---
# Source: metallb/templates/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: metallb-system
---
# Source: metallb/templates/rbac.yaml
# Roles
# Build stage for the oauth2_proxy binary; the rest of this stage (how SRC_REPO/SRC_TAG
# are consumed, the go build itself) is not visible in this excerpt.
# NOTE(review): the base tag targets Debian 8 "jessie", which is past end-of-life and no
# longer receives security updates, and it is pinned by tag only (no @sha256 digest), so
# the build is not reproducible against a known image.
FROM bitnami/minideb-extras:jessie-r14-buildpack as build
# NOTE(review): bitly/oauth2_proxy is archived upstream; the maintained fork is
# oauth2-proxy/oauth2-proxy. A git tag is also mutable -- pinning SRC_TAG to a commit
# SHA would make the fetched source verifiable rather than trusted on the tag name alone.
ARG SRC_REPO=github.com/bitly/oauth2_proxy
ARG SRC_TAG=v2.2
ARG BINARY=oauth2_proxy
# The Go toolchain is fetched with an explicit --checksum (presumably sha256 of the
# package, verified by bitnami-pkg -- confirm), which is good; the version itself
# (Go 1.8.x) is long out of upstream support.
RUN bitnami-pkg install go-1.8.7-0 --checksum b4f95f751cfee5dfc82820327089c7a9afd09ecadb41894189e5925ed61c1390
# CA bundle so the source fetch over HTTPS can validate certificates.
RUN install_packages ca-certificates
ENV GOPATH=/gopath
# NOTE(review): extensions/v1beta1 DaemonSet was removed in Kubernetes 1.16; current
# clusters only accept apps/v1. The pod template (what actually runs on every node,
# in kube-system) is not visible in this excerpt.
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
namespace: kube-system
name: kube-proxy-cleanup
labels:
k8s-app: kube-proxy-cleanup
spec:
selector:
matchLabels:
---
# NOTE(review): apps/v1beta1 Deployment was removed in Kubernetes 1.16; use apps/v1.
# Selector and pod template are cut off in this excerpt.
apiVersion: apps/v1beta1
kind: Deployment
metadata:
labels:
app: mideploy
name: mideploy
spec:
replicas: 3
selector:
# NOTE(review): apps/v1beta1 StatefulSet was removed in Kubernetes 1.16; use apps/v1.
# The pod template and volumeClaimTemplates are cut off in this excerpt.
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
name: nginx-sts-pvc
spec:
replicas: 3
serviceName: nginx-sts
updateStrategy: {type: RollingUpdate}
template:
metadata:
$ helm fetch stable/mysql
$ helm template mysql-0.6.0.tgz
---
# Source: mysql/templates/secrets.yaml
# NOTE(review): `helm template` renders Secret manifests in the clear (values are only
# base64-encoded, not encrypted), so any credentials this chart generates end up in the
# rendered output; treat it as sensitive and do not commit or paste it.
apiVersion: v1
kind: Secret
metadata:
name: RELEASE-NAME-mysql
labels:
app: RELEASE-NAME-mysql
#!/bin/sh
# Launch a Pod that abuses `privileged: true` to land on a Kubernetes cluster node as root:
# the privileged container runs `nsenter` into the node's init (PID 1) mount namespace,
# with hostPID and hostNetwork already set on the Pod.
# NOTE(review): Pod Security Admission at `baseline` or stricter rejects privileged
# containers and hostPID, so this only works in namespaces exempt from it.
node=${1}
case "${node}" in
"")
nodeSelector=''
podName=${USER+${USER}-}sudo-any
;;
jjo / kubectl-root-in-host-nopriv.sh
Last active February 5, 2024 23:07
Yeah. Get a root shell at any Kubernetes *node* via `privileged: true` + `nsenter` sauce. PodSecurityPolicy will save us (note: PSP was removed in Kubernetes 1.25; its successor, Pod Security Admission at `baseline` or stricter, blocks privileged containers, hostPID and hostPath volumes). DenyExecOnPrivileged didn't (kubectl-root-in-host-nopriv.sh exploits it).
#!/bin/sh
# Launch a Pod that abuses a hostPath mount to land on a Kubernetes cluster node as root
# without `privileged: true`, which lets it slip past the `DenyExecOnPrivileged`
# admission controller. The Pod's command then starts a privileged container through the
# node's /var/run/docker.sock, so this only works on nodes whose runtime exposes that
# socket (Docker Engine); Pod Security Admission at `baseline` rejects hostPath volumes.
node=${1}
case "${node}" in
"")
nodeSelector=''
podName=${USER+${USER}-}docker-any
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: jjo-alp
name: jjo-alp
spec:
initContainers:
- args:
test-some_distros-most_CNIs.env-01.out:INFO: [2018-10-15T19:22:05+00:00] debian[kube_network_plugin=calico {"kubeadm_enabled":true}] START: file_out=./out/test-some_distros-most_CNIs.env-01.out
test-some_distros-most_CNIs.env-01.out:PASS: [2018-10-15T19:26:03+00:00] debian[kube_network_plugin=calico {"kubeadm_enabled":true}]}: dind-nodes
test-some_distros-most_CNIs.env-01.out:PASS: [2018-10-15T19:46:38+00:00] debian[kube_network_plugin=calico {"kubeadm_enabled":true}]}: kubespray
test-some_distros-most_CNIs.env-01.out:kube-system calico-kube-controllers-84b474f7c5-mn99n 1/1 Running 0 2m1s
test-some_distros-most_CNIs.env-01.out:kube-system calico-node-248sq 1/1 Running 0 2m25s
test-some_distros-most_CNIs.env-01.out:kube-system calico-node-4t2mq 1/1 Running 0 2m25s
test-some_distros-most_CNIs.env-01.out:kube-system calico-node-74xdj 1/1 Running 0 2m24s