Sunday, June 30, 2019

Error: cannot list resource "deployments" in API group "apps" at the cluster scope

Symptom:

    We have an operator running in the cluster, and it errors out when creating a deployment. The error looks like:
cannot list resource "deployments" in API group "apps" at the cluster scope

Solution:

It is because the ClusterRole granted to the operator lacks permission to create deployments. We need to add that permission to the role, and likewise for statefulsets, secrets and so on. A sample of the ClusterRole rules is below:

- apiGroups:
  - ""
  resources:
  - pods
  - secrets
  - services
  - configmaps
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - deployments
  - statefulsets
  verbs:
  - '*'
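To see why the request in the error message fails against the original role and passes once the "apps" rule is added, here is a small evaluator (added example, not code from the original post) that applies the Kubernetes RBAC matching semantics to the rules above: a request is allowed only when a single rule matches apiGroup AND resource AND verb, and "*" is a wildcard. It assumes the rules as plain Python dicts mirroring the YAML and leaves out resourceNames and nonResourceURLs.

```python
# Added example: RBAC rule evaluation over the ClusterRole rules from the post.

# Rules the operator had before the fix: core-group ("") resources only.
RULES_BEFORE = [
    {"apiGroups": [""],
     "resources": ["pods", "secrets", "services", "configmaps"],
     "verbs": ["*"]},
]

# Rules after the fix: the "apps" rule from the post is appended.
RULES_AFTER = RULES_BEFORE + [
    {"apiGroups": ["apps"],
     "resources": ["deployments", "statefulsets"],
     "verbs": ["*"]},
]


def _matches(allowed, wanted):
    """RBAC treats "*" in apiGroups, resources or verbs as match-anything."""
    return "*" in allowed or wanted in allowed


def allows(rules, api_group, resource, verb):
    """True if some single rule grants `verb` on `resource` in `api_group`.

    Fields never combine across rules, so a rule for deployments in "" would
    not help a request for deployments in "apps".
    """
    return any(_matches(r["apiGroups"], api_group)
               and _matches(r["resources"], resource)
               and _matches(r["verbs"], verb) for r in rules)


def wildcard_verb_grants(rules):
    """(apiGroup, resource) pairs granted with verbs: ['*'].

    A least-privilege review target: '*' silently includes delete and
    deletecollection, which an operator that only creates and watches
    its own objects may not need.
    """
    return [(g, res) for r in rules if "*" in r["verbs"]
            for g in r["apiGroups"] for res in r["resources"]]


if __name__ == "__main__":
    # The request from the error message in the post.
    print(allows(RULES_BEFORE, "apps", "deployments", "list"))  # False
    print(allows(RULES_AFTER, "apps", "deployments", "list"))   # True
    print(wildcard_verb_grants(RULES_AFTER))
```

The same questions can be asked of the live cluster with `kubectl auth can-i list deployments.apps --as=system:serviceaccount:<ns>:<sa>`, which evaluates the bound roles the same way.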

Monday, June 24, 2019

How To Run Docker Without Sudo


  • sudo groupadd docker
  • sudo usermod -aG docker <username>
  • Log out of all sessions, not only terminals but also the desktop
  • Log in again
  • To test: docker run hello-world

Saturday, June 15, 2019

Error: expected ';', found '{' in Golang

Symptom:

When we write Go code for a Kubernetes OwnerReference, we get this error:
expected ';', found '{'
The code looks like:
var oradbownerref = []metav1.ObjectMeta.OwnerReference{{
	Kind:       apexords.TypeMeta.Kind,
	APIVersion: apexords.TypeMeta.APIVersion,
	Name:       apexords.ObjectMeta.Name,
	UID:        apexords.ObjectMeta.UID,
}}

Solution:

It is because OwnerReference lives at the metav1 level, not the metav1.ObjectMeta level.
The correct code is:
var oradbownerref = []metav1.OwnerReference{{
	Kind:       apexords.TypeMeta.Kind,
	APIVersion: apexords.TypeMeta.APIVersion,
	Name:       apexords.ObjectMeta.Name,
	UID:        apexords.ObjectMeta.UID,
}}

Thursday, June 13, 2019

Example of Pod Struct with ConfigMap ImagePullSecrets in Client-GO

typeMetadata := metav1.TypeMeta{
	Kind:       "Pod",
	APIVersion: "v1",
}
objectMetadata := metav1.ObjectMeta{
	Name:      "ordspod",
	Namespace: o.UserSpecifiedNamespace,
}
// ConfigMap "test-configmap" is exposed to the pod as a volume.
configmapvolume := &corev1.ConfigMapVolumeSource{
	LocalObjectReference: corev1.LocalObjectReference{Name: "test-configmap"},
}
podSpecs := corev1.PodSpec{
	// Secret "test-secret" holds the registry credentials used to pull the image.
	ImagePullSecrets: []corev1.LocalObjectReference{{
		Name: "test-secret",
	}},
	Volumes: []corev1.Volume{{
		Name: "ords-config",
		VolumeSource: corev1.VolumeSource{
			ConfigMap: configmapvolume,
		},
	}},
	Containers: []corev1.Container{{
		Name:  "ordspod",
		Image: "ords:v19",
		// Mount the ConfigMap volume declared above at /mnt/k8s.
		VolumeMounts: []corev1.VolumeMount{{
			Name:      "ords-config",
			MountPath: "/mnt/k8s",
		}},
	}},
}
pod := corev1.Pod{
	TypeMeta:   typeMetadata,
	ObjectMeta: objectMetadata,
	Spec:       podSpecs,
}

Tip to Redirect Root of a Domain Url

Requirement:

 Sometimes we need to redirect <domain.com> (only the root) to <domain.com>/apex or <domain.com>/apps.

Solution:

Use RedirectMatch, which anchors the pattern so only the bare root path "/" matches.
Examples:
RedirectMatch ^/$ /apex  or  RedirectMatch ^/$ /apps

Monday, June 10, 2019

Error: the server could not find the requested resource

Symptom:

We follow https://book.kubebuilder.io/ and create an example.
It errors out when we run "make run":
the server could not find the requested resource (put cronjobs.batch.mycrontab cronjob-sample)"}

Solution:

After checking cronjob_types.go and adding the marker below, the issue is fixed:

// +kubebuilder:subresource:status
type CronJob struct {

Tip to Understand Stateless and Stateful Firewall Security Rules

Stateful firewall rules keep session state, so they allow two-way traffic (both inbound and outbound) for a session.

Stateless firewall rules are a one-way ACL check that controls traffic in one direction only;
normally an inbound rule and an outbound rule are paired together.

Here is a copy of the text from the web link:

STATELESS Firewalls

Stateless firewalls watch network traffic and restrict or block packets based on source and destination addresses or other static values. They’re not ‘aware’ of traffic patterns or data flows. A stateless firewall uses simple rule-sets that do not account for the possibility that a packet might be received by the firewall ‘pretending’ to be something you asked for.

A stateless firewall filter, also known as an access control list (ACL), does not statefully inspect traffic. Instead, it evaluates packet contents statically and does not keep track of the state of network connections.

Purpose of Stateless Firewall Filters

The basic purpose of a stateless firewall filter is to enhance security through the use of packet filtering. Packet filtering enables you to inspect the components of incoming or outgoing packets and then perform the actions you specify on packets that match the criteria you specify. The typical use of a stateless firewall filter is to protect the Routing Engine processes and resources from malicious or untrusted packets.


STATEFUL Firewall

Stateful firewalls can watch traffic streams from end to end. They are aware of communication paths and can implement various IP Security (IPsec) functions such as tunnels and encryption. In technical terms, this means that stateful firewalls can tell what stage a TCP connection is in (open, open sent, synchronized, synchronization acknowledge or established). It can tell if the MTU has changed, whether packets have been fragmented, etc.

Neither is really superior and there are good arguments for both types of firewalls. Stateless firewalls are typically faster and perform better under heavier traffic loads. Stateful firewalls are better at identifying unauthorized and forged communications.
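To make the paired-rule point concrete, here is a toy model (added example, not from the original post or the quoted text) that runs the same constructed packet stream through a stateless ACL with an inbound/outbound pair and through a stateful filter that tracks sessions. HOST, the peer addresses and the port list are made-up values.

```python
# Added example: stateless ACL pair vs stateful session tracking on one stream.
# A packet is (direction, src, sport, dst, dport, flags); flags is a set of names.

HOST = "10.0.0.5"        # the protected host (constructed address)
ALLOWED_PORTS = {443}    # outbound destination ports the host may use


def stateless_allow(pkt):
    """One-way ACL: each packet is judged on its own header only.

    The outbound rule permits HOST -> *:443. Replies must get back in, so a
    paired inbound rule permits *:443 -> HOST; the ACL cannot tell whether
    HOST ever asked for that traffic.
    """
    direction, src, sport, dst, dport, flags = pkt
    if direction == "out" and src == HOST and dport in ALLOWED_PORTS:
        return True
    if direction == "in" and dst == HOST and sport in ALLOWED_PORTS:
        return True          # the inbound "pair" of the outbound rule
    return False


class StatefulFilter:
    """Remembers sessions HOST opened; inbound is allowed only for those."""

    def __init__(self):
        self.sessions = set()   # (host_port, peer_ip, peer_port)

    def allow(self, pkt):
        direction, src, sport, dst, dport, flags = pkt
        if direction == "out" and src == HOST and dport in ALLOWED_PORTS:
            if "SYN" in flags:                 # a new connection is opening
                self.sessions.add((sport, dst, dport))
            return (sport, dst, dport) in self.sessions
        if direction == "in" and dst == HOST:
            return (dport, src, sport) in self.sessions   # known session only
        return False


def run(packets):
    """Return (stateless verdicts, stateful verdicts) for a packet list."""
    sf = StatefulFilter()
    return [stateless_allow(p) for p in packets], [sf.allow(p) for p in packets]


# Constructed sample: a genuine HTTPS handshake with 198.51.100.10, then an
# unsolicited packet from 203.0.113.9 that merely claims to come from port 443.
PACKETS = [
    ("out", HOST, 50000, "198.51.100.10", 443, {"SYN"}),
    ("in", "198.51.100.10", 443, HOST, 50000, {"SYN", "ACK"}),
    ("in", "203.0.113.9", 443, HOST, 50000, {"ACK"}),
]
```

Running `run(PACKETS)` shows the stateless pair passing all three packets while the stateful filter drops the third, which is the forged-reply case the quoted text describes.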

Tip to Verify KubeDNS is Working From Host

Requirement:

Sometimes we need to verify that KubeDNS is working from the host OS (i.e. the VM).

Solution:

  • Find the KubeDNS service IP address via the command (it appears as the nameserver in the pod's resolv.conf):
kubectl run -i --tty busybox --image=busybox --restart=Never -- cat /etc/resolv.conf
  • Install nc if necessary, e.g. yum install nc
  • If the IP address is 10.96.5.5, run a while loop to check that each KubeDNS pod is responding. You may get a timeout or a "can't resolve" error if one of the pods is not working:
while true; do nc -vz 10.96.5.5 53; sleep 3; done
  • For more debugging details, refer to the K8S docs.
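The nc loop above only proves that TCP port 53 accepts connections; it does not prove that a query is actually answered. The following added example (not from the original post) builds a minimal DNS A query, sends it over UDP to the service IP from the post, and reports the response code, so a pod that accepts connections but fails to resolve shows up as well. It assumes the in-cluster name kubernetes.default.svc.cluster.local and the 10.96.5.5 address from the post; the server IP can be passed as the first argument.

```python
# Added example: a real DNS query check against the KubeDNS service IP.
import socket
import struct

QID = 0x1234   # fixed query id so a reply can be matched to our question


def build_query(name, qid=QID):
    """Encode a standard A query for `name` (RD bit set, one question)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode()
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN


def parse_response(data, qid=QID):
    """Return (rcode, answer_count); raise if the reply is not ours."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:     # QR bit must be set
        raise ValueError("not a response to our query")
    return flags & 0x000F, an


def check_kubedns(server, name="kubernetes.default.svc.cluster.local",
                  timeout=2.0):
    """One UDP query; returns ('ok'|'nxdomain'|'rcodeN'|'timeout', answers)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return ("timeout", 0)
    rcode, an = parse_response(data)
    return ({0: "ok", 3: "nxdomain"}.get(rcode, "rcode%d" % rcode), an)


if __name__ == "__main__":
    import sys
    import time
    server = sys.argv[1] if len(sys.argv) > 1 else "10.96.5.5"
    while True:                      # same cadence as the nc loop in the post
        print(check_kubedns(server))
        time.sleep(3)
```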

Tip Example to Create Tablespace in the Same Location


Requirement:

 We need to create a new tablespace. By default the datafile is created under the Oracle DB home if db_create_file_dest is not set. We don't want that to happen; we would like to use the existing datafile location for the new tablespace.

Solution:

The sample SQL we use is:
declare
  v_datafile VARCHAR2(100);
begin
  -- directory of an existing datafile (everything up to the last '/'),
  -- with the new file name appended
  select regexp_substr(name, '^.*/') || 'livesqldata01.dbf'
    into v_datafile
    from v$datafile
   where rownum = 1;
  execute immediate 'create tablespace LIVESQL datafile ''' || v_datafile
                    || ''' size 50M reuse autoextend on';
end;
/