nyrahul

#!/usr/bin/env bash

annotate()
{
    ns_ignore_list=("kube-system" "explorer" "cilium" "kubearmor")
    while read line; do
        depnm=${line/ */} 
        depns=${line/* /}
        [[ " ${ns_ignore_list[*]} " =~ " ${depns} " ]] && continue
        echo "Applying KubeArmor visibility annotation for namespace=[$depns], $1=[$depnm]"

nyrahul

# -------[ Cilium installation on GKE ]---------
NATIVE_CIDR="$(gcloud container clusters describe "cluster-core-backend" --zone "us-central1-c" --format 'value(clusterIpv4Cidr)')"

# with hubble-relay
helm install cilium cilium/cilium --version 1.9.6 \
    --namespace kube-system \
    --set nodeinit.enabled=true \
    --set nodeinit.reconfigureKubelet=true \
    --set nodeinit.removeCbrBridge=true \
    --set cni.binPath=/home/kubernetes/bin \

nyrahul

#!/bin/bash

# Usage: $0 <pod> [tcpdump-filter]

[[ "$1" == "" ]] && echo "Usage: $0 <pod> [tcpdump-filter]" && exit 1

ep_id=`kubectl get cep -A -o jsonpath="{.items[?(@.metadata.name==\"$1\")].status.id}"`
iface=`cilium endpoint get $ep_id -o jsonpath="{[*].status.networking.interface-name}"`
shift

nyrahul

ssh -L 6060:127.0.0.1:6060 vagrant@192.168.34.11

golang pprof tool by default starts the pprof web server on localhost:6060. My pprof was running inside a VM and I needed to access the web server from the host. I could ssh to the VM. Thus I needed to enable port-forwarding on the host to the VM (remote).

ssh -L 6060:127.0.0.1:6060 vagrant@192.168.34.11
         |      |       |  |-------v------------|
         |      |       |           \--------------- remote ssh user@hostname
         |      |       |
         |      |       \--------- remote port to forward
         |      |

nyrahul

#include <stdio.h>

#define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2 * !!(condition)]))

int main(void)
{
    struct t { 
        int x;
        int y;
        int z;

nyrahul

# Generate ssh keys
ssh-keygen -t rsa

# Add my pub key as an authorized key on the remote host rahul@vbox20
cat ~/.ssh/id_rsa.pub | ssh rahul@vbox20 'mkdir -p .ssh && cat >> .ssh/authorized_keys'

nyrahul

#!/bin/bash

ignore_evts="futex switch clock_gettime io_getevents sched_getaffinity getrusage nanosleep rt_sigaction rt_sigprocmask ioctl sched_yield sigreturn times"
declare -A map

[[ "$1" == "" ]] && echo "Need container name as input" && exit 1
[[ $UID -ne 0 ]] && echo "Need to exec as root" && exit 1
[[ ! -x "$(which jq)" ]] && echo "Need jq command (try, apt install jq)" && exit 1
[[ ! -x "$(which sysdig)" ]] && echo "Need sysdig command (try, apt install sysdig)" && exit 1

nyrahul

#! /usr/bin/env python

# Aim of this script is to send a vxlan tunneled HTTP request with spoofed
# identity and pass through the authz checks implemented in cilium-ebpf.

# Configuration you need to set correct:
# 1. The target pod address (dip, dport) to which you want to make unauthorized access
# 2. The source identity (identity = 8849 below) to spoof. Use `cilium identity
#    list` to check valid identity values.
# 3. The target node's vxlan IP address (vxlan_ip) and port (vxlan_port = 8472

nyrahul

#!/bin/bash
# Switch all the remotes from https to git
# e.g, https://github.com/username/reponame.git -> git@github.com:username/reponame.git

switch4remote()
{
    url=`git remote get-url $1`
    [[ ! $url =~ ^https ]] && echo "Remote [$1] might be on git already" && return 0

    path=`echo $url | sed -Ene 's#https://github.com/(.*)#\1#p'`

nyrahul

❯ sudo perf stat -e 'syscalls:sys_enter_*' iperf -c localhost 2>&1 | awk '$1 != 0'
------------------------------------------------------------
Client connecting to localhost, TCP port 5001
TCP window size: 2.50 MByte (default)
------------------------------------------------------------
[  3] local 127.0.0.1 port 41332 connected with 127.0.0.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  66.0 GBytes  56.7 Gbits/sec

 Performance counter stats for 'iperf -c localhost':