Suraj Deshmukh

Blog

containers, packaging, programming, hacks, kubernetes, openshift, fedora, centos

Watch Container Traffic Without Exec

How to watch the traffic of a container or a pod without execing into the pod/container?

Suraj Deshmukh

4-Minute Read

For security reasons, many container deployments nowadays run their workloads in a scratch-based image. This form of implementation helps reduce the attack surface, since there is no shell to gain access to, especially if someone were to break out of the application.

Writing your own Seccomp profiles for Docker

Understanding the seccomp profile json format

Suraj Deshmukh

3-Minute Read

A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. A certain subset of userland applications benefit by having a reduced set of available system calls. The resulting set reduces the total kernel surface exposed to the application. System call filtering is meant for use with those applications. Seccomp filtering provides a means for a process to specify a filter for incoming system calls.

Add new Node to k8s cluster with Bootstrap token

Use this technique to add a new node to the cluster without providing any certificates and without having to restart the kube-apiserver

Suraj Deshmukh

4-Minute Read

A few days back I wrote a blog post about adding a new node to the cluster using the static token file. The problem with that approach is that you need to restart kube-apiserver, providing it the path to the token file. Here we will see how to use the bootstrap token, which is very dynamic in nature and can be controlled using Kubernetes resources like secrets.

Add new Node to k8s cluster with cert rotation

Use this technique to add a node to the cluster without providing any certificates

Suraj Deshmukh

3-Minute Read

The setup here is created by following Kubernetes the Hard Way by Kelsey Hightower. So if you are following along, do all the setup up to the step Bootstrapping the Kubernetes Worker Nodes. In that step, just don’t start the kubelet; start the other services like containerd and kube-proxy.

About

I am a Software Engineer at Kinvolk, working on various tooling around container technology like Docker and Kubernetes.