
Access Any Kubernetes Secret

You can gain access to any secret you want in Kubernetes even if you don’t have RBAC permissions to get, list or view that secret. All you need is a permission that allows you to do anything on pods and the ability to guess the names of secrets. With these two ingredients, here is how you can access any secret out there. Nasty user: here is a user called nastyuser who can only do things on pod objects. Everything else is forbidden. The user cannot list secrets, namespaces or deployments: ...

May 8, 2021 · 5 min · Suraj Deshmukh

Monitor your PC with Prometheus Grafana stack

How do you monitor your own computer? Of course, using Prometheus, node-exporter and Grafana. You might ask why you would want to do that when you can simply use the operating system’s “System Monitor”. Well, yes, you can use that. But the data you get from the OS System Monitor is coarse-grained. The OS system monitor is not configurable, but this stack is. It is like running htop, except that you can go back in history, unlike htop, which only shows the current state. Using this stack of Prometheus, node-exporter, and Grafana is a proactive approach rather than a reactive one to the problems that occur on a PC. Instead of digging later to figure out what went wrong, you are already collecting metrics, so you can see on dashboards what went wrong. ...

April 2, 2021 · 2 min · Suraj Deshmukh

Kubernetes The Hard Way in "Vagrant"?

If you are studying for the Certified Kubernetes Administrator (CKA) exam, you might have come across folks recommending Kelsey Hightower’s Kubernetes the Hard Way. It is an excellent first step for someone who has no idea about the components that form a Kubernetes cluster. As the name suggests, it is created so that you learn the Kubernetes building blocks the “hard way”. But all that can be intimidating to someone who hasn’t played with Kubernetes before. Also, the guide uses Google Cloud as the platform to install everything, which requires you to have a Google Cloud account. But don’t worry, there is a version of Kubernetes the Hard Way that runs locally, and is hence free. Enter Kubernetes the Hard Way Vagrant! ...

March 23, 2021 · 2 min · Suraj Deshmukh

Enable TLS bootstrapping in a Kubernetes cluster

This blog is a recap of my old blog “Add new node to Kubernetes cluster with bootstrap token”. Like the aforementioned blog, we will look at how to enable TLS bootstrapping on an existing Kubernetes cluster at the control-plane level and add a new node (or modify existing ones) to the cluster using bootstrap tokens. At the end of this blog, you will know the specific steps to take to enable TLS bootstrapping on any custom-built Kubernetes cluster. ...

February 6, 2021 · 5 min · Suraj Deshmukh
Image Source: [Flatcar Linux is now open to the public.](https://kinvolk.io/blog/2018/04/flatcar-linux-is-now-open-to-the-public/)

Kubernetes Cluster using Kubeadm on Flatcar Container Linux

This blog shows a simple set of commands to install a Kubernetes cluster on Flatcar Container Linux based machines using Kubeadm. You might wonder why this blog exists when one can go to the official documentation and follow the steps there. Yep, you are right. You can choose to do that. But this blog has a collection of actions specific to Flatcar Container Linux. These steps have been tried and tested on Flatcar, so you don’t need to recreate and test them yourself. There are some nuances related to the read-only partitions of Flatcar, and this blog takes care of them at both the control-plane and CNI levels. ...

January 29, 2021 · 4 min · Suraj Deshmukh

Exec in container environment

If you use exec in your container script, then the container or Kubernetes pod might exit after the command that is exec-ed into has exited. But if that’s what you wanted, then it’s okay. This blog tries to explain how to pass signals to applications, how they behave differently depending on how the process is invoked, and what to do if the application does handle them. What are the “Signals”? Signals are messages one process can send to another process, mostly used in UNIX-like operating systems. ...

January 23, 2021 · 4 min · Suraj Deshmukh

Mental models for understanding Kubernetes Pod Security Policy

PodSecurityPolicy (PSP) is hard to get right on the first attempt. There has never been a situation when I haven’t banged my head to get it working on the cluster. It is a frustrating experience, but it is one of the essential security features of Kubernetes. Some applications have started shipping PSP configs with their Helm charts, but if a Helm chart does not ship a PSP config, it must be handcrafted by the cluster-admin to make the application work reliably in the cluster. ...

January 16, 2021 · 6 min · Suraj Deshmukh