$ git remote add upstream https://github.com/accuknox/KubeArmor.git
$ git fetch upstream
$ git merge upstream/master
$ git push
Author: seungsoo
[mysql] reference
delete from network_flow; delete from discovered_policy;
select count(*) from discovered_policy where rule like '%CIDR%';
select count(*) from discovered_policy where status="latest";
select count(*) from discovered_policy where status="outdated";
select * from discovered_policy where status="outdated"\G
select * from discovered_policy where name="autopol-egress-vxitcdpetakyjtx"\G
select count(*) from discovered_policy where (rule not like '%FQDN%' and rule not like '%CIDR%');
select count(*) from network_flow;
desc network_flow;
select * from network_flow limit 1\G
select * from discovered_policy WHERE name="autopol-egress-mvoiglopbuopedk"\G
select * from discovered_policy WHERE name="autopol-egress-hgcmdflittqwlue"\G
select * from network_flow WHERE name="autopol-egress-hgcmdflittqwlue"\G
select * from discovered_policy limit 1\G
SELECT * FROM network_flow ORDER BY id DESC LIMIT 1\G
SELECT time FROM network_flow ORDER BY id DESC\G
SELECT count(*) FROM network_flow where time >= 0 and time < 1607601663\G
[kafka] reference
$ kubectl port-forward kafka-0 -n kafka 9094
$ kafkacat -b localhost:9094 -L
$ kafkacat -P -b localhost:9094 -t topic1
$ kafkacat -C -b localhost:9094 -t topic1
$ kafkacat -C -b localhost:9094 -t topic1 \
-f 'Key is %k, and message payload is: %s \n'
https://github.com/Yolean/kubernetes-kafka
[docker] completely uninstall docker
$ dpkg -l | grep -i docker
$ sudo apt-get purge -y docker-engine docker docker.io docker-ce docker-ce-cli
$ sudo apt-get autoremove -y --purge docker-engine docker docker.io docker-ce
$ sudo rm -rf /var/lib/docker /etc/docker
$ sudo rm /etc/apparmor.d/docker
$ sudo groupdel docker
$ sudo rm -rf /var/run/docker.sock
[k8s] how to delete a namespace stuck in Terminating
NAMESPACE=<namespace to be deleted>
kubectl get namespace $NAMESPACE -o json > $NAMESPACE.json
sed -i -e 's/"kubernetes"//' $NAMESPACE.json
kubectl replace --raw "/api/v1/namespaces/$NAMESPACE/finalize" -f ./$NAMESPACE.json
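A stricter form of the finalize procedure above, added here as an example (not part of the original post): the "kubernetes" entry is removed only inside spec.finalizers rather than everywhere in the JSON, and the script refuses to act on a namespace that is not actually Terminating. It assumes kubectl is on PATH and that the current context points at the cluster.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes kubectl is on PATH and
# that `kubectl get ns -o json` prints spec.finalizers one element per line,
# which is what the sed range below relies on.

# Delete the "kubernetes" entry inside the spec.finalizers block of a
# namespace JSON dump ($1) and print the result; labels or annotations that
# happen to contain the word "kubernetes" are left untouched.
strip_k8s_finalizer() {
  sed -e '/"finalizers": \[/,/\]/{' \
      -e '/^[[:space:]]*"kubernetes",\{0,1\}[[:space:]]*$/d' \
      -e '}' "$1"
}

# Return 0 when the dump ($1) shows the namespace in phase Terminating.
is_terminating() {
  grep -q '"phase": "Terminating"' "$1"
}

# Dump the namespace, check its phase, clear the finalizer, then POST the
# object to the finalize subresource exactly as the commands above do.
force_finalize_namespace() {
  ns="$1"
  kubectl get namespace "$ns" -o json > "$ns.json" || return 1
  if ! is_terminating "$ns.json"; then
    echo "namespace $ns is not Terminating; refusing to finalize" >&2
    return 1
  fi
  strip_k8s_finalizer "$ns.json" > "$ns.finalize.json"
  kubectl replace --raw "/api/v1/namespaces/$ns/finalize" -f "./$ns.finalize.json"
}
```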
[k8s] kubectl port-forward
The port-forward command forwards one or more local ports to a pod.
This command is very useful, for example, in blue/green deployments where you want to troubleshoot a misbehaving pod.
To take things further, you could even run some preliminary tests against the pods you consider most error-prone right inside your CI/CD pipeline, e.g. a Jenkins declarative pipeline with multiple conditions.
Usage examples:
Listen on port 8888 locally, forwarding to 5000 in the pod
kubectl port-forward pod/mypod 8888:5000
Listen on port 8888 on all addresses, forwarding to 5000 in the pod
kubectl port-forward --address 0.0.0.0 pod/mypod 8888:5000
Listen on a random port locally, forwarding to 5000 in the pod
kubectl port-forward pod/mypod :5000
Listen on port 8888 on localhost and selected IP, forwarding to 5000 in the pod
kubectl port-forward --address localhost,10.19.21.23 pod/mypod 8888:5000
Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in the pod
kubectl port-forward pod/mypod 5000 6000
Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in a pod selected by the deployment
kubectl port-forward deployment/mydeployment 5000 6000
Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in a pod selected by the service
kubectl port-forward service/myservice 5000 6000
[git] useful alias
$ vi ~/.gitconfig
[alias]
co = checkout
rb = rebase -i
st = status
ci = commit
pl = pull
ps = push
lg = log --graph --abbrev-commit --decorate --format=format:'%C(cyan)%h%C(reset) - %C(green)(%ar)%C(reset) %C(white)%s%C(reset) %C(dim white)- %an%C(reset)%C(yellow)%d%C(reset)' --all
ad = add
tg = tag -n
df = diff
br = branch
[eBPF] printk
char fmt[] = "skb %p len %d\n";               /* format string must live in BPF stack memory */
bpf_trace_printk(fmt, sizeof(fmt), skb, len); /* fmt, its size, then up to three arguments */
cat /sys/kernel/debug/tracing/trace_pipe      # read the printed lines on the host
[k8s] go-client auth troubleshooting
no Auth Provider found for name "gcp"
Add the following blank import:
_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
[cilium] dev setup on Ubuntu 18.04.5
! Power off the VMware virtual machine.
Go to "Edit virtual machine settings".
Go to Processors. There are three checkboxes there.
Check the second checkbox (Enable VT-x/AMD-V).
Power on the machine.
1. bare metal vm
$ sudo apt-get update
$ sudo apt-get -y upgrade
$ sudo apt-get -y autoremove
$ sudo apt-get autoclean
$ sudo apt-get install -y build-essential
2. install virtualbox
$ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
$ wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -
$ sudo add-apt-repository "deb [arch=amd64] http://download.virtualbox.org/virtualbox/debian $(lsb_release -cs) contrib"
$ sudo apt-get update
$ sudo apt-get install virtualbox-6.0
3. install vagrant
$ wget https://releases.hashicorp.com/vagrant/2.2.9/vagrant_2.2.9_x86_64.deb
$ sudo dpkg -i vagrant_2.2.9_x86_64.deb
$ sudo apt install nfs-kernel-server
4. git clone
$ git clone https://github.com/cilium/cilium.git
5. start vagrant
$ contrib/vagrant/start.sh
or
$ RUNTIME=containerd K8S=1 NWORKERS=1 contrib/vagrant/start.sh
If you see an error like the one below ("no locks available" comes from NFS file locking on the shared source tree),
"github.com/cilium/cilium/pkg/envoy.RequiredEnvoyVersionSHA=1177896bebde79915fe5f9092409bf0254084b4e" -X "github.com/cilium/cilium/pkg/datapath/loader.DatapathSHA=9a5b6a084b4265a833469d70b09adcdf055c3b0c" -extldflags -Wl,-soname,libcilium.so.1' -tags=osusergo,lockdebug -o libcilium.so.1 -buildmode=c-shared
runtime1: go: RLock /home/vagrant/go/src/github.com/cilium/cilium/go.mod: no locks available
runtime1: Makefile:15: recipe for target 'libcilium.so' failed
runtime1: make[1]: Leaving directory '/home/vagrant/go/src/github.com/cilium/cilium/proxylib'
runtime1: make[1]: *** [libcilium.so] Error 1
runtime1: Makefile:135: recipe for target 'proxylib' failed
runtime1: make: *** [proxylib] Error 2
The SSH command responded with a non-zero exit status. Vagrant
assumes that this means the command failed. The output for this command
should be in the log above. Please read the output to determine what
went wrong.
run the following on the host so the NFS lock daemon is available:
$ sudo systemctl enable rpc-statd # Enable statd on boot
$ sudo systemctl start rpc-statd # Start statd for the current session