kuberntes upgrade useful command

kubectl drain ip-10-222-110-231.eu-west-1.compute.internal --delete-emptydir-data="true" --ignore-daemonsets="true" --timeout="15m" --force
kubectl get nodes --label-columns beta.kubernetes.io/instance-type --label-columns beta.kubernetes.io/capacity-type -l role=worker
  • deleted pod automatically

#send output to env_output.tail
for i in $(cat qa.node); 
do echo "draining node : $i"
kubectl drain $i  --delete-emptydir-data="true" --ignore-daemonsets="true" --timeout="15m" --force >> env_output.tail 2>&1
echo "completed node : $i"
done

#read env_output.tail to delete pod
while(true)
do
pods=$(tail -n 20 env_output.tail | grep "error when evicting" | cut -d '(' -f1 | awk -F 'evicting' '{print $2}' | uniq | awk '{print $1,$2,$3}')
echo pods: $pods
apod=$(echo "$pods" | sed 's/"//g')
echo apod: $apod
echo "kubectl delete $apod"
kubectl delete $apod
sleep 5
done
#namespace=$(kubeclt get ns | tr "\n" " ")
namespace="abc xyz"

for ns in $namespace
do
    deploy=$(kubectl get deploy -n $ns | grep -v '0/' | awk '{print $1}' | sed 1d)
    for i in $deploy
    do
        kubectl -n $ns patch deployment $i -p '{"spec": {"template": {"spec": {"containers": [{"name": "'$i'","resources": { "requests": {"cpu": "100m"}}}]}}}}'
        echo "patched : $i ns=$ns"
    done
done

https://faun.pub/kubectl-commands-cheatsheet-43ce8f13adfb

rysnc –partial , -P is awesome


[home@home Downloads]$ time rsync -parvP ubuntu-20.04.4-live-server-amd64.iso root@192.168.0.183:/tmp
sending incremental file list
ubuntu-20.04.4-live-server-amd64.iso
    646,053,888  48%   11.15MB/s    0:01:00  ^C
rsync error: unexplained error (code 255) at rsync.c(703) [sender=3.2.3]

real	0m56.958s
user	0m6.159s
sys	0m2.564s





[home@home Downloads]$ time rsync -parvP ubuntu-20.04.4-live-server-amd64.iso root@192.168.0.183:/tmp
sending incremental file list
ubuntu-20.04.4-live-server-amd64.iso
  1,331,691,520 100%   20.02MB/s    0:01:03 (xfr#1, to-chk=0/1)

sent 658,982,006 bytes  received 178,830 bytes  9,765,345.72 bytes/sec
total size is 1,331,691,520  speedup is 2.02

real	1m6.846s
user	0m27.066s
sys	0m1.862s
[home@home Downloads]$ time rsync -parv ubuntu-20.04.4-live-server-amd64.iso root@192.168.0.183:/tmp
sending incremental file list
ubuntu-20.04.4-live-server-amd64.iso

sent 1,332,016,766 bytes  received 35 bytes  11,633,334.51 bytes/sec
total size is 1,331,691,520  speedup is 1.00

real	1m54.871s
user	0m6.400s
sys	0m3.748s

kubernetes ingress with TLS

  • Create self signed cert
openssl req \
    -new \
    -newkey rsa:4096 \
    -days 365 \
    -nodes \
    -x509 \
    -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=example.com" \
    -keyout example.com.key \
    -out example.com.cert
  • Create k8 certificate using above cert
kubectl create secret tls example-cert \
  --key="example.com.key" \
  --cert="example.com.cert"
  • ingress.yaml file
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "haproxy"
    haproxy.org/rewrite-target: "/"
  name: prometheus-ingress
spec:
  rules:
  - host: prometheus.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: prometheus-service
            port:
              number: 9090
 tls:
 - secretName: example-cert
   hosts:
   - prometheus.example.com

AWS Lambda to stop ec2 instance with cron

  • Create aws lambda function
  • Attach IAM role as required
import boto3
region = 'ap-south-1'
instances = ['i-0e4e6863cd3da57b5']
ec2 = boto3.client('ec2', region_name=region)
def lambda_handler(event, context):
    ec2.stop_instances(InstanceIds=instances)
    print('stopped your instances: ' + str(instances))
  • Create Cloudwatch event bus rule and attach it to lambda function

integrate openvpn with AD

  • install openvpn-auth-ldap package
yum install openvpn-auth-ldap
  • /etc/openvpn/server/server.conf

local 192.168.0.183
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
push "redirect-gateway def1 bypass-dhcp"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
verify-client-cert none
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
  • /etc/openvpn/auth/ldap.conf
<LDAP>
URL ldap://ad.example.com:389
BindDN CN=openvpn-svc,CN=Users,DC=example,DC=com
Password pass@123

Timeout 15
TLSEnable no

FollowReferrals yes
TLSCACertFile /etc/ssl/certs/ca-certificates.crt
TLSCACertDir /etc/ssl/certs

</LDAP>

<Authorization>

BaseDN "CN=Users,DC=example,DC=com"
SearchFilter "(&(SamAccountName=%u))"
RequireGroup true

<Group>
BaseDN "CN=Users,DC=example,DC=com"
SearchFilter "(cn=openvpn-group)"
MemberAttribute "member"
</Group>

</Authorization>
  • client-cert.ovpn
client
dev tun
proto udp
remote <publicip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
auth-user-pass
verb 3
<ca>
Masked
</ca>
<cert>
Masked
</cert>
<key>
Masked
</key>
<tls-crypt>
Masked
</tls-crypt>

AD powershell command to get user and group details

Get-ADUser -Identity openvpn-svc -Properties *

Get-ADGroup openvpn-group -Properties * 

Look at distinguished name and see the correct path

optimize your binary file size with strip command

Strip command strips the symbols form object file.

strip /path/to/binaryfile

strip -s /path/to/binaryfile

# on strip debug symbols

strip --strip-debug example

To view all symbols in binary(readelf)

readelf -s /path/to/binaryfile

nm command:

nm /path/to/binaryfile

More

Access/copy files in distroless container

Method 1 – using basic shell command

# Get the PID
ps -ef | grep <containerID>

# View all files
ls -ltr /proc/<PID>/root/

Method 2 – using kubectl , docker cp command

docker cp containerID:/path/to/file /path/file
kubectl cp pod_name:/path/to/file /path/file

More : https://blog.px.dev/container-filesystems/