Ivan Mc Kinley ivanthelad

  • Microsoft
  • Munich
@ivanthelad
ivanthelad / 0.policy.security.yaml
Created February 14, 2023 08:22
An insecure setup demo with policy on Azure
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4
spec:
  containers:
  - name: sec-ctx-4
    image: nginx:latest
    securityContext:
      privileged: true
@ivanthelad
ivanthelad / deployaks.sh
Created October 24, 2022 11:33
SimpleAKS
#!/bin/bash
## enable app insights https://github.com/microsoft/Application-Insights-K8s-Codeless-Attach
source ./env.sh
uuid=$(openssl rand -hex 32 | tr -dc 'a-zA-Z0-9' | fold -w 5 | head -n 1)
clusternameparam=$1
function isempty ()
{
  paramname="$1"
  paramvalue="$2"
@ivanthelad
ivanthelad / disableautomounting.md
Last active February 25, 2022 10:22
Approaches to secure token usage in AKS

Recommendation for ensuring a workload adheres to the "automountServiceAccountToken" policy

If you use Azure Policy on AKS, you can get tripped up by the automountServiceAccountToken policy being violated by most containers.

If the container does not need to access the API

@ivanthelad
ivanthelad / costanalysis.json
Created February 9, 2022 12:32
Cost Analysis Dashboard: a dashboard to highlight which microservices cost the most in an AKS cluster that logs to Log Analytics
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspacesubscriptionid": {
      "defaultValue": "Insert_Subscription_Id",
      "type": "String",
      "metadata": {
        "description": "Subscription id of the log analytics workspace is deployed. Can be found under 'Log Analytics Workspace -> Overview' "
      }
@ivanthelad
ivanthelad / step1.sh
Created January 28, 2021 15:23
demo MSI and webapps
#Variables
location="westus"
RG_Name="UA-TEST-RG2"
ASP_Name="UA-TEST-ASP2"
Web_Name="UA-TEST-Web-1012"
ACR_Name="UAtestACR2"
ID_Name="UA-TEST-Identity2"
#Resource Creation
@ivanthelad
ivanthelad / Dockerfile
Created January 15, 2021 14:28
Dockerfile
FROM locustio/locust:1.4.1
##e TARGET_URL=http://localhost:8080 runtest:latest
## can be master, slave, standalone
## run on ACI using the command below, where -f is referencing runs/errors.py
## az container create --registry-username $registry_username --registry-password $registry_password -g $RG --image $IMAGE --ports 8089 5557 -l $LOCATION --name $MASTER_NAME --ip-address public --dns-name-label $DNS_LABEL -e URL=$URL URLPATH=$URLPATH --command-line="locust --master -f ${locustfile} "
EXPOSE 5557 8089
## tell the slave how to connect to the master
#ENV LOCUST_MASTER_HOST=
ENV URL="http://192.168.1.115:8080"
@ivanthelad
ivanthelad / keepingpublicip.md
Last active November 12, 2020 17:41
Ensuring business-critical IPs are not deleted by Kubernetes deployments/deletes

Background:

The Kubernetes Azure cloud provider dynamically creates a public IP when a Service of type=LoadBalancer is created. From the cloud provider's perspective it owns this dynamically created IP, meaning it is responsible for updates and deletes to it. If I delete the Service in Kubernetes, the cloud provider cascades the delete and also removes the public IP in Azure (the cloud provider calls this process reconciliation). Once an IP is deleted in Azure it is returned to Azure's global pool of IPs, and there is no guarantee that you will get this IP back.

This behaviour can unfortunately cause problems if your application relies on this public IP and it is accidentally deleted. To ensure a system-critical Azure IP is not deleted when modifying deployments in Kubernetes, the following steps should be performed.

@ivanthelad
ivanthelad / README.md
Last active August 17, 2020 09:01
Steps to use the CSI driver in AKS when the network cannot directly talk to the internet

Using the CSI secret driver with a private registry

Pull and push images

Images need to be pulled from the public repos and pushed to the private repo. These will be referenced in the chart later.

docker pull quay.io/k8scsi/csi-node-driver-registrar:v1.2.0
docker pull us.gcr.io/k8s-artifacts-prod/csi-secrets-store/driver:v0.0.12
docker pull quay.io/k8scsi/livenessprobe:v2.0.0

docker tag quay.io/k8scsi/csi-node-driver-registrar:v1.2.0 $IMAGE_REPO/k8scsi/csi-node-driver-registrar:v1.2.0
docker tag us.gcr.io/k8s-artifacts-prod/csi-secrets-store/driver:v0.0.12 $IMAGE_REPO/k8s-artifacts-prod/csi-secrets-store/driver:v0.0.12
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
  creationTimestamp: null
  labels:
    run: helloworld
  name: helloworld
@ivanthelad
ivanthelad / dashboardtemplate.json
Created May 8, 2020 07:42
Azure AKS template to show the breakdown of log costs from application controllers
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspacesubscriptionid": {
      "defaultValue": "Insert_Subscription_Id",
      "type": "String",
      "metadata": {
        "description": "Subscription id of the log analytics workspace is deployed. Can be found under 'Log Analytics Workspace -> Overview' "
      }