Jan Toth

I have been in DevOps related jobs for past 6 years dealing mainly with Kubernetes in AWS and on-premise as well. I spent quite a lot of time with integrating Kubernetes in both Cloud environment as well as in on-premise (Elastic Kubernetes Service in AWS, AKS, GKE, Kops and Rancher - RKE, K3S, kubeadm). I have dealt with ELK stack (Elasticsearch, Logshash and Kibana) to a complex infrastructure monitoring. I’m dealing with dockerized Grafana and Prometheus setup in Kubernetes. Postgraduate student in a field of Optoelectronics (Free Space Optics communications). Engineer graduated in field of Info-electronics with five years of experience on System Administration and application administration as well as other related fields.

:date_long

How to pass curl --data-raw in a nice form

There are some situation when one can have credentials to some web page that does not have API properly exposed and TOKEN can not be used.

:date_long

Check permissions for users and service account in GCP via gcloud

[arch:tmp ] gcloud projects get-iam-policy <project-name> \ --flatten="bindings[].members" \ --format='table(bindings.role)' \ --filter="bindings.

:date_long

How to process raw html page via pup and jq to get ratings

The friend of mine wrote Bash script that parses raw HTML page using grep and loops to find images with rating higher

:date_long

How to assemble project name based on yaml content using jq

If you have multiple files without proper names, you can generate project names based on the values in the YAML files.

:date_long

How to conditionally add key value to Terraform map

This code will conditionally add or ommit netapp-cleaner block based on prefix local variable.

:date_long

How to use regexp with jq

How to use regexp within jq when selecting documents PROJECT_NAMES="one|two|there" REGEXP_SOL_PROJ="^prefix-${ENVIRONMENT}-(${PROJECT_NAMES}).

:date_long

How to pass --url-query to curl

This is a nice way how to multiline query parameters when using curl

:date_long

How to deduplicate elements using jq

####### Input file some: awesome: members: - green - yellow - blue - red - green ####### Deduplication

:date_long

How to select entries with sso_team_id using jq

Goal How to choose only records that have sso_team_id key defined?

:date_long

How to GCP Private Service Connect PSC between two VPCs within different projects

Create 2 new GCP Projects in Free Tier Account gcloud projects create consumer-cmd --name="consumer-cmd" --enable-cloud-apis gcloud projects create producer-cmd --name="producer-cmd" --enable-cloud-apis # verify creation [arch:devopsinuse main()U] gcloud projects list PROJECT_ID NAME PROJECT_NUMBER .

:date_long

How to detect duplicates using jq

yq -o=json eval data/aaa/bbb.yaml | jq '.ldap.ldap.members | group_by(.) | map(select(length>1) | .

:date_long

GCP PCA certification notes

Using multiple gcloud configurations/profile v ~/.config/gcloud/configurations/config_profile1 ... [core] custom_ca_certs_file = /Users/AAAA/Documents/proxyCA.

:date_long

Useful Vim Commands

Find all yaml files that satisfy pattern, open them in Vim and delete each line that has some string in it v organization/*/*/*/*/XZY*.

:date_long

My Tmux setup

I have been using tmux for quite a while now. Despite the fact that, I sometimes felt weird because of all the other colleagues use VSCODE I never thought of coming back to one of these fameous IDEs.

:date_long

Azure az behind corporate proxy

Url that solves that problem https://docs.microsoft.com/en-us/cli/azure/use-cli-effectively?tabs=bash%2Cbash2 # https://docs.microsoft.com/en-us/cli/azure/use-cli-effectively?tabs=bash%2Cbash2 cat ~/Documents/proxyCA.crt >> /usr/local/Cellar/azure-cli/2.

:date_long

Oneliner to compare software versions

export _tags=$(git tag --list | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+') export _current=$(curl -s https://api.

:date_long

How to use Google AppScript for docs templating at presonal Google Drive

I have recently had a requirement to create write quite a bit of letters.

:date_long

How to replace text in lots of file via sed and find

I have recently decided to change the way how my code blocks look like at this blog.

:date_long

How to use jq as PRO

curl -s \ --header "Authorization: Bearer $TOKEN" \ --header "Content-Type: application/vnd.

:date_long

Drone CICD on Rancher Desktop MAC Kubernetes

Drone CICD at Rancher on Desktop at Mac Setup /etc/hosts file vim /etc/hosts .

:date_long

CKS testing mock

kube-apiserver manifest with PodSecurityPolicy, ImagePolicyWebhook, Auditing cat /etc/kubernetes/manifests/kube-apiserver.yaml apiVersion: v1 kind: Pod metadata: annotations: kubeadm.

:date_long

How to ommit optional block in terrafrom resource based on input variable

The goal is to create azurerm_virtual_hub_connection which might or might not have an optional block called static_vnet_route section under routing {} block.

:date_long

CKS Istio notes

Work in progress on Istio Do not forget to restart CoreDNS after you install Callico since there was already crio basic CNI activated!

:date_long

Hwo to change wrong author within last git commit

git commit --amend --author="Surname Name CCCCC <name.surname@external.company.com>"

:date_long

CKS Kubernetes CNI

Container infor passed by kubelet to stdin of CNI bash plugin CNI_CONTAINERID=b552f9.

:date_long

Podman commands

Assuming there are more containers running in a single Podman pod some backend service 9011 phpMyAmdin at port 80 (interpreted by Apache2 inside container) podman create --restart=always --pod=some-pod-name --name=phpmyadmin -e PMA_ABSOLUTE_URI="https://some.

:date_long

How to transfer gitlab calculated variable into trigger section

One has to used artifacts section combined with reports child keyword and save a variable with its value to build.

:date_long

Kaniko

Kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster.

:date_long

CKS run kubernetes with cri-o

How to run Kubernetes with cri-o https://computingforgeeks.com/install-cri-o-container-runtime-on-ubuntu-linux/ OS=xUbuntu_20.04 CRIO_VERSION=1.23 echo "deb https://download.

:date_long

CKS simulator

k get pods -A -o jsonpath='{range .items[*]}{.spec.nodeName}{"\t\t\t\t"}{.spec.containers[*].image}{"\t"}{"\n"}{end}' | sort | grep cluster1-worker1

:date_long

CKS Reduce Attack Surface

Overview only purpose (remove unneceassary services) node recycling (should be ephemeral, created from images) ubuntu, centos systemctl list-units | grep <service-name> systemctl list-units --type=service | grep <service-name> systemctl list-units --type=service --state=running | grep <service-name>

:date_long

CKS Kernel Hardening Tools

Requirements for Apparmor container runtime needs to support Apparmor Apparmor needs to be installed on every node Apparmor profiles need to be available on every node Apparmor profiles are specified per container (done via annotations) not per pod!

:date_long

CKS Audit logging via kube-api server

Important Kubernetes request stages What events should be recorded Audit log from Mushad course

:date_long

CKS Immutability of containers at runtime

advanced deployment methods easy rollback more reliability better security (on container level) Interesting example of how ‘‘startupProbe’’ can be used to make container a bit more secure root@cks-master:~# cat immutable.

:date_long

CKS behavioral analytics falco

Explore strace root@scw-k8s:~# strace -cw ls / bin etc initrd.

:date_long

CKS Secure supply chain - ImagePolicyWebhook

If you want to pull from a docker registry you need to docker login first.

:date_long

CKS Trivy and Clair - Vulnerability Scanner for Containers and other Artifacts

There are Clair and Trivy trivy (run one command - very convinient)

:date_long

CKS Kubesec - Security risk analysis for Kubernetes resources

Static Analysis manual approach kubesec OPA Conftest Notes can be incorporated in CI/CD system looks at source code and text files check against rules enforce rules e.

:date_long

CKS Image Footprint

run specific version do not run as root not shell read only filesystem This would be an ideal example of Dockerfile

:date_long

OPA - Gatekeeper

OPA is not Kubenretes specific general purpose policy engine An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.

:date_long

CKS mTLS

mTLS - Mutual TLS mutual authentication two-way (bilateral) authentication two parties authenticating each other at the same time

:date_long

CKS OS Level Security Domains

Define privilege and access control for Pod/Container userID and GroupID run privileged or unprivileged Linux Capabilities Run a simple container and check user and group root@scw-k8s:~# k run pod --image=busybox --command -oyaml --dry-run=client -- sh -c 'sleep 1d' > bb.

:date_long

How to pre-commit hook

How to create pre-commit hooks in git repos: - repo: https://github.

:date_long

CKS container runtimes

# go inside of a container and call root@scw-k8s:~# k exec -it pod -- sh / # uname -r 5.

:date_long

CKS secrets

k create secret generic secret1 --from-literal=jano=jano k create secret generic

:date_long

CKS upgrade kubernetes

major minor patch 1 . 24 . 0 Upgrade Master Node procedure drain and cordon (make it unschedulable) node kubeadm kube-apiserver controller-manager scheduler then:

:date_long

CKS Restrict API server

There is an flag when starting kube-aoiserver called: kube-apiserver --anonymous-auth=true|false The default value for this option is true because some liveness and readiness probes needs it.

:date_long

Jenkins seed

sudo nerdctl run --name jenkins -p 8080:8080 -v $PWD/initial.xml:/var/jenkins_home/jobs/seed/config.xml -v $PWD/controller-configuration-jobDSL-orig.

:date_long

CKS serviceaccount

SesrviceAccount (SA) are namespaces SA “default” in every namespace automatically mounted to a pod can be used to talk to Kubernetes API k create sa accessor k run accessor --image=nginx:alpine -o yaml --dry-run=client > accessor.

:date_long

Kubernetes RBAC

There are namespaced and non namespaced resources in Kubernetes. Role (namespaced) -> RoleBinding ClusterRole (non namespaced) -> ClusterRoleBinding Be extra careful with ClusterRole and ClusterRoleBinding because these are not only assigned to currently existing namespaces but also to namespaces created in future.

:date_long

Verify binaries

One has to compare the binary version which is currently running at the Kubernetes master and later on find out the PID of kubelet process.

:date_long

cks-benchmakring.md

CSI Kubernetes Benchmark 1.6.0 (at the time) Make sure to check CSI vs.

:date_long

Protect Kubernetes node metadata

Deny all traffic to google’s metadata server Study this rule carefully - it takes time to understand it :)

:date_long

Kubernetes dashboard

Kubectl proxy creates a proxy server between localhost and the Kubernetes API Server uses connection as configured in the kubeconfig Run kubectl proxy command at your master node cks-master Kubectl port-forward Install kubenretes dashboard kubectl apply -f https://raw.

:date_long

Kubernetes Ingress

Services in Kubernetes ClusterIP (points to a pod via labels selectors) NodePort (in addition a port is exported at each node) Loadbalancer (in addition creates LB at cloud provider) Deploy Nginx ingress controller # Install NGINX Ingress kubectl apply -f https://raw.

:date_long

Lima

# Deploy kubernetes via kubeadm. # $ limactl start ./k8s.yaml # $ limactl shell k8s sudo kubectl # It can be accessed from the host by exporting the kubeconfig file; # the ports are already forwarded automatically by lima: # # $ export KUBECONFIG=$PWD/kubeconfig.

:date_long

How to count numbers from pdf

user@machine tax2021 % for i in $(ls *.pdf); do \ pdftotext $i - | grep -E '^\+.

:date_long

How to recover keyvault

A simple way how to recover Azrue keyvault if needed

:date_long

My NVIM init file

" plugins" curl -fLo ~/.config/nvim/autoload/plug.vim --create-dirs https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vimcall plug#begin("~/.config/nvim/plugged")" Plugin SenohlsearchctionPlug 'ryanoasis/vim-devicons'Plug 'morhetz/gruvbox'Plug 'neoclide/coc.

:date_long

My zshrc file

HISTFILE=~/.zsh_history HISTSIZE=10000 SAVEHIST=10000 setopt appendhistory # source /usr/share/zsh/plugins/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh # source /usr/share/zsh/plugins/zsh-autosuggestions/zsh-autosuggestions.

:date_long

Kubernetes network policies

Here is an example of network policies k taint node scw-k8s-cks node-role.

:date_long

CKS setup Scaleway kubernetes cluster at Ubuntu 18.04

Create SSH key pair to be used for Kubernetes master and node machine

:date_long

Linux Namespaces

Namespaces isolates processess restricts what processes can see. PID namespace:

:date_long

Kubernetes SSL certificates

There are many SSL certificates used by different Kubenretes components.

:date_long

How to preview images in Ranger file manager with iTerm and Tmux

I have been avare of ranger as a file system browser for quite some time.

:date_long

Tanicka a jej vyroky

Sa hnevam, ze mi dal jednu piskotku, mi mal dat vela ten kocur mi zjedol vsetky piskoty do vecera budem stastna (Tato mi dal piskotku)

:date_long

How to open support ticket at Udemy

Please use link below: https://support.udemy.com/hc/en-us/requests/new https://www.viewmyforms.com/account mail/L…tax

:date_long

Git clone with private key

git clone git@github.com:autocloudmaniacs/red-queen-appl.git --config core.sshCommand="ssh -i ~/.ssh/erste" Create ~/.ssh/config file

:date_long

Ansible debug variables

- name: xyz vars: msg: | Module Variables ("vars"): -------------------------------- {{ vars | to_nice_json }} Environment Variables ("environment"): -------------------------------- {{ environment | to_nice_json }} GROUP NAMES Variables ("group_names"): -------------------------------- {{ group_names | to_nice_json }} GROUPS Variables ("groups"): -------------------------------- {{ groups | to_nice_json }} HOST Variables ("hostvars"): -------------------------------- {{ hostvars | to_nice_json }} debug: msg: "{{ msg.

:date_long

Ansible k3sup installation

Setup DD WRT /etc/hosts ssh root@192.168.1.1 ~ vi /etc/hosts .

:date_long

Destroy terrafrom project -backend-config

export AWS_SECRET_ACCESS_KEY="..." export AWS_ACCESS_KEY_ID="..." export AWS_DEFAULT_REGION="us-west-2" export TF_VAR_project_name=hruska cd terraform/k3s terraform init -backend-config="path=/home/jantoth/Documents/sbx/ml/data/hruska/terraform.

:date_long

docker ansible

export CI_REGISTRY=docker.io docker login -u "devopsinuse" -p "..." $CI_REGISTRY docker push devopsinuse/ansible-ml:v2.

:date_long

Install Raspberry Pi OS (Raspberry Pi 3)

https://www.raspberrypi.org/documentation/installation/installing-images/linux.md Check SD card presence at your laptop lsblk -p NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT /dev/sda 8:0 0 1G 0 disk /var/lib/kubelet/pods/d6fe24f2-3dc7-4291-90f5-8c7dbb4e8382/volu /dev/mmcblk0 179:0 0 14.

:date_long

Install Ubuntu 20.04 (Raspberry Pi 3)

Install Ubuntu at Raspberry Pi 3 xz --decompress --stdout ~/Downloads/ubuntu-20.04.1-preinstalled-server-arm64+raspi.img.xz | sudo dd of=/dev/mmcblk0 bs=4M conv=fsync status=progress Ubuntu at Raspberry Pi WIFI setup vim /run/media/jantoth/system-boot/network-config .

:date_long

Install Ubuntu 20.04 (Raspberry Pi 4 8GB)

1. Install Ubuntu at Raspberry Pi 3 xz --decompress --stdout ~/Downloads/ubuntu-20.

:date_long

IPSec Tunnel

# LAPTOP cat /etc/ipsec.conf config setup conn laptop authby=secret pfs=yes auto=start keyingtries=3 dpddelay=30 dpdtimeout=120 dpdaction=clear ikelifetime=8h ikev2=no keylife=1h #phase2alg=aes128-sha1;modp1024 #ike=aes128-sha1;modp1024 type=tunnel left=%defaultroute leftsubnet=192.

:date_long

List VirtualBox bridge family interfaces names

List VirtualBox bridge family interfaces names VBoxManage list bridgedifs

:date_long

Nvidia Jetson installation

Download SD card image https://developer.download.nvidia.com/assets/embedded/downloads/jetson-nano-4gb-jp441-sd-card-image/jetson-nano-4gb-jp441-sd-card-image.zip Create SD card for NVIDIA Jetson Nano unzip -p ~/Downloads/jetson-nano-4gb-jp441-sd-card-image.

:date_long

OpenVPN (Site to Site)

‘‘Setup’’ routing table at EC2 ubuntu@ip-172-31-49-24:/etc/openvpn/server$ ip r default via 172.

:date_long

Apache Spark

helm3 install spark \ --set master.webPort=8081 bitnami/spark NAME: spark LAST DEPLOYED: Mon Sep 7 15:25:26 2020 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: 1.

:date_long

AWS EKS aws-auth configmap mapUsers

Take a backup of ‘‘aws-auth’’ config map in ‘‘kube-system’’ namespace kubectl get cm aws-auth -n kube-system -o yaml > aws-auth.

:date_long

AWS EKS ML

aws eks --region us-west-2 update-kubeconfig --name ml-eks --profile jan-toth-ml kubectl apply -f https://raw.

:date_long

Create more configMaps via Go templating

{{ range $path, $_ := .Files.Glob "dashboards/*.json" }} {{- $dashboardName := trimSuffix ".

:date_long

Create Pod on the fly

kubectl run -i --tty busybox --image=gcr.io/kubernetes-e2e-test-images/dnsutils:1.3 --restart=Never -- sh kubectl run -i --tty busybox --image=busybox --restart=Never -- sh

:date_long

Dask

https://docs.dask.org/en/latest/setup/kubernetes-helm.html#launch-kubernetes-cluster cat extra-config.yaml worker: replicas: 4 resources: limits: cpu: 1 memory: 0.

:date_long

Delete AWS ENI via cmd

echo $t error waiting for EKS Node Group (eks-mlflow:eks-mlflow-cpu-ng) deletion: Ec2SecurityGroupDeletionFailure: DependencyViolation - resource has a dependent object.

:date_long

Drain node from K3S

Deleted node from K8s kubectl drain k3s-ubuntu-18-04 --ignore-daemonsets --delete-local-data kubectl delete node k3s-ubuntu-18-04

:date_long

Drill

helm package drill curl -XPOST --data-binary "@drill-1.1.0.tgz" http://127.0.0.1:31458/api/charts NAME="archlinux" RANCHER_URL="https://$NAME:30111" APITOKEN=$(curl -sk "${RANCHER_URL}/v3-public/localProviders/local?

:date_long

Force delete pods

kubectl delete pod drillcluster1-drillbit-0 zk-0 --grace-period=0 --force kubectl patch pod drillcluster1-drillbit-0 zk-0 -p '{"metadata":{"finalizers":null}}'

:date_long

Grafana dashboard loading

helm repo add grafana https://grafana.github.io/helm-charts helm template \ --show-only templates/configmap-dashboard-provider.yaml \ --show-only templates/deployment.

:date_long

Grafana dashboard via curl

do not forget to add “id: null” encapsulate to {“dashboard”: …} curl -L \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -X POST \ -uadmin \ --data @/tmp/path/dashboards/dashboard.

:date_long

Install K3S with Rancher UI

Adjust your /etc/hosts file # Adjust your /etc/hosts file cat /etc/hosts .

:date_long

K3S with Nvidia GPU

mkdir $HOME/.kube/ curl -sfL https://get.k3s.io | sh -s - --docker --write-kubeconfig-mode 644 --write-kubeconfig $HOME/.

:date_long

kubectl sort by

kubectl get pods -o wide -n prod --sort-by=.spec.nodeName

:date_long

Login to Rancher

NAME="rancher.web.ui" RANCHER_URL="https://$NAME:10443" APITOKEN=$(curl -sk "${RANCHER_URL}/v3-public/localProviders/local?action=login" \ -H "content-type: application/json" \ --data-binary "{\"username\":\"admin\",\"password\":\"admin\"}" 2>/dev/null | jq -r .

:date_long

PostgreSQL RDS AWS

psql -h mldb-postgres.cgpyiy4kedtv.us-west-2.rds.amazonaws.com -U postgres -d mldb kubectl exec pod-demo-0 -it -- \ sh -c "echo 'DROP DATABASE fgh;' | PGPASSWORD=$PGPASSWORD /usr/bin/psql -h 127.

:date_long

Remove taint

kubectl taint node archlinux node.kubernetes.io/disk-pressure:NoSchedule-

:date_long

Superset

helm install superset --set service.type=NodePort stable/superset values.yaml initFile: |- if [ "$1" == "development-mode" ]; then /usr/local/bin/superset-init --username admin --firstname admin --lastname user --email admin@fab.

:date_long

Delete database entries via bash alias

alias delprn='psql "host=127.0.0.1 port=5432 sslmode=disable user=rednetwork password=password" <<< "delete from port_range_networks where id between 1 and 10000;"'

:date_long

flask commands

with app.app_context(): # needed to make CLI commands work @app.cli.command("reset") def reset_db(): """Drops and Creates fresh database""" db.

:date_long

newman

newman run \ -d postman/vlans-post.json \ --reporters=cli,htmlextra \ --env-var access_token=$TOKEN \ --folder '/vlans-post' \ --reporter-htmlextra-export newman/network.

:date_long

newman open html reports

open "$(greadlink -f "$(ls -tr newman/* | tail -n 1 )")"

:date_long

Concat mp4 file with ffmpeg

**Concatenated'' video files (e.g. *.mp4) specified in *.txt file ‘‘created’’ on the file

:date_long

Determine the length of mp4 file

for i in file1.mp4 file2.mp4 file3.mp4 ; do t=$(ffmpeg -i $i 2>&1 | grep Duration | awk '{print $2}' | tr -d ,); echo " $t: $i"; done

:date_long

How to cut a portion of video

ffmpeg \ -t 4:12 \ -i <input-file>.mp4 \ -ss 4:07 \ <output-file>.

:date_long

kickstart Centos 8

**Centos 8 ISO location'' wget http://merlin.fit.vutbr.cz/mirrors/centos/8.2.2004/isos/x86_64/CentOS-8.2.2004-x86_64-dvd1.iso **Run this command''

:date_long

Connecting to PostgreSQL via Cloud SQL Proxy

**Download a postgresql cloud sql proxy binary'' https://cloud.google.com/sql/docs/postgres/connect-admin-proxy?authuser=1&_ga=2.119700096.-903944264.1624478760 wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy chmod +x cloud_sql_proxy **Open this tunnel in one terminal window''

:date_long

Google cloud

**Terraform in my wadzpay-dev'' GOOGLE_APPLICATION_CREDENTIALS=/home/jantoth/.google-cloud-keys/wadzpay-dev-cdb0bf1613d2.json gcloud auth list gcloud config set account jan.

:date_long

Google cloud pipeline example

**cloudbuild.yaml'' steps: - id: 'Get wadzpay docker image tag from build.

:date_long

Access Google's metadata

Access Google’s metadata curl http://metadata.google.internal/computeMetadata/v1/instance/id -H "Metadata-Flavor: Google"

:date_long

All syscalls

**Learn about syscalls and seccomp'' # Each and every syscall explained grep -w 35 /usr/include/asm/unistd_64.

:date_long

Authentication forms

**Authentication'' against KUBE-API server --basic-auth-file=/path/to/some.csv and use this flag for ‘‘kubeapi-server’’ configuration (not recommended)

:date_long

Backup ETCD

export ETCDCTL_API=3 etcdctl snapshot save /opt/snapshot-pre-boot.db --cert=/etc/kubernetes/pki/etcd/server.crt --cacert=/etc/kubernetes/pki/etcd/ca.crt --key=/etc/kubernetes/pki/etcd/server.key

:date_long

ckad study materials

Make sure you check out these tips and tricks from other students who have cleared the exam:

:date_long

CKS - Mock test 1

controlplane $ cat 1.yaml apiVersion: v1 kind: Pod metadata: labels: run: nginx name: frontend-site namespace: omni annotations: container.

:date_long

CKS Mock test 2 - Q1

**1. A pod called redis-backend has been created in the prod-x12cs namespace.

:date_long

CKS Mock test 2 - Q2

**A few pods have been deployed in the apps-xyz namespace. There is a pod called redis-backend which serves as the backend for the apps app1 and app2.

:date_long

CKS Mock test 2 - Q3

**3. A pod has been created in the gamma namespace using a service account called cluster-view.

:date_long

CKS Mock test 2 - Q4

**4. A pod in the sahara namespace has generated alerts that a shell was opened inside the container.

:date_long

Container Runtimes

docker run --runtime kata -d nginx docker run --runtime runsc -d nginx ~ [img[container-runtime.

:date_long

Create John user in Kuberentes

kubectl create role developer --verb=create,list,get,update,delete --resource pods --namespace development kubectl create rolebinding john-role-binding --role developer --user john --namespace development apiVersion: certificates.

:date_long

DaemonSet

controlplane $ cat ds.yaml apiVersion: apps/v1 kind: DaemonSet metadata: name: elasticsearch namespace: kube-system labels: app: elasticsearch spec: selector: matchLabels: name: elasticsearch template: metadata: labels: name: elasticsearch spec: tolerations: # this toleration is to have the daemonset runnable on master nodes # remove it if your masters can't run pods - key: node-role.

:date_long

Deployments

kubectl set image deployment/frontend *=kodekloud/webapp-color:v2 --dry-run=server --record controlplane $ kubectl rollout history deployment frontend deployment.

:date_long

Docker layers

cat Dockerfile FROM ubuntu ARG DEBIAN_FRONTEND=noninteractive RUN apt-get update -y && apt-get install golang-go -y COPY app.

:date_long

Game of Pods - App Gallery

for i in $(ls *.yaml); do echo filename: $i;echo "---" ;cat $i; done filename: ingress.

:date_long

Game of Pods - Redis cluster

for i in {1..6}; do ssh node01 mkdir /redis0${i}; done ssh node01 ls /redis* for i in $(ls *.

:date_long

Game of Pods - Tyro

kubectl config set-context --current --cluster=kubernetes --namespace=development --user=drogo kubectl config use-context developer --cluster=kubernetes --namespace=development --user=drogo kubectl config current-context cat ~/.

:date_long

Game of Pods - Voting app

for i in $(ls *.yaml); do echo filename: $i;echo "---" ;cat $i; done filename: db-depl.

:date_long

Immutable infrastructure (readOnlyRootFilesystem,privileged)

Set ‘‘UID’’ and ‘‘GID’’ within ‘‘securityContext’’ for pod and verify results (‘‘runAsUser’’ and ‘‘runAsGroup’')

:date_long

Jobs and CronJobs

Job # Create job skeleton kubectl create job throw-dice-job --image=kodekloud/throw-dice --dry-run=client -o yaml > job.

:date_long

JSON PATH

kubectl get deploy -o custom-columns=DEPLOYMENT:.metadata.name,CONTAINER_IMAGE:.spec.template.spec.containers[*].image,READY_REPLICAS:.status.readyReplicas,NAMESPACE:.metadata.namespace --sort-by=.metadata.name > /opt/admin2406_data kubectl get nodes -o jsonpath="{range .

:date_long

kubectl commands

kubectl sort by kubectl get pods -A --sort-by=.metadata.name NAMESPACE NAME READY STATUS RESTARTS AGE kube-system coredns-854c77959c-m972h 1/1 Running 0 5h38m kube-system helm-install-traefik-hx29s 0/1 Completed 0 5h38m kube-system local-path-provisioner-7c458769fb-s2xww 1/1 Running 3 5h38m kube-system metrics-server-86cbb8457f-ndxlz 1/1 Running 0 5h38m default nginx 1/1 Running 0 3m11s kube-system svclb-traefik-gb64t 2/2 Running 0 5h38m kube-system traefik-6f9cbd9bd4-xlslc 1/1 Running 0 5h38m Custom columns kubectl get pod -A -o=custom-columns="YZZ:.

:date_long

Kubernetes docker-registry like secret

**Create a Secret by providing credentials on the command line''

:date_long

Lightening Lab - CKA

Some other notes kubectl get pvc NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE alpha-claim Bound alpha-pv 1Gi RWO slow 4s controlplane $ kubectl get pods NAME READY STATUS RESTARTS AGE alpha-mysql-74ffffd5df-k55wj 0/1 ContainerCreating 0 9s controlplane $ watch kubectl get pods controlplane $ controlplane $ controlplane $ controlplane $ controlplane $ controlplane $ watch kubectl get pods^C controlplane $ cat 5.

:date_long

Lightening lab 1

apiVersion: apps/v1 kind: Deployment metadata: creationTimestamp: null labels: app: nginx-deploy name: nginx-deploy spec: replicas: 4 selector: matchLabels: app: nginx-deploy strategy: {} template: metadata: creationTimestamp: null labels: app: nginx-deploy spec: containers: - image: nginx:1.

:date_long

Lightening lab 2

**Commands'': controlplane $ for i in $(ls *.yaml); do echo filename: $i;echo "---" ;cat $i; done filename: 2.

:date_long

Linux Capabilities

You cannot change system time even though you are not using APPARMOR or SECCOMP.

:date_long

Metric server

wget https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml sed -iE 's/^(.*--kubelet-use-node-status-port)/\1 \n - --kubelet-insecure-tls/' components.yaml kubectl create -f components.

:date_long

Mock exam 2

controlplane $ for i in $(ls *.yaml); do echo filename: $i;echo "---" ;cat $i; done filename: 1svc.

:date_long

MOCK EXAM 2 CKA

kubectl run dns -it --image=busybox:1.28 --restart Never -- nslookup resolver-service.default.svc > CKA/nginx.

:date_long

MOCK TEST 3 CKA

controlplane $ for i in $(ls *.yaml); do echo -e "$i\n\n"; cat $i; done 03.

:date_long

Multi-Container Pods

apiVersion: v1 kind: Pod metadata: labels: name: app name: app namespace: elastic-stack spec: containers: - image: kodekloud/event-simulator name: app volumeMounts: - mountPath: /log name: log-volume - mountPath: /var/run/secrets/kubernetes.

:date_long

networkPolicy

# allow incoming traffic to pod "run: np-test-1" to port 80 from everywhere apiVersion: networking.

:date_long

Node Affinity

Match node ‘‘label’’ app: blue strategy: rollingUpdate: maxSurge: 25% maxUnavailable: 25% type: RollingUpdate template: metadata: creationTimestamp: null labels: app: blue spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: color operator: In values: - blue containers: - image: nginx imagePullPolicy: Always name: nginx resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File

:date_long

PodSecurityPolicy

**Setup API server to allow PodSecurityPolicy Admission controller'' cat /etc/kubernetes/manifests/kube-apiserver.yaml apiVersion: v1 kind: Pod metadata: annotations: kubeadm.

:date_long

ReadOnlyRootFilesystem

root@cks-master:~# k delete po immutable --grace-period 0 --force root@cks-master:~# k create -f immutable.

:date_long

ResourceQuota

kubectl create quota myrq --hard=cpu=1,memory=1G,pods=2 -o yaml --dry-run=client apiVersion: v1 kind: ResourceQuota metadata: creationTimestamp: null name: myrq spec: hard: cpu: "1" memory: 1G pods: "2" status: {}

:date_long

RuntimeClass GAdvisor and Kata containers

**Prepare runtimeClass yaml specification'' k get runtimeclasses.node.k8s.io -A NAME HANDLER AGE gvisor runsc 2m58s kata-containers kata-runtime 2m57s vim runtimeclass.

:date_long

Securing docker daemon

**Best practices'' export DOCKER_HOST=192.1681.2 <---- insecure /var/run/docker.sock < --- secure export DOCKER_TLS=true

:date_long

ServiceAccount token from inside of pod

curl https://kubernetes -k -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)"

:date_long

taint and tolerations

taints are set to ‘‘Nodes’’ toleration are set to ‘‘PODS’’ taints: kubectl taint nodes arch app=blue:NoSchedule node/arch tainted Other ‘‘taint’’ options:

:date_long

Useful links

**Istio'': [[https://istio.io/latest/blog/2019/data-plane-setup/|Istio]]

:date_long

Volumes

at file.yaml apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: webapp name: webapp spec: volumes: - name: my-volume hostPath: path: /var/log/webapp containers: - image: kodekloud/event-simulator name: webapp resources: {} volumeMounts: - name: my-volume mountPath: /log dnsPolicy: ClusterFirst restartPolicy: Always status: {} Storage classes controlplane $ for i in `ls *.

:date_long

Copy store.php to websupport linuxinuse.com via sftp

scp -o PubkeyAuthentication=no store.php linuxinuse.com@linuxinuse.com:web/tw/ sftp -o HostKeyAlgorithms=ssh-rsa devopsinuse.com@devopsinuse.com

:date_long

Generate SSH kyes for websupport gitlab

ssh-keygen -t rsa -b 4096 -f ~/.ssh/websupport-ssh -C "toth.janci@gmail.com" git remote add sshorigin git@gitlab.

:date_long

Keep SSH active

**Make this part of your SSH config file'' worker ~ $ cat ~/.

:date_long

Remove tiddlywiki backup files from websupport

sftp linuxinuse.com@linuxinuse.com << EOF rm web/tw/index.20200430.153755.html exit EOF Take an advantage of ‘‘regular expressions’’

:date_long

SSH config examples

vim ~/.ssh/config ... Host git-codecommit.*.amazonaws.com User A...SVRJMWFPY IdentityFile ~/.ssh/kops-aws Host 1.

:date_long

SSH to AWS instances - use SSH tunnel 30111

How to ‘‘SSH’’ and open a tunnel for port 30111

:date_long

SSH tunnel to Samba server via hron

How to ‘‘SSH’’ to river eval `ssh-agent` # add SSH key to keering ssh-add ~/.

:date_long

Go apply and applyProcess hands on 11

package main import ( "net/http" "html/template" ) var tpl *template.Template func init() { tpl = template.

:date_long

Go arrays <TITLE><TITLE> slices

package main import ( "fmt" // "strconv" // "math" ) func arrays() { grade1 := 97 grade2 := 85 grade3 := 93 grades := [3]int{11,22,33} // [.

:date_long

Go concurency

// package main // import ( // "fmt" // // "strconv" // // "math" // // "reflect" // // "net/http" // // "log" // ) // // define interface // type Writer interface { // Write([]byte) (int, error) // } // type ConsoleWriter struct {} // func (cw ConsoleWriter) Write(data []byte) (int, error) { // n, err := fmt.

:date_long

Go constants

func constants() { // it is a constant because it should not change its value !

:date_long

Go cookies

package main import ( "fmt" "io" "net/http" "strconv" ) func main() { http.

:date_long

Go create file on server

package main import ( "fmt" "html/template" "io/ioutil" "net/http" "os" "path/filepath" ) var tpl *template.

:date_long

Go defer

package main import ( "fmt" // "strconv" // "math" // "reflect" // "math" "io/ioutil" "log" "net/http" ) func simpleFunc() { fmt.

:date_long

Go explore ResponseWriter and Request

package main import ( "fmt" "html/template" "log" "net/http" "net/url" ) var tpl *template.

:date_long

Go funcMaps

package main import ( "os" // "io" "fmt" "log" "strings" "text/template" ) var tpl *template.

:date_long

Go functions

package main import ( "fmt" // "strconv" // "math" // "reflect" // "net/http" // "log" ) func sayMessage(msg string, idx int) { greetings := "Hello" fmt.

:date_long

Go HandlerFunc()

package main import ( "io" "net/http" ) func dogs(w http.ResponseWriter, r *http.

:date_long

Go HandlerFunc() review

package main import ( "html/template" "net/http" ) var tpl *template.Template func init() { tpl = template.

:date_long

Go http.FileServer()

import ( "io" "net/http" ) func main() { http.Handle("/", http.FileServer(http.Dir("."))) http.

:date_long

Go http.NewServerMux()

package main import ( "io" "net/http" ) type pageDog int func (pd pageDog) ServeHTTP(w http.

:date_long

Go http.Redirect(...) http.StatusMovedPermanently 301

package main import ( "fmt" "net/http" ) // Redirects: // - StatusMultipleChoices = 300 // RFC 7231, 6.

:date_long

Go http.Redirect(...) http.StatusSeeOther 303

package main import ( "fmt" "html/template" "net/http" ) // Redirects: // - StatusMultipleChoices = 300 // RFC 7231, 6.

:date_long

Go http.Redirect(...) http.StatusTemporaryRedirect 307

package main import ( "fmt" "html/template" "net/http" ) // Redirects: // - StatusMultipleChoices = 300 // RFC 7231, 6.

:date_long

Go http.Redirect(...) set redirection manually with headers

package main import ( "fmt" "html/template" "net/http" ) // Redirects: // - StatusMultipleChoices = 300 // RFC 7231, 6.

:date_long

Go if else statements

package main import ( "fmt" // "strconv" // "math" // "reflect" ) func ifelsestatements() { statePopulation := make(map[string]int) statePopulation = map[string]int{ "California": 2341232, "Texas": 3341232, "Florida": 4341232, "New York": 5341232, "Illinois": 6341232, "Ohio": 7341232, } fmt.

:date_long

Go include template

package main import ( "os" // "time" "fmt" "log" // "math" "text/template" ) var tpl *template.

:date_long

Go interfaces

:date_long

Go loop

package main import ( "fmt" // "strconv" // "math" // "reflect" // "math" ) func basicLoop() { for i := 0; i < 5; i++ { fmt.

:date_long

Go maps

func maps() { statePopulation := make(map[string]int) statePopulation = map[string]int{ "California": 2341232, "Texas": 3341232, "Florida": 4341232, "New York": 5341232, "Illinois": 6341232, "Ohio": 7341232, } fmt.

:date_long

Go methods

package main import ( "fmt" // "strconv" // "math" // "reflect" // "net/http" // "log" ) type greeter struct { greeting string name string } func (g greeter) greet() { fmt.

:date_long

Go methods templates and composition

package main import ( "log" "os" "text/template" ) type person struct { Name string Age int } // Start -Let's define several methods for struct person func (p person) SomeProcessing() int { return 7 } func (p person) AgeDbl() int { return p.

:date_long

Go NotFoundHandler()

package main import ( "fmt" "io" "net/http" ) func main() { http.

:date_long

Go panic() recover() and defer()

package main import ( "fmt" // "strconv" // "math" // "reflect" "net/http" "log" ) func simplePanic() { a, b := 1, 0 ans := a/b fmt.

:date_long

Go pointers

package main import ( "fmt" // "strconv" // "math" // "reflect" // "net/http" // "log" ) func simple() { a := 42 // b will be a brand new variable with it's place in memory b := a fmt.

:date_long

Go primitives

// Primitives func primitives() { var n bool = true v := 1 == 1 x := 3 == 2 // signed int16 (-65 535, 65 535) var c int16 = 2 // unsigned int16 (0, 65 535) var f uint16 = 10 fmt.

:date_long

Go r.Body.Read()

package main import ( "net/http" "html/template" "log" ) var tpl *template.

:date_long

Go request.FormValue('x') with ExecuteTemplate(...)

package main import ( "net/http" "html/template" "log" ) var tpl *template.

:date_long

Go request.FormValue('xyz')

package main import ( "fmt" "io" "net/http" ) func main() { http.

:date_long

Go rune type

func arrays() { // !!! if declating string -> use double quotes "" s := "this is a string" b := []byte(s) fmt.

:date_long

Go serve files

package main import ( "io" "log" "net/http" "os" ) func main() { http.

:date_long

Go serving files hands on 1

package main import ( "html/template" "io" "log" "net/http" ) func main() { http.

:date_long

Go serving files with StripPrefix() hands on

package main import ( "html/template" "log" "net/http" ) func main() { http.

:date_long

Go sessions

package main import ( "fmt" "html/template" "io" "log" "net/http" uuid "github.

:date_long

Go simple multiplexer by me

package main import ( "fmt" "log" "net" "bufio" "strings" ) func main() { li, err := net.

:date_long

Go simple mux

package main import ( "io" // "html/template" "log" "net/http" // "net/url" ) // var tpl *template.

:date_long

Go simple TCP hands on

package main import ( "bufio" "fmt" "log" "net" "time" "strings" ) func main() { li, err := net.

:date_long

Go simple TCP server

package main import ( "fmt" "time" "log" "net" "bufio" ) func main() { li, err := net.

:date_long

Go StripPrefix()

package main import ( "io" "net/http" ) func main() { http.

:date_long

Go StripPrefix() cumbersome one hands on 9

package main import ( "html/template" "log" "net/http" ) var tpl *template.

:date_long

Go structs

package main import ( "fmt" // "strconv" // "math" "reflect" ) // general way how to define struct type Doctor struct { // if you capitalize key names -> these will be visible for all the other packages Number int ActorName string Companion []string } // anonymous struct // bDoctor := struct{name string}{name: "John Dou"} func structs() { a := Doctor{ Number: 3, ActorName: "Jon Dou", Companion: []string{ "one", "two", "three", }, } fmt.

:date_long

Go switch statement

package main import ( "fmt" // "strconv" // "math" // "reflect" // "math" ) func simpleSwitch() { switch 212 { case 1: fmt.

:date_long

Go template

package main import ( "os" // "io" "fmt" "log" // "strings" "text/template" ) var tpl *template.

:date_long

Go template hotels

package main import ( "os" "log" "text/template" ) type hotel struct { Name string Address string City string Zip []int Region string } var tpl *template.

:date_long

Go templates pipelines

package main import ( "os" "time" "fmt" "log" "math" "text/template" ) var tpl *template.

:date_long

Go upload file

package main import ( "fmt" "io" "io/ioutil" "net/http" ) func main() { http.

:date_long

Go using DefaultMux with nil

package main import ( "io" "net/http" ) type pageDog int func (pd pageDog) ServeHTTP(w http.

:date_long

Go variables

package main import ( "fmt" "strconv" ) // if declaring vatiable over here // you can't use a := 10 var ( a int = 42 actorName string = "Elisabeth Salden" companion string = "Sarah Elisabeth Salden" // example of acronym theHTTP string = "https://google.

:date_long

Go write to file

package main import ( "os" "io" "fmt" "log" "strings" ) func main() { // strongly typed channel name := "Jan" tpl := ` <html> <body> <h1>Hi, this is:` + name + ` </h1> </body> </html> ` fmt.

:date_long

Get Storage Account Keys

az storage account keys list --resource-group erste-dev-slack-rg --account-name erstedevstorage

:date_long

PowerShell

Connet to Azure via PowerShell # Connet to Azure via PowerShell Connect-AzAccount

:date_long

AWS ENV Credentials

export AWS_ACCESS_KEY_ID="..." export AWS_SECRET_ACCESS_KEY="..." export AWS_DEFAULT_REGION="eu-central-1"

:date_long

create ACM certificate

https://medium.com/@Ahmed_Ansar/how-to-setup-aws-vpn-endpoint-8b15e78fd8b0 git clone https://github.com/OpenVPN/easy-rsa.git cd easy-rsa/easyrsa3 ./easyrsa init-pki ./easyrsa build-ca nopass .

:date_long

Delete AWS ENI via cmd

echo $t error waiting for EKS Node Group (eks-mlflow:eks-mlflow-cpu-ng) deletion: Ec2SecurityGroupDeletionFailure: DependencyViolation - resource has a dependent object.

:date_long

How to aws cli with SSO

(venv) [arch:Downloads ] aws configure sso SSO start URL [None]: https://devopsinuse.

:date_long

SSH to AWS instances - use SSH tunnel 30111

How to ‘‘SSH’’ and open a tunnel for port 30111

:date_long

Docker push to remote registry via self signed SSL certificate

‘‘CA (Certificate Authority)’’ to your local and copy/paste it to a proper location download from your server scp root@vm027.

:date_long

EID

yay -S pcsc-tools pcsc-light pcsc_scan sudo systemctl start pcscd.service ~/bin/eid/opt/disig/websigner/bin/WebSignerTray & ~/bin/eid/usr/bin/EAC_MW_klient ~/bin/eid/opt/QSign_eSigner/esigner keby neslo spustit tak doinstaluj este aur/eidklient Ohlasovanie voľnej, remeselnej a viazanej živnosti - fyzická osoba

:date_long

How to trust self-signed SSL/TLS certificates linux

How to enable system wide trust for the private Docker registry: create the symlink:

:date_long

How to use cryptsetup while installing archlinux

Kriskoviny # boot arch iso and set root passwd passwd systemctl start sshd ssh -l root 192.

:date_long

Notebook serial number

Ak by ste chceli vediet model a seriove cislo svojho notebooku: Serial Number: PF24KS2B $ sudo dmidecode | grep -i serial Serial Number: 00000000 Serial Number: 2C153768 Serial Number: None Serial services are supported (int 14h) Serial Number: PF24KS2B Serial Number: L1HF0B201Z7 Serial Number: PF24KS2B SBDS Serial Number: 0A4A Model: ThinkPad T15 Gen 1 $ sudo dmidecode | grep -i sku Consumer SKU SKU Number: LENOVO_MT_20S6_BU_Think_FM_ThinkPad T15 Gen 1 SKU Number: Not Specified

:date_long

Pacman setup mirrors and refresh keys

# refresh gpg keys if needed sudo pacman-key --refresh-keys sudo pacman-key --populate archlinux # setup closest mirrors reflector --country Slovakia --country Czechia --protocol https --age 12 --sort rate --save

:date_long

Ranger preview images

https://unix.stackexchange.com/questions/632529/alacritty-ranger-w3m-images-are-not-showing-or-disappear-after-few-seconds?newreg=05e6c4f5bf2345e48c22340fd7bee222 I got it working with ueberzug, even inside tmux set preview_images true set use_preview_script true set preview_images_method ueberzug yay -S alacritty sudo pacman -S ueberzug

:date_long

Search

//... // define globale variables var idx, searchInput, searchResults = null var documents = [] function renderSearchResults(results){ if (results.

:date_long

Setup Ubuntu Mono font

yay -S ttf-ubuntu-font-family ln -s /usr/share/fontconfig/conf.avail/11-lcdfilter-default.conf /etc/fonts/conf.d/ ln -s /usr/share/fontconfig/conf.avail/10-sub-pixel-rgb.conf /etc/fonts/conf.

:date_long

VPN in Archlinux

sudo pacman -S networkmanager-openconnect openconnect openssl

:date_long

Day 1

package main import ( "fmt" "io/ioutil" "os" "strconv" "strings" ) func main() { content, err := ioutil.

:date_long

Day 2

package main import ( "fmt" "io/ioutil" "strconv" "strings" ) type Password struct { min int // max int // letter string // pass string // } func (p Password) Check() bool { occurance := strings.

:date_long

Day 3

package main import ( "fmt" "io/ioutil" "strings" ) func HitTrees(data []string, right int, down int) int { var treesCount int = 0 for nr, v := range data { //fmt.

:date_long

Day 4

package main import ( "fmt" "io/ioutil" "os" "regexp" "strconv" "strings" ) func IsValidPartOne(p map[string]interface{}) bool { items := []string{"byr", "iyr", "eyr", "hgt", "hcl", "ecl", "pid"} var count int for _, i := range items { if _, ok := p[i]; ok { count++ } } if count == 7 { return true } return false } func IsValidPartTwo(p map[string]interface{}) bool { items := []string{"byr", "iyr", "eyr", "hgt", "hcl", "ecl", "pid"} var count int for _, i := range items { //fmt.

:date_long