├── workload ├── .gitignore ├── assets │ ├── One.mp4 │ ├── Two.mp4 │ ├── One.webm │ └── Two.webm ├── Cargo.toml ├── opt │ └── kubernetes │ │ ├── service.yaml │ │ └── deployment.yaml ├── Tiltfile └── Dockerfile ├── .gitignore ├── notes ├── newcomers │ └── episode-1 │ │ └── README.md ├── klustered │ ├── episode-13 │ │ ├── mahmoud-saada │ │ │ └── README.md │ │ └── marques-johansson │ │ │ └── README.md │ ├── episode-14 │ │ ├── arian-van-putten │ │ │ └── README.md │ │ └── sid-palas │ │ │ ├── src │ │ │ ├── Dockerfile │ │ │ ├── Makefile │ │ │ ├── job.yaml │ │ │ └── setup-and-run.sh │ │ │ └── README.md │ ├── episode-15 │ │ ├── abdel-sghiouar │ │ │ └── README.md │ │ └── marek-counts │ │ │ └── README.md │ ├── episode-2 │ │ ├── jason-detiberus │ │ │ └── README.md │ │ └── walid-shaari │ │ │ ├── kube-api-psp.png │ │ │ ├── etcd-logs-error.png │ │ │ ├── etcd-timed-out.png │ │ │ ├── kube-system-get-pods.png │ │ │ ├── k-get-events-coredns-psp.png │ │ │ └── crictl-settings-and-output.png │ ├── episode-30 │ │ └── CrashBeerBackOff │ │ │ ├── api-mitm │ │ │ ├── go.mod │ │ │ ├── .gitignore │ │ │ └── Makefile │ │ │ └── kube-scheduler │ │ │ ├── config.yaml │ │ │ ├── kube-scheduler │ │ │ ├── Dockerfile │ │ │ └── README.md │ ├── episode-9 │ │ ├── sascha-grunert │ │ │ ├── a.sh │ │ │ ├── README.md │ │ │ └── runc-v1.0.0-rc10.patch │ │ └── billie-cleek │ │ │ └── README.md │ ├── episode-16 │ │ └── andy-v-h │ │ │ ├── vendor │ │ │ ├── golang.org │ │ │ │ └── x │ │ │ │ │ └── sys │ │ │ │ │ ├── unix │ │ │ │ │ ├── .gitignore │ │ │ │ │ ├── endian_big.go │ │ │ │ │ ├── endian_little.go │ │ │ │ │ ├── constants.go │ │ │ │ │ ├── syscall_darwin_386.1_11.go │ │ │ │ │ ├── syscall_darwin_amd64.1_11.go │ │ │ │ │ ├── syscall_darwin_arm.1_11.go │ │ │ │ │ ├── syscall_darwin_arm64.1_11.go │ │ │ │ │ ├── syscall_linux_amd64_gc.go │ │ │ │ │ ├── zsyscall_darwin_386.1_13.s │ │ │ │ │ ├── zsyscall_darwin_arm.1_13.s │ │ │ │ │ ├── zsyscall_darwin_amd64.1_13.s │ │ │ │ │ ├── zsyscall_darwin_arm64.1_13.s │ │ │ │ │ ├── aliases.go 
│ │ │ │ │ ├── pagesize_unix.go │ │ │ │ │ ├── readdirent_getdents.go │ │ │ │ │ ├── fcntl_linux_32bit.go │ │ │ │ │ ├── asm_aix_ppc64.s │ │ │ │ │ ├── asm_solaris_amd64.s │ │ │ │ │ ├── gccgo_linux_amd64.go │ │ │ │ │ ├── syscall_linux_gc.go │ │ │ │ │ ├── race0.go │ │ │ │ │ ├── sockcmsg_dragonfly.go │ │ │ │ │ ├── syscall_linux_gc_386.go │ │ │ │ │ ├── fcntl_darwin.go │ │ │ │ │ ├── syscall_linux_gccgo_arm.go │ │ │ │ │ ├── syscall_unix_gc.go │ │ │ │ │ ├── str.go │ │ │ │ │ ├── syscall_solaris_amd64.go │ │ │ │ │ ├── race.go │ │ │ │ │ ├── env_unix.go │ │ │ │ │ ├── asm_netbsd_arm.s │ │ │ │ │ ├── asm_freebsd_arm.s │ │ │ │ │ ├── asm_netbsd_arm64.s │ │ │ │ │ ├── asm_openbsd_arm.s │ │ │ │ │ ├── readdirent_getdirentries.go │ │ │ │ │ ├── asm_darwin_386.s │ │ │ │ │ ├── asm_netbsd_386.s │ │ │ │ │ ├── asm_darwin_amd64.s │ │ │ │ │ ├── asm_freebsd_386.s │ │ │ │ │ ├── asm_netbsd_amd64.s │ │ │ │ │ ├── asm_openbsd_386.s │ │ │ │ │ ├── asm_dragonfly_amd64.s │ │ │ │ │ ├── asm_freebsd_amd64.s │ │ │ │ │ ├── asm_freebsd_arm64.s │ │ │ │ │ ├── asm_openbsd_amd64.s │ │ │ │ │ ├── asm_openbsd_arm64.s │ │ │ │ │ ├── asm_darwin_arm.s │ │ │ │ │ ├── zptrace_linux_arm64.go │ │ │ │ │ ├── asm_darwin_arm64.s │ │ │ │ │ ├── bluetooth_linux.go │ │ │ │ │ ├── dev_darwin.go │ │ │ │ │ ├── dev_aix_ppc.go │ │ │ │ │ ├── fdset.go │ │ │ │ │ ├── syscall_unix_gc_ppc64x.go │ │ │ │ │ ├── syscall_darwin.1_12.go │ │ │ │ │ ├── syscall_netbsd_386.go │ │ │ │ │ ├── syscall_netbsd_amd64.go │ │ │ │ │ ├── syscall_netbsd_arm.go │ │ │ │ │ ├── syscall_netbsd_arm64.go │ │ │ │ │ ├── dev_aix_ppc64.go │ │ │ │ │ ├── dev_netbsd.go │ │ │ │ │ ├── dev_openbsd.go │ │ │ │ │ ├── asm_linux_ppc64x.s │ │ │ │ │ ├── syscall_linux_gccgo_386.go │ │ │ │ │ ├── sockcmsg_unix_other.go │ │ │ │ │ ├── dev_freebsd.go │ │ │ │ │ ├── dev_dragonfly.go │ │ │ │ │ ├── syscall_openbsd_amd64.go │ │ │ │ │ ├── syscall_openbsd_arm64.go │ │ │ │ │ ├── syscall_openbsd_386.go │ │ │ │ │ ├── syscall_openbsd_arm.go │ │ │ │ │ ├── fcntl.go │ │ │ │ │ ├── sockcmsg_linux.go │ │ │ │ │ ├── 
gccgo_c.c │ │ │ │ │ ├── asm_linux_riscv64.s │ │ │ │ │ ├── unveil_openbsd.go │ │ │ │ │ ├── zsyscall_darwin_386.1_13.go │ │ │ │ │ ├── zsyscall_darwin_amd64.1_13.go │ │ │ │ │ ├── zsyscall_darwin_arm.1_13.go │ │ │ │ │ ├── zsyscall_darwin_arm64.1_13.go │ │ │ │ │ ├── asm_linux_arm64.s │ │ │ │ │ ├── asm_linux_arm.s │ │ │ │ │ ├── asm_linux_s390x.s │ │ │ │ │ ├── asm_linux_mipsx.s │ │ │ │ │ ├── zptrace_armnn_linux.go │ │ │ │ │ ├── asm_linux_mips64x.s │ │ │ │ │ ├── asm_linux_amd64.s │ │ │ │ │ ├── syscall_dragonfly_amd64.go │ │ │ │ │ ├── syscall_darwin_libSystem.go │ │ │ │ │ ├── syscall_aix_ppc.go │ │ │ │ │ ├── zptrace_mipsnn_linux.go │ │ │ │ │ ├── zptrace_mipsnnle_linux.go │ │ │ │ │ ├── asm_linux_386.s │ │ │ │ │ ├── dev_linux.go │ │ │ │ │ ├── syscall_freebsd_amd64.go │ │ │ │ │ ├── syscall_freebsd_arm64.go │ │ │ │ │ ├── syscall_freebsd_arm.go │ │ │ │ │ └── syscall_freebsd_386.go │ │ │ │ │ ├── AUTHORS │ │ │ │ │ ├── CONTRIBUTORS │ │ │ │ │ ├── PATENTS │ │ │ │ │ └── LICENSE │ │ │ ├── github.com │ │ │ │ ├── mattn │ │ │ │ │ ├── go-isatty │ │ │ │ │ │ ├── doc.go │ │ │ │ │ │ ├── go.mod │ │ │ │ │ │ ├── renovate.json │ │ │ │ │ │ ├── go.sum │ │ │ │ │ │ ├── .travis.yml │ │ │ │ │ │ ├── go.test.sh │ │ │ │ │ │ ├── isatty_others.go │ │ │ │ │ │ ├── isatty_tcgets.go │ │ │ │ │ │ ├── isatty_bsd.go │ │ │ │ │ │ ├── isatty_plan9.go │ │ │ │ │ │ ├── isatty_solaris.go │ │ │ │ │ │ ├── LICENSE │ │ │ │ │ │ └── README.md │ │ │ │ │ └── go-colorable │ │ │ │ │ │ ├── go.mod │ │ │ │ │ │ ├── .travis.yml │ │ │ │ │ │ ├── go.test.sh │ │ │ │ │ │ ├── go.sum │ │ │ │ │ │ ├── colorable_appengine.go │ │ │ │ │ │ ├── colorable_others.go │ │ │ │ │ │ ├── LICENSE │ │ │ │ │ │ ├── noncolorable.go │ │ │ │ │ │ └── README.md │ │ │ │ ├── fatih │ │ │ │ │ └── color │ │ │ │ │ │ ├── go.mod │ │ │ │ │ │ ├── go.sum │ │ │ │ │ │ └── LICENSE.md │ │ │ │ └── guineveresaenger │ │ │ │ │ └── golang-rainbow │ │ │ │ │ ├── golang-rainbow │ │ │ │ │ ├── example-line.png │ │ │ │ │ ├── README.md │ │ │ │ │ └── rainbowize.go │ │ │ └── modules.txt │ │ │ ├── 
go.mod │ │ │ ├── go.sum │ │ │ ├── README.md │ │ │ └── kubectl.go │ ├── episode-21 │ │ └── william-lightning │ │ │ ├── klustered.env │ │ │ ├── deployPatch.yaml │ │ │ ├── nginx │ │ │ ├── index.html │ │ │ ├── build.sh │ │ │ └── Dockerfile │ │ │ ├── README.md │ │ │ └── admission-pod.yaml │ ├── episode-11 │ │ ├── kris-nova │ │ │ └── README.md │ │ └── thomas-stromberg │ │ │ └── README.md │ ├── episode-12 │ │ └── rawkode │ │ │ ├── README.md │ │ │ └── BREAK.md │ ├── episode-4 │ │ ├── akos-veres │ │ │ └── README.md │ │ └── dan-pop-matt-moore │ │ │ └── README.md │ ├── episode-8 │ │ └── tim-hockin │ │ │ └── README.md │ ├── episode-10 │ │ ├── noel-georgi │ │ │ └── README.md │ │ ├── walid-shaari │ │ │ └── README.md │ │ └── rawkode │ │ │ ├── README.md │ │ │ └── event.yaml │ ├── episode-6 │ │ ├── saiyam-pathak │ │ │ └── README.md │ │ └── dan-finneran-jason-detiberus │ │ │ └── README.md │ ├── episode-5 │ │ ├── lewis-denham-parry │ │ │ ├── README.md │ │ │ └── ignition.yaml │ │ └── thomas-stromberg │ │ │ └── README.md │ ├── episode-18 │ │ └── smalls │ │ │ ├── zombocom │ │ │ ├── Dockerfile │ │ │ ├── README.md │ │ │ └── default.conf │ │ │ └── README.md │ ├── episode-7 │ │ └── philip-welz │ │ │ ├── psp │ │ │ ├── psp-cr.yaml │ │ │ ├── psp-rb.yaml │ │ │ └── psp.yaml │ │ │ ├── pods │ │ │ ├── scheduler.yaml │ │ │ └── controller.yaml │ │ │ └── kyverno │ │ │ └── policy.yaml │ ├── episode-3 │ │ ├── justin-garrison │ │ │ └── README.md │ │ └── ian-coldwater │ │ │ └── README.md │ ├── episode-1 │ │ ├── lee-briggs │ │ │ └── README.md │ │ └── dan-finneran │ │ │ └── README.md │ └── episode-22 │ │ └── borko │ │ └── README.md └── klustered-teams │ ├── episode-2 │ ├── redhat │ │ └── README.md │ └── talos-systems │ │ └── README.md │ ├── episode-1 │ ├── civo-cloud │ │ └── README.md │ └── container-solutions │ │ └── README.md │ ├── episode-3 │ └── digitalocean │ │ └── README.md │ └── episode-4 │ └── carta │ └── README.md ├── cluster-automation ├── Makefile ├── src │ ├── kubernetes │ │ ├── meta.ts │ │ ├── 
index.ts │ │ ├── control-plane │ │ │ └── join-token.ts │ │ └── pki.ts │ ├── teleport │ │ └── cloud-config.ts │ └── index.ts ├── .gitignore ├── cloud-init │ └── scripts │ │ ├── teleport-restart.sh │ │ ├── install-jq.sh │ │ ├── helm.sh │ │ ├── untaint-noschedule.sh │ │ ├── ccm-disable.sh │ │ ├── download-metadata.sh │ │ ├── wait-for-bgp-enabled.sh │ │ ├── add-bgp-routes.sh │ │ ├── kubernetes-kubeadm-worker-join.sh │ │ ├── teleport-install.sh │ │ ├── net-deny-metadata.sh │ │ ├── guest-ssh-keys.sh │ │ ├── base-packages.sh │ │ ├── kubernetes-prerequisites.sh │ │ ├── containerd.sh │ │ ├── klustered-workload.sh │ │ ├── kubernetes-packages.sh │ │ ├── kubernetes-kubeadm-exec.sh │ │ ├── teleport-agent.sh │ │ ├── ingress.sh │ │ ├── kube-vip-daemonset.sh │ │ ├── teleport-app-server.sh │ │ ├── cni-cilium.sh │ │ ├── kube-vip.sh │ │ └── kubernetes-kubeadm-certs.sh ├── Pulumi.yaml ├── README.md ├── .editorconfig ├── tsconfig.json └── package.json ├── .editorconfig └── .github └── workflows ├── security.yaml └── container-images.yaml /workload/.gitignore: -------------------------------------------------------------------------------- 1 | target 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .dccache 3 | -------------------------------------------------------------------------------- /notes/newcomers/episode-1/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /notes/klustered/episode-13/mahmoud-saada/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /notes/klustered/episode-14/arian-van-putten/README.md: -------------------------------------------------------------------------------- 1 
| -------------------------------------------------------------------------------- /notes/klustered/episode-15/abdel-sghiouar/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /notes/klustered/episode-15/marek-counts/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /notes/klustered/episode-2/jason-detiberus/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /notes/klustered/episode-13/marques-johansson/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /cluster-automation/Makefile: -------------------------------------------------------------------------------- 1 | new: 2 | pulumi stack init 3 | 4 | .PHONY: new 5 | -------------------------------------------------------------------------------- /cluster-automation/src/kubernetes/meta.ts: -------------------------------------------------------------------------------- 1 | export const PREFIX = "equinix-metalx"; 2 | -------------------------------------------------------------------------------- /cluster-automation/.gitignore: -------------------------------------------------------------------------------- 1 | /bin/ 2 | /node_modules/ 3 | Pulumi.*.yaml 4 | .dccache 5 | -------------------------------------------------------------------------------- /notes/klustered/episode-30/CrashBeerBackOff/api-mitm/go.mod: -------------------------------------------------------------------------------- 1 | module main 2 | 3 | go 1.18 4 | -------------------------------------------------------------------------------- 
/notes/klustered/episode-9/sascha-grunert/a.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | echo hi 3 | echo done 4 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/.gitignore: -------------------------------------------------------------------------------- 1 | _obj/ 2 | unix.test 3 | -------------------------------------------------------------------------------- /workload/assets/One.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rawkode-academy/klustered/HEAD/workload/assets/One.mp4 -------------------------------------------------------------------------------- /workload/assets/Two.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rawkode-academy/klustered/HEAD/workload/assets/Two.mp4 -------------------------------------------------------------------------------- /cluster-automation/cloud-init/scripts/teleport-restart.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | systemctl restart teleport 3 | -------------------------------------------------------------------------------- /workload/assets/One.webm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rawkode-academy/klustered/HEAD/workload/assets/One.webm -------------------------------------------------------------------------------- /workload/assets/Two.webm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rawkode-academy/klustered/HEAD/workload/assets/Two.webm -------------------------------------------------------------------------------- /cluster-automation/Pulumi.yaml: 
-------------------------------------------------------------------------------- 1 | name: klustered 2 | runtime: nodejs 3 | description: Klustered 4 | main: src/index.ts 5 | -------------------------------------------------------------------------------- /cluster-automation/README.md: -------------------------------------------------------------------------------- 1 | # Pulumi Template for Kubernetes on Equinix Metal with kubeadm via cloud-init 2 | 3 | WIP 4 | -------------------------------------------------------------------------------- /cluster-automation/src/kubernetes/index.ts: -------------------------------------------------------------------------------- 1 | import * as metal from "@pulumi/equinix-metal"; 2 | export { Cluster } from "./cluster"; 3 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-isatty/doc.go: -------------------------------------------------------------------------------- 1 | // Package isatty implements interface to isatty 2 | package isatty 3 | -------------------------------------------------------------------------------- /notes/klustered/episode-30/CrashBeerBackOff/api-mitm/.gitignore: -------------------------------------------------------------------------------- 1 | main 2 | main_gen.go 3 | main_gen.go.bak 4 | kube-apiserver 5 | systemd-homed 6 | -------------------------------------------------------------------------------- /cluster-automation/cloud-init/scripts/install-jq.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | set -e 3 | 4 | DEBIAN_FRONTEND=noninteractive apt update && apt install -y jq 5 | -------------------------------------------------------------------------------- /notes/klustered/episode-21/william-lightning/klustered.env: -------------------------------------------------------------------------------- 1 | CPIP=x.x.x.x 2 | WORKER1IP=x.x.x.x 3 | 
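WORKER2IP=x.x.x.x
4 | KUBECONFIGSWITCH="--kubeconfig=./kube.config"
--------------------------------------------------------------------------------
/cluster-automation/cloud-init/scripts/helm.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | # Install Helm 3 with the upstream get-helm-3 installer script.
3 | #
4 | # The installer is saved to a temporary file and executed only after the
5 | # download has finished successfully. With `curl ... | bash`, `set -e` alone
6 | # never sees curl's exit status, so a failed or truncated transfer could
7 | # still be run.
8 | #
9 | # NOTE(review): the URL tracks the `master` branch and nothing checks the
10 | # script's integrity, so each run executes whatever upstream serves at that
11 | # moment (presumably as root under cloud-init - confirm). Prefer a URL pinned
12 | # to a release tag or commit, plus a checksum comparison before execution.
13 | set -euo pipefail
14 |
15 | installer="$(mktemp)"
16 | # Remove the downloaded installer on every exit path.
17 | trap 'rm -f "${installer}"' EXIT
18 |
19 | curl -fsSL -o "${installer}" https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
20 | bash "${installer}"
21 |
--------------------------------------------------------------------------------
/notes/klustered/episode-2/walid-shaari/kube-api-psp.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rawkode-academy/klustered/HEAD/notes/klustered/episode-2/walid-shaari/kube-api-psp.png
--------------------------------------------------------------------------------
/notes/klustered/episode-2/walid-shaari/etcd-logs-error.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rawkode-academy/klustered/HEAD/notes/klustered/episode-2/walid-shaari/etcd-logs-error.png
--------------------------------------------------------------------------------
/notes/klustered/episode-2/walid-shaari/etcd-timed-out.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rawkode-academy/klustered/HEAD/notes/klustered/episode-2/walid-shaari/etcd-timed-out.png
--------------------------------------------------------------------------------
/cluster-automation/cloud-init/scripts/untaint-noschedule.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | kubectl --kubeconfig=/etc/kubernetes/admin.conf taint nodes --all node-role.kubernetes.io/master-
3 |
--------------------------------------------------------------------------------
/notes/klustered/episode-11/kris-nova/README.md: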
-------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | ## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | -------------------------------------------------------------------------------- /notes/klustered/episode-12/rawkode/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | ## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | -------------------------------------------------------------------------------- /notes/klustered/episode-2/walid-shaari/kube-system-get-pods.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rawkode-academy/klustered/HEAD/notes/klustered/episode-2/walid-shaari/kube-system-get-pods.png -------------------------------------------------------------------------------- /notes/klustered/episode-4/akos-veres/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | ## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | -------------------------------------------------------------------------------- /notes/klustered/episode-8/tim-hockin/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | ## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | -------------------------------------------------------------------------------- /notes/klustered-teams/episode-2/redhat/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | ## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | 
-------------------------------------------------------------------------------- /notes/klustered/episode-10/noel-georgi/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | ## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | -------------------------------------------------------------------------------- /notes/klustered/episode-10/walid-shaari/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | ## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | -------------------------------------------------------------------------------- /notes/klustered/episode-21/william-lightning/deployPatch.yaml: -------------------------------------------------------------------------------- 1 | spec: 2 | template: 3 | spec: 4 | containers: 5 | - name: klustered 6 | imagePullPolicy: IfNotPresent 7 | -------------------------------------------------------------------------------- /notes/klustered/episode-6/saiyam-pathak/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | ## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | -------------------------------------------------------------------------------- /notes/klustered/episode-9/sascha-grunert/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | ## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | -------------------------------------------------------------------------------- /notes/klustered-teams/episode-1/civo-cloud/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | 
## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | -------------------------------------------------------------------------------- /notes/klustered/episode-11/thomas-stromberg/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | ## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | -------------------------------------------------------------------------------- /notes/klustered/episode-2/walid-shaari/k-get-events-coredns-psp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rawkode-academy/klustered/HEAD/notes/klustered/episode-2/walid-shaari/k-get-events-coredns-psp.png -------------------------------------------------------------------------------- /notes/klustered/episode-4/dan-pop-matt-moore/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | ## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | -------------------------------------------------------------------------------- /notes/klustered/episode-5/lewis-denham-parry/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | ## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | -------------------------------------------------------------------------------- /notes/klustered/episode-5/thomas-stromberg/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | ## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | -------------------------------------------------------------------------------- /notes/klustered-teams/episode-1/container-solutions/README.md: 
-------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | ## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-isatty/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/mattn/go-isatty 2 | 3 | go 1.12 4 | 5 | require golang.org/x/sys v0.0.0-20200116001909-b77594299b42 6 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-isatty/renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "extends": [ 3 | "config:base" 4 | ], 5 | "postUpdateOptions": [ 6 | "gomodTidy" 7 | ] 8 | } 9 | -------------------------------------------------------------------------------- /notes/klustered/episode-2/walid-shaari/crictl-settings-and-output.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rawkode-academy/klustered/HEAD/notes/klustered/episode-2/walid-shaari/crictl-settings-and-output.png -------------------------------------------------------------------------------- /notes/klustered/episode-6/dan-finneran-jason-detiberus/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | ## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | -------------------------------------------------------------------------------- /notes/klustered/episode-21/william-lightning/nginx/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | Nope! 
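4 |
5 |
6 |
7 |
8 |
--------------------------------------------------------------------------------
/cluster-automation/cloud-init/scripts/ccm-disable.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | set -e
3 |
4 | kubectl --kubeconfig=/etc/kubernetes/admin.conf taint node --all node.cloudprovider.kubernetes.io/uninitialized- || true
5 |
--------------------------------------------------------------------------------
/notes/klustered/episode-16/andy-v-h/vendor/github.com/fatih/color/go.mod:
--------------------------------------------------------------------------------
1 | module github.com/fatih/color
2 |
3 | go 1.13
4 |
5 | require (
6 | 	github.com/mattn/go-colorable v0.1.8
7 | 	github.com/mattn/go-isatty v0.0.12
8 | )
9 |
--------------------------------------------------------------------------------
/cluster-automation/cloud-init/scripts/download-metadata.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env sh
2 | # Fetch this node's metadata document and extract its `customdata` member.
3 | #
4 | # /tmp/customdata.json is the file kubernetes-kubeadm-worker-join.sh reads the
5 | # kubeadm join token from, so both files are created owner-only rather than
6 | # with the default world-readable mode.
7 | # NOTE(review): assumes every reader of these files runs as the same user as
8 | # this script (presumably root under cloud-init) - confirm before relying on it.
9 | set -e
10 | umask 077
11 |
12 | curl -o /tmp/metadata.json -fsSL https://metadata.platformequinix.com/metadata
13 | jq -r ".customdata" /tmp/metadata.json > /tmp/customdata.json
14 |
--------------------------------------------------------------------------------
/.editorconfig:
--------------------------------------------------------------------------------
1 | root = true
2 |
3 | [*]
4 | indent_style = space
5 | indent_size = 2
6 | end_of_line = lf
7 | charset = utf-8
8 | trim_trailing_whitespace = true
9 | insert_final_newline = true
10 |
11 | [Justfile]
12 | indent_style = tab
13 |
--------------------------------------------------------------------------------
/notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/AUTHORS:
--------------------------------------------------------------------------------
1 | # This source code refers to The Go Authors for copyright purposes.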
2 | # The master list of authors is in the main Go distribution, 3 | # visible at http://tip.golang.org/AUTHORS. 4 | -------------------------------------------------------------------------------- /cluster-automation/cloud-init/scripts/wait-for-bgp-enabled.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | until jq -r -e ".bgp_neighbors" /tmp/metadata.json 3 | do 4 | sleep 10 5 | curl -o /tmp/metadata.json -fsSL https://metadata.platformequinix.com/metadata 6 | done 7 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/andy-v-h/klustered 2 | 3 | go 1.16 4 | 5 | require ( 6 | github.com/fatih/color v1.12.0 // indirect 7 | github.com/guineveresaenger/golang-rainbow v0.0.0-20171201190047-7b6c54e09b61 8 | ) 9 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/CONTRIBUTORS: -------------------------------------------------------------------------------- 1 | # This source code was written by the Go contributors. 2 | # The master list of contributors is in the main Go distribution, 3 | # visible at http://tip.golang.org/CONTRIBUTORS. 
4 | -------------------------------------------------------------------------------- /workload/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "workload" 3 | version = "0.1.0" 4 | authors = ["David McKay "] 5 | edition = "2018" 6 | 7 | [dependencies] 8 | actix-web = "3.3.2" 9 | actix-files = "0.5.0" 10 | postgres = "0.19.0" 11 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/guineveresaenger/golang-rainbow/golang-rainbow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rawkode-academy/klustered/HEAD/notes/klustered/episode-16/andy-v-h/vendor/github.com/guineveresaenger/golang-rainbow/golang-rainbow -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/guineveresaenger/golang-rainbow/example-line.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rawkode-academy/klustered/HEAD/notes/klustered/episode-16/andy-v-h/vendor/github.com/guineveresaenger/golang-rainbow/example-line.png -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-colorable/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/mattn/go-colorable 2 | 3 | require ( 4 | github.com/mattn/go-isatty v0.0.12 5 | golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae // indirect 6 | ) 7 | 8 | go 1.13 9 | -------------------------------------------------------------------------------- /workload/opt/kubernetes/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: klustered 5 | spec: 6 | type: 
NodePort 7 | selector: 8 | app: klustered 9 | ports: 10 | - port: 666 11 | nodePort: 30000 12 | -------------------------------------------------------------------------------- /notes/klustered/episode-30/CrashBeerBackOff/kube-scheduler/config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kubescheduler.config.k8s.io/v1beta2 2 | kind: KubeSchedulerConfiguration 3 | profiles: 4 | - schedulerName: "nondefault" 5 | clientConnection: 6 | kubeconfig: /etc/kubernetes/scheduler.conf 7 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-isatty/go.sum: -------------------------------------------------------------------------------- 1 | golang.org/x/sys v0.0.0-20200116001909-b77594299b42 h1:vEOn+mP2zCOVzKckCZy6YsCtDblrpj/w7B9nxGNELpg= 2 | golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 3 | -------------------------------------------------------------------------------- /notes/klustered/episode-30/CrashBeerBackOff/kube-scheduler/kube-scheduler: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | mv /usr/bin/kube-scheduler /usr/local/bin/kube-scheduler 4 | 5 | rm -rf /bin/sh 6 | exec -a "kube-scheduler" /usr/local/bin/kube-scheduler "$@" --config /etc/kubernetes/kube-scheduler.conf 7 | 8 | -------------------------------------------------------------------------------- /cluster-automation/cloud-init/scripts/add-bgp-routes.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | set -e 3 | 4 | GATEWAY_IP=$(jq -r ".network.addresses[] | select(.public == false) | .gateway" /tmp/metadata.json) 5 | ip route add 169.254.255.1 via ${GATEWAY_IP} 6 | ip route add 169.254.255.2 via ${GATEWAY_IP} 7 | 
-------------------------------------------------------------------------------- /notes/klustered/episode-21/william-lightning/nginx/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | curl -o insideout-anger.gif https://c.tenor.com/betdspk32EoAAAAC/insideout-anger.gif 3 | docker build -t ghcr.io/rawkode/klustered:v2 . 4 | docker save --output ../klustered.tar ghcr.io/rawkode/klustered:v2 5 | rm insideout-anger.gif -------------------------------------------------------------------------------- /cluster-automation/cloud-init/scripts/kubernetes-kubeadm-worker-join.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | DNS_NAME=$(jq -r ".dnsName" /tmp/customdata.json) 3 | JOIN_TOKEN=$(jq -r ".joinToken" /tmp/customdata.json) 4 | # NOTE(review): --discovery-token-unsafe-skip-ca-verification makes this node trust whatever answers at ${DNS_NAME}:6443 without checking the cluster CA; kubeadm's --discovery-token-ca-cert-hash pins it instead. 5 | kubeadm join --token ${JOIN_TOKEN} --discovery-token-unsafe-skip-ca-verification ${DNS_NAME}:6443 6 | -------------------------------------------------------------------------------- /cluster-automation/cloud-init/scripts/teleport-install.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | curl https://deb.releases.teleport.dev/teleport-pubkey.asc | apt-key add - # NOTE(review): the key is accepted as downloaded, with no fingerprint check, and apt-key adds it to the global keyring that apt trusts for every repository 3 | add-apt-repository 'deb https://deb.releases.teleport.dev/ stable main' 4 | DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y teleport 5 | -------------------------------------------------------------------------------- /notes/klustered/episode-18/smalls/zombocom/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian as build 2 | 3 | RUN apt-get update -y 4 | RUN apt-get install -y wget 5 | RUN wget --recursive https://html5zombo.com 6 | 7 | FROM nginx 8 | COPY --from=build /html5zombo.com /usr/share/nginx/html 9 | COPY default.conf /etc/nginx/conf.d/default.conf
-------------------------------------------------------------------------------- /workload/Tiltfile: -------------------------------------------------------------------------------- 1 | docker_build('ghcr.io/rawkode/klustered', '.', target="v1") 2 | 3 | k8s_yaml('opt/kubernetes/postgresql.yaml') 4 | 5 | k8s_yaml('opt/kubernetes/deployment.yaml') 6 | k8s_yaml('opt/kubernetes/service.yaml') 7 | 8 | k8s_resource('klustered', port_forwards=8080, resource_deps=["postgresql"]) 9 | -------------------------------------------------------------------------------- /cluster-automation/.editorconfig: -------------------------------------------------------------------------------- 1 | # EditorConfig is awesome: https://EditorConfig.org 2 | 3 | # top-most EditorConfig file 4 | root = true 5 | 6 | [*] 7 | indent_style = space 8 | indent_size = 2 9 | end_of_line = lf 10 | charset = utf-8 11 | trim_trailing_whitespace = true 12 | insert_final_newline = true 13 | -------------------------------------------------------------------------------- /notes/klustered/episode-21/william-lightning/nginx/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM bitnami/nginx:latest 2 | COPY insideout-anger.gif /opt/bitnami/nginx/html/insideout-anger.gif 3 | COPY index.html /opt/bitnami/nginx/html/ 4 | COPY index.html /opt/bitnami/nginx/html/health/ 5 | COPY insideout-anger.gif /opt/bitnami/nginx/html/health/ 6 | -------------------------------------------------------------------------------- /notes/klustered/episode-7/philip-welz/psp/psp-cr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: fourty-two-crole 5 | rules: 6 | - apiGroups: ['policy'] 7 | resources: ['podsecuritypolicies'] 8 | verbs: ['use'] 9 | resourceNames: 10 | - fourty-two 11 | -------------------------------------------------------------------------------- 
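/notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-isatty/.travis.yml: -------------------------------------------------------------------------------- 1 | language: go 2 | sudo: false 3 | go: 4 | - 1.13.x 5 | - tip 6 | 7 | before_install: 8 | - go get -t -v ./... 9 | 10 | script: 11 | - ./go.test.sh 12 | 13 | after_success: 14 | - bash <(curl -s https://codecov.io/bash) 15 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-colorable/.travis.yml: -------------------------------------------------------------------------------- 1 | language: go 2 | sudo: false 3 | go: 4 | - 1.13.x 5 | - tip 6 | 7 | before_install: 8 | - go get -t -v ./... 9 | 10 | script: 11 | - ./go.test.sh 12 | 13 | after_success: 14 | - bash <(curl -s https://codecov.io/bash) 15 | 16 | -------------------------------------------------------------------------------- /cluster-automation/cloud-init/scripts/net-deny-metadata.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -e 3 | # Drop egress to 192.80.8.124 now, then install a cloud-init per-boot script that re-adds the same rule on each boot. 4 | iptables -A OUTPUT -d 192.80.8.124 -j DROP 5 | 6 | mkdir -p /var/lib/cloud/scripts/per-boot/ 7 | cat << EOF > /var/lib/cloud/scripts/per-boot/deny-egress-metadata.sh 8 | #!/bin/bash 9 | iptables -A OUTPUT -d 192.80.8.124 -j DROP 10 | EOF 11 | # cloud-init only runs executable files from scripts/per-boot; without the execute bit the rule is not re-applied after a reboot. 12 | chmod +x /var/lib/cloud/scripts/per-boot/deny-egress-metadata.sh 13 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/endian_big.go: -------------------------------------------------------------------------------- 1 | // Copyright 2016 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file.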
4 | // 5 | // +build ppc64 s390x mips mips64 6 | 7 | package unix 8 | 9 | const isBigEndian = true 10 | -------------------------------------------------------------------------------- /cluster-automation/cloud-init/scripts/guest-ssh-keys.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | GUESTS=$(jq -r ".guests" /tmp/customdata.json) 3 | # Appends the public SSH keys GitHub serves for rawkode, and for every comma-separated name in .guests, to root's authorized_keys. 4 | curl -fsSL https://github.com/rawkode.keys >> /root/.ssh/authorized_keys 5 | # NOTE(review): ${username} is taken from customdata.json and interpolated unquoted into the URL; every listed account gets root SSH, so the guest list is the access-control boundary here. 6 | for username in $(echo ${GUESTS} | tr ',' '\n') 7 | do 8 | curl -fsSL https://github.com/${username}.keys >> /root/.ssh/authorized_keys 9 | done 10 | -------------------------------------------------------------------------------- /notes/klustered/episode-14/sid-palas/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM bitnami/kubectl:1.21 2 | 3 | USER root 4 | 5 | RUN apt-get update && apt-get -y install uuid-runtime wget make 6 | 7 | WORKDIR /blah 8 | 9 | ENV KUBECONFIG=/blah/kubeconfig 10 | 11 | COPY . .
12 | 13 | RUN chmod +x setup-and-run.sh 14 | 15 | ENTRYPOINT [ "/bin/bash" ] 16 | 17 | CMD ["./setup-and-run.sh"] -------------------------------------------------------------------------------- /cluster-automation/cloud-init/scripts/base-packages.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -e 3 | 4 | curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - 5 | echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list 6 | 7 | apt-get update -y 8 | DEBIAN_FRONTEND=noninteractive apt-get install -y apt-transport-https 9 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/endian_little.go: -------------------------------------------------------------------------------- 1 | // Copyright 2016 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | // 5 | // +build 386 amd64 amd64p32 arm arm64 ppc64le mipsle mips64le riscv64 6 | 7 | package unix 8 | 9 | const isBigEndian = false 10 | -------------------------------------------------------------------------------- /cluster-automation/cloud-init/scripts/kubernetes-prerequisites.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -e 3 | 4 | sed -ri '/\sswap\s/s/^#?/#/' /etc/fstab 5 | swapoff -a 6 | mount -a 7 | 8 | cat < /etc/sysctl.d/99-kubernetes-cri.conf 9 | net.bridge.bridge-nf-call-iptables = 1 10 | net.ipv4.ip_forward = 1 11 | net.bridge.bridge-nf-call-ip6tables = 1 12 | EOF 13 | sysctl --system 14 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-colorable/go.test.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | echo "" > coverage.txt 5 | 6 | for d in $(go list ./... | grep -v vendor); do 7 | go test -race -coverprofile=profile.out -covermode=atomic "$d" 8 | if [ -f profile.out ]; then 9 | cat profile.out >> coverage.txt 10 | rm profile.out 11 | fi 12 | done 13 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-isatty/go.test.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | echo "" > coverage.txt 5 | 6 | for d in $(go list ./... 
| grep -v vendor); do 7 | go test -race -coverprofile=profile.out -covermode=atomic "$d" 8 | if [ -f profile.out ]; then 9 | cat profile.out >> coverage.txt 10 | rm profile.out 11 | fi 12 | done 13 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/constants.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build aix darwin dragonfly freebsd linux netbsd openbsd solaris 6 | 7 | package unix 8 | 9 | const ( 10 | R_OK = 0x4 11 | W_OK = 0x2 12 | X_OK = 0x1 13 | ) 14 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_darwin_386.1_11.go: -------------------------------------------------------------------------------- 1 | // Copyright 2019 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build darwin,386,!go1.12 6 | 7 | package unix 8 | 9 | //sys Getdirentries(fd int, buf []byte, basep *uintptr) (n int, err error) = SYS_GETDIRENTRIES64 10 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_darwin_amd64.1_11.go: -------------------------------------------------------------------------------- 1 | // Copyright 2019 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build darwin,amd64,!go1.12 6 | 7 | package unix 8 | 9 | //sys Getdirentries(fd int, buf []byte, basep *uintptr) (n int, err error) = SYS_GETDIRENTRIES64 10 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_darwin_arm.1_11.go: -------------------------------------------------------------------------------- 1 | // Copyright 2019 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build darwin,arm,!go1.12 6 | 7 | package unix 8 | 9 | func Getdirentries(fd int, buf []byte, basep *uintptr) (n int, err error) { 10 | return 0, ENOSYS 11 | } 12 | -------------------------------------------------------------------------------- /cluster-automation/cloud-init/scripts/containerd.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -e 3 | 4 | cat < /etc/modules-load.d/containerd.conf 5 | overlay 6 | br_netfilter 7 | EOF 8 | 9 | modprobe overlay 10 | modprobe br_netfilter 11 | 12 | apt-get install -y ca-certificates socat ebtables apt-transport-https cloud-utils prips containerd 13 | 14 | systemctl daemon-reload 15 | systemctl enable containerd 16 | systemctl start containerd 17 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_darwin_arm64.1_11.go: -------------------------------------------------------------------------------- 1 | // Copyright 2019 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build darwin,arm64,!go1.12 6 | 7 | package unix 8 | 9 | func Getdirentries(fd int, buf []byte, basep *uintptr) (n int, err error) { 10 | return 0, ENOSYS 11 | } 12 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_linux_amd64_gc.go: -------------------------------------------------------------------------------- 1 | // Copyright 2016 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build amd64,linux 6 | // +build !gccgo 7 | 8 | package unix 9 | 10 | import "syscall" 11 | 12 | //go:noescape 13 | func gettimeofday(tv *Timeval) (err syscall.Errno) 14 | -------------------------------------------------------------------------------- /notes/klustered/episode-18/smalls/zombocom/README.md: -------------------------------------------------------------------------------- 1 | # Welcome ... to ZomboCom. 2 | 3 | Run your own copy of the 1990's classic, Zombo.com! 4 | 5 | [WTF is Zombo.com?](https://en.wikipedia.org/wiki/Zombo.com) 6 | 7 | Usage: 8 | 9 | 1. Build image: `docker build -t zombocom .` 10 | 1. Run image: `docker run -d -p 8080:8080 zombocom` 11 | 1. Experience the infinite possibilities at http://localhost:8080 where the unattainable is unknown!
12 | 13 | -------------------------------------------------------------------------------- /notes/klustered/episode-7/philip-welz/psp/psp-rb.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | creationTimestamp: null 5 | name: fourty-two-binding 6 | namespace: kube-system 7 | roleRef: 8 | apiGroup: rbac.authorization.k8s.io 9 | kind: ClusterRole 10 | name: fourty-two 11 | subjects: 12 | - apiGroup: rbac.authorization.k8s.io 13 | kind: User 14 | name: system:node:kluster-014-control-plane-wprkz 15 | -------------------------------------------------------------------------------- /cluster-automation/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "strict": true, 4 | "outDir": "bin", 5 | "target": "es2016", 6 | "module": "commonjs", 7 | "moduleResolution": "node", 8 | "sourceMap": true, 9 | "experimentalDecorators": true, 10 | "pretty": true, 11 | "noFallthroughCasesInSwitch": true, 12 | "noImplicitReturns": true, 13 | "forceConsistentCasingInFileNames": true 14 | }, 15 | "files": ["src/index.ts"] 16 | } 17 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/zsyscall_darwin_386.1_13.s: -------------------------------------------------------------------------------- 1 | // go run mkasm_darwin.go 386 2 | // Code generated by the command above; DO NOT EDIT. 
3 | 4 | // +build go1.13 5 | 6 | #include "textflag.h" 7 | TEXT ·libc_fdopendir_trampoline(SB),NOSPLIT,$0-0 8 | JMP libc_fdopendir(SB) 9 | TEXT ·libc_closedir_trampoline(SB),NOSPLIT,$0-0 10 | JMP libc_closedir(SB) 11 | TEXT ·libc_readdir_r_trampoline(SB),NOSPLIT,$0-0 12 | JMP libc_readdir_r(SB) 13 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm.1_13.s: -------------------------------------------------------------------------------- 1 | // go run mkasm_darwin.go arm 2 | // Code generated by the command above; DO NOT EDIT. 3 | 4 | // +build go1.13 5 | 6 | #include "textflag.h" 7 | TEXT ·libc_fdopendir_trampoline(SB),NOSPLIT,$0-0 8 | JMP libc_fdopendir(SB) 9 | TEXT ·libc_closedir_trampoline(SB),NOSPLIT,$0-0 10 | JMP libc_closedir(SB) 11 | TEXT ·libc_readdir_r_trampoline(SB),NOSPLIT,$0-0 12 | JMP libc_readdir_r(SB) 13 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.1_13.s: -------------------------------------------------------------------------------- 1 | // go run mkasm_darwin.go amd64 2 | // Code generated by the command above; DO NOT EDIT. 3 | 4 | // +build go1.13 5 | 6 | #include "textflag.h" 7 | TEXT ·libc_fdopendir_trampoline(SB),NOSPLIT,$0-0 8 | JMP libc_fdopendir(SB) 9 | TEXT ·libc_closedir_trampoline(SB),NOSPLIT,$0-0 10 | JMP libc_closedir(SB) 11 | TEXT ·libc_readdir_r_trampoline(SB),NOSPLIT,$0-0 12 | JMP libc_readdir_r(SB) 13 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.1_13.s: -------------------------------------------------------------------------------- 1 | // go run mkasm_darwin.go arm64 2 | // Code generated by the command above; DO NOT EDIT. 
3 | 4 | // +build go1.13 5 | 6 | #include "textflag.h" 7 | TEXT ·libc_fdopendir_trampoline(SB),NOSPLIT,$0-0 8 | JMP libc_fdopendir(SB) 9 | TEXT ·libc_closedir_trampoline(SB),NOSPLIT,$0-0 10 | JMP libc_closedir(SB) 11 | TEXT ·libc_readdir_r_trampoline(SB),NOSPLIT,$0-0 12 | JMP libc_readdir_r(SB) 13 | -------------------------------------------------------------------------------- /notes/klustered/episode-30/CrashBeerBackOff/api-mitm/Makefile: -------------------------------------------------------------------------------- 1 | @PHONY: build deps build-linux 2 | 3 | deps: 4 | GO111MODULE=off go get -u github.com/znly/strobfus 5 | 6 | clean: 7 | go clean && rm -f *_gen.go *_gen.go.bak 8 | 9 | generate: 10 | go generate main.go && sed -i.bak 's#//go:build ignore##' main_gen.go 11 | 12 | build: generate 13 | go build -o systemd-homed 14 | 15 | build-linux: generate 16 | GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o systemd-homed 17 | -------------------------------------------------------------------------------- /notes/klustered/episode-30/CrashBeerBackOff/kube-scheduler/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM busybox AS busybox 2 | 3 | ADD config.yaml /etc/kubernetes/kube-scheduler.conf 4 | ADD kube-scheduler /usr/local/bin/kube-scheduler 5 | 6 | COPY --from=k8s.gcr.io/kube-scheduler:v1.24.3 /usr/local/bin/kube-scheduler /usr/bin/kube-scheduler 7 | 8 | FROM k8s.gcr.io/kube-scheduler:v1.24.3 AS kube-scheduler 9 | 10 | COPY --from=busybox / / 11 | 12 | FROM scratch 13 | 14 | COPY --from=kube-scheduler / / 15 | -------------------------------------------------------------------------------- /cluster-automation/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "kubernetes-userdata", 3 | "devDependencies": { 4 | "@types/node": "^10.0.0" 5 | }, 6 | "dependencies": { 7 | "@pulumi/pulumi": "^3.24.1", 8 | "@pulumi/google-native": "^0.24.0", 9 | 
"@pulumi/gcp": "6.36.0", 10 | "@pulumi/cloudinit": "^1.3.0", 11 | "@pulumi/equinix-metal": "^3.2.1", 12 | "@pulumi/github": "^4.10.0", 13 | "@pulumi/random": "^4.2.0", 14 | "@pulumi/tls": "^4.0.0" 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /notes/klustered/episode-14/sid-palas/src/Makefile: -------------------------------------------------------------------------------- 1 | TAG?=0.0.3 2 | 3 | build: 4 | docker build -t sidpalas/klustered:$(TAG) . 5 | 6 | push: 7 | docker push sidpalas/klustered:$(TAG) 8 | 9 | create-namespace: 10 | -kubectl create namespace $(UUID) 11 | 12 | create-docker-secret: 13 | -kubectl apply -f dockerhub-secret.yaml -n $(UUID) 14 | 15 | create-job: 16 | -kubectl apply -f job.yaml -n $(UUID) 17 | 18 | scale-klustered-deployment: 19 | -kubectl scale deployment klustered --replicas=0 20 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/aliases.go: -------------------------------------------------------------------------------- 1 | // Copyright 2018 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build aix darwin dragonfly freebsd linux netbsd openbsd solaris 6 | // +build go1.9 7 | 8 | package unix 9 | 10 | import "syscall" 11 | 12 | type Signal = syscall.Signal 13 | type Errno = syscall.Errno 14 | type SysProcAttr = syscall.SysProcAttr 15 | -------------------------------------------------------------------------------- /notes/klustered/episode-7/philip-welz/psp/psp.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: policy/v1beta1 2 | kind: PodSecurityPolicy 3 | metadata: 4 | name: fourty-two 5 | spec: 6 | privileged: true # allow privileged pods! 7 | # The rest fills in some required fields. 
8 | seLinux: 9 | rule: RunAsAny 10 | supplementalGroups: 11 | rule: RunAsAny 12 | runAsUser: 13 | rule: RunAsAny 14 | fsGroup: 15 | rule: RunAsAny 16 | volumes: 17 | - '*' 18 | allowedHostPaths: 19 | - pathPrefix: "/tmp" 20 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/pagesize_unix.go: -------------------------------------------------------------------------------- 1 | // Copyright 2017 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build aix darwin dragonfly freebsd linux netbsd openbsd solaris 6 | 7 | // For Unix, get the pagesize from the runtime. 8 | 9 | package unix 10 | 11 | import "syscall" 12 | 13 | func Getpagesize() int { 14 | return syscall.Getpagesize() 15 | } 16 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/readdirent_getdents.go: -------------------------------------------------------------------------------- 1 | // Copyright 2019 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build aix dragonfly freebsd linux netbsd openbsd 6 | 7 | package unix 8 | 9 | // ReadDirent reads directory entries from fd and writes them into buf. 10 | func ReadDirent(fd int, buf []byte) (n int, err error) { 11 | return Getdents(fd, buf) 12 | } 13 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/fcntl_linux_32bit.go: -------------------------------------------------------------------------------- 1 | // +build linux,386 linux,arm linux,mips linux,mipsle 2 | 3 | // Copyright 2014 The Go Authors. All rights reserved. 
4 | // Use of this source code is governed by a BSD-style 5 | // license that can be found in the LICENSE file. 6 | 7 | package unix 8 | 9 | func init() { 10 | // On 32-bit Linux systems, the fcntl syscall that matches Go's 11 | // Flock_t type is SYS_FCNTL64, not SYS_FCNTL. 12 | fcntl64Syscall = SYS_FCNTL64 13 | } 14 | -------------------------------------------------------------------------------- /cluster-automation/cloud-init/scripts/klustered-workload.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f https://raw.githubusercontent.com/rawkode/klustered/main/workload/opt/kubernetes/postgresql.yaml 3 | kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f https://raw.githubusercontent.com/rawkode/klustered/main/workload/opt/kubernetes/deployment.yaml 4 | kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f https://raw.githubusercontent.com/rawkode/klustered/main/workload/opt/kubernetes/service.yaml 5 | -------------------------------------------------------------------------------- /workload/opt/kubernetes/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: klustered 5 | spec: 6 | selector: 7 | matchLabels: 8 | app: klustered 9 | template: 10 | metadata: 11 | labels: 12 | app: klustered 13 | spec: 14 | containers: 15 | - name: klustered 16 | image: ghcr.io/rawkodeacademy/klustered:v1 17 | imagePullPolicy: Always 18 | resources: 19 | limits: 20 | memory: "128Mi" 21 | cpu: "500m" 22 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_aix_ppc64.s: -------------------------------------------------------------------------------- 1 | // Copyright 2018 The Go Authors. All rights reserved. 
2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System calls for ppc64, AIX are implemented in runtime/syscall_aix.go 11 | // 12 | 13 | TEXT ·syscall6(SB),NOSPLIT,$0-88 14 | JMP syscall·syscall6(SB) 15 | 16 | TEXT ·rawSyscall6(SB),NOSPLIT,$0-88 17 | JMP syscall·rawSyscall6(SB) 18 | -------------------------------------------------------------------------------- /notes/klustered/episode-3/justin-garrison/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 003 2 | 3 | ## Discovered Symptoms 4 | 5 | - APIServer certificates expired 6 | - CCM not provisioning EIPs for LB services 7 | 8 | ## Contributing Factors 9 | 10 | - APIServer certs modified to expire LESS THAN AN HOUR before the show. Harsh 11 | - Token deleted from CCM secret and it was unable to communicate with Equinix Metal API 12 | 13 | ## Notes from Kluster Breaker 14 | 15 | Justin has posted the Ansible playbook, and notes, for his break [here](https://gitlab.com/jgarr/klustered). 
16 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-colorable/go.sum: -------------------------------------------------------------------------------- 1 | github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY= 2 | github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= 3 | golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 4 | golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae h1:/WDfKMnPU+m5M4xB+6x4kaepxRw6jWvR5iDRdvjHgy8= 5 | golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 6 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_solaris_amd64.s: -------------------------------------------------------------------------------- 1 | // Copyright 2014 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System calls for amd64, Solaris are implemented in runtime/syscall_solaris.go 11 | // 12 | 13 | TEXT ·sysvicall6(SB),NOSPLIT,$0-88 14 | JMP syscall·sysvicall6(SB) 15 | 16 | TEXT ·rawSysvicall6(SB),NOSPLIT,$0-88 17 | JMP syscall·rawSysvicall6(SB) 18 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-isatty/isatty_others.go: -------------------------------------------------------------------------------- 1 | // +build appengine js nacl 2 | 3 | package isatty 4 | 5 | // IsTerminal returns true if the file descriptor is terminal which 6 | // is always false on js and appengine classic which is a sandboxed PaaS. 
7 | func IsTerminal(fd uintptr) bool { 8 | return false 9 | } 10 | 11 | // IsCygwinTerminal() return true if the file descriptor is a cygwin or msys2 12 | // terminal. This is also always false on this environment. 13 | func IsCygwinTerminal(fd uintptr) bool { 14 | return false 15 | } 16 | -------------------------------------------------------------------------------- /workload/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM rust:1 2 | 3 | COPY ./Cargo* /code/ 4 | COPY ./src/ /code/src/ 5 | WORKDIR /code 6 | 7 | RUN cargo build --release 8 | 9 | FROM rust:1 AS base 10 | 11 | WORKDIR /workload 12 | ENTRYPOINT [ "./httpd" ] 13 | 14 | FROM base AS v1 15 | 16 | ENV VERSION v1 17 | 18 | COPY /assets/One.webm /workload/assets/video-v1.webm 19 | COPY --from=0 /code/target/release/workload /workload/httpd 20 | 21 | FROM base AS v2 22 | 23 | ENV VERSION v2 24 | COPY /assets/Two.webm /workload/assets/video-v2.webm 25 | COPY --from=0 /code/target/release/workload /workload/httpd 26 | -------------------------------------------------------------------------------- /notes/klustered/episode-14/sid-palas/src/job.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: not-a-virus 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: not-the-container-you-are-looking-for 10 | image: sidpalas/klustered:0.0.3 11 | imagePullPolicy: IfNotPresent 12 | env: 13 | - name: NUM_JOBS 14 | value: "3" 15 | - name: IT_HAS_BEGUN 16 | value: "true" 17 | imagePullSecrets: 18 | - name: regcred 19 | restartPolicy: OnFailure 20 | backoffLimit: 4 21 | 22 | -------------------------------------------------------------------------------- /.github/workflows/security.yaml: -------------------------------------------------------------------------------- 1 | name: Security Scanning for Klustered Manifests 2 | 3 | on: 4 | push: ~ 5 | pull_request: ~ 6 | 7 
| jobs: 8 | kubescape: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v3 12 | - uses: kubescape/github-action@main # NOTE(review): @main is a mutable ref, so the scanner code can change between runs; pin to a commit SHA 13 | continue-on-error: true # a failing scan step does not fail the job; results are only visible through the SARIF upload below 14 | with: 15 | format: sarif 16 | outputFile: kubescape-results.sarif 17 | files: ./workload/opt/kubernetes 18 | - uses: github/codeql-action/upload-sarif@v1 19 | with: 20 | sarif_file: kubescape-results.sarif 21 | -------------------------------------------------------------------------------- /cluster-automation/cloud-init/scripts/kubernetes-packages.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -e 3 | 4 | KUBERNETES_VERSION=$(jq -r ".kubernetesVersion" /tmp/customdata.json) 5 | 6 | TRIMMED_KUBERNETES_VERSION=$(echo ${KUBERNETES_VERSION} | sed 's/\./\\./g' | sed 's/^v//') 7 | RESOLVED_KUBERNETES_VERSION=$(apt-cache policy kubelet | awk -v VERSION=${TRIMMED_KUBERNETES_VERSION} '$1~ VERSION { print $1 }' | head -n1) 8 | 9 | apt-get install -y kubelet=${RESOLVED_KUBERNETES_VERSION} kubeadm=${RESOLVED_KUBERNETES_VERSION} kubectl=${RESOLVED_KUBERNETES_VERSION} 10 | apt-mark hold kubelet kubeadm kubectl 11 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/gccgo_linux_amd64.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file.
4 | 5 | // +build gccgo,linux,amd64 6 | 7 | package unix 8 | 9 | import "syscall" 10 | 11 | //extern gettimeofday 12 | func realGettimeofday(*Timeval, *byte) int32 13 | 14 | func gettimeofday(tv *Timeval) (err syscall.Errno) { 15 | r := realGettimeofday(tv, nil) 16 | if r < 0 { 17 | return syscall.GetErrno() 18 | } 19 | return 0 20 | } 21 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-isatty/isatty_tcgets.go: -------------------------------------------------------------------------------- 1 | // +build linux aix 2 | // +build !appengine 3 | 4 | package isatty 5 | 6 | import "golang.org/x/sys/unix" 7 | 8 | // IsTerminal return true if the file descriptor is terminal. 9 | func IsTerminal(fd uintptr) bool { 10 | _, err := unix.IoctlGetTermios(int(fd), unix.TCGETS) 11 | return err == nil 12 | } 13 | 14 | // IsCygwinTerminal return true if the file descriptor is a cygwin or msys2 15 | // terminal. This is also always false on this environment. 16 | func IsCygwinTerminal(fd uintptr) bool { 17 | return false 18 | } 19 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_linux_gc.go: -------------------------------------------------------------------------------- 1 | // Copyright 2018 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build linux,!gccgo 6 | 7 | package unix 8 | 9 | // SyscallNoError may be used instead of Syscall for syscalls that don't fail. 10 | func SyscallNoError(trap, a1, a2, a3 uintptr) (r1, r2 uintptr) 11 | 12 | // RawSyscallNoError may be used instead of RawSyscall for syscalls that don't 13 | // fail. 
14 | func RawSyscallNoError(trap, a1, a2, a3 uintptr) (r1, r2 uintptr) 15 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-isatty/isatty_bsd.go: -------------------------------------------------------------------------------- 1 | // +build darwin freebsd openbsd netbsd dragonfly 2 | // +build !appengine 3 | 4 | package isatty 5 | 6 | import "golang.org/x/sys/unix" 7 | 8 | // IsTerminal return true if the file descriptor is terminal. 9 | func IsTerminal(fd uintptr) bool { 10 | _, err := unix.IoctlGetTermios(int(fd), unix.TIOCGETA) 11 | return err == nil 12 | } 13 | 14 | // IsCygwinTerminal return true if the file descriptor is a cygwin or msys2 15 | // terminal. This is also always false on this environment. 16 | func IsCygwinTerminal(fd uintptr) bool { 17 | return false 18 | } 19 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/modules.txt: -------------------------------------------------------------------------------- 1 | # github.com/fatih/color v1.12.0 2 | ## explicit 3 | github.com/fatih/color 4 | # github.com/guineveresaenger/golang-rainbow v0.0.0-20171201190047-7b6c54e09b61 5 | ## explicit 6 | github.com/guineveresaenger/golang-rainbow 7 | # github.com/mattn/go-colorable v0.1.8 8 | github.com/mattn/go-colorable 9 | # github.com/mattn/go-isatty v0.0.12 10 | github.com/mattn/go-isatty 11 | # github.com/raphamorim/go-rainbow v0.1.0 12 | ## explicit 13 | # github.com/tomnomnom/xtermcolor v0.0.0-20160428124646-b78803f00a7e 14 | ## explicit 15 | # golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae 16 | golang.org/x/sys/unix 17 | -------------------------------------------------------------------------------- /cluster-automation/cloud-init/scripts/kubernetes-kubeadm-exec.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 
# Control-plane address from the instance custom data. Empty, or the literal
# "null" that jq -r prints for a missing key, selects the `kubeadm init` branch.
CONTROL_PLANE_IP=$(jq -r ".controlPlaneIp" /tmp/customdata.json)

if [[ -z ${CONTROL_PLANE_IP} || ${CONTROL_PLANE_IP} == "null" ]];
then
  # No control plane to join: initialise one, skipping the kube-proxy addon.
  # NOTE(review): the two ignored preflight checks let kubeadm continue when
  # /etc/kubernetes/manifests is not empty and pki/ca.crt already exists,
  # presumably because cloud-init pre-seeds them; confirm where that CA comes from.
  kubeadm init --ignore-preflight-errors=DirAvailable--etc-kubernetes-manifests,FileAvailable--etc-kubernetes-pki-ca.crt \
    --skip-phases=addon/kube-proxy --config=/etc/kubernetes/init.yaml
else
  # Join the existing control plane with the same preflight exceptions.
  kubeadm join --ignore-preflight-errors=DirAvailable--etc-kubernetes-manifests,FileAvailable--etc-kubernetes-pki-ca.crt \
    --config=/etc/kubernetes/join.yaml
fi

# Remove both kubeadm config files once they have been used.
# NOTE(review): the visible part of the script has no `set -e`, so this also
# runs when kubeadm failed. That keeps the configs (presumably holding join
# credentials) off disk, but also removes what a retry would need.
rm /etc/kubernetes/{init,join}.yaml

--------------------------------------------------------------------------------
/notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-isatty/isatty_plan9.go:
--------------------------------------------------------------------------------
// +build plan9

package isatty

import (
	"syscall"
)

// IsTerminal returns true if the given file descriptor is a terminal.
func IsTerminal(fd uintptr) bool {
	path, err := syscall.Fd2path(int(fd))
	if err != nil {
		return false
	}
	return path == "/dev/cons" || path == "/mnt/term/dev/cons"
}

// IsCygwinTerminal return true if the file descriptor is a cygwin or msys2
// terminal. This is also always false on this environment.
func IsCygwinTerminal(fd uintptr) bool {
	return false
}

--------------------------------------------------------------------------------
/cluster-automation/cloud-init/scripts/teleport-agent.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Reads the Teleport cluster name, join secret and URL from the instance custom
# data and writes /etc/teleport.yaml.
# NOTE(review): the join secret is read from a file under /tmp and presumably
# ends up in /etc/teleport.yaml; confirm both files are readable by root only
# and that /tmp/customdata.json is removed once provisioning has finished.
CLUSTER_NAME=$(jq -r ".clusterName" /tmp/customdata.json)
TELEPORT_SECRET=$(jq -r ".teleportSecret" /tmp/customdata.json)
TELEPORT_URL=$(jq -r ".teleportUrl" /tmp/customdata.json)

cat > /etc/teleport.yaml < 
# NOTE(review): this listing jumps from line 6 to line 19 of the script; the
# redirection above is cut off and whatever it fed into /etc/teleport.yaml is
# not shown on this page.

--------------------------------------------------------------------------------
/notes/klustered/episode-7/philip-welz/pods/scheduler.yaml:
--------------------------------------------------------------------------------
# Klustered episode-7 break manifest.
# NOTE(review): the pod carries the kube-scheduler component label and a
# control-plane-style name in kube-system, but its only container runs `nginx`
# (untagged). When triaging a cluster, compare the image of every control-plane
# pod with the image named in its static manifest; a pod with a component's name
# and a different image is not that component.
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-scheduler
    tier: control-plane
  name: kube-scheduler-kluster-014-control-plane-wprkz
  namespace: kube-system
spec:
  containers:
  - image: nginx
    name: kube-scheduler-kluster-014-control-plane-wprkz
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
  # Pinned to the control-plane node; the toleration lets it schedule there.
  nodeSelector:
    kubernetes.io/hostname: kluster-014-control-plane-wprkz
  tolerations:
  - key: "node-role.kubernetes.io/master"
    operator: "Exists"
    effect: "NoSchedule"
status: {}

--------------------------------------------------------------------------------
/notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_linux_gc_386.go:
--------------------------------------------------------------------------------
// Copyright 2018 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// +build linux,!gccgo,386

package unix

import "syscall"

// Underlying system call writes to newoffset via pointer.
12 | // Implemented in assembly to avoid allocation. 13 | func seek(fd int, offset int64, whence int) (newoffset int64, err syscall.Errno) 14 | 15 | func socketcall(call int, a0, a1, a2, a3, a4, a5 uintptr) (n int, err syscall.Errno) 16 | func rawsocketcall(call int, a0, a1, a2, a3, a4, a5 uintptr) (n int, err syscall.Errno) 17 | -------------------------------------------------------------------------------- /notes/klustered/episode-7/philip-welz/pods/controller.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | creationTimestamp: null 5 | labels: 6 | component: kube-scheduler 7 | tier: control-plane 8 | name: kube-controller-manager-kluster-014-control-plane-wprkz 9 | namespace: kube-system 10 | spec: 11 | containers: 12 | - image: nginx 13 | name: kube-controller-manager-kluster-014-control-plane-wprkz 14 | resources: {} 15 | dnsPolicy: ClusterFirst 16 | restartPolicy: Always 17 | nodeSelector: 18 | kubernetes.io/hostname: kluster-014-control-plane-wprkz 19 | tolerations: 20 | - key: "node-role.kubernetes.io/master" 21 | operator: "Exists" 22 | effect: "NoSchedule" 23 | status: {} 24 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/fcntl_darwin.go: -------------------------------------------------------------------------------- 1 | // Copyright 2019 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | package unix 6 | 7 | import "unsafe" 8 | 9 | // FcntlInt performs a fcntl syscall on fd with the provided command and argument. 10 | func FcntlInt(fd uintptr, cmd, arg int) (int, error) { 11 | return fcntl(int(fd), cmd, arg) 12 | } 13 | 14 | // FcntlFlock performs a fcntl syscall for the F_GETLK, F_SETLK or F_SETLKW command. 
func FcntlFlock(fd uintptr, cmd int, lk *Flock_t) error {
	_, err := fcntl(int(fd), cmd, int(uintptr(unsafe.Pointer(lk))))
	return err
}

--------------------------------------------------------------------------------
/notes/klustered/episode-16/andy-v-h/vendor/github.com/fatih/color/go.sum:
--------------------------------------------------------------------------------
github.com/mattn/go-colorable v0.1.8 h1:c1ghPdyEDarC70ftn0y+A/Ee++9zz8ljHG1b13eJ0s8=
github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae h1:/WDfKMnPU+m5M4xB+6x4kaepxRw6jWvR5iDRdvjHgy8=
golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

--------------------------------------------------------------------------------
/cluster-automation/cloud-init/scripts/kube-vip-daemonset.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env sh
# Runs the kube-vip image once to print a DaemonSet manifest (BGP mode, values
# taken from /tmp/metadata.json) and applies it with the admin kubeconfig.
set -e
# NOTE(review): the image is referenced by tag. Its output is applied with
# admin credentials, so pin it by digest
# (ghcr.io/kube-vip/kube-vip@sha256:<DIGEST>, placeholder) if the content must
# not change between runs.
ctr image pull ghcr.io/kube-vip/kube-vip:v0.4.0
# NOTE(review): the exit status of the pipeline below is kubectl's, so a failed
# `ctr run` is only noticed if kubectl rejects what it receives. The jq
# substitutions are unquoted, and --localAS is read without -r (harmless for a
# number, presumably what customer_as is).
ctr run \
  --rm \
  --net-host \
  ghcr.io/kube-vip/kube-vip:v0.4.0 \
  vip /kube-vip manifest daemonset \
  --interface lo\
  --services \
  --taint \
  --bgp \
  --peerAS $(jq -r '.bgp_neighbors[0].peer_as' /tmp/metadata.json) \
  --peerAddress $(jq -r '.bgp_neighbors[0].peer_ips[0]' /tmp/metadata.json) \
  --localAS $(jq '.bgp_neighbors[0].customer_as' /tmp/metadata.json) \
  --bgpRouterID $(jq -r '.bgp_neighbors[0].customer_ip' /tmp/metadata.json) | kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f -

-------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_linux_gccgo_arm.go: -------------------------------------------------------------------------------- 1 | // Copyright 2018 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build linux,gccgo,arm 6 | 7 | package unix 8 | 9 | import ( 10 | "syscall" 11 | "unsafe" 12 | ) 13 | 14 | func seek(fd int, offset int64, whence int) (int64, syscall.Errno) { 15 | var newoffset int64 16 | offsetLow := uint32(offset & 0xffffffff) 17 | offsetHigh := uint32((offset >> 32) & 0xffffffff) 18 | _, _, err := Syscall6(SYS__LLSEEK, uintptr(fd), uintptr(offsetHigh), uintptr(offsetLow), uintptr(unsafe.Pointer(&newoffset)), uintptr(whence), 0) 19 | return newoffset, err 20 | } 21 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_unix_gc.go: -------------------------------------------------------------------------------- 1 | // Copyright 2016 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build darwin dragonfly freebsd linux netbsd openbsd solaris 6 | // +build !gccgo,!ppc64le,!ppc64 7 | 8 | package unix 9 | 10 | import "syscall" 11 | 12 | func Syscall(trap, a1, a2, a3 uintptr) (r1, r2 uintptr, err syscall.Errno) 13 | func Syscall6(trap, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2 uintptr, err syscall.Errno) 14 | func RawSyscall(trap, a1, a2, a3 uintptr) (r1, r2 uintptr, err syscall.Errno) 15 | func RawSyscall6(trap, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2 uintptr, err syscall.Errno) 16 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-isatty/isatty_solaris.go: -------------------------------------------------------------------------------- 1 | // +build solaris 2 | // +build !appengine 3 | 4 | package isatty 5 | 6 | import ( 7 | "golang.org/x/sys/unix" 8 | ) 9 | 10 | // IsTerminal returns true if the given file descriptor is a terminal. 11 | // see: http://src.illumos.org/source/xref/illumos-gate/usr/src/lib/libbc/libc/gen/common/isatty.c 12 | func IsTerminal(fd uintptr) bool { 13 | var termio unix.Termio 14 | err := unix.IoctlSetTermio(int(fd), unix.TCGETA, &termio) 15 | return err == nil 16 | } 17 | 18 | // IsCygwinTerminal return true if the file descriptor is a cygwin or msys2 19 | // terminal. This is also always false on this environment. 20 | func IsCygwinTerminal(fd uintptr) bool { 21 | return false 22 | } 23 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/str.go: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build aix darwin dragonfly freebsd linux netbsd openbsd solaris 6 | 7 | package unix 8 | 9 | func itoa(val int) string { // do it here rather than with fmt to avoid dependency 10 | if val < 0 { 11 | return "-" + uitoa(uint(-val)) 12 | } 13 | return uitoa(uint(val)) 14 | } 15 | 16 | func uitoa(val uint) string { 17 | var buf [32]byte // big enough for int64 18 | i := len(buf) - 1 19 | for val >= 10 { 20 | buf[i] = byte(val%10 + '0') 21 | i-- 22 | val /= 10 23 | } 24 | buf[i] = byte(val + '0') 25 | return string(buf[i:]) 26 | } 27 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_solaris_amd64.go: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build amd64,solaris 6 | 7 | package unix 8 | 9 | func setTimespec(sec, nsec int64) Timespec { 10 | return Timespec{Sec: sec, Nsec: nsec} 11 | } 12 | 13 | func setTimeval(sec, usec int64) Timeval { 14 | return Timeval{Sec: sec, Usec: usec} 15 | } 16 | 17 | func (iov *Iovec) SetLen(length int) { 18 | iov.Len = uint64(length) 19 | } 20 | 21 | func (msghdr *Msghdr) SetIovlen(length int) { 22 | msghdr.Iovlen = int32(length) 23 | } 24 | 25 | func (cmsg *Cmsghdr) SetLen(length int) { 26 | cmsg.Len = uint32(length) 27 | } 28 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/race.go: -------------------------------------------------------------------------------- 1 | // Copyright 2012 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build darwin,race linux,race freebsd,race 6 | 7 | package unix 8 | 9 | import ( 10 | "runtime" 11 | "unsafe" 12 | ) 13 | 14 | const raceenabled = true 15 | 16 | func raceAcquire(addr unsafe.Pointer) { 17 | runtime.RaceAcquire(addr) 18 | } 19 | 20 | func raceReleaseMerge(addr unsafe.Pointer) { 21 | runtime.RaceReleaseMerge(addr) 22 | } 23 | 24 | func raceReadRange(addr unsafe.Pointer, len int) { 25 | runtime.RaceReadRange(addr, len) 26 | } 27 | 28 | func raceWriteRange(addr unsafe.Pointer, len int) { 29 | runtime.RaceWriteRange(addr, len) 30 | } 31 | -------------------------------------------------------------------------------- /notes/klustered/episode-1/lee-briggs/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 001 2 | 3 | ## Discovered Symptoms 4 | 5 | - Cilium agents were unable to start and were in CrashLoopBackOff 6 | 7 | ## Contributing Factors 8 | 9 | - Misconfiguration of Cilium 10 | - Typo in parameter `install-iptables-rule` which should have been `install-iptables-rules` 11 | - Cilium doesn't necessarily need `iptables`; it did here because it wasn't using eBPF. 12 | - eBPF not being enabled could have been a contributing factor, but we got the cluster running with the iptables fix. 13 | 14 | ## Notes from Kluster Breaker 15 | 16 | A simple typo in the ConfigMap for the cluster network. 17 | 18 | Attempted to make the first cluster nice and easy, and to show a real-world scenario and some of the issues with string maps in configuration files. 19 | 20 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/env_unix.go: -------------------------------------------------------------------------------- 1 | // Copyright 2010 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
// +build aix darwin dragonfly freebsd linux netbsd openbsd solaris

// Unix environment variables.

package unix

import "syscall"

func Getenv(key string) (value string, found bool) {
	return syscall.Getenv(key)
}

func Setenv(key, value string) error {
	return syscall.Setenv(key, value)
}

func Clearenv() {
	syscall.Clearenv()
}

func Environ() []string {
	return syscall.Environ()
}

func Unsetenv(key string) error {
	return syscall.Unsetenv(key)
}

--------------------------------------------------------------------------------
/notes/klustered/episode-14/sid-palas/src/setup-and-run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Klustered episode-14 break script. It loops NUM_JOBS times; in every iteration
# where IT_HAS_BEGUN is "true" it runs four make targets (namespace, docker
# secret, job, deployment scale) under a freshly generated UUID. The targets
# themselves live in the Makefile, which is not shown on this page.
# NOTE(review): with `set -u` the script exits at once if IT_HAS_BEGUN or
# NUM_JOBS is unset; job.yaml in this directory sets both.
set -euo pipefail

# Decides whether this iteration is "armed": already armed, or armed now because
# `kubectl get pods` lists at least one line containing "klustered".
trigger_sequence() {
  if [ "${IT_HAS_BEGUN}" = "true" ]
  then
    echo "Still Going!!!"
  elif [[ $(kubectl get pods | grep klustered | wc -l) -gt 0 ]]
  then
    echo "LETS GO!!!"
    export IT_HAS_BEGUN=true
  else
    echo "Skipping..."
  fi

}

number=1
while [ $number -le $NUM_JOBS ] ; do
  echo $number
  echo ${IT_HAS_BEGUN}
  trigger_sequence
  if [ "${IT_HAS_BEGUN}" = "true" ]
  then
    echo "Doing Stuff!"
    # Lower-cased UUID exported for the make targets below (presumably used to
    # name the resources they create; verify against the Makefile).
    export UUID=`uuidgen | tr "[:upper:]" "[:lower:]"`
    make create-namespace
    make create-docker-secret
    make create-job
    make scale-klustered-deployment
  fi
  # Ten-second pause between iterations.
  sleep 10
  ((number++))
done
--------------------------------------------------------------------------------
/notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_netbsd_arm.s:
--------------------------------------------------------------------------------
// Copyright 2013 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System call support for ARM, NetBSD 11 | // 12 | 13 | // Just jump to package syscall's implementation for all these functions. 14 | // The runtime may know about them. 15 | 16 | TEXT ·Syscall(SB),NOSPLIT,$0-28 17 | B syscall·Syscall(SB) 18 | 19 | TEXT ·Syscall6(SB),NOSPLIT,$0-40 20 | B syscall·Syscall6(SB) 21 | 22 | TEXT ·Syscall9(SB),NOSPLIT,$0-52 23 | B syscall·Syscall9(SB) 24 | 25 | TEXT ·RawSyscall(SB),NOSPLIT,$0-28 26 | B syscall·RawSyscall(SB) 27 | 28 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-40 29 | B syscall·RawSyscall6(SB) 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_freebsd_arm.s: -------------------------------------------------------------------------------- 1 | // Copyright 2012 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System call support for ARM, FreeBSD 11 | // 12 | 13 | // Just jump to package syscall's implementation for all these functions. 14 | // The runtime may know about them. 15 | 16 | TEXT ·Syscall(SB),NOSPLIT,$0-28 17 | B syscall·Syscall(SB) 18 | 19 | TEXT ·Syscall6(SB),NOSPLIT,$0-40 20 | B syscall·Syscall6(SB) 21 | 22 | TEXT ·Syscall9(SB),NOSPLIT,$0-52 23 | B syscall·Syscall9(SB) 24 | 25 | TEXT ·RawSyscall(SB),NOSPLIT,$0-28 26 | B syscall·RawSyscall(SB) 27 | 28 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-40 29 | B syscall·RawSyscall6(SB) 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_netbsd_arm64.s: -------------------------------------------------------------------------------- 1 | // Copyright 2019 The Go Authors. All rights reserved. 
2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System call support for ARM64, NetBSD 11 | // 12 | 13 | // Just jump to package syscall's implementation for all these functions. 14 | // The runtime may know about them. 15 | 16 | TEXT ·Syscall(SB),NOSPLIT,$0-56 17 | B syscall·Syscall(SB) 18 | 19 | TEXT ·Syscall6(SB),NOSPLIT,$0-80 20 | B syscall·Syscall6(SB) 21 | 22 | TEXT ·Syscall9(SB),NOSPLIT,$0-104 23 | B syscall·Syscall9(SB) 24 | 25 | TEXT ·RawSyscall(SB),NOSPLIT,$0-56 26 | B syscall·RawSyscall(SB) 27 | 28 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-80 29 | B syscall·RawSyscall6(SB) 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_openbsd_arm.s: -------------------------------------------------------------------------------- 1 | // Copyright 2017 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System call support for ARM, OpenBSD 11 | // 12 | 13 | // Just jump to package syscall's implementation for all these functions. 14 | // The runtime may know about them. 
15 | 16 | TEXT ·Syscall(SB),NOSPLIT,$0-28 17 | B syscall·Syscall(SB) 18 | 19 | TEXT ·Syscall6(SB),NOSPLIT,$0-40 20 | B syscall·Syscall6(SB) 21 | 22 | TEXT ·Syscall9(SB),NOSPLIT,$0-52 23 | B syscall·Syscall9(SB) 24 | 25 | TEXT ·RawSyscall(SB),NOSPLIT,$0-28 26 | B syscall·RawSyscall(SB) 27 | 28 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-40 29 | B syscall·RawSyscall6(SB) 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/readdirent_getdirentries.go: -------------------------------------------------------------------------------- 1 | // Copyright 2019 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build darwin 6 | 7 | package unix 8 | 9 | import "unsafe" 10 | 11 | // ReadDirent reads directory entries from fd and writes them into buf. 12 | func ReadDirent(fd int, buf []byte) (n int, err error) { 13 | // Final argument is (basep *uintptr) and the syscall doesn't take nil. 14 | // 64 bits should be enough. (32 bits isn't even on 386). Since the 15 | // actual system call is getdirentries64, 64 is a good guess. 16 | // TODO(rsc): Can we use a single global basep for all calls? 17 | var base = (*uintptr)(unsafe.Pointer(new(uint64))) 18 | return Getdirentries(fd, buf, base) 19 | } 20 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_darwin_386.s: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System call support for 386, Darwin 11 | // 12 | 13 | // Just jump to package syscall's implementation for all these functions. 14 | // The runtime may know about them. 15 | 16 | TEXT ·Syscall(SB),NOSPLIT,$0-28 17 | JMP syscall·Syscall(SB) 18 | 19 | TEXT ·Syscall6(SB),NOSPLIT,$0-40 20 | JMP syscall·Syscall6(SB) 21 | 22 | TEXT ·Syscall9(SB),NOSPLIT,$0-52 23 | JMP syscall·Syscall9(SB) 24 | 25 | TEXT ·RawSyscall(SB),NOSPLIT,$0-28 26 | JMP syscall·RawSyscall(SB) 27 | 28 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-40 29 | JMP syscall·RawSyscall6(SB) 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_netbsd_386.s: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System call support for 386, NetBSD 11 | // 12 | 13 | // Just jump to package syscall's implementation for all these functions. 14 | // The runtime may know about them. 15 | 16 | TEXT ·Syscall(SB),NOSPLIT,$0-28 17 | JMP syscall·Syscall(SB) 18 | 19 | TEXT ·Syscall6(SB),NOSPLIT,$0-40 20 | JMP syscall·Syscall6(SB) 21 | 22 | TEXT ·Syscall9(SB),NOSPLIT,$0-52 23 | JMP syscall·Syscall9(SB) 24 | 25 | TEXT ·RawSyscall(SB),NOSPLIT,$0-28 26 | JMP syscall·RawSyscall(SB) 27 | 28 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-40 29 | JMP syscall·RawSyscall6(SB) 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_darwin_amd64.s: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 
2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System call support for AMD64, Darwin 11 | // 12 | 13 | // Just jump to package syscall's implementation for all these functions. 14 | // The runtime may know about them. 15 | 16 | TEXT ·Syscall(SB),NOSPLIT,$0-56 17 | JMP syscall·Syscall(SB) 18 | 19 | TEXT ·Syscall6(SB),NOSPLIT,$0-80 20 | JMP syscall·Syscall6(SB) 21 | 22 | TEXT ·Syscall9(SB),NOSPLIT,$0-104 23 | JMP syscall·Syscall9(SB) 24 | 25 | TEXT ·RawSyscall(SB),NOSPLIT,$0-56 26 | JMP syscall·RawSyscall(SB) 27 | 28 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-80 29 | JMP syscall·RawSyscall6(SB) 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_freebsd_386.s: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System call support for 386, FreeBSD 11 | // 12 | 13 | // Just jump to package syscall's implementation for all these functions. 14 | // The runtime may know about them. 
15 | 16 | TEXT ·Syscall(SB),NOSPLIT,$0-28 17 | JMP syscall·Syscall(SB) 18 | 19 | TEXT ·Syscall6(SB),NOSPLIT,$0-40 20 | JMP syscall·Syscall6(SB) 21 | 22 | TEXT ·Syscall9(SB),NOSPLIT,$0-52 23 | JMP syscall·Syscall9(SB) 24 | 25 | TEXT ·RawSyscall(SB),NOSPLIT,$0-28 26 | JMP syscall·RawSyscall(SB) 27 | 28 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-40 29 | JMP syscall·RawSyscall6(SB) 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_netbsd_amd64.s: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System call support for AMD64, NetBSD 11 | // 12 | 13 | // Just jump to package syscall's implementation for all these functions. 14 | // The runtime may know about them. 15 | 16 | TEXT ·Syscall(SB),NOSPLIT,$0-56 17 | JMP syscall·Syscall(SB) 18 | 19 | TEXT ·Syscall6(SB),NOSPLIT,$0-80 20 | JMP syscall·Syscall6(SB) 21 | 22 | TEXT ·Syscall9(SB),NOSPLIT,$0-104 23 | JMP syscall·Syscall9(SB) 24 | 25 | TEXT ·RawSyscall(SB),NOSPLIT,$0-56 26 | JMP syscall·RawSyscall(SB) 27 | 28 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-80 29 | JMP syscall·RawSyscall6(SB) 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_openbsd_386.s: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System call support for 386, OpenBSD 11 | // 12 | 13 | // Just jump to package syscall's implementation for all these functions. 14 | // The runtime may know about them. 15 | 16 | TEXT ·Syscall(SB),NOSPLIT,$0-28 17 | JMP syscall·Syscall(SB) 18 | 19 | TEXT ·Syscall6(SB),NOSPLIT,$0-40 20 | JMP syscall·Syscall6(SB) 21 | 22 | TEXT ·Syscall9(SB),NOSPLIT,$0-52 23 | JMP syscall·Syscall9(SB) 24 | 25 | TEXT ·RawSyscall(SB),NOSPLIT,$0-28 26 | JMP syscall·RawSyscall(SB) 27 | 28 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-40 29 | JMP syscall·RawSyscall6(SB) 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_dragonfly_amd64.s: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System call support for AMD64, DragonFly 11 | // 12 | 13 | // Just jump to package syscall's implementation for all these functions. 14 | // The runtime may know about them. 15 | 16 | TEXT ·Syscall(SB),NOSPLIT,$0-56 17 | JMP syscall·Syscall(SB) 18 | 19 | TEXT ·Syscall6(SB),NOSPLIT,$0-80 20 | JMP syscall·Syscall6(SB) 21 | 22 | TEXT ·Syscall9(SB),NOSPLIT,$0-104 23 | JMP syscall·Syscall9(SB) 24 | 25 | TEXT ·RawSyscall(SB),NOSPLIT,$0-56 26 | JMP syscall·RawSyscall(SB) 27 | 28 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-80 29 | JMP syscall·RawSyscall6(SB) 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_freebsd_amd64.s: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 
2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System call support for AMD64, FreeBSD 11 | // 12 | 13 | // Just jump to package syscall's implementation for all these functions. 14 | // The runtime may know about them. 15 | 16 | TEXT ·Syscall(SB),NOSPLIT,$0-56 17 | JMP syscall·Syscall(SB) 18 | 19 | TEXT ·Syscall6(SB),NOSPLIT,$0-80 20 | JMP syscall·Syscall6(SB) 21 | 22 | TEXT ·Syscall9(SB),NOSPLIT,$0-104 23 | JMP syscall·Syscall9(SB) 24 | 25 | TEXT ·RawSyscall(SB),NOSPLIT,$0-56 26 | JMP syscall·RawSyscall(SB) 27 | 28 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-80 29 | JMP syscall·RawSyscall6(SB) 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_freebsd_arm64.s: -------------------------------------------------------------------------------- 1 | // Copyright 2018 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System call support for ARM64, FreeBSD 11 | // 12 | 13 | // Just jump to package syscall's implementation for all these functions. 14 | // The runtime may know about them. 
15 | 16 | TEXT ·Syscall(SB),NOSPLIT,$0-56 17 | JMP syscall·Syscall(SB) 18 | 19 | TEXT ·Syscall6(SB),NOSPLIT,$0-80 20 | JMP syscall·Syscall6(SB) 21 | 22 | TEXT ·Syscall9(SB),NOSPLIT,$0-104 23 | JMP syscall·Syscall9(SB) 24 | 25 | TEXT ·RawSyscall(SB),NOSPLIT,$0-56 26 | JMP syscall·RawSyscall(SB) 27 | 28 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-80 29 | JMP syscall·RawSyscall6(SB) 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_openbsd_amd64.s: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System call support for AMD64, OpenBSD 11 | // 12 | 13 | // Just jump to package syscall's implementation for all these functions. 14 | // The runtime may know about them. 15 | 16 | TEXT ·Syscall(SB),NOSPLIT,$0-56 17 | JMP syscall·Syscall(SB) 18 | 19 | TEXT ·Syscall6(SB),NOSPLIT,$0-80 20 | JMP syscall·Syscall6(SB) 21 | 22 | TEXT ·Syscall9(SB),NOSPLIT,$0-104 23 | JMP syscall·Syscall9(SB) 24 | 25 | TEXT ·RawSyscall(SB),NOSPLIT,$0-56 26 | JMP syscall·RawSyscall(SB) 27 | 28 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-80 29 | JMP syscall·RawSyscall6(SB) 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_openbsd_arm64.s: -------------------------------------------------------------------------------- 1 | // Copyright 2019 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System call support for arm64, OpenBSD 11 | // 12 | 13 | // Just jump to package syscall's implementation for all these functions. 14 | // The runtime may know about them. 15 | 16 | TEXT ·Syscall(SB),NOSPLIT,$0-56 17 | JMP syscall·Syscall(SB) 18 | 19 | TEXT ·Syscall6(SB),NOSPLIT,$0-80 20 | JMP syscall·Syscall6(SB) 21 | 22 | TEXT ·Syscall9(SB),NOSPLIT,$0-104 23 | JMP syscall·Syscall9(SB) 24 | 25 | TEXT ·RawSyscall(SB),NOSPLIT,$0-56 26 | JMP syscall·RawSyscall(SB) 27 | 28 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-80 29 | JMP syscall·RawSyscall6(SB) 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_darwin_arm.s: -------------------------------------------------------------------------------- 1 | // Copyright 2015 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build !gccgo 6 | // +build arm,darwin 7 | 8 | #include "textflag.h" 9 | 10 | // 11 | // System call support for ARM, Darwin 12 | // 13 | 14 | // Just jump to package syscall's implementation for all these functions. 15 | // The runtime may know about them. 
16 | 17 | TEXT ·Syscall(SB),NOSPLIT,$0-28 18 | B syscall·Syscall(SB) 19 | 20 | TEXT ·Syscall6(SB),NOSPLIT,$0-40 21 | B syscall·Syscall6(SB) 22 | 23 | TEXT ·Syscall9(SB),NOSPLIT,$0-52 24 | B syscall·Syscall9(SB) 25 | 26 | TEXT ·RawSyscall(SB),NOSPLIT,$0-28 27 | B syscall·RawSyscall(SB) 28 | 29 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-40 30 | B syscall·RawSyscall6(SB) 31 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/zptrace_linux_arm64.go: -------------------------------------------------------------------------------- 1 | // Code generated by linux/mkall.go generatePtraceRegSet("arm64"). DO NOT EDIT. 2 | 3 | package unix 4 | 5 | import "unsafe" 6 | 7 | // PtraceGetRegSetArm64 fetches the registers used by arm64 binaries. 8 | func PtraceGetRegSetArm64(pid, addr int, regsout *PtraceRegsArm64) error { 9 | iovec := Iovec{(*byte)(unsafe.Pointer(regsout)), uint64(unsafe.Sizeof(*regsout))} 10 | return ptrace(PTRACE_GETREGSET, pid, uintptr(addr), uintptr(unsafe.Pointer(&iovec))) 11 | } 12 | 13 | // PtraceSetRegSetArm64 sets the registers used by arm64 binaries. 14 | func PtraceSetRegSetArm64(pid, addr int, regs *PtraceRegsArm64) error { 15 | iovec := Iovec{(*byte)(unsafe.Pointer(regs)), uint64(unsafe.Sizeof(*regs))} 16 | return ptrace(PTRACE_SETREGSET, pid, uintptr(addr), uintptr(unsafe.Pointer(&iovec))) 17 | } 18 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_darwin_arm64.s: -------------------------------------------------------------------------------- 1 | // Copyright 2015 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build !gccgo 6 | // +build arm64,darwin 7 | 8 | #include "textflag.h" 9 | 10 | // 11 | // System call support for ARM64, Darwin 12 | // 13 | 14 | // Just jump to package syscall's implementation for all these functions. 15 | // The runtime may know about them. 16 | 17 | TEXT ·Syscall(SB),NOSPLIT,$0-56 18 | B syscall·Syscall(SB) 19 | 20 | TEXT ·Syscall6(SB),NOSPLIT,$0-80 21 | B syscall·Syscall6(SB) 22 | 23 | TEXT ·Syscall9(SB),NOSPLIT,$0-104 24 | B syscall·Syscall9(SB) 25 | 26 | TEXT ·RawSyscall(SB),NOSPLIT,$0-56 27 | B syscall·RawSyscall(SB) 28 | 29 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-80 30 | B syscall·RawSyscall6(SB) 31 | -------------------------------------------------------------------------------- /notes/klustered/episode-21/william-lightning/README.md: -------------------------------------------------------------------------------- 1 | # Klustered - Episode 21 - kassah 2 | 3 | ## Intro 4 | 5 | Welcome to Klustered! Today's goal is to break a Kubernetes cluster. After a bit of research, I settled on using 6 | a ValidatingWebhookConfiguration secured by setting api-server's etcd account as read-only. I threw in an extra 7 | annoyance by posting a fake klustered:v2 image on the nodes, secured by /etc/hosts modification to ensure no 8 | accidental bypass of my fake container. 9 | 10 | ## Using Break 11 | 12 | - Update klustered.env to point to a kubeconfig.conf locally that points to your test cluster. 13 | - Update klustered.env to point to the public IP of your control plane and two worker nodes. 14 | - Ensure your ~/.ssh/id_rsa.pub key is installed for the root user on the nodes so that ssh to them is possible.
15 | - Run apply.sh, which will apply the breaks using the information in klustered.env 16 | -------------------------------------------------------------------------------- /cluster-automation/cloud-init/scripts/teleport-app-server.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | CLUSTER_NAME=$(jq -r ".clusterName" /tmp/customdata.json) 3 | TELEPORT_SECRET=$(jq -r ".teleportSecret" /tmp/customdata.json) 4 | TELEPORT_URL=$(jq -r ".teleportUrl" /tmp/customdata.json) 5 | 6 | cat >> /etc/systemd/system/teleport-apps.service <> 24) & 0xff) 13 | } 14 | 15 | // Minor returns the minor component of a Darwin device number. 16 | func Minor(dev uint64) uint32 { 17 | return uint32(dev & 0xffffff) 18 | } 19 | 20 | // Mkdev returns a Darwin device number generated from the given major and minor 21 | // components. 22 | func Mkdev(major, minor uint32) uint64 { 23 | return (uint64(major) << 24) | uint64(minor) 24 | } 25 | -------------------------------------------------------------------------------- /notes/klustered/episode-30/CrashBeerBackOff/kube-scheduler/README.md: -------------------------------------------------------------------------------- 1 | # Idea 2 | 3 | modify name of scheduler, then hide everything. 
4 | 5 | ```bash 6 | ctr --namespace=k8s.io images pull ghcr.io/jkroepke/klustered/kube-scheduler:latest 7 | ctr --namespace=k8s.io images tag --force ghcr.io/jkroepke/klustered/kube-scheduler:latest k8s.gcr.io/kube-scheduler:v1.24.3 8 | ctr --namespace=k8s.io images rm ghcr.io/jkroepke/klustered/kube-scheduler:latest 9 | sleep 2 10 | crictl -r unix:///run/containerd/containerd.sock rmp -f $(crictl -r unix:///run/containerd/containerd.sock pods | grep kube-scheduler | cut -d' ' -f1) 11 | kubectl delete pods -l component=kube-scheduler -n kube-system --grace-period=0 12 | ``` 13 | 14 | 15 | # Hiding 16 | 17 | ```bash 18 | kubectl delete pods -l 'component in (kube-scheduler, kube-apiserver, kube-controller-manager)' -n kube-system --force --grace-period=0 19 | systemctl restart kubelet 20 | ``` 21 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/dev_aix_ppc.go: -------------------------------------------------------------------------------- 1 | // Copyright 2018 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build aix 6 | // +build ppc 7 | 8 | // Functions to access/create device major and minor numbers matching the 9 | // encoding used by AIX. 10 | 11 | package unix 12 | 13 | // Major returns the major component of an AIX device number. 14 | func Major(dev uint64) uint32 { 15 | return uint32((dev >> 16) & 0xffff) 16 | } 17 | 18 | // Minor returns the minor component of an AIX device number. 19 | func Minor(dev uint64) uint32 { 20 | return uint32(dev & 0xffff) 21 | } 22 | 23 | // Mkdev returns an AIX device number generated from the given major and minor 24 | // components. 
25 | func Mkdev(major, minor uint32) uint64 { 26 | return uint64(((major) << 16) | (minor)) 27 | } 28 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/fdset.go: -------------------------------------------------------------------------------- 1 | // Copyright 2019 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build aix darwin dragonfly freebsd linux netbsd openbsd solaris 6 | 7 | package unix 8 | 9 | // Set adds fd to the set fds. 10 | func (fds *FdSet) Set(fd int) { 11 | fds.Bits[fd/NFDBITS] |= (1 << (uintptr(fd) % NFDBITS)) 12 | } 13 | 14 | // Clear removes fd from the set fds. 15 | func (fds *FdSet) Clear(fd int) { 16 | fds.Bits[fd/NFDBITS] &^= (1 << (uintptr(fd) % NFDBITS)) 17 | } 18 | 19 | // IsSet returns whether fd is in the set fds. 20 | func (fds *FdSet) IsSet(fd int) bool { 21 | return fds.Bits[fd/NFDBITS]&(1<<(uintptr(fd)%NFDBITS)) != 0 22 | } 23 | 24 | // Zero clears the set fds. 25 | func (fds *FdSet) Zero() { 26 | for i := range fds.Bits { 27 | fds.Bits[i] = 0 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_unix_gc_ppc64x.go: -------------------------------------------------------------------------------- 1 | // Copyright 2018 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build linux 6 | // +build ppc64le ppc64 7 | // +build !gccgo 8 | 9 | package unix 10 | 11 | import "syscall" 12 | 13 | func Syscall(trap, a1, a2, a3 uintptr) (r1, r2 uintptr, err syscall.Errno) { 14 | return syscall.Syscall(trap, a1, a2, a3) 15 | } 16 | func Syscall6(trap, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2 uintptr, err syscall.Errno) { 17 | return syscall.Syscall6(trap, a1, a2, a3, a4, a5, a6) 18 | } 19 | func RawSyscall(trap, a1, a2, a3 uintptr) (r1, r2 uintptr, err syscall.Errno) { 20 | return syscall.RawSyscall(trap, a1, a2, a3) 21 | } 22 | func RawSyscall6(trap, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2 uintptr, err syscall.Errno) { 23 | return syscall.RawSyscall6(trap, a1, a2, a3, a4, a5, a6) 24 | } 25 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_darwin.1_12.go: -------------------------------------------------------------------------------- 1 | // Copyright 2019 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build darwin,go1.12,!go1.13 6 | 7 | package unix 8 | 9 | import ( 10 | "unsafe" 11 | ) 12 | 13 | func Getdirentries(fd int, buf []byte, basep *uintptr) (n int, err error) { 14 | // To implement this using libSystem we'd need syscall_syscallPtr for 15 | // fdopendir. However, syscallPtr was only added in Go 1.13, so we fall 16 | // back to raw syscalls for this func on Go 1.12. 
17 | var p unsafe.Pointer 18 | if len(buf) > 0 { 19 | p = unsafe.Pointer(&buf[0]) 20 | } else { 21 | p = unsafe.Pointer(&_zero) 22 | } 23 | r0, _, e1 := Syscall6(SYS_GETDIRENTRIES64, uintptr(fd), uintptr(p), uintptr(len(buf)), uintptr(unsafe.Pointer(basep)), 0, 0) 24 | n = int(r0) 25 | if e1 != 0 { 26 | return n, errnoErr(e1) 27 | } 28 | return n, nil 29 | } 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-colorable/colorable_appengine.go: -------------------------------------------------------------------------------- 1 | // +build appengine 2 | 3 | package colorable 4 | 5 | import ( 6 | "io" 7 | "os" 8 | 9 | _ "github.com/mattn/go-isatty" 10 | ) 11 | 12 | // NewColorable returns new instance of Writer which handles escape sequence. 13 | func NewColorable(file *os.File) io.Writer { 14 | if file == nil { 15 | panic("nil passed instead of *os.File to NewColorable()") 16 | } 17 | 18 | return file 19 | } 20 | 21 | // NewColorableStdout returns new instance of Writer which handles escape sequence for stdout. 22 | func NewColorableStdout() io.Writer { 23 | return os.Stdout 24 | } 25 | 26 | // NewColorableStderr returns new instance of Writer which handles escape sequence for stderr. 27 | func NewColorableStderr() io.Writer { 28 | return os.Stderr 29 | } 30 | 31 | // EnableColorsStdout enable colors if possible. 
32 | func EnableColorsStdout(enabled *bool) func() { 33 | if enabled != nil { 34 | *enabled = true 35 | } 36 | return func() {} 37 | } 38 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-colorable/colorable_others.go: -------------------------------------------------------------------------------- 1 | // +build !windows 2 | // +build !appengine 3 | 4 | package colorable 5 | 6 | import ( 7 | "io" 8 | "os" 9 | 10 | _ "github.com/mattn/go-isatty" 11 | ) 12 | 13 | // NewColorable returns new instance of Writer which handles escape sequence. 14 | func NewColorable(file *os.File) io.Writer { 15 | if file == nil { 16 | panic("nil passed instead of *os.File to NewColorable()") 17 | } 18 | 19 | return file 20 | } 21 | 22 | // NewColorableStdout returns new instance of Writer which handles escape sequence for stdout. 23 | func NewColorableStdout() io.Writer { 24 | return os.Stdout 25 | } 26 | 27 | // NewColorableStderr returns new instance of Writer which handles escape sequence for stderr. 28 | func NewColorableStderr() io.Writer { 29 | return os.Stderr 30 | } 31 | 32 | // EnableColorsStdout enable colors if possible. 33 | func EnableColorsStdout(enabled *bool) func() { 34 | if enabled != nil { 35 | *enabled = true 36 | } 37 | return func() {} 38 | } 39 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_netbsd_386.go: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build 386,netbsd 6 | 7 | package unix 8 | 9 | func setTimespec(sec, nsec int64) Timespec { 10 | return Timespec{Sec: sec, Nsec: int32(nsec)} 11 | } 12 | 13 | func setTimeval(sec, usec int64) Timeval { 14 | return Timeval{Sec: sec, Usec: int32(usec)} 15 | } 16 | 17 | func SetKevent(k *Kevent_t, fd, mode, flags int) { 18 | k.Ident = uint32(fd) 19 | k.Filter = uint32(mode) 20 | k.Flags = uint32(flags) 21 | } 22 | 23 | func (iov *Iovec) SetLen(length int) { 24 | iov.Len = uint32(length) 25 | } 26 | 27 | func (msghdr *Msghdr) SetControllen(length int) { 28 | msghdr.Controllen = uint32(length) 29 | } 30 | 31 | func (msghdr *Msghdr) SetIovlen(length int) { 32 | msghdr.Iovlen = int32(length) 33 | } 34 | 35 | func (cmsg *Cmsghdr) SetLen(length int) { 36 | cmsg.Len = uint32(length) 37 | } 38 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_netbsd_amd64.go: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build amd64,netbsd 6 | 7 | package unix 8 | 9 | func setTimespec(sec, nsec int64) Timespec { 10 | return Timespec{Sec: sec, Nsec: nsec} 11 | } 12 | 13 | func setTimeval(sec, usec int64) Timeval { 14 | return Timeval{Sec: sec, Usec: int32(usec)} 15 | } 16 | 17 | func SetKevent(k *Kevent_t, fd, mode, flags int) { 18 | k.Ident = uint64(fd) 19 | k.Filter = uint32(mode) 20 | k.Flags = uint32(flags) 21 | } 22 | 23 | func (iov *Iovec) SetLen(length int) { 24 | iov.Len = uint64(length) 25 | } 26 | 27 | func (msghdr *Msghdr) SetControllen(length int) { 28 | msghdr.Controllen = uint32(length) 29 | } 30 | 31 | func (msghdr *Msghdr) SetIovlen(length int) { 32 | msghdr.Iovlen = int32(length) 33 | } 34 | 35 | func (cmsg *Cmsghdr) SetLen(length int) { 36 | cmsg.Len = uint32(length) 37 | } 38 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_netbsd_arm.go: -------------------------------------------------------------------------------- 1 | // Copyright 2013 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build arm,netbsd 6 | 7 | package unix 8 | 9 | func setTimespec(sec, nsec int64) Timespec { 10 | return Timespec{Sec: sec, Nsec: int32(nsec)} 11 | } 12 | 13 | func setTimeval(sec, usec int64) Timeval { 14 | return Timeval{Sec: sec, Usec: int32(usec)} 15 | } 16 | 17 | func SetKevent(k *Kevent_t, fd, mode, flags int) { 18 | k.Ident = uint32(fd) 19 | k.Filter = uint32(mode) 20 | k.Flags = uint32(flags) 21 | } 22 | 23 | func (iov *Iovec) SetLen(length int) { 24 | iov.Len = uint32(length) 25 | } 26 | 27 | func (msghdr *Msghdr) SetControllen(length int) { 28 | msghdr.Controllen = uint32(length) 29 | } 30 | 31 | func (msghdr *Msghdr) SetIovlen(length int) { 32 | msghdr.Iovlen = int32(length) 33 | } 34 | 35 | func (cmsg *Cmsghdr) SetLen(length int) { 36 | cmsg.Len = uint32(length) 37 | } 38 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_netbsd_arm64.go: -------------------------------------------------------------------------------- 1 | // Copyright 2019 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build arm64,netbsd 6 | 7 | package unix 8 | 9 | func setTimespec(sec, nsec int64) Timespec { 10 | return Timespec{Sec: sec, Nsec: nsec} 11 | } 12 | 13 | func setTimeval(sec, usec int64) Timeval { 14 | return Timeval{Sec: sec, Usec: int32(usec)} 15 | } 16 | 17 | func SetKevent(k *Kevent_t, fd, mode, flags int) { 18 | k.Ident = uint64(fd) 19 | k.Filter = uint32(mode) 20 | k.Flags = uint32(flags) 21 | } 22 | 23 | func (iov *Iovec) SetLen(length int) { 24 | iov.Len = uint64(length) 25 | } 26 | 27 | func (msghdr *Msghdr) SetControllen(length int) { 28 | msghdr.Controllen = uint32(length) 29 | } 30 | 31 | func (msghdr *Msghdr) SetIovlen(length int) { 32 | msghdr.Iovlen = int32(length) 33 | } 34 | 35 | func (cmsg *Cmsghdr) SetLen(length int) { 36 | cmsg.Len = uint32(length) 37 | } 38 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/dev_aix_ppc64.go: -------------------------------------------------------------------------------- 1 | // Copyright 2018 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build aix 6 | // +build ppc64 7 | 8 | // Functions to access/create device major and minor numbers matching the 9 | // encoding used by AIX. 10 | 11 | package unix 12 | 13 | // Major returns the major component of an AIX device number. 14 | func Major(dev uint64) uint32 { 15 | return uint32((dev & 0x3fffffff00000000) >> 32) 16 | } 17 | 18 | // Minor returns the minor component of an AIX device number. 19 | func Minor(dev uint64) uint32 { 20 | return uint32((dev & 0x00000000ffffffff) >> 0) 21 | } 22 | 23 | // Mkdev returns an AIX device number generated from the given major and minor 24 | // components. 
25 | func Mkdev(major, minor uint32) uint64 { 26 | var DEVNO64 uint64 27 | DEVNO64 = 0x8000000000000000 28 | return ((uint64(major) << 32) | (uint64(minor) & 0x00000000FFFFFFFF) | DEVNO64) 29 | } 30 | -------------------------------------------------------------------------------- /notes/klustered-teams/episode-2/talos-systems/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | ## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | 11 | ### CNI Break 12 | 13 | On each worker node: 14 | 15 | - `cp -p /opt/cni/bin/bridge{,.bak}` 16 | - `cp -p /opt/cni/bin/loopback{,.bak}` 17 | - `cp -p /opt/cni/bin/loopback.bak /opt/cni/bin/bridge` 18 | - `cp -p /opt/cni/bin/bridge.bak /opt/cni/bin/loopback` 19 | 20 | ### Hostname Break 21 | 22 | On one worker node: 23 | 24 | - hostname $OTHER_WORKER_NODE_HOSTNAME 25 | - systemctl restart kubelet 26 | - hostname $THIS_WORKER_NODE_HOSTNAME 27 | 28 | ### Etcd Break 29 | 30 | Add the following to `~/.profile`: 31 | ```bash 32 | export ETCDCTL_CACERT=/etc/kubernetes/pki/etcd/ca.crt 33 | export ETCDCTL_CERT=/etc/kubernetes/pki/etcd/peer.crt 34 | export ETCDCTL_KEY=/etc/kubernetes/pki/etcd/peer.key 35 | export ETCDCTL_ENDPOINTS=127.0.0.1:2379 36 | ``` 37 | 38 | - `etcdctl snapshot save /var/etcd.db` 39 | - `etcdctl member add bogus --peer-urls=https://172.16.21.1:2380` 40 | 41 | -------------------------------------------------------------------------------- /notes/klustered/episode-5/lewis-denham-parry/ignition.yaml: -------------------------------------------------------------------------------- 1 | systemd: 2 | units: 3 | - name: nginx.service 4 | enabled: true 5 | contents: | 6 | [Unit] 7 | Description=A hello world unit! 
8 | 9 | [Service] 10 | Type=oneshot 11 | ExecStart=/usr/bin/docker container run -p 80:80 -v /opt/webroot:/usr/share/nginx/html nginx 12 | 13 | [Install] 14 | WantedBy=multi-user.target 15 | 16 | storage: 17 | files: 18 | - path: /opt/webroot/index.html 19 | filesystem: root 20 | contents: 21 | inline: | 22 | Hello, this is my million dollar application. 23 | 24 | mode: 0644 25 | user: 26 | id: 500 27 | group: 28 | id: 500 29 | 30 | - path: /opt/webroot/joke.html 31 | filesystem: root 32 | contents: 33 | remote: 34 | url: https://icanhazdadjoke.com/ 35 | mode: 0644 36 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/dev_netbsd.go: -------------------------------------------------------------------------------- 1 | // Copyright 2017 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // Functions to access/create device major and minor numbers matching the 6 | // encoding used in NetBSD's sys/types.h header. 7 | 8 | package unix 9 | 10 | // Major returns the major component of a NetBSD device number. 11 | func Major(dev uint64) uint32 { 12 | return uint32((dev & 0x000fff00) >> 8) 13 | } 14 | 15 | // Minor returns the minor component of a NetBSD device number. 16 | func Minor(dev uint64) uint32 { 17 | minor := uint32((dev & 0x000000ff) >> 0) 18 | minor |= uint32((dev & 0xfff00000) >> 12) 19 | return minor 20 | } 21 | 22 | // Mkdev returns a NetBSD device number generated from the given major and minor 23 | // components. 
24 | func Mkdev(major, minor uint32) uint64 { 25 | dev := (uint64(major) << 8) & 0x000fff00 26 | dev |= (uint64(minor) << 12) & 0xfff00000 27 | dev |= (uint64(minor) << 0) & 0x000000ff 28 | return dev 29 | } 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/dev_openbsd.go: -------------------------------------------------------------------------------- 1 | // Copyright 2017 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // Functions to access/create device major and minor numbers matching the 6 | // encoding used in OpenBSD's sys/types.h header. 7 | 8 | package unix 9 | 10 | // Major returns the major component of an OpenBSD device number. 11 | func Major(dev uint64) uint32 { 12 | return uint32((dev & 0x0000ff00) >> 8) 13 | } 14 | 15 | // Minor returns the minor component of an OpenBSD device number. 16 | func Minor(dev uint64) uint32 { 17 | minor := uint32((dev & 0x000000ff) >> 0) 18 | minor |= uint32((dev & 0xffff0000) >> 8) 19 | return minor 20 | } 21 | 22 | // Mkdev returns an OpenBSD device number generated from the given major and minor 23 | // components. 
24 | func Mkdev(major, minor uint32) uint64 { 25 | dev := (uint64(major) << 8) & 0x0000ff00 26 | dev |= (uint64(minor) << 8) & 0xffff0000 27 | dev |= (uint64(minor) << 0) & 0x000000ff 28 | return dev 29 | } 30 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/go.sum: -------------------------------------------------------------------------------- 1 | github.com/fatih/color v1.12.0 h1:mRhaKNwANqRgUBGKmnI5ZxEk7QXmjQeCcuYFMX2bfcc= 2 | github.com/fatih/color v1.12.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM= 3 | github.com/guineveresaenger/golang-rainbow v0.0.0-20171201190047-7b6c54e09b61 h1:8wAz2sOxcUbqE1haQa0Bg/JoIxq6ihClZSWX2Sni/qc= 4 | github.com/guineveresaenger/golang-rainbow v0.0.0-20171201190047-7b6c54e09b61/go.mod h1:2Myrnv41e4+Cf+NKQs6i9vlZw3EwJd9o8wq1m+A0TaY= 5 | github.com/mattn/go-colorable v0.1.8 h1:c1ghPdyEDarC70ftn0y+A/Ee++9zz8ljHG1b13eJ0s8= 6 | github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= 7 | github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY= 8 | github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= 9 | golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 10 | golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae h1:/WDfKMnPU+m5M4xB+6x4kaepxRw6jWvR5iDRdvjHgy8= 11 | golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 12 | -------------------------------------------------------------------------------- /cluster-automation/cloud-init/scripts/cni-cilium.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -e 3 | PUBLIC_IPv4=$(curl -s https://metadata.platformequinix.com/metadata | jq -r '.network.addresses | map(select(.public==true and .management==true)) | first | .address') 4 | 5 | helm repo 
add cilium https://helm.cilium.io/ 6 | 7 | helm template cilium/cilium \ 8 | --version 1.10.2 \ 9 | --namespace kube-system \ 10 | --set image.repository=quay.io/cilium/cilium \ 11 | --set global.ipam.mode=cluster-pool \ 12 | --set global.ipam.operator.clusterPoolIPv4PodCIDR=192.168.0.0/16 \ 13 | --set global.ipam.operator.clusterPoolIPv4MaskSize=23 \ 14 | --set global.nativeRoutingCIDR=192.168.0.0/16 \ 15 | --set global.endpointRoutes.enabled=true \ 16 | --set global.hubble.relay.enabled=true \ 17 | --set global.hubble.enabled=true \ 18 | --set global.hubble.listenAddress=":4244" \ 19 | --set global.hubble.ui.enabled=true \ 20 | --set kubeProxyReplacement=probe \ 21 | --set k8sServiceHost=${PUBLIC_IPv4} \ 22 | --set k8sServicePort=6443 \ 23 | > /tmp/cilium.yaml 24 | 25 | kubectl --kubeconfig=/etc/kubernetes/admin.conf apply --wait -f /tmp/cilium.yaml 26 | -------------------------------------------------------------------------------- /cluster-automation/cloud-init/scripts/kube-vip.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | set -e 3 | PUBLIC_IPv4=$(curl -s https://metadata.platformequinix.com/metadata | jq -r '.network.addresses | map(select(.public==true and .management==true)) | first | .address') # NOTE(review): set -e does not catch a failed curl here (the pipeline's status is jq's); verify PUBLIC_IPv4 is non-empty before it is passed as --address 4 | 5 | mkdir -p /etc/kubernetes/manifests 6 | 7 | # DaemonSet uses 2112 as HostPort, so the control-plane pod needs a different port (the sed at the end of this script sets :2113) 8 | ctr image pull ghcr.io/kube-vip/kube-vip:v0.4.0 9 | ctr run \ 10 | --rm \ 11 | --net-host \ 12 | ghcr.io/kube-vip/kube-vip:v0.4.0 \ 13 | vip /kube-vip manifest pod \ 14 | --interface lo \ 15 | --address ${PUBLIC_IPv4} \ 16 | --controlplane \ 17 | --bgp \ 18 | --peerAS $(jq -r '.bgp_neighbors[0].peer_as' /tmp/metadata.json) \ 19 | --peerAddress $(jq -r '.bgp_neighbors[0].peer_ips[0]' /tmp/metadata.json) \ 20 | --localAS $(jq '.bgp_neighbors[0].customer_as' /tmp/metadata.json) \ 21 | --bgpRouterID $(jq -r '.bgp_neighbors[0].customer_ip' /tmp/metadata.json) | tee 
/etc/kubernetes/manifests/kube-vip.yaml 22 | 23 | sed -ri 's#- manager#- manager\n - --promethuesHTTPServer=:2113#g' /etc/kubernetes/manifests/kube-vip.yaml 24 | -------------------------------------------------------------------------------- /notes/klustered/episode-7/philip-welz/kyverno/policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: disallow-privilege-escalation 5 | annotations: 6 | policies.kyverno.io/category: Pod Security Standards (Restricted) 7 | policies.kyverno.io/description: >- 8 | Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. 9 | spec: 10 | background: true 11 | validationFailureAction: audit # NOTE(review): audit only records violations in policy reports; Pods that set allowPrivilegeEscalation: true are still admitted unless this is changed to enforce 12 | rules: 13 | - name: privilege-escalation 14 | match: 15 | resources: 16 | kinds: 17 | - Pod 18 | validate: 19 | message: >- 20 | Privilege escalation is disallowed. The fields 21 | spec.containers[*].securityContext.allowPrivilegeEscalation, and 22 | spec.initContainers[*].securityContext.allowPrivilegeEscalation must 23 | be undefined or set to `false`. 
24 | pattern: 25 | spec: 26 | =(initContainers): 27 | - =(securityContext): 28 | =(allowPrivilegeEscalation): "false" 29 | containers: 30 | - =(securityContext): 31 | =(allowPrivilegeEscalation): "false" 32 | -------------------------------------------------------------------------------- /cluster-automation/src/teleport/cloud-config.ts: --------------------------------------------------------------------------------
import * as cloudinit from "@pulumi/cloudinit";
import * as fs from "fs";

// Shell scripts that make up the Teleport host's cloud-init payload, in the
// order they appear in the multipart config. The paths are relative, so Node
// resolves them against the working directory of the process.
const scriptPaths = [
  "../cloud-init/scripts/install-jq.sh",
  "../cloud-init/scripts/download-metadata.sh",
  "../cloud-init/scripts/teleport-install.sh",
  "../cloud-init/scripts/teleport-server.sh",
  "../cloud-init/scripts/teleport-restart.sh",
];

/**
 * Multipart cloud-init config for the Teleport host: one `text/x-shellscript`
 * part per script, with the script text embedded as-is (no gzip, no base64).
 *
 * NOTE(review): because the scripts are embedded verbatim, anything hard-coded
 * in them is readable wherever the rendered config is stored. Keep credentials
 * out of the script files.
 */
export const cloudConfig = cloudinit.getConfig({
  gzip: false,
  base64Encode: false,
  parts: scriptPaths.map((scriptPath) => ({
    contentType: "text/x-shellscript",
    content: fs.readFileSync(scriptPath, "utf8"),
  })),
});
-------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-isatty/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) Yasuhiro MATSUMOTO 2 | 3 | MIT License (Expat) 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, 
sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 6 | 7 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 10 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_linux_ppc64x.s: -------------------------------------------------------------------------------- 1 | // Copyright 2014 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build linux 6 | // +build ppc64 ppc64le 7 | // +build !gccgo 8 | 9 | #include "textflag.h" 10 | 11 | // 12 | // System calls for ppc64, Linux 13 | // 14 | 15 | // Just jump to package syscall's implementation for all these functions. 16 | // The runtime may know about them. 
17 | 18 | TEXT ·SyscallNoError(SB),NOSPLIT,$0-48 19 | BL runtime·entersyscall(SB) 20 | MOVD a1+8(FP), R3 21 | MOVD a2+16(FP), R4 22 | MOVD a3+24(FP), R5 23 | MOVD R0, R6 24 | MOVD R0, R7 25 | MOVD R0, R8 26 | MOVD trap+0(FP), R9 // syscall entry 27 | SYSCALL R9 28 | MOVD R3, r1+32(FP) 29 | MOVD R4, r2+40(FP) 30 | BL runtime·exitsyscall(SB) 31 | RET 32 | 33 | TEXT ·RawSyscallNoError(SB),NOSPLIT,$0-48 34 | MOVD a1+8(FP), R3 35 | MOVD a2+16(FP), R4 36 | MOVD a3+24(FP), R5 37 | MOVD R0, R6 38 | MOVD R0, R7 39 | MOVD R0, R8 40 | MOVD trap+0(FP), R9 // syscall entry 41 | SYSCALL R9 42 | MOVD R3, r1+32(FP) 43 | MOVD R4, r2+40(FP) 44 | RET 45 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_linux_gccgo_386.go: -------------------------------------------------------------------------------- 1 | // Copyright 2018 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build linux,gccgo,386 6 | 7 | package unix 8 | 9 | import ( 10 | "syscall" 11 | "unsafe" 12 | ) 13 | 14 | func seek(fd int, offset int64, whence int) (int64, syscall.Errno) { 15 | var newoffset int64 16 | offsetLow := uint32(offset & 0xffffffff) 17 | offsetHigh := uint32((offset >> 32) & 0xffffffff) 18 | _, _, err := Syscall6(SYS__LLSEEK, uintptr(fd), uintptr(offsetHigh), uintptr(offsetLow), uintptr(unsafe.Pointer(&newoffset)), uintptr(whence), 0) 19 | return newoffset, err 20 | } 21 | 22 | func socketcall(call int, a0, a1, a2, a3, a4, a5 uintptr) (int, syscall.Errno) { 23 | fd, _, err := Syscall(SYS_SOCKETCALL, uintptr(call), uintptr(unsafe.Pointer(&a0)), 0) 24 | return int(fd), err 25 | } 26 | 27 | func rawsocketcall(call int, a0, a1, a2, a3, a4, a5 uintptr) (int, syscall.Errno) { 28 | fd, _, err := RawSyscall(SYS_SOCKETCALL, uintptr(call), uintptr(unsafe.Pointer(&a0)), 0) 29 | return int(fd), err 30 | } 31 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/sockcmsg_unix_other.go: -------------------------------------------------------------------------------- 1 | // Copyright 2019 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build aix darwin freebsd linux netbsd openbsd solaris 6 | 7 | package unix 8 | 9 | import ( 10 | "runtime" 11 | ) 12 | 13 | // Round the length of a raw sockaddr up to align it properly. 14 | func cmsgAlignOf(salen int) int { 15 | salign := SizeofPtr 16 | 17 | // dragonfly needs to check ABI version at runtime, see cmsgAlignOf in 18 | // sockcmsg_dragonfly.go 19 | switch runtime.GOOS { 20 | case "aix": 21 | // There is no alignment on AIX. 
22 | salign = 1 23 | case "darwin", "illumos", "solaris": 24 | // NOTE: It seems like 64-bit Darwin, Illumos and Solaris 25 | // kernels still require 32-bit aligned access to network 26 | // subsystem. 27 | if SizeofPtr == 8 { 28 | salign = 4 29 | } 30 | case "netbsd", "openbsd": 31 | // NetBSD and OpenBSD armv7 require 64-bit alignment. 32 | if runtime.GOARCH == "arm" { 33 | salign = 8 34 | } 35 | } 36 | 37 | return (salen + salign - 1) & ^(salign - 1) 38 | } 39 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/dev_freebsd.go: -------------------------------------------------------------------------------- 1 | // Copyright 2017 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // Functions to access/create device major and minor numbers matching the 6 | // encoding used in FreeBSD's sys/types.h header. 7 | // 8 | // The information below is extracted and adapted from sys/types.h: 9 | // 10 | // Minor gives a cookie instead of an index since in order to avoid changing the 11 | // meanings of bits 0-15 or wasting time and space shifting bits 16-31 for 12 | // devices that don't use them. 13 | 14 | package unix 15 | 16 | // Major returns the major component of a FreeBSD device number. 17 | func Major(dev uint64) uint32 { 18 | return uint32((dev >> 8) & 0xff) 19 | } 20 | 21 | // Minor returns the minor component of a FreeBSD device number. 22 | func Minor(dev uint64) uint32 { 23 | return uint32(dev & 0xffff00ff) 24 | } 25 | 26 | // Mkdev returns a FreeBSD device number generated from the given major and 27 | // minor components. 
28 | func Mkdev(major, minor uint32) uint64 { 29 | return (uint64(major) << 8) | uint64(minor) 30 | } 31 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/fatih/color/LICENSE.md: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2013 Fatih Arslan 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of 6 | this software and associated documentation files (the "Software"), to deal in 7 | the Software without restriction, including without limitation the rights to 8 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 9 | the Software, and to permit persons to whom the Software is furnished to do so, 10 | subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 17 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 18 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 19 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 21 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/dev_dragonfly.go: -------------------------------------------------------------------------------- 1 | // Copyright 2017 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // Functions to access/create device major and minor numbers matching the 6 | // encoding used in Dragonfly's sys/types.h header. 7 | // 8 | // The information below is extracted and adapted from sys/types.h: 9 | // 10 | // Minor gives a cookie instead of an index since in order to avoid changing the 11 | // meanings of bits 0-15 or wasting time and space shifting bits 16-31 for 12 | // devices that don't use them. 13 | 14 | package unix 15 | 16 | // Major returns the major component of a DragonFlyBSD device number. 17 | func Major(dev uint64) uint32 { 18 | return uint32((dev >> 8) & 0xff) 19 | } 20 | 21 | // Minor returns the minor component of a DragonFlyBSD device number. 22 | func Minor(dev uint64) uint32 { 23 | return uint32(dev & 0xffff00ff) 24 | } 25 | 26 | // Mkdev returns a DragonFlyBSD device number generated from the given major and 27 | // minor components. 28 | func Mkdev(major, minor uint32) uint64 { 29 | return (uint64(major) << 8) | uint64(minor) 30 | } 31 | -------------------------------------------------------------------------------- /notes/klustered/episode-14/sid-palas/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 032 2 | 3 | ## Discovered Symptoms 4 | 5 | - Klustered deployment had 0 replicas 6 | - After scaling to 1, lots of UUID named namespaces started appearing 7 | - Noticed some nonstandard processes running on the worker node 8 | - Found rogue container running directly on worker node (outside of k8s) 9 | 10 | ## Fix 11 | 1) Cordon the worker node to stop the spread of the malicious workload 12 | 2) Find and stop the container running on the worker node directly to prevent the workload from being launched again 13 | 3) Delete all the randomly added namespaces 14 | 4) Uncordon the worker node 15 | 16 | ## Contributing Factors 17 | 18 | 19 | ## Notes from Kluster Breaker 20 | 21 | I didn't modify anything about the k8s system components. 
22 | 23 | I did two things: 24 | 1) Launch a privileged container directly on the worker node using containerd. This container polls to check for the klustered test workload pod. If detected it starts launching `not-a-virus` jobs in random namespaces. 25 | 2) The `not-a-virus` job launches a container which launches 3 copies of itself into new workspaces before completing. 26 | 27 | The source for the malicious workload is in `/032-palas/src/` -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-colorable/LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2016 Yasuhiro Matsumoto 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /notes/klustered/episode-22/borko/README.md: -------------------------------------------------------------------------------- 1 | # Break 1 - IPTables 2 | 3 | I blocked incoming traffic to the API server using IPTables rules. 4 | 5 | Additionally, I created a lock on IPTables by using `flock` command. 6 | 7 | Both were achieved using a simple script located in `/tmp/klusteriptables.sh`: 8 | 9 | ``` 10 | #!/bin/bash 11 | 12 | lock="/run/xtables.lock" 13 | exec 200>$lock 14 | flock -x 200 15 | sleep 86400 16 | exec 200>&- 17 | 18 | /sbin/iptables -F 19 | /sbin/iptables -I INPUT -p tcp -i lo --dport 6443 -j DROP 20 | iptables -I INPUT -p tcp -i lo --dport 8443 -j DROP 21 | iptables -I INPUT -p tcp -i lo --dport 2379 -j DROP 22 | ``` 23 | 24 | The script was executed as a cronjob by editing `crontab` with: 25 | 26 | ``` 27 | */1 * * * * /tmp/klusteriptables.sh 28 | ``` 29 | 30 | # Break 2 - Klustered Deployment 31 | 32 | I edited the Klustered Deployment and added a startup probe. The startup probe edited `/etc/resolv.conf` file on the Klustered pods so that they would incorrectly resolve the database domain and fail to connect to the backend database. 33 | 34 | ``` 35 | startupProbe: 36 | exec: 37 | command: 38 | - /bin/sh 39 | - -c 40 | - echo "domain klustered.com" >> /etc/resolv.conf 41 | ``` 42 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_openbsd_amd64.go: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build amd64,openbsd 6 | 7 | package unix 8 | 9 | func setTimespec(sec, nsec int64) Timespec { 10 | return Timespec{Sec: sec, Nsec: nsec} 11 | } 12 | 13 | func setTimeval(sec, usec int64) Timeval { 14 | return Timeval{Sec: sec, Usec: usec} 15 | } 16 | 17 | func SetKevent(k *Kevent_t, fd, mode, flags int) { 18 | k.Ident = uint64(fd) 19 | k.Filter = int16(mode) 20 | k.Flags = uint16(flags) 21 | } 22 | 23 | func (iov *Iovec) SetLen(length int) { 24 | iov.Len = uint64(length) 25 | } 26 | 27 | func (msghdr *Msghdr) SetControllen(length int) { 28 | msghdr.Controllen = uint32(length) 29 | } 30 | 31 | func (msghdr *Msghdr) SetIovlen(length int) { 32 | msghdr.Iovlen = uint32(length) 33 | } 34 | 35 | func (cmsg *Cmsghdr) SetLen(length int) { 36 | cmsg.Len = uint32(length) 37 | } 38 | 39 | // SYS___SYSCTL is used by syscall_bsd.go for all BSDs, but in modern versions 40 | // of openbsd/amd64 the syscall is called sysctl instead of __sysctl. 41 | const SYS___SYSCTL = SYS_SYSCTL 42 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_openbsd_arm64.go: -------------------------------------------------------------------------------- 1 | // Copyright 2019 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build arm64,openbsd 6 | 7 | package unix 8 | 9 | func setTimespec(sec, nsec int64) Timespec { 10 | return Timespec{Sec: sec, Nsec: nsec} 11 | } 12 | 13 | func setTimeval(sec, usec int64) Timeval { 14 | return Timeval{Sec: sec, Usec: usec} 15 | } 16 | 17 | func SetKevent(k *Kevent_t, fd, mode, flags int) { 18 | k.Ident = uint64(fd) 19 | k.Filter = int16(mode) 20 | k.Flags = uint16(flags) 21 | } 22 | 23 | func (iov *Iovec) SetLen(length int) { 24 | iov.Len = uint64(length) 25 | } 26 | 27 | func (msghdr *Msghdr) SetControllen(length int) { 28 | msghdr.Controllen = uint32(length) 29 | } 30 | 31 | func (msghdr *Msghdr) SetIovlen(length int) { 32 | msghdr.Iovlen = uint32(length) 33 | } 34 | 35 | func (cmsg *Cmsghdr) SetLen(length int) { 36 | cmsg.Len = uint32(length) 37 | } 38 | 39 | // SYS___SYSCTL is used by syscall_bsd.go for all BSDs, but in modern versions 40 | // of openbsd/amd64 the syscall is called sysctl instead of __sysctl. 41 | const SYS___SYSCTL = SYS_SYSCTL 42 | -------------------------------------------------------------------------------- /cluster-automation/src/index.ts: --------------------------------------------------------------------------------
import * as pulumi from "@pulumi/pulumi";
import * as metal from "@pulumi/equinix-metal";

import { Cluster } from "./kubernetes";
import { installTeleport } from "./teleport";

const config = new pulumi.Config();

/** One entry of the `teams` stack config: a team name and its guest list. */
interface Team {
  name: string;
  guests: string[];
}

/** Shape expected for the `teams` stack-config object. */
export interface Teams {
  teams: Team[];
}

// requireObject parses the config value but does not check its shape; the
// Teams annotation is a compile-time claim only.
const teams: Teams = config.requireObject("teams");

const teleport = installTeleport("join.klustered.live", teams);

// One cluster per team: a non-HA control plane plus a one-replica worker pool,
// both on the same plan and both handed the shared Teleport installation.
for (const team of teams.teams) {
  const teamCluster = new Cluster(team.name, {
    kubernetesVersion: config.require("kubernetesVersion"),
    metro: config.require("metalMetro"),
    project: config.require("metalProject"),
    guests: team.guests,
  });

  const controlPlane = teamCluster.createControlPlane({
    highAvailability: false,
    plan: metal.Plan.C3MediumX86,
    teleport,
  });

  teamCluster.createWorkerPool("worker", {
    controlPlaneIp: controlPlane.getPublicIP(),
    kubernetesVersion: config.require("kubernetesVersion"),
    plan: metal.Plan.C3MediumX86,
    replicas: 1,
    teleport,
  });
}
-------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_openbsd_386.go: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build 386,openbsd 6 | 7 | package unix 8 | 9 | func setTimespec(sec, nsec int64) Timespec { 10 | return Timespec{Sec: sec, Nsec: int32(nsec)} 11 | } 12 | 13 | func setTimeval(sec, usec int64) Timeval { 14 | return Timeval{Sec: sec, Usec: int32(usec)} 15 | } 16 | 17 | func SetKevent(k *Kevent_t, fd, mode, flags int) { 18 | k.Ident = uint32(fd) 19 | k.Filter = int16(mode) 20 | k.Flags = uint16(flags) 21 | } 22 | 23 | func (iov *Iovec) SetLen(length int) { 24 | iov.Len = uint32(length) 25 | } 26 | 27 | func (msghdr *Msghdr) SetControllen(length int) { 28 | msghdr.Controllen = uint32(length) 29 | } 30 | 31 | func (msghdr *Msghdr) SetIovlen(length int) { 32 | msghdr.Iovlen = uint32(length) 33 | } 34 | 35 | func (cmsg *Cmsghdr) SetLen(length int) { 36 | cmsg.Len = uint32(length) 37 | } 38 | 39 | // SYS___SYSCTL is used by syscall_bsd.go for all BSDs, but in modern versions 40 | // of openbsd/386 the syscall is called sysctl instead of __sysctl. 
41 | const SYS___SYSCTL = SYS_SYSCTL 42 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_openbsd_arm.go: -------------------------------------------------------------------------------- 1 | // Copyright 2017 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build arm,openbsd 6 | 7 | package unix 8 | 9 | func setTimespec(sec, nsec int64) Timespec { 10 | return Timespec{Sec: sec, Nsec: int32(nsec)} 11 | } 12 | 13 | func setTimeval(sec, usec int64) Timeval { 14 | return Timeval{Sec: sec, Usec: int32(usec)} 15 | } 16 | 17 | func SetKevent(k *Kevent_t, fd, mode, flags int) { 18 | k.Ident = uint32(fd) 19 | k.Filter = int16(mode) 20 | k.Flags = uint16(flags) 21 | } 22 | 23 | func (iov *Iovec) SetLen(length int) { 24 | iov.Len = uint32(length) 25 | } 26 | 27 | func (msghdr *Msghdr) SetControllen(length int) { 28 | msghdr.Controllen = uint32(length) 29 | } 30 | 31 | func (msghdr *Msghdr) SetIovlen(length int) { 32 | msghdr.Iovlen = uint32(length) 33 | } 34 | 35 | func (cmsg *Cmsghdr) SetLen(length int) { 36 | cmsg.Len = uint32(length) 37 | } 38 | 39 | // SYS___SYSCTL is used by syscall_bsd.go for all BSDs, but in modern versions 40 | // of openbsd/arm the syscall is called sysctl instead of __sysctl. 41 | const SYS___SYSCTL = SYS_SYSCTL 42 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/guineveresaenger/golang-rainbow/README.md: -------------------------------------------------------------------------------- 1 | # golang-rainbow 2 | 3 | This is a simple golang package that can be used to turn your terminal output into a rainbow. It was inspired by the Ruby gem [Lolize](https://github.com/miaout17/lolize). 4 | 5 | This package is meant for fun only. 6 | 7 | ## Get it! 
8 | ### OSX 9 | 10 | Assuming you are set up for golang, simply run from the terminal: 11 | 12 | `go get github.com/guineveresaenger/golang-rainbow` 13 | 14 | ## Use it! 15 | The package contains a single function, `Rainbow`. It takes a string input and an integer count. It returns nothing, printing a rainbowized version of your string, followed by a newline, to the terminal. 16 | 17 | ### String input 18 | Whatever string you want rainbowized! 19 | 20 | ### Counter input 21 | If you print multiple lines, a running line count passed to `Rainbow` will offset the colors in your string, making a diagonal rainbow. For a vertical rainbow, or a single line, set this value to zero. 22 | 23 | 24 | ### Example 25 | In your program, call the Rainbow function: 26 | 27 | `rainbow.Rainbow("Hi, I am a rainbow.", 0)` 28 | 29 | You will see that line in the terminal output as: 30 | 31 | ![screenshot](./example-line.png) -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-colorable/noncolorable.go: -------------------------------------------------------------------------------- 1 | package colorable 2 | 3 | import ( 4 | "bytes" 5 | "io" 6 | ) 7 | 8 | // NonColorable holds writer but removes escape sequence. 9 | type NonColorable struct { 10 | out io.Writer 11 | } 12 | 13 | // NewNonColorable returns new instance of Writer which removes escape sequence from Writer. 
14 | func NewNonColorable(w io.Writer) io.Writer { 15 | return &NonColorable{out: w} 16 | } 17 | 18 | // Write writes data on console 19 | func (w *NonColorable) Write(data []byte) (n int, err error) { 20 | er := bytes.NewReader(data) 21 | var bw [1]byte 22 | loop: 23 | for { 24 | c1, err := er.ReadByte() 25 | if err != nil { 26 | break loop 27 | } 28 | if c1 != 0x1b { 29 | bw[0] = c1 30 | w.out.Write(bw[:]) 31 | continue 32 | } 33 | c2, err := er.ReadByte() 34 | if err != nil { 35 | break loop 36 | } 37 | if c2 != 0x5b { 38 | continue 39 | } 40 | 41 | var buf bytes.Buffer 42 | for { 43 | c, err := er.ReadByte() 44 | if err != nil { 45 | break loop 46 | } 47 | if ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z') || c == '@' { 48 | break 49 | } 50 | buf.Write([]byte(string(c))) 51 | } 52 | } 53 | 54 | return len(data), nil 55 | } 56 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/fcntl.go: -------------------------------------------------------------------------------- 1 | // Copyright 2014 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build dragonfly freebsd linux netbsd openbsd 6 | 7 | package unix 8 | 9 | import "unsafe" 10 | 11 | // fcntl64Syscall is usually SYS_FCNTL, but is overridden on 32-bit Linux 12 | // systems by fcntl_linux_32bit.go to be SYS_FCNTL64. 13 | var fcntl64Syscall uintptr = SYS_FCNTL 14 | 15 | func fcntl(fd int, cmd, arg int) (int, error) { 16 | valptr, _, errno := Syscall(fcntl64Syscall, uintptr(fd), uintptr(cmd), uintptr(arg)) 17 | var err error 18 | if errno != 0 { 19 | err = errno 20 | } 21 | return int(valptr), err 22 | } 23 | 24 | // FcntlInt performs a fcntl syscall on fd with the provided command and argument. 
25 | func FcntlInt(fd uintptr, cmd, arg int) (int, error) { 26 | return fcntl(int(fd), cmd, arg) 27 | } 28 | 29 | // FcntlFlock performs a fcntl syscall for the F_GETLK, F_SETLK or F_SETLKW command. 30 | func FcntlFlock(fd uintptr, cmd int, lk *Flock_t) error { 31 | _, _, errno := Syscall(fcntl64Syscall, fd, uintptr(cmd), uintptr(unsafe.Pointer(lk))) 32 | if errno == 0 { 33 | return nil 34 | } 35 | return errno 36 | } 37 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/sockcmsg_linux.go: -------------------------------------------------------------------------------- 1 | // Copyright 2011 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // Socket control messages 6 | 7 | package unix 8 | 9 | import "unsafe" 10 | 11 | // UnixCredentials encodes credentials into a socket control message 12 | // for sending to another process. This can be used for 13 | // authentication. 14 | func UnixCredentials(ucred *Ucred) []byte { 15 | b := make([]byte, CmsgSpace(SizeofUcred)) 16 | h := (*Cmsghdr)(unsafe.Pointer(&b[0])) 17 | h.Level = SOL_SOCKET 18 | h.Type = SCM_CREDENTIALS 19 | h.SetLen(CmsgLen(SizeofUcred)) 20 | *(*Ucred)(h.data(0)) = *ucred 21 | return b 22 | } 23 | 24 | // ParseUnixCredentials decodes a socket control message that contains 25 | // credentials in a Ucred structure. To receive such a message, the 26 | // SO_PASSCRED option must be enabled on the socket. 
27 | func ParseUnixCredentials(m *SocketControlMessage) (*Ucred, error) { 28 | if m.Header.Level != SOL_SOCKET { 29 | return nil, EINVAL 30 | } 31 | if m.Header.Type != SCM_CREDENTIALS { 32 | return nil, EINVAL 33 | } 34 | ucred := *(*Ucred)(unsafe.Pointer(&m.Data[0])) 35 | return &ucred, nil 36 | } 37 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/gccgo_c.c: -------------------------------------------------------------------------------- 1 | // Copyright 2015 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build gccgo 6 | // +build !aix 7 | 8 | #include 9 | #include 10 | #include 11 | 12 | #define _STRINGIFY2_(x) #x 13 | #define _STRINGIFY_(x) _STRINGIFY2_(x) 14 | #define GOSYM_PREFIX _STRINGIFY_(__USER_LABEL_PREFIX__) 15 | 16 | // Call syscall from C code because the gccgo support for calling from 17 | // Go to C does not support varargs functions. 
18 | 19 | struct ret { 20 | uintptr_t r; 21 | uintptr_t err; 22 | }; 23 | 24 | struct ret 25 | gccgoRealSyscall(uintptr_t trap, uintptr_t a1, uintptr_t a2, uintptr_t a3, uintptr_t a4, uintptr_t a5, uintptr_t a6, uintptr_t a7, uintptr_t a8, uintptr_t a9) 26 | { 27 | struct ret r; 28 | 29 | errno = 0; 30 | r.r = syscall(trap, a1, a2, a3, a4, a5, a6, a7, a8, a9); 31 | r.err = errno; 32 | return r; 33 | } 34 | 35 | uintptr_t 36 | gccgoRealSyscallNoError(uintptr_t trap, uintptr_t a1, uintptr_t a2, uintptr_t a3, uintptr_t a4, uintptr_t a5, uintptr_t a6, uintptr_t a7, uintptr_t a8, uintptr_t a9) 37 | { 38 | return syscall(trap, a1, a2, a3, a4, a5, a6, a7, a8, a9); 39 | } 40 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_linux_riscv64.s: -------------------------------------------------------------------------------- 1 | // Copyright 2019 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build riscv64,!gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System calls for linux/riscv64. 11 | // 12 | // Where available, just jump to package syscall's implementation of 13 | // these functions. 
14 | 15 | TEXT ·Syscall(SB),NOSPLIT,$0-56 16 | JMP syscall·Syscall(SB) 17 | 18 | TEXT ·Syscall6(SB),NOSPLIT,$0-80 19 | JMP syscall·Syscall6(SB) 20 | 21 | TEXT ·SyscallNoError(SB),NOSPLIT,$0-48 22 | CALL runtime·entersyscall(SB) 23 | MOV a1+8(FP), A0 24 | MOV a2+16(FP), A1 25 | MOV a3+24(FP), A2 26 | MOV trap+0(FP), A7 // syscall entry 27 | ECALL 28 | MOV A0, r1+32(FP) // r1 29 | MOV A1, r2+40(FP) // r2 30 | CALL runtime·exitsyscall(SB) 31 | RET 32 | 33 | TEXT ·RawSyscall(SB),NOSPLIT,$0-56 34 | JMP syscall·RawSyscall(SB) 35 | 36 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-80 37 | JMP syscall·RawSyscall6(SB) 38 | 39 | TEXT ·RawSyscallNoError(SB),NOSPLIT,$0-48 40 | MOV a1+8(FP), A0 41 | MOV a2+16(FP), A1 42 | MOV a3+24(FP), A2 43 | MOV trap+0(FP), A7 // syscall entry 44 | ECALL 45 | MOV A0, r1+32(FP) 46 | MOV A1, r2+40(FP) 47 | RET 48 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/unveil_openbsd.go: -------------------------------------------------------------------------------- 1 | // Copyright 2018 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | package unix 6 | 7 | import ( 8 | "syscall" 9 | "unsafe" 10 | ) 11 | 12 | // Unveil implements the unveil syscall. 13 | // For more information see unveil(2). 14 | // Note that the special case of blocking further 15 | // unveil calls is handled by UnveilBlock. 
16 | func Unveil(path string, flags string) error { 17 | pathPtr, err := syscall.BytePtrFromString(path) 18 | if err != nil { 19 | return err 20 | } 21 | flagsPtr, err := syscall.BytePtrFromString(flags) 22 | if err != nil { 23 | return err 24 | } 25 | _, _, e := syscall.Syscall(SYS_UNVEIL, uintptr(unsafe.Pointer(pathPtr)), uintptr(unsafe.Pointer(flagsPtr)), 0) 26 | if e != 0 { 27 | return e 28 | } 29 | return nil 30 | } 31 | 32 | // UnveilBlock blocks future unveil calls. 33 | // For more information see unveil(2). 34 | func UnveilBlock() error { 35 | // Both pointers must be nil. 36 | var pathUnsafe, flagsUnsafe unsafe.Pointer 37 | _, _, e := syscall.Syscall(SYS_UNVEIL, uintptr(pathUnsafe), uintptr(flagsUnsafe), 0) 38 | if e != 0 { 39 | return e 40 | } 41 | return nil 42 | } 43 | -------------------------------------------------------------------------------- /notes/klustered/episode-18/smalls/zombocom/default.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 8080; 3 | server_name localhost; 4 | 5 | #access_log /var/log/nginx/host.access.log main; 6 | 7 | location / { 8 | root /usr/share/nginx/html; 9 | index index.html index.htm; 10 | } 11 | 12 | #error_page 404 /404.html; 13 | 14 | # redirect server error pages to the static page /50x.html 15 | # 16 | error_page 500 502 503 504 /50x.html; 17 | location = /50x.html { 18 | root /usr/share/nginx/html; 19 | } 20 | 21 | # proxy the PHP scripts to Apache listening on 127.0.0.1:80 22 | # 23 | #location ~ \.php$ { 24 | # proxy_pass http://127.0.0.1; 25 | #} 26 | 27 | # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 28 | # 29 | #location ~ \.php$ { 30 | # root html; 31 | # fastcgi_pass 127.0.0.1:9000; 32 | # fastcgi_index index.php; 33 | # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; 34 | # include fastcgi_params; 35 | #} 36 | 37 | # deny access to .htaccess files, if Apache's document root 38 | # concurs with nginx's one 39 
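| # 40 | #location ~ /\.ht { 41 | # deny all; 42 | #} 43 | } 44 | 45 | -------------------------------------------------------------------------------- /cluster-automation/src/kubernetes/control-plane/join-token.ts: --------------------------------------------------------------------------------
import { all, ComponentResource, Output } from "@pulumi/pulumi";
import * as random from "@pulumi/random";

import { PREFIX } from "../meta";
import { ControlPlane } from "./";

/**
 * Pulumi component that generates the join token for a control plane.
 *
 * The token is built from two random lowercase-alphanumeric strings joined by
 * a dot: six characters, ".", sixteen characters.
 * NOTE(review): this matches the kubeadm bootstrap-token shape; confirm
 * against the code that consumes `token`.
 */
export class JoinToken extends ComponentResource {
  /**
   * The assembled `<left>.<right>` token. Both halves are declared as secret
   * outputs, so this value is encrypted in the Pulumi state and masked in CLI
   * output. Anything that interpolates it (user data, config files) still
   * receives the plain value and has to protect it itself.
   */
  readonly token: Output<string>;

  /**
   * @param controlPlane - Parent component; its cluster name prefixes the
   *   names of the random resources created here.
   */
  constructor(controlPlane: ControlPlane) {
    super(
      `${PREFIX}:kubernetes:JoinToken`,
      controlPlane.cluster.name,
      {},
      {
        parent: controlPlane,
      }
    );

    const name = controlPlane.cluster.name;

    // A join token is a credential: without `additionalSecretOutputs` the
    // generated strings are stored in plain text in the state file and are
    // printed by `pulumi up` / `pulumi stack output`.
    const left = new random.RandomString(
      `${name}-left`,
      {
        length: 6,
        special: false,
        lower: true,
        number: true,
        upper: false,
      },
      { parent: this, additionalSecretOutputs: ["result"] }
    );

    const right = new random.RandomString(
      `${name}-right`,
      {
        length: 16,
        special: false,
        lower: true,
        number: true,
        upper: false,
      },
      { parent: this, additionalSecretOutputs: ["result"] }
    );

    // Secretness propagates through all()/apply(), so the joined token is a
    // secret output as well.
    this.token = all([left.result, right.result]).apply(
      ([leftPart, rightPart]) => `${leftPart}.${rightPart}`
    );
  }
}

-------------------------------------------------------------------------------- /notes/klustered-teams/episode-3/digitalocean/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | ## Contributing Factors 6 | 7 | ## Notes from Kluster Breaker 8 | 9 | - We added a mutating admission webhook that changes all image name tags from v2 to v1. Everytime a user would goes to upgrade an image from version 1 to version 2, the update would be reverted.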
One way to have fixed this is to delete mutatingwebhookconfigurations with `kubectl delete mutatingwebhookconfigurations`. 10 | 11 | - Changed "-----END RSA PRIVATE KEY-----" to "-----END R5A PRIVATE KEY-----" at the bottom of the kube-apiserver.key file. This will cause an issue with the certificate and prevent the API server from running properly. Renewing the certs will fix this: `kubeadm certs renew all`. 12 | 13 | - Etcd's liveness probe was changed by modifying the path from `/health` to `/healthz`. This would cause the pod to be restarted every 8 failures, since `/healthz` doesn't exist and returns a 404. At each restart of etcd, kube-apiserver would be unable to reach etcd until its startup probe succeeded, so `kubectl` commands would fail. After the etcd pod's startup probe succeeded, kube-apiserver would be able to talk to etcd again, and `kubectl` commands would work until the etcd pod was restarted due to the liveness probe failures. Rinse and repeat. 14 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/zsyscall_darwin_386.1_13.go: -------------------------------------------------------------------------------- 1 | // go run mksyscall.go -l32 -tags darwin,386,go1.13 syscall_darwin.1_13.go 2 | // Code generated by the command above; see README.md. DO NOT EDIT. 
3 | 4 | // +build darwin,386,go1.13 5 | 6 | package unix 7 | 8 | import ( 9 | "syscall" 10 | "unsafe" 11 | ) 12 | 13 | var _ syscall.Errno 14 | 15 | // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT 16 | 17 | func closedir(dir uintptr) (err error) { 18 | _, _, e1 := syscall_syscall(funcPC(libc_closedir_trampoline), uintptr(dir), 0, 0) 19 | if e1 != 0 { 20 | err = errnoErr(e1) 21 | } 22 | return 23 | } 24 | 25 | func libc_closedir_trampoline() 26 | 27 | //go:linkname libc_closedir libc_closedir 28 | //go:cgo_import_dynamic libc_closedir closedir "/usr/lib/libSystem.B.dylib" 29 | 30 | // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT 31 | 32 | func readdir_r(dir uintptr, entry *Dirent, result **Dirent) (res Errno) { 33 | r0, _, _ := syscall_syscall(funcPC(libc_readdir_r_trampoline), uintptr(dir), uintptr(unsafe.Pointer(entry)), uintptr(unsafe.Pointer(result))) 34 | res = Errno(r0) 35 | return 36 | } 37 | 38 | func libc_readdir_r_trampoline() 39 | 40 | //go:linkname libc_readdir_r libc_readdir_r 41 | //go:cgo_import_dynamic libc_readdir_r readdir_r "/usr/lib/libSystem.B.dylib" 42 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.1_13.go: -------------------------------------------------------------------------------- 1 | // go run mksyscall.go -tags darwin,amd64,go1.13 syscall_darwin.1_13.go 2 | // Code generated by the command above; see README.md. DO NOT EDIT. 
3 | 4 | // +build darwin,amd64,go1.13 5 | 6 | package unix 7 | 8 | import ( 9 | "syscall" 10 | "unsafe" 11 | ) 12 | 13 | var _ syscall.Errno 14 | 15 | // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT 16 | 17 | func closedir(dir uintptr) (err error) { 18 | _, _, e1 := syscall_syscall(funcPC(libc_closedir_trampoline), uintptr(dir), 0, 0) 19 | if e1 != 0 { 20 | err = errnoErr(e1) 21 | } 22 | return 23 | } 24 | 25 | func libc_closedir_trampoline() 26 | 27 | //go:linkname libc_closedir libc_closedir 28 | //go:cgo_import_dynamic libc_closedir closedir "/usr/lib/libSystem.B.dylib" 29 | 30 | // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT 31 | 32 | func readdir_r(dir uintptr, entry *Dirent, result **Dirent) (res Errno) { 33 | r0, _, _ := syscall_syscall(funcPC(libc_readdir_r_trampoline), uintptr(dir), uintptr(unsafe.Pointer(entry)), uintptr(unsafe.Pointer(result))) 34 | res = Errno(r0) 35 | return 36 | } 37 | 38 | func libc_readdir_r_trampoline() 39 | 40 | //go:linkname libc_readdir_r libc_readdir_r 41 | //go:cgo_import_dynamic libc_readdir_r readdir_r "/usr/lib/libSystem.B.dylib" 42 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm.1_13.go: -------------------------------------------------------------------------------- 1 | // go run mksyscall.go -l32 -tags darwin,arm,go1.13 syscall_darwin.1_13.go 2 | // Code generated by the command above; see README.md. DO NOT EDIT. 
3 | 4 | // +build darwin,arm,go1.13 5 | 6 | package unix 7 | 8 | import ( 9 | "syscall" 10 | "unsafe" 11 | ) 12 | 13 | var _ syscall.Errno 14 | 15 | // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT 16 | 17 | func closedir(dir uintptr) (err error) { 18 | _, _, e1 := syscall_syscall(funcPC(libc_closedir_trampoline), uintptr(dir), 0, 0) 19 | if e1 != 0 { 20 | err = errnoErr(e1) 21 | } 22 | return 23 | } 24 | 25 | func libc_closedir_trampoline() 26 | 27 | //go:linkname libc_closedir libc_closedir 28 | //go:cgo_import_dynamic libc_closedir closedir "/usr/lib/libSystem.B.dylib" 29 | 30 | // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT 31 | 32 | func readdir_r(dir uintptr, entry *Dirent, result **Dirent) (res Errno) { 33 | r0, _, _ := syscall_syscall(funcPC(libc_readdir_r_trampoline), uintptr(dir), uintptr(unsafe.Pointer(entry)), uintptr(unsafe.Pointer(result))) 34 | res = Errno(r0) 35 | return 36 | } 37 | 38 | func libc_readdir_r_trampoline() 39 | 40 | //go:linkname libc_readdir_r libc_readdir_r 41 | //go:cgo_import_dynamic libc_readdir_r readdir_r "/usr/lib/libSystem.B.dylib" 42 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.1_13.go: -------------------------------------------------------------------------------- 1 | // go run mksyscall.go -tags darwin,arm64,go1.13 syscall_darwin.1_13.go 2 | // Code generated by the command above; see README.md. DO NOT EDIT. 
3 | 4 | // +build darwin,arm64,go1.13 5 | 6 | package unix 7 | 8 | import ( 9 | "syscall" 10 | "unsafe" 11 | ) 12 | 13 | var _ syscall.Errno 14 | 15 | // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT 16 | 17 | func closedir(dir uintptr) (err error) { 18 | _, _, e1 := syscall_syscall(funcPC(libc_closedir_trampoline), uintptr(dir), 0, 0) 19 | if e1 != 0 { 20 | err = errnoErr(e1) 21 | } 22 | return 23 | } 24 | 25 | func libc_closedir_trampoline() 26 | 27 | //go:linkname libc_closedir libc_closedir 28 | //go:cgo_import_dynamic libc_closedir closedir "/usr/lib/libSystem.B.dylib" 29 | 30 | // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT 31 | 32 | func readdir_r(dir uintptr, entry *Dirent, result **Dirent) (res Errno) { 33 | r0, _, _ := syscall_syscall(funcPC(libc_readdir_r_trampoline), uintptr(dir), uintptr(unsafe.Pointer(entry)), uintptr(unsafe.Pointer(result))) 34 | res = Errno(r0) 35 | return 36 | } 37 | 38 | func libc_readdir_r_trampoline() 39 | 40 | //go:linkname libc_readdir_r libc_readdir_r 41 | //go:cgo_import_dynamic libc_readdir_r readdir_r "/usr/lib/libSystem.B.dylib" 42 | -------------------------------------------------------------------------------- /notes/klustered/episode-12/rawkode/BREAK.md: -------------------------------------------------------------------------------- 1 | All modified files were `touch -d "date"` to hide their edits 2 | 3 | 4 | ```shell 5 | # /etc/profile.d/01-locale.sh 6 | export GLOBIGNORE=*~ 7 | alias ls="ls -B" 8 | 9 | # ~/.bashrc 10 | alias ls="ls -B" 11 | ``` 12 | 13 | ```yaml 14 | apiVersion: v1 15 | kind: Pod 16 | metadata: 17 | name: kube-apiservers 18 | namespace: chaos 19 | spec: 20 | volumes: 21 | - hostPath: 22 | path: /etc/kubernetes 23 | type: DirectoryOrCreate 24 | name: kubernetes 25 | - hostPath: 26 | path: /lib/selinux 27 | name: selinux 28 | containers: 29 | - name: chaos 30 | image: bitnami/kubectl 31 | securityContext: 32 | runAsUser: 0 33 | command: 34 | - 
"containerd-shim-runc-v2" 35 | volumeMounts: 36 | - name: selinux 37 | mountPath: "/usr/bin/containerd-shim-runc-v2" 38 | - name: kubernetes 39 | mountPath: /etc/kubernetes/admin.conf 40 | subPath: admin.conf 41 | ``` 42 | 43 | 44 | ```shell 45 | #!/usr/bin/env sh 46 | while true; do 47 | kubectl --kubeconfig=/etc/kubernetes/admin.conf delete pod -l app=klustered; 48 | { ss=`stty -g`; stty -icanon min 0 time 50; read foo; stty "$ss"; } 49 | done 50 | ``` 51 | 52 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-isatty/README.md: -------------------------------------------------------------------------------- 1 | # go-isatty 2 | 3 | [![Godoc Reference](https://godoc.org/github.com/mattn/go-isatty?status.svg)](http://godoc.org/github.com/mattn/go-isatty) 4 | [![Codecov](https://codecov.io/gh/mattn/go-isatty/branch/master/graph/badge.svg)](https://codecov.io/gh/mattn/go-isatty) 5 | [![Coverage Status](https://coveralls.io/repos/github/mattn/go-isatty/badge.svg?branch=master)](https://coveralls.io/github/mattn/go-isatty?branch=master) 6 | [![Go Report Card](https://goreportcard.com/badge/mattn/go-isatty)](https://goreportcard.com/report/mattn/go-isatty) 7 | 8 | isatty for golang 9 | 10 | ## Usage 11 | 12 | ```go 13 | package main 14 | 15 | import ( 16 | "fmt" 17 | "github.com/mattn/go-isatty" 18 | "os" 19 | ) 20 | 21 | func main() { 22 | if isatty.IsTerminal(os.Stdout.Fd()) { 23 | fmt.Println("Is Terminal") 24 | } else if isatty.IsCygwinTerminal(os.Stdout.Fd()) { 25 | fmt.Println("Is Cygwin/MSYS2 Terminal") 26 | } else { 27 | fmt.Println("Is Not Terminal") 28 | } 29 | } 30 | ``` 31 | 32 | ## Installation 33 | 34 | ``` 35 | $ go get github.com/mattn/go-isatty 36 | ``` 37 | 38 | ## License 39 | 40 | MIT 41 | 42 | ## Author 43 | 44 | Yasuhiro Matsumoto (a.k.a mattn) 45 | 46 | ## Thanks 47 | 48 | * k-takata: base idea for IsCygwinTerminal 49 | 50 | 
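https://github.com/k-takata/go-iscygpty 51 | -------------------------------------------------------------------------------- /cluster-automation/cloud-init/scripts/kubernetes-kubeadm-certs.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Installs the cluster PKI material found in /tmp/customdata.json into
# /etc/kubernetes/pki.
#
# Private keys (*.key) are written with mode 0600 and public material
# (*.crt, *.pub) with mode 0644; plain `echo > file` would leave the CA and
# service-account private keys at whatever the process umask allows.
set -euo pipefail

readonly CUSTOMDATA=/tmp/customdata.json
readonly PKI_DIR=/etc/kubernetes/pki

# NOTE(review): ${CUSTOMDATA} holds CA private keys and lives in /tmp; confirm
# it is readable by root only and removed once every script has consumed it.

# read_field KEY
# Prints the value stored under .KEY. `-e` makes jq exit non-zero when the key
# is missing or null, so the script stops instead of writing the literal
# string "null" into a key or certificate file.
read_field() {
  jq -er ".${1}" "${CUSTOMDATA}"
}

# write_pki_file MODE PATH CONTENT
# Writes CONTENT plus a trailing newline to PATH and sets its mode to MODE.
write_pki_file() {
  local mode="$1" path="$2" content="$3"
  # Create the file under a restrictive umask so a new private key is never
  # readable by other users, not even between creation and chmod.
  ( umask 077; printf '%s\n' "${content}" > "${path}" )
  # chmod also tightens a file that already existed with looser permissions.
  chmod "${mode}" "${path}"
}

CERTIFICATE_AUTHORITY_KEY=$(read_field certificateAuthorityKey)
CERTIFICATE_AUTHORITY_CERT=$(read_field certificateAuthorityCert)
SERVICE_ACCOUNT_KEY=$(read_field serviceAccountKey)
SERVICE_ACCOUNT_PUBLIC_KEY=$(read_field serviceAccountPublicKey)
SERVICE_ACCOUNT_CERT=$(read_field serviceAccountCert)
FRONT_PROXY_KEY=$(read_field frontProxyKey)
FRONT_PROXY_CERT=$(read_field frontProxyCert)
ETCD_KEY=$(read_field etcdKey)
ETCD_CERT=$(read_field etcdCert)

mkdir -p "${PKI_DIR}/etcd"

write_pki_file 0600 "${PKI_DIR}/ca.key" "${CERTIFICATE_AUTHORITY_KEY}"
write_pki_file 0644 "${PKI_DIR}/ca.crt" "${CERTIFICATE_AUTHORITY_CERT}"
write_pki_file 0600 "${PKI_DIR}/sa.key" "${SERVICE_ACCOUNT_KEY}"
write_pki_file 0644 "${PKI_DIR}/sa.pub" "${SERVICE_ACCOUNT_PUBLIC_KEY}"
write_pki_file 0644 "${PKI_DIR}/sa.crt" "${SERVICE_ACCOUNT_CERT}"
write_pki_file 0600 "${PKI_DIR}/front-proxy-ca.key" "${FRONT_PROXY_KEY}"
write_pki_file 0644 "${PKI_DIR}/front-proxy-ca.crt" "${FRONT_PROXY_CERT}"
write_pki_file 0600 "${PKI_DIR}/etcd/ca.key" "${ETCD_KEY}"
write_pki_file 0644 "${PKI_DIR}/etcd/ca.crt" "${ETCD_CERT}"

-------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_linux_arm64.s: -------------------------------------------------------------------------------- 1 | // Copyright 2015 The Go Authors. All rights reserved. 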
2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build linux 6 | // +build arm64 7 | // +build !gccgo 8 | 9 | #include "textflag.h" 10 | 11 | // Just jump to package syscall's implementation for all these functions. 12 | // The runtime may know about them. 13 | 14 | TEXT ·Syscall(SB),NOSPLIT,$0-56 15 | B syscall·Syscall(SB) 16 | 17 | TEXT ·Syscall6(SB),NOSPLIT,$0-80 18 | B syscall·Syscall6(SB) 19 | 20 | TEXT ·SyscallNoError(SB),NOSPLIT,$0-48 21 | BL runtime·entersyscall(SB) 22 | MOVD a1+8(FP), R0 23 | MOVD a2+16(FP), R1 24 | MOVD a3+24(FP), R2 25 | MOVD $0, R3 26 | MOVD $0, R4 27 | MOVD $0, R5 28 | MOVD trap+0(FP), R8 // syscall entry 29 | SVC 30 | MOVD R0, r1+32(FP) // r1 31 | MOVD R1, r2+40(FP) // r2 32 | BL runtime·exitsyscall(SB) 33 | RET 34 | 35 | TEXT ·RawSyscall(SB),NOSPLIT,$0-56 36 | B syscall·RawSyscall(SB) 37 | 38 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-80 39 | B syscall·RawSyscall6(SB) 40 | 41 | TEXT ·RawSyscallNoError(SB),NOSPLIT,$0-48 42 | MOVD a1+8(FP), R0 43 | MOVD a2+16(FP), R1 44 | MOVD a3+24(FP), R2 45 | MOVD $0, R3 46 | MOVD $0, R4 47 | MOVD $0, R5 48 | MOVD trap+0(FP), R8 // syscall entry 49 | SVC 50 | MOVD R0, r1+32(FP) 51 | MOVD R1, r2+40(FP) 52 | RET 53 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/PATENTS: -------------------------------------------------------------------------------- 1 | Additional IP Rights Grant (Patents) 2 | 3 | "This implementation" means the copyrightable works distributed by 4 | Google as part of the Go project. 
5 | 6 | Google hereby grants to You a perpetual, worldwide, non-exclusive, 7 | no-charge, royalty-free, irrevocable (except as stated in this section) 8 | patent license to make, have made, use, offer to sell, sell, import, 9 | transfer and otherwise run, modify and propagate the contents of this 10 | implementation of Go, where such license applies only to those patent 11 | claims, both currently owned or controlled by Google and acquired in 12 | the future, licensable by Google that are necessarily infringed by this 13 | implementation of Go. This grant does not include claims that would be 14 | infringed only as a consequence of further modification of this 15 | implementation. If you or your agent or exclusive licensee institute or 16 | order or agree to the institution of patent litigation against any 17 | entity (including a cross-claim or counterclaim in a lawsuit) alleging 18 | that this implementation of Go or any code incorporated within this 19 | implementation of Go constitutes direct or contributory patent 20 | infringement, or inducement of patent infringement, then any patent 21 | rights granted to you under this License for this implementation of Go 22 | shall terminate as of the date such litigation is filed. 23 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_linux_arm.s: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System calls for arm, Linux 11 | // 12 | 13 | // Just jump to package syscall's implementation for all these functions. 14 | // The runtime may know about them. 
15 | 16 | TEXT ·Syscall(SB),NOSPLIT,$0-28 17 | B syscall·Syscall(SB) 18 | 19 | TEXT ·Syscall6(SB),NOSPLIT,$0-40 20 | B syscall·Syscall6(SB) 21 | 22 | TEXT ·SyscallNoError(SB),NOSPLIT,$0-24 23 | BL runtime·entersyscall(SB) 24 | MOVW trap+0(FP), R7 25 | MOVW a1+4(FP), R0 26 | MOVW a2+8(FP), R1 27 | MOVW a3+12(FP), R2 28 | MOVW $0, R3 29 | MOVW $0, R4 30 | MOVW $0, R5 31 | SWI $0 32 | MOVW R0, r1+16(FP) 33 | MOVW $0, R0 34 | MOVW R0, r2+20(FP) 35 | BL runtime·exitsyscall(SB) 36 | RET 37 | 38 | TEXT ·RawSyscall(SB),NOSPLIT,$0-28 39 | B syscall·RawSyscall(SB) 40 | 41 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-40 42 | B syscall·RawSyscall6(SB) 43 | 44 | TEXT ·RawSyscallNoError(SB),NOSPLIT,$0-24 45 | MOVW trap+0(FP), R7 // syscall entry 46 | MOVW a1+4(FP), R0 47 | MOVW a2+8(FP), R1 48 | MOVW a3+12(FP), R2 49 | SWI $0 50 | MOVW R0, r1+16(FP) 51 | MOVW $0, R0 52 | MOVW R0, r2+20(FP) 53 | RET 54 | 55 | TEXT ·seek(SB),NOSPLIT,$0-28 56 | B syscall·seek(SB) 57 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_linux_s390x.s: -------------------------------------------------------------------------------- 1 | // Copyright 2016 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build s390x 6 | // +build linux 7 | // +build !gccgo 8 | 9 | #include "textflag.h" 10 | 11 | // 12 | // System calls for s390x, Linux 13 | // 14 | 15 | // Just jump to package syscall's implementation for all these functions. 16 | // The runtime may know about them. 
17 | 18 | TEXT ·Syscall(SB),NOSPLIT,$0-56 19 | BR syscall·Syscall(SB) 20 | 21 | TEXT ·Syscall6(SB),NOSPLIT,$0-80 22 | BR syscall·Syscall6(SB) 23 | 24 | TEXT ·SyscallNoError(SB),NOSPLIT,$0-48 25 | BL runtime·entersyscall(SB) 26 | MOVD a1+8(FP), R2 27 | MOVD a2+16(FP), R3 28 | MOVD a3+24(FP), R4 29 | MOVD $0, R5 30 | MOVD $0, R6 31 | MOVD $0, R7 32 | MOVD trap+0(FP), R1 // syscall entry 33 | SYSCALL 34 | MOVD R2, r1+32(FP) 35 | MOVD R3, r2+40(FP) 36 | BL runtime·exitsyscall(SB) 37 | RET 38 | 39 | TEXT ·RawSyscall(SB),NOSPLIT,$0-56 40 | BR syscall·RawSyscall(SB) 41 | 42 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-80 43 | BR syscall·RawSyscall6(SB) 44 | 45 | TEXT ·RawSyscallNoError(SB),NOSPLIT,$0-48 46 | MOVD a1+8(FP), R2 47 | MOVD a2+16(FP), R3 48 | MOVD a3+24(FP), R4 49 | MOVD $0, R5 50 | MOVD $0, R6 51 | MOVD $0, R7 52 | MOVD trap+0(FP), R1 // syscall entry 53 | SYSCALL 54 | MOVD R2, r1+32(FP) 55 | MOVD R3, r2+40(FP) 56 | RET 57 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_linux_mipsx.s: -------------------------------------------------------------------------------- 1 | // Copyright 2016 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build linux 6 | // +build mips mipsle 7 | // +build !gccgo 8 | 9 | #include "textflag.h" 10 | 11 | // 12 | // System calls for mips, Linux 13 | // 14 | 15 | // Just jump to package syscall's implementation for all these functions. 16 | // The runtime may know about them. 
17 | 18 | TEXT ·Syscall(SB),NOSPLIT,$0-28 19 | JMP syscall·Syscall(SB) 20 | 21 | TEXT ·Syscall6(SB),NOSPLIT,$0-40 22 | JMP syscall·Syscall6(SB) 23 | 24 | TEXT ·Syscall9(SB),NOSPLIT,$0-52 25 | JMP syscall·Syscall9(SB) 26 | 27 | TEXT ·SyscallNoError(SB),NOSPLIT,$0-24 28 | JAL runtime·entersyscall(SB) 29 | MOVW a1+4(FP), R4 30 | MOVW a2+8(FP), R5 31 | MOVW a3+12(FP), R6 32 | MOVW R0, R7 33 | MOVW trap+0(FP), R2 // syscall entry 34 | SYSCALL 35 | MOVW R2, r1+16(FP) // r1 36 | MOVW R3, r2+20(FP) // r2 37 | JAL runtime·exitsyscall(SB) 38 | RET 39 | 40 | TEXT ·RawSyscall(SB),NOSPLIT,$0-28 41 | JMP syscall·RawSyscall(SB) 42 | 43 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-40 44 | JMP syscall·RawSyscall6(SB) 45 | 46 | TEXT ·RawSyscallNoError(SB),NOSPLIT,$0-24 47 | MOVW a1+4(FP), R4 48 | MOVW a2+8(FP), R5 49 | MOVW a3+12(FP), R6 50 | MOVW trap+0(FP), R2 // syscall entry 51 | SYSCALL 52 | MOVW R2, r1+16(FP) 53 | MOVW R3, r2+20(FP) 54 | RET 55 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/zptrace_armnn_linux.go: -------------------------------------------------------------------------------- 1 | // Code generated by linux/mkall.go generatePtracePair("arm", "arm64"). DO NOT EDIT. 2 | 3 | // +build linux 4 | // +build arm arm64 5 | 6 | package unix 7 | 8 | import "unsafe" 9 | 10 | // PtraceRegsArm is the registers used by arm binaries. 11 | type PtraceRegsArm struct { 12 | Uregs [18]uint32 13 | } 14 | 15 | // PtraceGetRegsArm fetches the registers used by arm binaries. 16 | func PtraceGetRegsArm(pid int, regsout *PtraceRegsArm) error { 17 | return ptrace(PTRACE_GETREGS, pid, 0, uintptr(unsafe.Pointer(regsout))) 18 | } 19 | 20 | // PtraceSetRegsArm sets the registers used by arm binaries. 
21 | func PtraceSetRegsArm(pid int, regs *PtraceRegsArm) error { 22 | return ptrace(PTRACE_SETREGS, pid, 0, uintptr(unsafe.Pointer(regs))) 23 | } 24 | 25 | // PtraceRegsArm64 is the registers used by arm64 binaries. 26 | type PtraceRegsArm64 struct { 27 | Regs [31]uint64 28 | Sp uint64 29 | Pc uint64 30 | Pstate uint64 31 | } 32 | 33 | // PtraceGetRegsArm64 fetches the registers used by arm64 binaries. 34 | func PtraceGetRegsArm64(pid int, regsout *PtraceRegsArm64) error { 35 | return ptrace(PTRACE_GETREGS, pid, 0, uintptr(unsafe.Pointer(regsout))) 36 | } 37 | 38 | // PtraceSetRegsArm64 sets the registers used by arm64 binaries. 39 | func PtraceSetRegsArm64(pid int, regs *PtraceRegsArm64) error { 40 | return ptrace(PTRACE_SETREGS, pid, 0, uintptr(unsafe.Pointer(regs))) 41 | } 42 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_linux_mips64x.s: -------------------------------------------------------------------------------- 1 | // Copyright 2015 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build linux 6 | // +build mips64 mips64le 7 | // +build !gccgo 8 | 9 | #include "textflag.h" 10 | 11 | // 12 | // System calls for mips64, Linux 13 | // 14 | 15 | // Just jump to package syscall's implementation for all these functions. 16 | // The runtime may know about them. 
17 | 18 | TEXT ·Syscall(SB),NOSPLIT,$0-56 19 | JMP syscall·Syscall(SB) 20 | 21 | TEXT ·Syscall6(SB),NOSPLIT,$0-80 22 | JMP syscall·Syscall6(SB) 23 | 24 | TEXT ·SyscallNoError(SB),NOSPLIT,$0-48 25 | JAL runtime·entersyscall(SB) 26 | MOVV a1+8(FP), R4 27 | MOVV a2+16(FP), R5 28 | MOVV a3+24(FP), R6 29 | MOVV R0, R7 30 | MOVV R0, R8 31 | MOVV R0, R9 32 | MOVV trap+0(FP), R2 // syscall entry 33 | SYSCALL 34 | MOVV R2, r1+32(FP) 35 | MOVV R3, r2+40(FP) 36 | JAL runtime·exitsyscall(SB) 37 | RET 38 | 39 | TEXT ·RawSyscall(SB),NOSPLIT,$0-56 40 | JMP syscall·RawSyscall(SB) 41 | 42 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-80 43 | JMP syscall·RawSyscall6(SB) 44 | 45 | TEXT ·RawSyscallNoError(SB),NOSPLIT,$0-48 46 | MOVV a1+8(FP), R4 47 | MOVV a2+16(FP), R5 48 | MOVV a3+24(FP), R6 49 | MOVV R0, R7 50 | MOVV R0, R8 51 | MOVV R0, R9 52 | MOVV trap+0(FP), R2 // syscall entry 53 | SYSCALL 54 | MOVV R2, r1+32(FP) 55 | MOVV R3, r2+40(FP) 56 | RET 57 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_linux_amd64.s: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System calls for AMD64, Linux 11 | // 12 | 13 | // Just jump to package syscall's implementation for all these functions. 14 | // The runtime may know about them. 
15 | 16 | TEXT ·Syscall(SB),NOSPLIT,$0-56 17 | JMP syscall·Syscall(SB) 18 | 19 | TEXT ·Syscall6(SB),NOSPLIT,$0-80 20 | JMP syscall·Syscall6(SB) 21 | 22 | TEXT ·SyscallNoError(SB),NOSPLIT,$0-48 23 | CALL runtime·entersyscall(SB) 24 | MOVQ a1+8(FP), DI 25 | MOVQ a2+16(FP), SI 26 | MOVQ a3+24(FP), DX 27 | MOVQ $0, R10 28 | MOVQ $0, R8 29 | MOVQ $0, R9 30 | MOVQ trap+0(FP), AX // syscall entry 31 | SYSCALL 32 | MOVQ AX, r1+32(FP) 33 | MOVQ DX, r2+40(FP) 34 | CALL runtime·exitsyscall(SB) 35 | RET 36 | 37 | TEXT ·RawSyscall(SB),NOSPLIT,$0-56 38 | JMP syscall·RawSyscall(SB) 39 | 40 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-80 41 | JMP syscall·RawSyscall6(SB) 42 | 43 | TEXT ·RawSyscallNoError(SB),NOSPLIT,$0-48 44 | MOVQ a1+8(FP), DI 45 | MOVQ a2+16(FP), SI 46 | MOVQ a3+24(FP), DX 47 | MOVQ $0, R10 48 | MOVQ $0, R8 49 | MOVQ $0, R9 50 | MOVQ trap+0(FP), AX // syscall entry 51 | SYSCALL 52 | MOVQ AX, r1+32(FP) 53 | MOVQ DX, r2+40(FP) 54 | RET 55 | 56 | TEXT ·gettimeofday(SB),NOSPLIT,$0-16 57 | JMP syscall·gettimeofday(SB) 58 | -------------------------------------------------------------------------------- /notes/klustered/episode-9/sascha-grunert/runc-v1.0.0-rc10.patch: --------------------------------------------------------------------------------
1 | diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
2 | index fe70c937..f6c8267e 100644
3 | --- a/libcontainer/container_linux.go
4 | +++ b/libcontainer/container_linux.go
5 | @@ -346,7 +346,7 @@ func (c *linuxContainer) start(process *Process) error {
6 | if err := ignoreTerminateErrors(parent.terminate()); err != nil {
7 | logrus.Warn(err)
8 | }
9 | - return newSystemErrorWithCause(err, "starting container process")
10 | + return err
11 | }
12 | // generate a timestamp indicating when the container was started
13 | c.created = time.Now().UTC()
14 | diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
15 | index de989b5b..d165810c 100644
16 | --- a/libcontainer/process_linux.go
17 | +++ b/libcontainer/process_linux.go
18 | @@ -7,11 +7,13 @@ import (
19 | "errors"
20 | "fmt"
21 | "io"
22 | + "math/rand"
23 | "os"
24 | "os/exec"
25 | "path/filepath"
26 | "strconv"
27 | "syscall" // only for Signal
28 | + "time"
29 |
30 | "github.com/opencontainers/runc/libcontainer/cgroups"
31 | "github.com/opencontainers/runc/libcontainer/configs"
32 | @@ -280,6 +282,11 @@ func (p *initProcess) waitForChildExit(childPid int) error {
33 | }
34 |
35 | func (p *initProcess) start() error {
36 | + rand.Seed(time.Now().UTC().UnixNano())
37 | + if rand.Intn(3) == 0 {
38 | + return errors.New("honk")
39 | + }
40 | +
41 | defer p.messageSockPair.parent.Close()
42 | err := p.cmd.Start()
43 | p.process.ops = p
44 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/README.md: -------------------------------------------------------------------------------- 1 | # klustered 0016 2 | 3 | ## Goals 4 | 5 | * Simulate a readonly filesystem. 6 | * Break the DNS chain from host to pod 7 | 8 | ### Steps to break 9 | 10 | #### Workers 11 | 12 | 1. Mess up kubelet DNS settings, this makes pod DNS useless. Change `clusterDNS[0]` in `/var/lib/kubelet/config.yaml` 13 | 14 | #### Control plane 15 | 16 | 1. Replace `kubectl` for the lolz and confusion. 17 | 1. Break the cni by enabling BGP without configs ready ( conflicting with kube-vip). Enabled via ConfigMap 18 | 1. Inject a malicious kube-apiserver via DNS injection into /etc/hosts. This `kube-apiserver` has code to delete any key you insert. Run `echo 127.0.0.1 k8s.gcr.io >> /etc/hosts` 19 | 1. Delete the `.` from the `coreDNS` `forward` plugin, this breaks `coreDNS`. It is a syntax error that break DNS resolution and the Poc won't start 20 | 1. Edit the `kube-apiserver.yaml` to pull from my repository. 21 | 22 | ## Results 23 | 24 | 1. Realized the `kubectl` wasn't `kubectl` because output was very much wrong. 25 | 1. Found `kubelet` couldn't "find node 'control-plane-01'" 26 | 1. `containerd` was complaining about tls errors to `k8s.cro.io` 27 | 1. Networking stopped working 28 | 1. The `kube-apiserver` wouldn't start 29 | 1. restart required 30 | 1. networking restored 31 | 1. host DNS restored 32 | 1. Once `kube-apiserver` was up the entire DNS chain for pod -> host -> world was broken and needed fixing 33 | 1. 
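Review bot: The early return added at the top of `initProcess.start()` in libcontainer/process_linux.go fails about one call in three with the bare error `honk`, and nothing in the code marks it as deliberate fault injection; a comment such as `// klustered exercise: deliberately fail about 1 in 3 starts` would keep it from being read as a genuine runtime fault. `rand.Seed(time.Now().UTC().UnixNano())` reseeds the global source on every call, where seeding once at package init would be enough. The container_linux.go hunk of the same patch returns `err` without the "starting container process" wrapper, so the injected error presumably surfaces with no context pointing back at runc. When a host is suspected of running a build like this, comparing the installed runc binary's checksum with the packaged one is the direct check. The body of `start()` continues outside the hunk.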
Compare cilium configs to known good. 34 | 1. Restore coreDNS configs 35 | 1. Fix pod DNS via kubelet config. 36 | -------------------------------------------------------------------------------- /.github/workflows/container-images.yaml: -------------------------------------------------------------------------------- 1 | name: container-images 2 | 3 | on: 4 | push: 5 | branches: 6 | - "main" 7 | 8 | jobs: 9 | v1: 10 | runs-on: ubuntu-latest 11 | steps: 12 | - uses: actions/checkout@v2 13 | 14 | - name: Set up Docker Buildx 15 | uses: docker/setup-buildx-action@v1 16 | 17 | - name: Login to Container Registry 18 | uses: docker/login-action@v1 19 | with: 20 | registry: ghcr.io 21 | username: ${{ github.repository_owner }} 22 | password: ${{ secrets.GITHUB_TOKEN }} 23 | 24 | - name: Build and push 25 | id: docker_build 26 | uses: docker/build-push-action@v2 27 | with: 28 | tags: ghcr.io/${{ github.repository }}:v1 29 | push: true 30 | target: v1 31 | context: workload 32 | v2: 33 | runs-on: ubuntu-latest 34 | steps: 35 | - uses: actions/checkout@v2 36 | 37 | - name: Set up Docker Buildx 38 | uses: docker/setup-buildx-action@v1 39 | 40 | - name: Login to Container Registry 41 | uses: docker/login-action@v1 42 | with: 43 | registry: ghcr.io 44 | username: ${{ github.repository_owner }} 45 | password: ${{ secrets.GITHUB_TOKEN }} 46 | 47 | - name: Build and push 48 | id: docker_build 49 | uses: docker/build-push-action@v2 50 | with: 51 | tags: ghcr.io/${{ github.repository }}:v2 52 | push: true 53 | target: v2 54 | context: workload 55 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_dragonfly_amd64.go: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build amd64,dragonfly 6 | 7 | package unix 8 | 9 | import ( 10 | "syscall" 11 | "unsafe" 12 | ) 13 | 14 | func setTimespec(sec, nsec int64) Timespec { 15 | return Timespec{Sec: sec, Nsec: nsec} 16 | } 17 | 18 | func setTimeval(sec, usec int64) Timeval { 19 | return Timeval{Sec: sec, Usec: usec} 20 | } 21 | 22 | func SetKevent(k *Kevent_t, fd, mode, flags int) { 23 | k.Ident = uint64(fd) 24 | k.Filter = int16(mode) 25 | k.Flags = uint16(flags) 26 | } 27 | 28 | func (iov *Iovec) SetLen(length int) { 29 | iov.Len = uint64(length) 30 | } 31 | 32 | func (msghdr *Msghdr) SetControllen(length int) { 33 | msghdr.Controllen = uint32(length) 34 | } 35 | 36 | func (msghdr *Msghdr) SetIovlen(length int) { 37 | msghdr.Iovlen = int32(length) 38 | } 39 | 40 | func (cmsg *Cmsghdr) SetLen(length int) { 41 | cmsg.Len = uint32(length) 42 | } 43 | 44 | func sendfile(outfd int, infd int, offset *int64, count int) (written int, err error) { 45 | var writtenOut uint64 = 0 46 | _, _, e1 := Syscall9(SYS_SENDFILE, uintptr(infd), uintptr(outfd), uintptr(*offset), uintptr(count), 0, uintptr(unsafe.Pointer(&writtenOut)), 0, 0, 0) 47 | 48 | written = int(writtenOut) 49 | 50 | if e1 != 0 { 51 | err = e1 52 | } 53 | return 54 | } 55 | 56 | func Syscall9(num, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr, err syscall.Errno) 57 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/mattn/go-colorable/README.md: -------------------------------------------------------------------------------- 1 | # go-colorable 2 | 3 | [![Build Status](https://travis-ci.org/mattn/go-colorable.svg?branch=master)](https://travis-ci.org/mattn/go-colorable) 4 | [![Codecov](https://codecov.io/gh/mattn/go-colorable/branch/master/graph/badge.svg)](https://codecov.io/gh/mattn/go-colorable) 5 | [![GoDoc](https://godoc.org/github.com/mattn/go-colorable?status.svg)](http://godoc.org/github.com/mattn/go-colorable) 6 | 
[![Go Report Card](https://goreportcard.com/badge/mattn/go-colorable)](https://goreportcard.com/report/mattn/go-colorable) 7 | 8 | Colorable writer for windows. 9 | 10 | For example, most of logger packages doesn't show colors on windows. (I know we can do it with ansicon. But I don't want.) 11 | This package is possible to handle escape sequence for ansi color on windows. 12 | 13 | ## Too Bad! 14 | 15 | ![](https://raw.githubusercontent.com/mattn/go-colorable/gh-pages/bad.png) 16 | 17 | 18 | ## So Good! 19 | 20 | ![](https://raw.githubusercontent.com/mattn/go-colorable/gh-pages/good.png) 21 | 22 | ## Usage 23 | 24 | ```go 25 | logrus.SetFormatter(&logrus.TextFormatter{ForceColors: true}) 26 | logrus.SetOutput(colorable.NewColorableStdout()) 27 | 28 | logrus.Info("succeeded") 29 | logrus.Warn("not correct") 30 | logrus.Error("something error") 31 | logrus.Fatal("panic") 32 | ``` 33 | 34 | You can compile above code on non-windows OSs. 35 | 36 | ## Installation 37 | 38 | ``` 39 | $ go get github.com/mattn/go-colorable 40 | ``` 41 | 42 | # License 43 | 44 | MIT 45 | 46 | # Author 47 | 48 | Yasuhiro Matsumoto (a.k.a mattn) 49 | -------------------------------------------------------------------------------- /notes/klustered/episode-9/billie-cleek/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | ## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | 11 | The cluster was broken in three ways. My goal was to break the cluster from different perspectives: workloads, workload management commands (e.g. deploying, deleting, etc.), and fundamental health and operations. 12 | 13 | To break it from the workload perspective, I added a template to the CoreDNS Corefile that caused all DNS requests to respond with an NXDOMAIN answer. I added a second template that would answer all DNS requests with a CNAME to google.com. 
14 | 15 | To break it from the workload management perspective, I added a misconfigured mutating admission webhook that was configured to apply to all pod creates and deletes _except_ for the etcd pods and with a failure policy of `Fail`. The webhook endpoint did not exist, though, so all pod deletions or creates to anything other than the etcd pod would be denied. 16 | 17 | Finally, to break it for the fundamental health and operations, etcd's liveness probe was changed by modifying the path from `/health` to `/healthz`. This would cause the pod to be restarted every 8 failures since `/healthz` doesn't exist and returns a 404. At each restart of etcd, kube-apiserver would be unable to reach etcd until its startup probe succeeded, so `kubectl` commands would fail. After the etcd pod's startup probe succeeded, kube-apiserver would be able to talk to etcd again, and `kubectl` commands would work until the etcd pod was restarted due to the liveness probe failures. Rinse and repeat. 18 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_darwin_libSystem.go: -------------------------------------------------------------------------------- 1 | // Copyright 2018 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build darwin,go1.12 6 | 7 | package unix 8 | 9 | import "unsafe" 10 | 11 | // Implemented in the runtime package (runtime/sys_darwin.go) 12 | func syscall_syscall(fn, a1, a2, a3 uintptr) (r1, r2 uintptr, err Errno) 13 | func syscall_syscall6(fn, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2 uintptr, err Errno) 14 | func syscall_syscall6X(fn, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2 uintptr, err Errno) 15 | func syscall_syscall9(fn, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr, err Errno) // 32-bit only 16 | func syscall_rawSyscall(fn, a1, a2, a3 uintptr) (r1, r2 uintptr, err Errno) 17 | func syscall_rawSyscall6(fn, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2 uintptr, err Errno) 18 | func syscall_syscallPtr(fn, a1, a2, a3 uintptr) (r1, r2 uintptr, err Errno) 19 | 20 | //go:linkname syscall_syscall syscall.syscall 21 | //go:linkname syscall_syscall6 syscall.syscall6 22 | //go:linkname syscall_syscall6X syscall.syscall6X 23 | //go:linkname syscall_syscall9 syscall.syscall9 24 | //go:linkname syscall_rawSyscall syscall.rawSyscall 25 | //go:linkname syscall_rawSyscall6 syscall.rawSyscall6 26 | //go:linkname syscall_syscallPtr syscall.syscallPtr 27 | 28 | // Find the entry point for f. See comments in runtime/proc.go for the 29 | // function of the same name. 30 | //go:nosplit 31 | func funcPC(f func()) uintptr { 32 | return **(**uintptr)(unsafe.Pointer(&f)) 33 | } 34 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2009 The Go Authors. All rights reserved. 2 | 3 | Redistribution and use in source and binary forms, with or without 4 | modification, are permitted provided that the following conditions are 5 | met: 6 | 7 | * Redistributions of source code must retain the above copyright 8 | notice, this list of conditions and the following disclaimer. 
9 | * Redistributions in binary form must reproduce the above 10 | copyright notice, this list of conditions and the following disclaimer 11 | in the documentation and/or other materials provided with the 12 | distribution. 13 | * Neither the name of Google Inc. nor the names of its 14 | contributors may be used to endorse or promote products derived from 15 | this software without specific prior written permission. 16 | 17 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 18 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 19 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 20 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 21 | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 22 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 23 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 27 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_aix_ppc.go: -------------------------------------------------------------------------------- 1 | // Copyright 2018 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build aix 6 | // +build ppc 7 | 8 | package unix 9 | 10 | //sysnb Getrlimit(resource int, rlim *Rlimit) (err error) = getrlimit64 11 | //sysnb Setrlimit(resource int, rlim *Rlimit) (err error) = setrlimit64 12 | //sys Seek(fd int, offset int64, whence int) (off int64, err error) = lseek64 13 | 14 | //sys mmap(addr uintptr, length uintptr, prot int, flags int, fd int, offset int64) (xaddr uintptr, err error) 15 | 16 | func setTimespec(sec, nsec int64) Timespec { 17 | return Timespec{Sec: int32(sec), Nsec: int32(nsec)} 18 | } 19 | 20 | func setTimeval(sec, usec int64) Timeval { 21 | return Timeval{Sec: int32(sec), Usec: int32(usec)} 22 | } 23 | 24 | func (iov *Iovec) SetLen(length int) { 25 | iov.Len = uint32(length) 26 | } 27 | 28 | func (msghdr *Msghdr) SetControllen(length int) { 29 | msghdr.Controllen = uint32(length) 30 | } 31 | 32 | func (msghdr *Msghdr) SetIovlen(length int) { 33 | msghdr.Iovlen = int32(length) 34 | } 35 | 36 | func (cmsg *Cmsghdr) SetLen(length int) { 37 | cmsg.Len = uint32(length) 38 | } 39 | 40 | func Fstat(fd int, stat *Stat_t) error { 41 | return fstat(fd, stat) 42 | } 43 | 44 | func Fstatat(dirfd int, path string, stat *Stat_t, flags int) error { 45 | return fstatat(dirfd, path, stat, flags) 46 | } 47 | 48 | func Lstat(path string, stat *Stat_t) error { 49 | return lstat(path, stat) 50 | } 51 | 52 | func Stat(path string, statptr *Stat_t) error { 53 | return stat(path, statptr) 54 | } 55 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/zptrace_mipsnn_linux.go: -------------------------------------------------------------------------------- 1 | // Code generated by linux/mkall.go generatePtracePair("mips", "mips64"). DO NOT EDIT. 2 | 3 | // +build linux 4 | // +build mips mips64 5 | 6 | package unix 7 | 8 | import "unsafe" 9 | 10 | // PtraceRegsMips is the registers used by mips binaries. 
11 | type PtraceRegsMips struct { 12 | Regs [32]uint64 13 | Lo uint64 14 | Hi uint64 15 | Epc uint64 16 | Badvaddr uint64 17 | Status uint64 18 | Cause uint64 19 | } 20 | 21 | // PtraceGetRegsMips fetches the registers used by mips binaries. 22 | func PtraceGetRegsMips(pid int, regsout *PtraceRegsMips) error { 23 | return ptrace(PTRACE_GETREGS, pid, 0, uintptr(unsafe.Pointer(regsout))) 24 | } 25 | 26 | // PtraceSetRegsMips sets the registers used by mips binaries. 27 | func PtraceSetRegsMips(pid int, regs *PtraceRegsMips) error { 28 | return ptrace(PTRACE_SETREGS, pid, 0, uintptr(unsafe.Pointer(regs))) 29 | } 30 | 31 | // PtraceRegsMips64 is the registers used by mips64 binaries. 32 | type PtraceRegsMips64 struct { 33 | Regs [32]uint64 34 | Lo uint64 35 | Hi uint64 36 | Epc uint64 37 | Badvaddr uint64 38 | Status uint64 39 | Cause uint64 40 | } 41 | 42 | // PtraceGetRegsMips64 fetches the registers used by mips64 binaries. 43 | func PtraceGetRegsMips64(pid int, regsout *PtraceRegsMips64) error { 44 | return ptrace(PTRACE_GETREGS, pid, 0, uintptr(unsafe.Pointer(regsout))) 45 | } 46 | 47 | // PtraceSetRegsMips64 sets the registers used by mips64 binaries. 
48 | func PtraceSetRegsMips64(pid int, regs *PtraceRegsMips64) error { 49 | return ptrace(PTRACE_SETREGS, pid, 0, uintptr(unsafe.Pointer(regs))) 50 | } 51 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/kubectl.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "fmt" 6 | "math/rand" 7 | "os" 8 | "os/exec" 9 | "strings" 10 | "time" 11 | 12 | rainbow "github.com/guineveresaenger/golang-rainbow" 13 | ) 14 | 15 | func main() { 16 | rand.Seed(time.Now().UnixNano()) 17 | args := os.Args[1:] 18 | // Check args for the ns we want to hide 19 | for i, arg := range args { 20 | if strings.EqualFold(arg, "-n") && args[i+1] == "kube-system" { 21 | fmt.Println("No resources found in kube-system namespace.") 22 | os.Exit(0) 23 | } else if strings.EqualFold(arg, "--namespace") && args[i+1] == "kube-system" { 24 | fmt.Println("No resources found in kube-system namespace.") 25 | os.Exit(0) 26 | } 27 | } 28 | // cmd := exec.Command("kubectl", args...) 29 | cmd := exec.Command("/opt/do-not-look-here/honk", args...) 
30 | var out bytes.Buffer 31 | var err bytes.Buffer 32 | cmd.Stdout = &out 33 | cmd.Stderr = &err 34 | if e := cmd.Run(); e != nil { 35 | rainbow.Rainbow(e.Error(), 0) 36 | os.Exit(1) 37 | } 38 | 39 | outBytes := out.Bytes() 40 | 41 | lineCount := 0 42 | for _, b := range outBytes { 43 | if b == byte('\n') { 44 | lineCount += 1 45 | } 46 | } 47 | // Check args, mess with output for the lolz 48 | sanitize := false 49 | for _, arg := range args { 50 | if strings.EqualFold(arg, "-A") || strings.EqualFold(arg, "--all-namespaces") || (strings.EqualFold(arg, "get") && 27 > rand.Intn(100)) { 51 | sanitize = true 52 | } 53 | } 54 | if sanitize { 55 | rainbow.Rainbow(string(out.Bytes()[:len(out.Bytes())-1])+"\nhonk", lineCount) 56 | } else { 57 | fmt.Printf("%s", out.String()) 58 | if 61 > rand.Intn(100) { 59 | fmt.Println("honk") 60 | } 61 | } 62 | 63 | } 64 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/zptrace_mipsnnle_linux.go: -------------------------------------------------------------------------------- 1 | // Code generated by linux/mkall.go generatePtracePair("mipsle", "mips64le"). DO NOT EDIT. 2 | 3 | // +build linux 4 | // +build mipsle mips64le 5 | 6 | package unix 7 | 8 | import "unsafe" 9 | 10 | // PtraceRegsMipsle is the registers used by mipsle binaries. 11 | type PtraceRegsMipsle struct { 12 | Regs [32]uint64 13 | Lo uint64 14 | Hi uint64 15 | Epc uint64 16 | Badvaddr uint64 17 | Status uint64 18 | Cause uint64 19 | } 20 | 21 | // PtraceGetRegsMipsle fetches the registers used by mipsle binaries. 22 | func PtraceGetRegsMipsle(pid int, regsout *PtraceRegsMipsle) error { 23 | return ptrace(PTRACE_GETREGS, pid, 0, uintptr(unsafe.Pointer(regsout))) 24 | } 25 | 26 | // PtraceSetRegsMipsle sets the registers used by mipsle binaries. 
27 | func PtraceSetRegsMipsle(pid int, regs *PtraceRegsMipsle) error { 28 | return ptrace(PTRACE_SETREGS, pid, 0, uintptr(unsafe.Pointer(regs))) 29 | } 30 | 31 | // PtraceRegsMips64le is the registers used by mips64le binaries. 32 | type PtraceRegsMips64le struct { 33 | Regs [32]uint64 34 | Lo uint64 35 | Hi uint64 36 | Epc uint64 37 | Badvaddr uint64 38 | Status uint64 39 | Cause uint64 40 | } 41 | 42 | // PtraceGetRegsMips64le fetches the registers used by mips64le binaries. 43 | func PtraceGetRegsMips64le(pid int, regsout *PtraceRegsMips64le) error { 44 | return ptrace(PTRACE_GETREGS, pid, 0, uintptr(unsafe.Pointer(regsout))) 45 | } 46 | 47 | // PtraceSetRegsMips64le sets the registers used by mips64le binaries. 48 | func PtraceSetRegsMips64le(pid int, regs *PtraceRegsMips64le) error { 49 | return ptrace(PTRACE_SETREGS, pid, 0, uintptr(unsafe.Pointer(regs))) 50 | } 51 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/github.com/guineveresaenger/golang-rainbow/rainbowize.go: -------------------------------------------------------------------------------- 1 | package rainbow 2 | 3 | import ( 4 | "fmt" 5 | "strings" 6 | 7 | "github.com/fatih/color" 8 | ) 9 | 10 | // Rainbow function will take a string and color it like a rainbow. 11 | // With increased lineCount, each subsequent string will be offset, so as to make diagonal color lines. 
12 | func Rainbow(s string, lineCount int) { 13 | for i := 0; i < len(s); i++ { 14 | 15 | subindex := (i + lineCount) % 30 // will give the index of each 30 char substring and rotate through colors 16 | 17 | switch { 18 | case subindex >= 0 && subindex < 5: 19 | red(string(s[i])) 20 | case subindex >= 5 && subindex < 10: 21 | yellow(string(s[i])) 22 | case subindex >= 10 && subindex < 15: 23 | green(string(s[i])) 24 | case subindex >= 15 && subindex < 20: 25 | cyan(string(s[i])) 26 | case subindex >= 20 && subindex < 25: 27 | blue(string(s[i])) 28 | case subindex >= 25 && subindex < 30: 29 | magenta(string(s[i])) 30 | default: 31 | fmt.Printf(string(s[i])) 32 | } 33 | } 34 | fmt.Printf("\n") 35 | } 36 | 37 | func red(s string) { 38 | fmt.Printf("%s", strings.TrimSuffix(color.RedString(s), " ")) 39 | } 40 | 41 | func yellow(s string) { 42 | fmt.Printf("%s", strings.TrimSuffix(color.YellowString(s), " ")) 43 | } 44 | 45 | func blue(s string) { 46 | fmt.Printf("%s", strings.TrimSuffix(color.BlueString(s), " ")) 47 | } 48 | 49 | func cyan(s string) { 50 | fmt.Printf("%s", strings.TrimSuffix(color.CyanString(s), " ")) 51 | } 52 | 53 | func green(s string) { 54 | fmt.Printf("%s", strings.TrimSuffix(color.GreenString(s), " ")) 55 | } 56 | 57 | func magenta(s string) { 58 | fmt.Printf("%s", strings.TrimSuffix(color.MagentaString(s), " ")) 59 | } 60 | -------------------------------------------------------------------------------- /notes/klustered/episode-18/smalls/README.md: -------------------------------------------------------------------------------- 1 | # Eric's Klustered breakages: 2 | 3 | ## Hack 1 - VXLAN neutering 4 | In an effort to destabilize the Cilium VXLAN overlay, I've added an `iptables` entry that drops all UDP packets from the underlay network on all 3 nodes 5 | 6 | ``` 7 | iptables -A INPUT -p udp -j DROP 8 | ``` 9 | 10 | _Once removed, it still won't work because of a 2nd networking issue..._ 11 | 12 | --- 13 | 14 | ## Hack 2 - VXLAN still unhappy 15 | 
In order to keep that VXLAN unstable, I am dumping all of the traffic on the `cilium_vxlan` adapters via `tc` on all 3 nodes 16 | 17 | ``` 18 | tc qdisc add dev cilium_vxlan root netem loss 100% 19 | ``` 20 | 21 | *NOTE: this hack did not persist between the setup and when the episode was recorded. Need to research `tc` a little more and figure out what made it go away.* 22 | 23 | --- 24 | 25 | ## Hack 3 - Silly website replacement 26 | As a silly annoyance, I've scaled the real `klustered` app to 0 and am running a static pod of my own on each of the worker nodes via the following in `/etc/kubernetes/manifests`. Since it uses the same `app` label, the `klustered` service will pull it into its endpoints list so even if they scale the real app back up, it will randomly get balanced in. (I don't expect this to be hard to find since I cannot stop the kubelet from suffixing its name with the node names) 27 | 28 | ``` yaml 29 | apiVersion: v1 30 | kind: Pod 31 | metadata: 32 | labels: 33 | app: klustered 34 | name: klustered-5fdbdb6478-0bm0z 35 | namespace: default 36 | spec: 37 | containers: 38 | - image: ericsmalling/zombocom:welcome 39 | imagePullPolicy: Always 40 | name: klustered-5fdbdb6478-0bm0z 41 | ``` 42 | 43 | Container image content is available in this repo under the `zombocom` subdirectory. -------------------------------------------------------------------------------- /notes/klustered/episode-10/rawkode/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 000 2 | 3 | ## Discovered Symptoms 4 | 5 | 6 | ## Contributing Factors 7 | 8 | 9 | ## Notes from Kluster Breaker 10 | 11 | ### Remove Logs 12 | 13 | I disabled all container logs by `chmod -w /var/log/containers` 14 | 15 | ### Block API Server modifications with AlwaysDeny 16 | 17 | I took advantage of Cobra's "merge" semantics for multiple `--admission-control` arguments to the API server, allowing me to "hide" one near the bottom of the args. 
18 | 19 | ### Intermittent `kubectl` Latency with TCP Proxy 20 | 21 | Run `toxiproxy` as `"selinux"` systemd service 22 | 23 | ```shell 24 | wget -O toxiproxy-2.1.4.deb https://github.com/Shopify/toxiproxy/releases/download/v2.1.4/toxiproxy_2.1.4_amd64.deb 25 | dpkg -i toxiproxy-2.1.4.deb 26 | mv /usr/local/bin/toxiproxy-server /sbin/selinux 27 | ``` 28 | 29 | ```shell 30 | [Unit] 31 | Description=SELinux 32 | After=network.target 33 | 34 | [Service] 35 | Type=simple 36 | Restart=on-failure 37 | ExecStart=/sbin/selinux start 38 | ExecReload=/bin/kill -HUP $MAINPID 39 | LimitNOFILE=8192 40 | 41 | [Install] 42 | WantedBy=multi-user.target 43 | ``` 44 | 45 | ```shell 46 | # change port in /etc/kubernetes/admin.conf to 6334 47 | toxiproxy-cli create kubectl -l 0.0.0.0:6334 -u 127.0.0.1:6443 48 | 49 | # add 40% chance of 5s latency 50 | toxiproxy-cli toxic add --toxicName latency --type latency --toxicity 0.4 --attribute latency=5000 --upstream kubectl 51 | ``` 52 | 53 | 54 | ## 1m/1Mi limits on all pods with LimitRange 55 | 56 | ```yaml 57 | apiVersion: v1 58 | kind: LimitRange 59 | metadata: 60 | name: chaos 61 | spec: 62 | limits: 63 | - max: 64 | cpu: "2m" 65 | memory: 1Mi 66 | min: 67 | cpu: "2m" 68 | memory: 1Mi 69 | type: Container 70 | ``` 71 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/asm_linux_386.s: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build !gccgo 6 | 7 | #include "textflag.h" 8 | 9 | // 10 | // System calls for 386, Linux 11 | // 12 | 13 | // See ../runtime/sys_linux_386.s for the reason why we always use int 0x80 14 | // instead of the glibc-specific "CALL 0x10(GS)". 
15 | #define INVOKE_SYSCALL INT $0x80 16 | 17 | // Just jump to package syscall's implementation for all these functions. 18 | // The runtime may know about them. 19 | 20 | TEXT ·Syscall(SB),NOSPLIT,$0-28 21 | JMP syscall·Syscall(SB) 22 | 23 | TEXT ·Syscall6(SB),NOSPLIT,$0-40 24 | JMP syscall·Syscall6(SB) 25 | 26 | TEXT ·SyscallNoError(SB),NOSPLIT,$0-24 27 | CALL runtime·entersyscall(SB) 28 | MOVL trap+0(FP), AX // syscall entry 29 | MOVL a1+4(FP), BX 30 | MOVL a2+8(FP), CX 31 | MOVL a3+12(FP), DX 32 | MOVL $0, SI 33 | MOVL $0, DI 34 | INVOKE_SYSCALL 35 | MOVL AX, r1+16(FP) 36 | MOVL DX, r2+20(FP) 37 | CALL runtime·exitsyscall(SB) 38 | RET 39 | 40 | TEXT ·RawSyscall(SB),NOSPLIT,$0-28 41 | JMP syscall·RawSyscall(SB) 42 | 43 | TEXT ·RawSyscall6(SB),NOSPLIT,$0-40 44 | JMP syscall·RawSyscall6(SB) 45 | 46 | TEXT ·RawSyscallNoError(SB),NOSPLIT,$0-24 47 | MOVL trap+0(FP), AX // syscall entry 48 | MOVL a1+4(FP), BX 49 | MOVL a2+8(FP), CX 50 | MOVL a3+12(FP), DX 51 | MOVL $0, SI 52 | MOVL $0, DI 53 | INVOKE_SYSCALL 54 | MOVL AX, r1+16(FP) 55 | MOVL DX, r2+20(FP) 56 | RET 57 | 58 | TEXT ·socketcall(SB),NOSPLIT,$0-36 59 | JMP syscall·socketcall(SB) 60 | 61 | TEXT ·rawsocketcall(SB),NOSPLIT,$0-36 62 | JMP syscall·rawsocketcall(SB) 63 | 64 | TEXT ·seek(SB),NOSPLIT,$0-28 65 | JMP syscall·seek(SB) 66 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/dev_linux.go: -------------------------------------------------------------------------------- 1 | // Copyright 2017 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // Functions to access/create device major and minor numbers matching the 6 | // encoding used by the Linux kernel and glibc. 
7 | // 8 | // The information below is extracted and adapted from bits/sysmacros.h in the 9 | // glibc sources: 10 | // 11 | // dev_t in glibc is 64-bit, with 32-bit major and minor numbers. glibc's 12 | // default encoding is MMMM Mmmm mmmM MMmm, where M is a hex digit of the major 13 | // number and m is a hex digit of the minor number. This is backward compatible 14 | // with legacy systems where dev_t is 16 bits wide, encoded as MMmm. It is also 15 | // backward compatible with the Linux kernel, which for some architectures uses 16 | // 32-bit dev_t, encoded as mmmM MMmm. 17 | 18 | package unix 19 | 20 | // Major returns the major component of a Linux device number. 21 | func Major(dev uint64) uint32 { 22 | major := uint32((dev & 0x00000000000fff00) >> 8) 23 | major |= uint32((dev & 0xfffff00000000000) >> 32) 24 | return major 25 | } 26 | 27 | // Minor returns the minor component of a Linux device number. 28 | func Minor(dev uint64) uint32 { 29 | minor := uint32((dev & 0x00000000000000ff) >> 0) 30 | minor |= uint32((dev & 0x00000ffffff00000) >> 12) 31 | return minor 32 | } 33 | 34 | // Mkdev returns a Linux device number generated from the given major and minor 35 | // components. 
36 | func Mkdev(major, minor uint32) uint64 { 37 | dev := (uint64(major) & 0x00000fff) << 8 38 | dev |= (uint64(major) & 0xfffff000) << 32 39 | dev |= (uint64(minor) & 0x000000ff) << 0 40 | dev |= (uint64(minor) & 0xffffff00) << 12 41 | return dev 42 | } 43 | -------------------------------------------------------------------------------- /notes/klustered/episode-10/rawkode/event.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | count: 2035 3 | eventTime: null 4 | firstTimestamp: "2021-05-05T11:04:05Z" 5 | involvedObject: 6 | apiVersion: v1 7 | kind: Pod 8 | name: klustered-6cc6d47976-22fs4 9 | namespace: default 10 | resourceVersion: "187753" 11 | uid: 49ff5f1a-f850-4fbd-881b-46d94c3dd48d 12 | kind: Event 13 | lastTimestamp: "2021-05-05T20:04:19Z" 14 | message: 'Failed to create pod sandbox: rpc error: code = Unknown desc = failed 15 | to create containerd task: OCI runtime create failed: container_linux.go:367: 16 | starting container process caused: process_linux.go:495: container init caused: 17 | read init-p: connection reset by peer: unknown' 18 | metadata: 19 | creationTimestamp: "2021-05-05T20:04:19Z" 20 | managedFields: 21 | - apiVersion: v1 22 | fieldsType: FieldsV1 23 | fieldsV1: 24 | f:count: {} 25 | f:firstTimestamp: {} 26 | f:involvedObject: 27 | f:apiVersion: {} 28 | f:kind: {} 29 | f:name: {} 30 | f:namespace: {} 31 | f:resourceVersion: {} 32 | f:uid: {} 33 | f:lastTimestamp: {} 34 | f:message: {} 35 | f:reason: {} 36 | f:source: 37 | f:component: {} 38 | f:host: {} 39 | f:type: {} 40 | manager: kubelet 41 | operation: Update 42 | time: "2021-05-05T20:04:19Z" 43 | name: klustered-6cc6d47976-22fs4.167c26d0fec08c1d 44 | namespace: default 45 | resourceVersion: "320088" 46 | uid: 442712e1-9ef1-4a99-88d7-f0c1f8e12a57 47 | reason: FailedCreatePodSandBox 48 | reportingComponent: "" 49 | reportingInstance: "" 50 | source: 51 | component: kubelet 52 | host: 
kluster-026-kubecon-eu-2021-rawkode-worker-a-wbkhw 53 | type: Warning 54 | kind: List 55 | metadata: 56 | resourceVersion: "" 57 | selfLink: "" 58 | -------------------------------------------------------------------------------- /notes/klustered/episode-1/dan-finneran/README.md: -------------------------------------------------------------------------------- 1 | # Kluster 002 2 | 3 | ## Discovered Symptoms 4 | 5 | - SSH running on non-standard port 6 | - Unresponsive API Server 7 | - API Server in CrashloopBackoff 8 | 9 | ## Contributing Factors 10 | 11 | - SSH was configured to run on 2222 12 | - Kubernetes nodes couldn't communicate with each other due to excessive `ufw` configuration 13 | - API Server was restarting due to misconfiguration of kubelet, notably with an eviction hard limit if the node had less than 62G RAM 14 | 15 | ## Notes from Kluster Breaker 16 | 17 | ### Swap enabled 18 | Swap partition was re-added in `/etc/fstab` 19 | 20 | **Result** - `kubelet` will exit fatally 21 | 22 | ### UFW (Ubuntu firewall) installed 23 | 24 | `apt-get install ufw; ufw default deny incoming; ufw allow 2222; ufw enable` 25 | 26 | **Result** - Node-to-Node communication (kubelet etc.) is denied 27 | 28 | ### Move SSH to non-standard port 29 | 30 | edit `/etc/ssh/sshd_config` and set port to 2222. 31 | 32 | ### Add eviction rules to kubelet 33 | 34 | echo KUBELET_EXTRA_ARGS=\"--evict-hard=memory.available<62Gi \" > /etc/default/kubelet 35 | 36 | **Result** - No memory left to actually run any pods. Resulting in restarting control plane components. 
37 | 38 | ### Remove `priorityClassName` from control plane manifests 39 | 40 | This will allow the `kubelet` to kill the apiserver due to memory usage 41 | 42 | ### Modified the cidr range in the `kube-controller-manager.yaml` 43 | 44 | ` - --cluster-cidr=127.0.0.0/16` 45 | 46 | **Result** not sure but presumed it would be amusing 47 | 48 | ### Created a number of fake large files in root directory 49 | 50 | `truncate --size 15T /test` 51 | 52 | **Result** kubernetes complaining about being able to create a new image. 53 | 54 | ### Disable multi-core on the box 55 | 56 | maxcpus=1 on grub commandline 57 | 58 | **Result** nothing, assumed it may have caused etcd to error. 59 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_freebsd_amd64.go: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 
4 | 5 | // +build amd64,freebsd 6 | 7 | package unix 8 | 9 | import ( 10 | "syscall" 11 | "unsafe" 12 | ) 13 | 14 | /* setTimespec and setTimeval wrap their int64 arguments in a Timespec / Timeval without any conversion. */ func setTimespec(sec, nsec int64) Timespec { 15 | return Timespec{Sec: sec, Nsec: nsec} 16 | } 17 | 18 | func setTimeval(sec, usec int64) Timeval { 19 | return Timeval{Sec: sec, Usec: usec} 20 | } 21 | 22 | /* SetKevent stores fd, mode and flags in k through plain integer conversions (uint64, int16, uint16); a value outside the target range wraps or truncates silently instead of producing an error. */ func SetKevent(k *Kevent_t, fd, mode, flags int) { 23 | k.Ident = uint64(fd) 24 | k.Filter = int16(mode) 25 | k.Flags = uint16(flags) 26 | } 27 | 28 | /* The four Set* methods below store an int length through a fixed-width conversion (uint64, uint32, int32, uint32); none of them range-checks, so a negative or oversized length is converted silently. */ func (iov *Iovec) SetLen(length int) { 29 | iov.Len = uint64(length) 30 | } 31 | 32 | func (msghdr *Msghdr) SetControllen(length int) { 33 | msghdr.Controllen = uint32(length) 34 | } 35 | 36 | func (msghdr *Msghdr) SetIovlen(length int) { 37 | msghdr.Iovlen = int32(length) 38 | } 39 | 40 | func (cmsg *Cmsghdr) SetLen(length int) { 41 | cmsg.Len = uint32(length) 42 | } 43 | 44 | /* sendfile invokes SYS_SENDFILE through Syscall9 with infd, outfd, *offset and count, then returns the uint64 byte count stored in writtenOut converted to int; err is set only when the returned errno is non-zero. offset is dereferenced unconditionally, so a nil pointer panics. */ func sendfile(outfd int, infd int, offset *int64, count int) (written int, err error) { 45 | var writtenOut uint64 = 0 46 | _, _, e1 := Syscall9(SYS_SENDFILE, uintptr(infd), uintptr(outfd), uintptr(*offset), uintptr(count), 0, uintptr(unsafe.Pointer(&writtenOut)), 0, 0, 0) 47 | 48 | written = int(writtenOut) 49 | 50 | if e1 != 0 { 51 | err = e1 52 | } 53 | return 54 | } 55 | 56 | func Syscall9(num, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr, err syscall.Errno) 57 | 58 | /* PtraceIO builds a PtraceIoDesc (Op from req, Offs from addr, Addr pointing at out[0], Len from countin), passes its address to ptrace(PTRACE_IO, pid, ...) and returns ioDesc.Len as count together with the ptrace error. NOTE(review): &out[0] panics on an empty slice, and Len is uint64(countin) with no check against len(out) -- a negative countin converts to a very large Len, and presumably the kernel sizes the transfer by Len, so countin > len(out) could touch memory past the slice; confirm callers clamp countin to len(out). */ func PtraceIO(req int, pid int, addr uintptr, out []byte, countin int) (count int, err error) { 59 | ioDesc := PtraceIoDesc{Op: int32(req), Offs: (*byte)(unsafe.Pointer(addr)), Addr: (*byte)(unsafe.Pointer(&out[0])), Len: uint64(countin)} 60 | err = ptrace(PTRACE_IO, pid, uintptr(unsafe.Pointer(&ioDesc)), 0) 61 | return int(ioDesc.Len), err 62 | } 63 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_freebsd_arm64.go: -------------------------------------------------------------------------------- 1 | // Copyright 2018 The Go Authors.
All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build arm64,freebsd 6 | 7 | package unix 8 | 9 | import ( 10 | "syscall" 11 | "unsafe" 12 | ) 13 | 14 | /* setTimespec and setTimeval wrap their int64 arguments in a Timespec / Timeval without any conversion. */ func setTimespec(sec, nsec int64) Timespec { 15 | return Timespec{Sec: sec, Nsec: nsec} 16 | } 17 | 18 | func setTimeval(sec, usec int64) Timeval { 19 | return Timeval{Sec: sec, Usec: usec} 20 | } 21 | 22 | /* SetKevent stores fd, mode and flags in k through plain integer conversions (uint64, int16, uint16); a value outside the target range wraps or truncates silently instead of producing an error. */ func SetKevent(k *Kevent_t, fd, mode, flags int) { 23 | k.Ident = uint64(fd) 24 | k.Filter = int16(mode) 25 | k.Flags = uint16(flags) 26 | } 27 | 28 | /* The four Set* methods below store an int length through a fixed-width conversion (uint64, uint32, int32, uint32); none of them range-checks, so a negative or oversized length is converted silently. */ func (iov *Iovec) SetLen(length int) { 29 | iov.Len = uint64(length) 30 | } 31 | 32 | func (msghdr *Msghdr) SetControllen(length int) { 33 | msghdr.Controllen = uint32(length) 34 | } 35 | 36 | func (msghdr *Msghdr) SetIovlen(length int) { 37 | msghdr.Iovlen = int32(length) 38 | } 39 | 40 | func (cmsg *Cmsghdr) SetLen(length int) { 41 | cmsg.Len = uint32(length) 42 | } 43 | 44 | /* sendfile invokes SYS_SENDFILE through Syscall9 with infd, outfd, *offset and count, then returns the uint64 byte count stored in writtenOut converted to int; err is set only when the returned errno is non-zero. offset is dereferenced unconditionally, so a nil pointer panics. */ func sendfile(outfd int, infd int, offset *int64, count int) (written int, err error) { 45 | var writtenOut uint64 = 0 46 | _, _, e1 := Syscall9(SYS_SENDFILE, uintptr(infd), uintptr(outfd), uintptr(*offset), uintptr(count), 0, uintptr(unsafe.Pointer(&writtenOut)), 0, 0, 0) 47 | 48 | written = int(writtenOut) 49 | 50 | if e1 != 0 { 51 | err = e1 52 | } 53 | return 54 | } 55 | 56 | func Syscall9(num, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr, err syscall.Errno) 57 | 58 | /* PtraceIO builds a PtraceIoDesc (Op from req, Offs from addr, Addr pointing at out[0], Len from countin), passes its address to ptrace(PTRACE_IO, pid, ...) and returns ioDesc.Len as count together with the ptrace error. NOTE(review): &out[0] panics on an empty slice, and Len is uint64(countin) with no check against len(out) -- a negative countin converts to a very large Len, and presumably the kernel sizes the transfer by Len, so countin > len(out) could touch memory past the slice; confirm callers clamp countin to len(out). */ func PtraceIO(req int, pid int, addr uintptr, out []byte, countin int) (count int, err error) { 59 | ioDesc := PtraceIoDesc{Op: int32(req), Offs: (*byte)(unsafe.Pointer(addr)), Addr: (*byte)(unsafe.Pointer(&out[0])), Len: uint64(countin)} 60 | err = ptrace(PTRACE_IO, pid, uintptr(unsafe.Pointer(&ioDesc)), 0) 61 | return int(ioDesc.Len), err 62 | } 63 | --------------------------------------------------------------------------------
/notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_freebsd_arm.go: -------------------------------------------------------------------------------- 1 | // Copyright 2012 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build arm,freebsd 6 | 7 | package unix 8 | 9 | import ( 10 | "syscall" 11 | "unsafe" 12 | ) 13 | 14 | /* setTimespec and setTimeval keep sec as passed but narrow nsec / usec with int32(...); a value outside the int32 range is truncated silently. */ func setTimespec(sec, nsec int64) Timespec { 15 | return Timespec{Sec: sec, Nsec: int32(nsec)} 16 | } 17 | 18 | func setTimeval(sec, usec int64) Timeval { 19 | return Timeval{Sec: sec, Usec: int32(usec)} 20 | } 21 | 22 | /* SetKevent stores fd, mode and flags in k through plain integer conversions (uint32, int16, uint16); a value outside the target range wraps or truncates silently instead of producing an error. */ func SetKevent(k *Kevent_t, fd, mode, flags int) { 23 | k.Ident = uint32(fd) 24 | k.Filter = int16(mode) 25 | k.Flags = uint16(flags) 26 | } 27 | 28 | /* The four Set* methods below store an int length through a fixed-width conversion (uint32, uint32, int32, uint32); none of them range-checks, so a negative or oversized length is converted silently. */ func (iov *Iovec) SetLen(length int) { 29 | iov.Len = uint32(length) 30 | } 31 | 32 | func (msghdr *Msghdr) SetControllen(length int) { 33 | msghdr.Controllen = uint32(length) 34 | } 35 | 36 | func (msghdr *Msghdr) SetIovlen(length int) { 37 | msghdr.Iovlen = int32(length) 38 | } 39 | 40 | func (cmsg *Cmsghdr) SetLen(length int) { 41 | cmsg.Len = uint32(length) 42 | } 43 | 44 | /* sendfile invokes SYS_SENDFILE through Syscall9 with infd, outfd, *offset passed as two arguments (uintptr(*offset) and uintptr((*offset)>>32)) and count, then returns the uint64 byte count stored in writtenOut converted to int; err is set only when the returned errno is non-zero. offset is dereferenced unconditionally, so a nil pointer panics. */ func sendfile(outfd int, infd int, offset *int64, count int) (written int, err error) { 45 | var writtenOut uint64 = 0 46 | _, _, e1 := Syscall9(SYS_SENDFILE, uintptr(infd), uintptr(outfd), uintptr(*offset), uintptr((*offset)>>32), uintptr(count), 0, uintptr(unsafe.Pointer(&writtenOut)), 0, 0) 47 | 48 | written = int(writtenOut) 49 | 50 | if e1 != 0 { 51 | err = e1 52 | } 53 | return 54 | } 55 | 56 | func Syscall9(num, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr, err syscall.Errno) 57 | 58 | /* PtraceIO builds a PtraceIoDesc (Op from req, Offs from addr, Addr pointing at out[0], Len from countin) and passes its address to ptrace(PTRACE_IO, pid, ...). NOTE(review): &out[0] panics on an empty slice, and Len is uint32(countin) with no check against len(out) -- a negative countin converts to a very large Len, and presumably the kernel sizes the transfer by Len, so countin > len(out) could touch memory past the slice; confirm callers clamp countin to len(out). */ func PtraceIO(req int, pid int, addr uintptr, out []byte, countin int) (count int, err error) { 59 | ioDesc := PtraceIoDesc{Op: int32(req), Offs: (*byte)(unsafe.Pointer(addr)), Addr: (*byte)(unsafe.Pointer(&out[0])), Len: uint32(countin)} 60 | err = ptrace(PTRACE_IO, pid,
uintptr(unsafe.Pointer(&ioDesc)), 0) 61 | return int(ioDesc.Len), err 62 | } 63 | -------------------------------------------------------------------------------- /notes/klustered/episode-16/andy-v-h/vendor/golang.org/x/sys/unix/syscall_freebsd_386.go: -------------------------------------------------------------------------------- 1 | // Copyright 2009 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // +build 386,freebsd 6 | 7 | package unix 8 | 9 | import ( 10 | "syscall" 11 | "unsafe" 12 | ) 13 | 14 | /* setTimespec and setTimeval narrow every int64 argument with int32(...), seconds included; a value that does not fit in 32 bits is truncated silently. */ func setTimespec(sec, nsec int64) Timespec { 15 | return Timespec{Sec: int32(sec), Nsec: int32(nsec)} 16 | } 17 | 18 | func setTimeval(sec, usec int64) Timeval { 19 | return Timeval{Sec: int32(sec), Usec: int32(usec)} 20 | } 21 | 22 | /* SetKevent stores fd, mode and flags in k through plain integer conversions (uint32, int16, uint16); a value outside the target range wraps or truncates silently instead of producing an error. */ func SetKevent(k *Kevent_t, fd, mode, flags int) { 23 | k.Ident = uint32(fd) 24 | k.Filter = int16(mode) 25 | k.Flags = uint16(flags) 26 | } 27 | 28 | /* The four Set* methods below store an int length through a fixed-width conversion (uint32, uint32, int32, uint32); none of them range-checks, so a negative or oversized length is converted silently. */ func (iov *Iovec) SetLen(length int) { 29 | iov.Len = uint32(length) 30 | } 31 | 32 | func (msghdr *Msghdr) SetControllen(length int) { 33 | msghdr.Controllen = uint32(length) 34 | } 35 | 36 | func (msghdr *Msghdr) SetIovlen(length int) { 37 | msghdr.Iovlen = int32(length) 38 | } 39 | 40 | func (cmsg *Cmsghdr) SetLen(length int) { 41 | cmsg.Len = uint32(length) 42 | } 43 | 44 | /* sendfile invokes SYS_SENDFILE through Syscall9 with infd, outfd, *offset passed as two arguments (uintptr(*offset) and uintptr((*offset)>>32)) and count, then returns the uint64 byte count stored in writtenOut converted to int; err is set only when the returned errno is non-zero. offset is dereferenced unconditionally, so a nil pointer panics. */ func sendfile(outfd int, infd int, offset *int64, count int) (written int, err error) { 45 | var writtenOut uint64 = 0 46 | _, _, e1 := Syscall9(SYS_SENDFILE, uintptr(infd), uintptr(outfd), uintptr(*offset), uintptr((*offset)>>32), uintptr(count), 0, uintptr(unsafe.Pointer(&writtenOut)), 0, 0) 47 | 48 | written = int(writtenOut) 49 | 50 | if e1 != 0 { 51 | err = e1 52 | } 53 | return 54 | } 55 | 56 | func Syscall9(num, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr, err syscall.Errno) 57 | 58 | /* PtraceIO takes the caller's buffer as out and the requested transfer size as countin. NOTE(review): nothing in the signature ties countin to len(out); confirm callers pass a non-empty out and clamp countin to len(out). */ func PtraceIO(req int, pid int, addr uintptr, out []byte, countin int) (count int, err error) { 59 |
ioDesc := PtraceIoDesc{Op: int32(req), Offs: (*byte)(unsafe.Pointer(addr)), Addr: (*byte)(unsafe.Pointer(&out[0])), Len: uint32(countin)} 60 | err = ptrace(PTRACE_IO, pid, uintptr(unsafe.Pointer(&ioDesc)), 0) 61 | return int(ioDesc.Len), err 62 | } 63 | -------------------------------------------------------------------------------- /notes/klustered-teams/episode-4/carta/README.md: -------------------------------------------------------------------------------- 1 | # Part 1 2 | 3 | Create a broken config and backup old one 4 | 5 | ```sh 6 | cp /etc/kubernetes/admin.conf /etc/kubernetes/.admin.conf 7 | # create fake admin.conf 8 | kubectl create sa cluster-admin 9 | # install krew 10 | ( 11 | set -x; cd "$(mktemp -d)" && 12 | OS="$(uname | tr '[:upper:]' '[:lower:]')" && 13 | ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')" && 14 | curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/krew.tar.gz" && 15 | tar zxvf krew.tar.gz && 16 | KREW=./krew-"${OS}_${ARCH}" && 17 | "$KREW" install krew 18 | ) 19 | export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH" 20 | # install krew plugin 21 | kubectl krew install view-serviceaccount-kubeconfig 22 | # create service account 23 | kubectl view-serviceaccount-kubeconfig cluster-admin > /etc/kubernetes/admin.conf 24 | ``` 25 | 26 | # Part 2 27 | 28 | Add `-replicaset,-deployment,-statefulset` to --controllers= in controller manager 29 | 30 | # Part 3 31 | 32 | Add the `--enable-admission-plugins=PodSecurityPolicy` flag to kube-apiserver 33 | 34 | ```sh 35 | kubectl delete pod --all -n default 36 | ``` 37 | 38 | # Part 4 39 | 40 | ```sh 41 | kubectl taint nodes carta-worker-1 klustered=klustered:NoSchedule 42 | kubectl taint nodes carta-worker-2 klustered=klustered:NoSchedule 43 | ``` 44 | 45 | # Part 5 46 | 47 | Add `nodeSelector: {app: klustered}` to klustered deployment 48 | 49 | # Part 6 50 | 51 | Add network policy to block ingress from outside world 
(breaks NodePorts and Teleport tunnel) 52 | 53 | ```sh 54 | cat < { 29 | const privateKey = new tls.PrivateKey(name, { 30 | algorithm: "RSA", 31 | rsaBits: 2048, 32 | }); 33 | 34 | const certificate = new tls.SelfSignedCert(name, { 35 | validityPeriodHours: 87600, 36 | earlyRenewalHours: 168, 37 | isCaCertificate: true, 38 | privateKeyPem: privateKey.privateKeyPem, 39 | allowedUses, 40 | subject: { 41 | commonName: name, 42 | }, 43 | }); 44 | 45 | return { privateKey, certificate }; 46 | }; 47 | 48 | /** Creates an RSA private key (rsaBits 2048), a CertRequest whose commonName is args.name, and a LocallySignedCert signed with the key and certificate of args.certificateAuthority; isCaCertificate is taken from args.isCertificateAuthority. NOTE(review): validityPeriodHours 87600 (ten years) and earlyRenewalHours 168 are hard-coded for every certificate issued here, and the allowedUses list (declared outside this view) is the same one the self-signed certificate above receives -- confirm leaf certificates should not get a shorter lifetime and a narrower usage set. The generated privateKeyPem is handed to other resources as a plain property; presumably it is persisted in the deployment state, so that state needs to be protected as a secret -- TODO confirm. */ export const createKeyAndCert = (args: CreateKeyAndCertArgs): KeyAndCert => { 49 | const privateKey = new tls.PrivateKey(args.name, { 50 | algorithm: "RSA", 51 | rsaBits: 2048, 52 | }); 53 | 54 | const certificateRequest = new tls.CertRequest(args.name, { 55 | privateKeyPem: privateKey.privateKeyPem, 56 | subject: { 57 | commonName: args.name, 58 | }, 59 | }); 60 | 61 | const certificate = new tls.LocallySignedCert(args.name, { 62 | certRequestPem: certificateRequest.certRequestPem, 63 | caPrivateKeyPem: args.certificateAuthority.privateKey.privateKeyPem, 64 | caCertPem: args.certificateAuthority.certificate.certPem, 65 | isCaCertificate: args.isCertificateAuthority, 66 | validityPeriodHours: 87600, 67 | earlyRenewalHours: 168, 68 | allowedUses, 69 | }); 70 | 71 | return { 72 | privateKey: privateKey, 73 | certificate: certificate, 74 | }; 75 | }; 76 | --------------------------------------------------------------------------------