Henry Xie's blog
Thursday, November 10, 2022
Apex Ords Operator for Kubernetes
Tuesday, November 08, 2022
OKE Admission Control Webhook Sample
Requirement:
Solution:
- Please refer to the GitHub repo
- git clone https://github.com/HenryXie1/oke-admission-webhook
- go build -o oke-admission-webhook
- docker build --no-cache -t repo-url/oke-admission-webhook:v1 .
- rm -rf oke-admission-webhook
- docker push repo-url/oke-admission-webhook:v1
- ./deployment/webhook-create-signed-cert.sh --service oke-admission-webhook-svc --namespace kube-system --secret oke-admission-webhook-secret
- kubectl replace --force -f deployment/validatingwebhook.yaml
- kubectl replace --force -f deployment/deployment.yaml
- kubectl replace --force -f deployment/service.yaml
Demo:
Thursday, April 08, 2021
Tip: error: failed to load key pair tls: failed to parse private key
Symptom:
When running "kubectl create secret tls ...", we hit the error below:
error: failed to load key pair tls: failed to parse private key
Reason:
It is likely that the private key file is encrypted with a passphrase.
Use openssl to decrypt it and pass the new key to kubectl:
openssl rsa -in encrypted-private.key -out unencrypted.key
Enter pass phrase for ......
Wednesday, April 07, 2021
Tip: Pods keep crashloopbackoff
Symptom:
Pods stay in CrashLoopBackOff.
"kubectl describe pod ..." does not give meaningful info, and neither does "kubectl get events".
Reason:
One of the likely reasons is related to the pod security policy. My situation is that the existing pod security policy does not allow Nginx or Apache to run. It does not have:
allowedCapabilities:
- NET_BIND_SERVICE
# apache or nginx need escalation to root to function well
allowPrivilegeEscalation: true
So the pods keep going into CrashLoopBackOff. The fix is to add the above to the pod security policy.
Saturday, April 03, 2021
Tip: Istio TLS secrets, Gateway, VirtualService namespace scope
There is some confusion about where Istio objects should be put: in the istio-system namespace or in the users' namespace?
Here are some tips:
For TLS/mTLS CA certificates, certs and key management in Istio, the Kubernetes secrets should be created in istio-system, not in the users' namespace.
Gateway and VirtualService objects need to be created in the users' namespace.