x 10.0.50.156

	# Add the port forward

	# make sure crypt module in use
	sudo modprobe dm-crypt

	# Find out which drive it was with the following command:
	sudo fdisk -l

	# You must mount /dev/sda3 myvolume
	# use cryptsetup, device is accessible under /dev/mapper/myvolume
	sudo cryptsetup luksOpen /dev/sde3 myvolume

	#!/usr/bin/env python3
	"""
	License: MIT License
	Copyright (c) 2023 Miel Donkers

	Very simple HTTP server in python for logging requests
	Usage::
	./server.py [<port>]
	"""
	from http.server import BaseHTTPRequestHandler, HTTPServer

	// A Declarative Pipeline is defined within a 'pipeline' block.
	pipeline {

	// agent defines where the pipeline will run.
	agent {
	// This also could have been 'agent any' - that has the same meaning.
	label ""
	// Other possible built-in agent types are 'agent none', for not running the
	// top-level on any agent (which results in you needing to specify agents on
	// each stage and do explicit checkouts of scm in those stages), 'docker',

	If you are trying to decide between this and the MySQL version, this is better.
	I've tried to document what I learned setting up pwm-1.8.0-SNAPSHOT-2016-10-26T09:44:11Z-pwm-bundle.zip from https://github.com/pwm-project/pwm, an LDAP self-service java webapp on Oracle Linux 6. RHEL or CentOS should work exactly the same.
	My lastest attempt as of 2/22/17, worked on Oracle Linux 7 (should work exatly the same on CentOS 7 or RHEL 7) _updating to_ the file pwm-1.8.0-SNAPSHOT-2017-02-19T20:34:49Z-pwm-bundle.zip from https://github.com/pwm-project/pwm

	For the impatient:
	DONT RUN TOMCAT UNMODIFIED on your FreeIPA server. FreeIPA uses its own Tomcat.
	Install java 7, tomcat 7 from binaries at the Apache website (don't use distro's packages), and deploy the pwm.war file.
	Adjust your firewall to open TCP 8080, if using default Tomcat settings.
	The guided configuration wizard doesn't work because you have to adjust the unique ID attribute name, use manual configuration.
	Choose OpenLDAP for the configuration type.