작성자: seungsoo

$ git remote add upstream https://github.com/accuknox/KubeArmor.git
$ git fetch upstream
$ git merge upstream/master
$ git push

delete from network_flow; delete from discovered_policy;

select count(*) from discovered_policy where rule like '%CIDR%';
select count(*) from discovered_policy where status="latest";
select count(*) from discovered_policy where status="outdated";
select * from discovered_policy where status="outdated"\G
select * from discovered_policy where name="autopol-egress-vxitcdpetakyjtx"\G
select count(*) from discovered_policy where (rule not like '%FQDN%' and rule not like '%CIDR%');
select count(*) from network_flow;

desc network_flow;

select * from network_flow limit 1\G
select * from discovered_policy WHERE name="autopol-egress-mvoiglopbuopedk"\G
select * from discovered_policy WHERE name="autopol-egress-hgcmdflittqwlue"\G
select * from network_flow WHERE name=autopol-egress-hgcmdflittqwlue\G
select * from discovered_policy limit 1\G

SELECT * FROM network_flow ORDER BY id DESC LIMIT 1\G
SELECT time FROM network_flow ORDER BY id DESC\G
SELECT count(*) FROM network_flow where time >= 0 and time < 1607601663\G

$ kubectl port-forward kafka-0 -n kafka 9094

$ kafkacat -b localhost:9094 -L

$ kafkacat -P -b localhost:9094 -t topic1
$ kafkacat -C -b localhost:9094 -t topic1

$ kafkacat -C -b localhost:9094 -t topic1 \
 -f 'Key is %k, and message payload is: %s \n'

https://github.com/Yolean/kubernetes-kafka

$ dpkg -l | grep -i docker

$ sudo apt-get purge -y docker-engine docker docker.io docker-ce docker-ce-cli
$ sudo apt-get autoremove -y --purge docker-engine docker docker.io docker-ce

$ sudo rm -rf /var/lib/docker /etc/docker
$ sudo rm /etc/apparmor.d/docker
$ sudo groupdel docker
$ sudo rm -rf /var/run/docker.sock

NAMESPACE=<namespace to be deleted>
kubectl get namespace $NAMESPACE -o json > $NAMESPACE.json
sed -i -e 's/"kubernetes"//' $NAMESPACE.json
kubectl replace --raw "/api/v1/namespaces/$NAMESPACE/finalize" -f ./$NAMESPACE.json

The port-forward command, Forwards one (or more) local ports to a pod.

This command is very useful for example in blue/green deployments where you would want to troubleshoot a misbehaving pod.

To take things even further, you could even execute some preliminary tests to the pods you feel could be more error-prone right inside your CI/CD pipeline in Jenkins by using multiple conditions, declarative pipeline.

Usage examples:

Listen on port 8888 locally, forwarding to 5000 in the pod

kubectl port-forward pod/mypod 8888:5000

Listen on port 8888 on all addresses, forwarding to 5000 in the pod

kubectl port-forward --address 0.0.0.0 pod/mypod 8888:5000

Listen on a random port locally, forwarding to 5000 in the pod

kubectl port-forward pod/mypod :5000

Listen on port 8888 on localhost and selected IP, forwarding to 5000 in the pod

kubectl port-forward --address localhost,10.19.21.23 pod/mypod 8888:5000

Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in the pod

kubectl port-forward pod/mypod 5000 6000

Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in a pod selected by the deployment

kubectl port-forward deployment/mydeployment 5000 6000

Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in a pod selected by the service

kubectl port-forward service/myservice 5000 6000

$ vi ~/.gitconfig

[alias]
    co = checkout
    rb = rebase -i
    st = status
    ci = commit
    pl = pull
    ps = push
    lg = log --graph --abbrev-commit --decorate --format=format:'%C(cyan)%h%C(reset) - %C(green)(%ar)%C(reset) %C(white)%s%C(reset) %C(dim white)- %an%C(reset)%C(yellow)%d%C(reset)' --all
    ad = add
    tg = tag -n
    df = diff
    br = branch

char fmt[] = "skb %p len %d\n";
bpf_trace_printk(fmt, sizeof(fmt), skb, len);

cat /sys/kernel/debug/tracing/trace_pipe

no Auth Provider found for name "gcp"

Add

_ “k8s.io/client-go/plugin/pkg/client/auth/gcp”

! Power off vmware vitrual machine.
Go to “edit virtual machine settings”
Go to processors. There are three checkboxes there.
Check second checkbox (enable VT-x/AMD-V)
Power on machine.

1. bare metal vm

$ sudo apt-get update
$ sudo apt-get -y upgrade
$ sudo apt-get -y autoremove
$ sudo apt-get autoclean
$ sudo apt-get install -y build-essential

2. install virtualbox

$ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
$ wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -
$ sudo add-apt-repository "deb [arch=amd64] http://download.virtualbox.org/virtualbox/debian $(lsb_release -cs) contrib"
$ sudo apt-get update
$ sudo apt-get install virtualbox-6.0

3. install vagrant

$ wget https://releases.hashicorp.com/vagrant/2.2.9/vagrant_2.2.9_x86_64.deb
$ sudo dpkg -i vagrant_2.2.9_x86_64.deb
$ sudo apt install nfs-kernel-server

4. git clone

$ git clone https://github.com/cilium/cilium.git

5. start vagrant

$ contrib/vagrant/start.sh
or
$ RUNTIME=containerd K8S=1 NWORKERS=1 contrib/vagrant/start.sh

if you see the error as below,

 "github.com/cilium/cilium/pkg/envoy.RequiredEnvoyVersionSHA=1177896bebde79915fe5f9092409bf0254084b4e" -X "github.com/cilium/cilium/pkg/datapath/loader.DatapathSHA=9a5b6a084b4265a833469d70b09adcdf055c3b0c" -extldflags -Wl,-soname,libcilium.so.1' -tags=osusergo,lockdebug  -o libcilium.so.1 -buildmode=c-shared
    runtime1: go: RLock /home/vagrant/go/src/github.com/cilium/cilium/go.mod: no locks available
    runtime1: Makefile:15: recipe for target 'libcilium.so' failed
    runtime1: make[1]: Leaving directory '/home/vagrant/go/src/github.com/cilium/cilium/proxylib'
    runtime1: make[1]: *** [libcilium.so] Error 1
    runtime1: Makefile:135: recipe for target 'proxylib' failed
    runtime1: make: *** [proxylib] Error 2
The SSH command responded with a non-zero exit status. Vagrant
assumes that this means the command failed. The output for this command
should be in the log above. Please read the output to determine what
went wrong.

$ sudo systemctl enable rpc-statd  # Enable statd on boot
$ sudo systemctl start rpc-statd  # Start statd for the current session