

🏠
Working from home

Rodrigo Alvares ralvares

  • My Own Repo :)
  • Dubai - AE
@ralvares
ralvares / secured-cluster.yaml
Created February 17, 2023 09:17
RHACS SecuredCluster YAML definition adding proxy configuration
apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
  name: stackrox-secured-cluster-services
  namespace: stackrox
spec:
  admissionControl:
    bypass: BreakGlassAnnotation
    contactImageScanners: DoNotScanInline
    listenOnCreates: true
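The preview above is cut off before the proxy part. The following is an added example, not the gist's own YAML: it renders a complete SecuredCluster CR with the proxy settings placed under spec.customize.envVars, runs a pre-flight check on the NO_PROXY list, and only applies the manifest when asked to. The field path customize.envVars, the cluster name, Central endpoint, proxy URL and the CIDRs are assumptions to be replaced with the cluster's own values.

```shell
#!/bin/sh
# Added example, not the gist's own YAML: a complete SecuredCluster CR with the
# proxy settings under spec.customize.envVars. Assumptions: the RHACS Operator is
# installed in the stackrox namespace, customize.envVars is the field that
# injects environment variables into sensor, collector and admission-control,
# and every value below (cluster name, Central endpoint, proxy URL, CIDRs) is a
# placeholder to replace.
set -eu

CLUSTER_NAME=${CLUSTER_NAME:-prod-cluster}
CENTRAL_ENDPOINT=${CENTRAL_ENDPOINT:-central.example.com:443}
PROXY_URL=${PROXY_URL:-http://proxy.example.com:3128}
# Destinations that must bypass the proxy: in-cluster service names, the
# service and pod networks (OpenShift defaults shown; adjust to the cluster)
# and the API server. If these go through the proxy, sensor cannot reach the
# kube-apiserver or collector and the pods never become healthy.
NO_PROXY_LIST=${NO_PROXY_LIST:-localhost,127.0.0.1,.svc,.cluster.local,kubernetes.default.svc,172.30.0.0/16,10.128.0.0/14}

# Render the CR to stdout so it can be reviewed before anything is applied.
secured_cluster_manifest() {
  cat <<EOF
apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
  name: stackrox-secured-cluster-services
  namespace: stackrox
spec:
  clusterName: ${CLUSTER_NAME}
  centralEndpoint: ${CENTRAL_ENDPOINT}
  admissionControl:
    bypass: BreakGlassAnnotation
    contactImageScanners: DoNotScanInline
    listenOnCreates: true
  customize:
    envVars:
      - name: HTTP_PROXY
        value: ${PROXY_URL}
      - name: HTTPS_PROXY
        value: ${PROXY_URL}
      - name: NO_PROXY
        value: ${NO_PROXY_LIST}
EOF
}

# Pre-flight check: all three variables present, and NO_PROXY still excludes
# in-cluster names. Returns non-zero (and prints why) if either is violated.
manifest_has_proxy() {
  m=$(secured_cluster_manifest)
  for v in HTTP_PROXY HTTPS_PROXY NO_PROXY; do
    if ! printf '%s\n' "$m" | grep -q "name: $v"; then
      echo "missing $v in manifest" >&2
      return 1
    fi
  done
  case "$NO_PROXY_LIST" in
    *.svc*) ;;
    *) echo "NO_PROXY does not exclude in-cluster .svc names" >&2; return 1 ;;
  esac
}

# Apply only when explicitly requested, so the script is safe to review first.
if [ "${1:-}" = "--apply" ]; then
  manifest_has_proxy
  secured_cluster_manifest | kubectl apply -f -
fi
```

Run it without arguments to print the manifest, with --apply to create the CR. Keep credentials out of the proxy URL: anything placed in customize.envVars ends up in the pod specs of every secured-cluster component and is readable by anyone who can read those pods.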
@ralvares
ralvares / rhacs-image-puller-serviceaccount.yaml
Created February 17, 2023 09:06
Integrating the RHACS scanner with the internal OCP registry
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: stackrox
  name: stackrox-image-puller
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: stackrox-image-puller-clusterrolebinding
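The preview stops before the roleRef and subjects. The following is an added example, not the gist's YAML: it renders the service account together with a ClusterRoleBinding to the built-in system:image-puller ClusterRole, checks that no broader role is bound, and mints a bounded-lifetime token to use as the registry integration's password. The ClusterRole name, the registry service address image-registry.openshift-image-registry.svc:5000, the use of `oc create token` (OpenShift 4.11+) and the 24h lifetime are assumptions.

```shell
#!/bin/sh
# Added example, not the gist's YAML: a service account whose only right is to
# pull images from the internal OpenShift registry, for use as the credential of
# an RHACS registry integration. Assumptions: the built-in system:image-puller
# ClusterRole, the registry service address
# image-registry.openshift-image-registry.svc:5000, and `oc create token`
# (OpenShift 4.11+) for a bounded-lifetime token.
set -eu

NAMESPACE=${NAMESPACE:-stackrox}
SA_NAME=${SA_NAME:-stackrox-image-puller}
TOKEN_TTL=${TOKEN_TTL:-24h}   # placeholder lifetime; rotate via a scheduled job

# Render the RBAC objects. A ClusterRoleBinding (not a namespaced RoleBinding)
# is required because the scanner must pull from every project's image streams.
image_puller_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA_NAME}
  namespace: ${NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${SA_NAME}-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:image-puller
subjects:
  - kind: ServiceAccount
    name: ${SA_NAME}
    namespace: ${NAMESPACE}
EOF
}

# Least-privilege check: the only ClusterRole referenced must be
# system:image-puller. Binding anything broader would turn a pull credential
# stored in Central into a cluster-wide foothold if it leaked.
manifest_is_pull_only() {
  roles=$(image_puller_manifest | sed -n 's/^ *name: \(system:.*\)$/\1/p')
  [ "$roles" = "system:image-puller" ]
}

# Apply, then mint the token to paste as the password of a Generic Docker
# Registry integration (endpoint image-registry.openshift-image-registry.svc:5000,
# username = the service account name). Trust the service CA in Central rather
# than disabling TLS verification for that integration.
if [ "${1:-}" = "--apply" ]; then
  manifest_is_pull_only
  image_puller_manifest | oc apply -f -
  oc create token "$SA_NAME" -n "$NAMESPACE" --duration="$TOKEN_TTL"
fi
```

Without arguments the script only prints the manifest; with --apply it creates the objects and prints the token once. The token is a cluster-wide pull credential, so bound its lifetime and re-issue it on a schedule instead of relying on a long-lived service account token secret.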
@ralvares
ralvares / disable_default_policies.sh
Created February 6, 2023 13:17
Disable all the default policies in RHACS
#!/bin/bash
# Central endpoint and API token are read from the environment so the token
# never has to be passed on the command line.
if [[ -z "${ROX_ENDPOINT}" ]]; then
  echo >&2 "ROX_ENDPOINT must be set"
  exit 1
fi
if [[ -z "${ROX_API_TOKEN}" ]]; then
  echo >&2 "ROX_API_TOKEN must be set"
  exit 1
fi
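The preview ends after the environment checks. The following is an added example, not the gist's script: it lists policies through the Central API, selects only the built-in ones that are still enabled, and patches each to disabled, with the selection kept separate from the network calls so it can be tested against a saved response. The response shape of GET /v1/policies (a policies array with id, name, disabled and isDefault fields), the PATCH /v1/policies/<id> body {"disabled": true}, the availability of jq and curl, and the KEEP_REGEX and DRY_RUN parameters are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not the gist's script: disable the RHACS default policies that
# are still enabled, via the Central API. Assumptions: GET /v1/policies returns
# {"policies":[{"id":..,"name":..,"disabled":..,"isDefault":..},..]},
# PATCH /v1/policies/<id> accepts {"disabled": true}, jq and curl are installed,
# and KEEP_REGEX / DRY_RUN are parameters introduced by this example.
set -eu

require_rox_env() {
  if [ -z "${ROX_ENDPOINT:-}" ] || [ -z "${ROX_API_TOKEN:-}" ]; then
    echo "ROX_ENDPOINT and ROX_API_TOKEN must be set" >&2
    return 1
  fi
}

# Selection logic kept free of I/O so it can be run against a saved response:
# built-in (isDefault) policies that are not yet disabled, minus any whose name
# matches KEEP_REGEX (the default ^$ matches no name, so nothing is kept).
select_default_enabled() {   # stdin: /v1/policies JSON; stdout: one id per line
  jq -r --arg keep "${KEEP_REGEX:-^$}" \
    '.policies[]
     | select(.isDefault == true and .disabled == false and ((.name | test($keep)) | not))
     | .id'
}

# Single place that talks to Central. The bearer token is handed to curl as a
# config file on stdin rather than as an argument, so it is not visible in ps.
rox_api() {   # $1 method, $2 path, $3 optional JSON body
  if [ $# -ge 3 ]; then set -- "$1" "$2" --data "$3"; else set -- "$1" "$2"; fi
  m=$1; p=$2; shift 2
  printf 'header = "Authorization: Bearer %s"\n' "$ROX_API_TOKEN" |
    curl -sSf -K - -X "$m" "https://${ROX_ENDPOINT}$p" \
      -H 'Content-Type: application/json' "$@"
}

disable_policy() {   # $1 policy id
  rox_api PATCH "/v1/policies/$1" '{"disabled": true}' >/dev/null
}

main() {
  require_rox_env
  ids=$(rox_api GET /v1/policies | select_default_enabled)
  n=0
  for id in $ids; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "would disable $id"
    else
      disable_policy "$id"
    fi
    n=$((n + 1))
  done
  echo "$n default policies selected" >&2
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run with DRY_RUN=1 first to see which ids would be touched. Disabling every default policy leaves the cluster with no built-in detection, so in practice set KEEP_REGEX to preserve the policies that matter, and remember that the API token used here needs write access to policies and should be scoped to a role with nothing more.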
@ralvares
ralvares / Deploy ACS on non-ocp.txt
Last active April 5, 2023 09:50
Adding a Kubernetes (AKS/EKS) cluster to ACS
4 simple steps
- Create the namespace
- Create the pull secret (required)
- Generate the cluster-init-bundle
- Install secured-cluster using Helm
# Create namespace and Pull-Secret from cloud.redhat.com
kubectl create namespace stackrox
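The four steps above as one idempotent script, added here as an example and not the gist's own commands. Assumptions: roxctl, helm and kubectl are installed, ROX_ENDPOINT and ROX_API_TOKEN point roxctl at Central, the pull secret downloaded from cloud.redhat.com is saved as a dockerconfigjson file, the Helm chart is rhacs/secured-cluster-services from the Red Hat chart mirror, and imagePullSecrets.useExisting is the chart value for reusing an existing pull secret. The check on the generated init bundle (looking for the sensor-tls, collector-tls and admission-control-tls secrets) is the practitioner's addition.

```shell
#!/bin/sh
# Added example, not the gist's commands: the four steps as one idempotent
# script for a non-OpenShift cluster (AKS/EKS). Assumptions: roxctl, helm and
# kubectl are installed, ROX_ENDPOINT/ROX_API_TOKEN point at Central, the Red Hat
# pull secret from cloud.redhat.com was saved to $PULL_SECRET_FILE, the chart is
# rhacs/secured-cluster-services and imagePullSecrets.useExisting is its value
# for reusing an existing pull secret.
set -eu

NAMESPACE=${NAMESPACE:-stackrox}
PULL_SECRET_NAME=${PULL_SECRET_NAME:-stackrox}
PULL_SECRET_FILE=${PULL_SECRET_FILE:-./pull-secret.json}
INIT_BUNDLE=${INIT_BUNDLE:-./cluster-init-secrets.yaml}

require_env() {   # $1 variable name; fails with a message if empty or unset
  eval "v=\${$1:-}"
  if [ -z "$v" ]; then
    echo "$1 must be set" >&2
    return 1
  fi
}

# The init bundle is the secured cluster's identity: sensor, collector and
# admission-control TLS key pairs. Verify it is complete before handing it to
# helm, and treat the file as a secret (never commit it; one bundle per cluster).
check_init_bundle() {   # $1 path to the --output-secrets file
  for s in sensor-tls collector-tls admission-control-tls; do
    if ! grep -Eq "^[[:space:]]*name:[[:space:]]*${s}[[:space:]]*$" "$1"; then
      echo "init bundle $1 is missing secret $s" >&2
      return 1
    fi
  done
}

main() {
  for var in CLUSTER_NAME CENTRAL_ENDPOINT ROX_ENDPOINT ROX_API_TOKEN; do
    require_env "$var"
  done
  # 1. namespace
  kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 || kubectl create namespace "$NAMESPACE"
  # 2. pull secret (required: the images are pulled from registry.redhat.io)
  kubectl -n "$NAMESPACE" create secret generic "$PULL_SECRET_NAME" \
    --type=kubernetes.io/dockerconfigjson \
    --from-file=.dockerconfigjson="$PULL_SECRET_FILE" \
    --dry-run=client -o yaml | kubectl apply -f -
  # 3. init bundle, written with owner-only permissions
  (umask 077; roxctl central init-bundles generate "$CLUSTER_NAME" --output-secrets "$INIT_BUNDLE")
  check_init_bundle "$INIT_BUNDLE"
  # 4. secured-cluster services via helm
  helm repo add rhacs https://mirror.openshift.com/pub/rhacs/charts/ >/dev/null 2>&1 || true
  helm upgrade --install -n "$NAMESPACE" stackrox-secured-cluster-services rhacs/secured-cluster-services \
    -f "$INIT_BUNDLE" \
    --set clusterName="$CLUSTER_NAME" \
    --set centralEndpoint="$CENTRAL_ENDPOINT" \
    --set imagePullSecrets.useExisting="{$PULL_SECRET_NAME}"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Invoke as CLUSTER_NAME=aks-prod CENTRAL_ENDPOINT=central.example.com:443 ./deploy.sh --run. The init bundle contains private keys for the secured cluster; generate a fresh one per cluster and remove the file once the release is up.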
@ralvares
ralvares / nfs-provisioner.yaml
Created November 7, 2022 13:54
nfs-provisioner
apiVersion: template.openshift.io/v1
kind: Template
labels:
  template: nfs-client-provisioner
message: 'NFS storage class ${STORAGE_CLASS} created.'
metadata:
  annotations:
    description: nfs-client-provisioner
    openshift.io/display-name: nfs-client-provisioner
    openshift.io/provider-display-name: Tiger Team
### libvirt lab network ###
cat > /root/lab.xml << EOF
<network connections='8'>
  <name>lab</name>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
@ralvares
ralvares / gist:9165194993a11842eff1532a418fc70f
Created October 4, 2022 09:37
sno-staticip version 4.11.5
# Updated for OCP 4.11.5
# https://gist.github.com/ralvares/976dce493b43c498cf781f8b8dff28d3
## Download Artifacts
# housekeep old vm if necessary
virsh destroy master-sno
virsh undefine master-sno
## openshift-client
@ralvares
ralvares / gist:ccdd35ddde0fce18084524f48001c0d4
Created September 23, 2022 07:55
Venafi - cert-manager
kubectl create secret generic cloud-secret \
  --namespace='sock-shop' \
  --from-literal=apikey='xxxxx-xxxxx-xxxxx-xxxxx-xxxxx'
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: cloud-venafi-issuer
  namespace: sock-shop
spec:
kubectl create secret docker-registry regcred --docker-password=TOKEN --docker-username=USERNAME --docker-server=quay.io -n workshop
kubectl patch serviceaccount pipeline -p '{"secrets": [{"name": "regcred"}]}'
@ralvares
ralvares / policy-anyuid-enforce.yaml
Last active June 23, 2022 05:35
policy-anyuid-enforce
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-anyuid-enforce
  namespace: default
  annotations:
    policy.open-cluster-management.io/categories: AC Access Control
    policy.open-cluster-management.io/controls: AC-3 Access Enforcement
    policy.open-cluster-management.io/standards: NIST SP 800-53
spec: