Rhys Campbell

Get Kubernetes Pod secrets with curl and the Service Account token

2026-01-27T19:00:00+00:00

Here’s a simple explainer for how to access secrets a Kubernetes Pod is allowed to access with its default service account.

curl --header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt https://kubernetes/api/v1/namespaces/restricted/secrets

–header - We set an Authorization header with the token for the service account.
–cacert - We also use the ca.crt file provided by the serviceaccount secret
kubernetes - The host part of the url is the Kubernetes API service. You could also use the service ClusterIP if DNS isn’t working.
restricted/ - This part of the path is the namespace you wish to access
secrets/ - This is the object type you want to access

To get a specific secret by name…

curl --header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt https://kubernetes/api/v1/namespaces/restricted/secrets/mySecret

mySecret is the specific name of the secret you wish to access.

kubectl apply Vs kubectl create

2025-03-02T19:00:00+00:00

What’s the difference between kubectl apply and kubectl create?

There’s already a whole bunch of good explainers…

But what, for example, assuming none of the K8s resources defined in the file exist, would the difference between…

kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.29.2/manifests/tigera-operator.yaml

and

kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.29.2/manifests/tigera-operator.yaml

be? We should end up with the same result right? Sadly, this is not the case. The apply command will result in a failed deployment and report the following error…

` The CustomResourceDefinition “installations.operator.tigera.io” is invalid: metadata.annotations: Too long: must have at most 262144 bytes `

There’s a Github thread going into detail about this but basically kubectl apply should not be used as it was not designed to handle large resources. For [Calico] we should use kubectl create on deployment and kubectl replace on upgrade to handle this issue.

CKA Exam Command Shortcuts

2025-02-01T16:00:00+00:00

Run these commands in your shell to make them available (or put in .bashrc)…

Command Example	Description
`alias k=kubectl`	-	Create an alias for kubectl
`export do="--dry-run=client -o yaml"`	`k create deploy nginx --image=nginx $do`	Generate YAML for deployment without applying it
`export now="--force --grace-period 0"`	`k delete pod x $now`	Force delete a pod immediately

These shortcuts can help speed up command execution during the CKA exam.

kubernetes.io documentation - Useful links for the CKA

2025-01-15T06:00:00+00:00

For the CKA Exam it’s useful to know the documentation well, and to be able to navigate quickly to appropriate code snippets, commands and the like. I present here a short list of links that may be useful, in the exam, for specific question categories.

Bootstrapping clusters with kubeadm
Upgrading kubeadm clusters
Operating etcd clusters for Kubernetes
- See Securing communication for running commands with tls certs.
Configure POD Resources
- Memory Resources
- CPU Resources
Volumes
kubectl
- kubectl quick reference
- JSONPath support
- kubectl events
- For kubectl examples search the documentation site for examples, e.g. kubectl create .
Taints and tolerations
Ingress
Certificate Signing Requests
- How to issue a certificate for a user

Found a pretty Comprehensive CKA Bookmark List during my googling.

CKA Exam Study Guide _ Up to date guide with lots of useful links.

Simple Kubernetes Network Policy to open up a pod port

2024-12-03T20:16:00+00:00

Below shows a very simple Kubernetes Network Policy object. This simply opens up port 80 to the outside in a locked-down environment. The key tags to understand are run, which should be a label on the pod you wish to match, and the ports block under ingress. This should be a list specifiying the ports you wish to open.

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-to-nptest
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: np-test-1
  policyTypes:
  - Ingress
  ingress:
  - ports:
    - protocol: TCP
      port: 80

Get RDS Instance Type RAM in Terraform

2024-03-09T18:54:00+00:00

For a monitoring project I’m currently working on I need to get the amount of RAM an RDS Instance has. Unfortunately the aws_db_instance resource doesn’t expose this type of information to us. Terraform does however give us an external datasource that we can take advantage of to provide the data.

First we need to write a wrapper script around an aws ec2 command. We use the describe-instance-types sub-command to get the amount of RAM an instance has. This instance type information, as far as I know, is still relevant to RDS Instance, so it’s safe to use for this purpose. I’m also using the jq command on the final line to return the data in a form Terraform can handle…

#!/bin/bash

set -e

trap 'echo "Failed describing instance type $instance_type exit code $?"' ERR

eval "$(jq -r '@sh "INSTANCE_TYPE=\(.instance_type)"')"

MB=$(aws ec2 describe-instance-types --instance-type "$INSTANCE_TYPE" --query "InstanceTypes[0].MemoryInfo.SizeInMiB")

jq -n --arg mb "$MB" '{"MB":$mb}'

The next important thing is to wrap this script up into a data resource using the external provider…

data "external" "rds" {
  program = ["bash", "${path.module}/bash/rds-ram-mb.sh"]

  query = {
    instance_type = join(".", [split(".", aws_db_instance.rds1.instance_class)[1], split(".", aws_db_instance.rds1.instance_class)[2]])
  }

  depends_on = [aws_db_instance.rds1]
}

We’re setting the instance_type variable using a few Terraform functions. Basically this turns db.t3.micro into t3.micro. This is the format that the aws cli tool in the wrapper script requires. Also note the use of depends_on as the RDS Instance needs to exist before the datasource is run.

With all that in place we can then reference the RAM value like so…

output "instance_ram" {
  value = data.external.rds.result.MB
}

There’s a working demo over at github/rhysmeister

After performing a terraform apply you’ll see the output variable is set to the instance type’s RAM in MB. In this case the RDS instance is a db.t3.micro and it has 1024MB of RAM.

Why doesn’t SELinux log a denied message?

2024-01-30T16:46:00+00:00

If you’re wondering why SELinux is not printing a “denied” message in /var/log/audit/audit.log it’s probably because somebody wanted to hide it! Yes, it’s possible to prevent an SELinux module from logging a denied message. Disable this behaviour by executing the following command:

semodule --disable_dontaudit --build

Re-enable again with:

semodule --build

For more consult the semodule man page and Possible Causes of Silent Denials

Terraform will damage your Computer

2023-05-15T16:59:00+00:00

Today I experienced the following error on my Intel MacBook Pro when attempting to run Terraform…

The equivalent English error message is “Terraform will damage your computer. You should move it to the Trash.”. Hashicorp have cycled their keys used to sign their packages/executables. You can read more about that at the link below. I resolved it by simply removing the old terraform binary and replacing it with a newer version…

which terraform
sudo rm /usr/local/bin/terraform
wget https://releases.hashicorp.com/terraform/1.4.6/terraform_1.4.6_darwin_amd64.zip
unzip terraform_1.4.6_darwin_amd64.zip
sudo mv terraform /usr/local/bin
terraform version

Further useful links

Generate BATS Unit Tests with ChatGPT

2023-01-07T13:27:00+00:00

Of course everyone has now heard about ChatGPT. I’ve seen a few posts on LinkedIn where people have used it to generate code. I thought I’d have a quick go at seeing if ChatGPT would generate useful units tests. So I gave it the following bash function…

mytest () {
        var="$1";
        if [[ "$var" == "rhys" ]]; then
                echo "Hello Rhys"
        else
                echo "Hello $var"
        fi;
}

and I asked it…

Hello, Can you write me some test cases for this Bash function?

Sure! Here are some test cases for the Bash function:

    Test that the function correctly prints "Hello Rhys" when given "rhys" as an input:

test "rhys"

Expected output:

Hello Rhys

    Test that the function correctly prints "Hello [name]" when given a name other than "rhys" as an input:

test "John"

Expected output:

Hello John

    Test that the function correctly handles an empty input:

test ""

Expected output:

Hello

    Test that the function correctly handles inputs with spaces:

test "John Smith"

Expected output:

Hello John Smith

    Test that the function correctly handles inputs with special characters:

test "!@#$%^&*()"

Expected output:

Hello !@#$%^&*()

OK, pretty good but let’s try something a little more practical. I like using the BATS Unit Testing Framework for bash. So I asked it to generate the tests again using BATS…

Can you write the same test cases using the BATS framework?

Sure! Here are the test cases written using the BATS (Bash Automated Testing System) framework:

# Test that the function correctly prints "Hello Rhys" when given "rhys" as an input
@test "mytest prints 'Hello Rhys' when given 'rhys' as an input" {
  run mytest "rhys"
  [ "$status" -eq 0 ]
  [ "$output" = "Hello Rhys" ]
}

# Test that the function correctly prints "Hello [name]" when given a name other than "rhys" as an input
@test "mytest prints 'Hello [name]' when given a name other than 'rhys' as an input" {
  run mytest "John"
  [ "$status" -eq 0 ]
  [ "$output" = "Hello John" ]
}

# Test that the function correctly handles an empty input
@test "mytest handles an empty input" {
  run mytest ""
  [ "$status" -eq 0 ]
  [ "$output" = "Hello" ]
}

# Test that the function correctly handles inputs with spaces
@test "mytest handles inputs with spaces" {
  run mytest "John Smith"
  [ "$status" -eq 0 ]
  [ "$output" = "Hello John Smith" ]
}

# Test that the function correctly handles inputs with special characters
@test "mytest handles inputs with special characters" {
  run mytest "!@#$%^&*()"
  [ "$status" -eq 0 ]
  [ "$output" = "Hello !@#$%^&*()" ]
}

Here’s the output when I run those tests…

 ✓ mytest prints 'Hello Rhys' when given 'rhys' as an input 
 ✓ mytest prints 'Hello [name]' when given a name other than 'rhys' as an input 
 ✗ mytest handles an empty input
   (in test file tests.bats, line 20)
     `[ "$output" = "Hello" ]' failed
 ✓ mytest handles inputs with spaces 
 ✓ mytest handles inputs with special characters 

5 tests, 1 failure

One test is failing because it doesn’t account for the fact that whitespace will be returned in the output when an empty input is provided. Let’s ask ChatGPT to correct this…

In the test labelled “mytest handles an empty input” you don’t take account of that fact that whitespace will be returned in the output. Therefore the test will always fail. Can you correct this please?”

It provided the following code…

# Test that the function correctly handles an empty input
@test "mytest handles an empty input" {
  run mytest ""
  [ "$status" -eq 0 ]
  [ "$output" = "Hello " ]
}

Now all the tests run correctly…

 ✓ mytest prints 'Hello Rhys' when given 'rhys' as an input 
 ✓ mytest prints 'Hello [name]' when given a name other than 'rhys' as an input 
 ✓ mytest handles an empty input 
 ✓ mytest handles inputs with spaces 
 ✓ mytest handles inputs with special characters 

5 tests, 0 failures

Now I am not surprised that ChatGPT made a mistake with the whitespace but, I am pretty impressed it could fix it, once I pointed out that mistake!

What else have I asked ChatGPT?

Hi ChatGPT, can you generate me an Ansible Playbook to install MariaDB on a CentOS system with some common settings changed?
Can you do the same thing but for a Debian based system?
Can you generate a testinfa class to validate a MariaDB server is running and the root login is secured?
Can you also generate a test that will check the MariaDB server is listening on 3306?

It gave pretty good answers for all of these, although probably not 100% production ready, it certainly provided a good starting point and takes out some of the tediousness of some of these tasks!

Install PyLint on Python 2.7

2022-06-25T12:18:00+00:00

When installing pylint with Python 2.7 you may encounter the following problem…

Collecting pylint
  Downloading https://files.pythonhosted.org/packages/d9/99/2958da59c0203fe40670bcbce52043b4db4e74ef0db14ab59d5b66c0ba6c/pylint-2.14.3.tar.gz (393kB)
  Running setup.py (path:/tmp/pip-build-VElRHY/pylint/setup.py) egg_info for package pylint produced metadata for project name unknown. Fix your #egg=pylint fragments.
Installing collected packages: unknown
  Running setup.py install for unknown: started
    Running setup.py install for unknown: finished with status 'done'
Successfully installed unknown-0.0.0
You are using pip version 8.1.2, however version 22.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

Note the package name of “unknown” in the output. Python 2.7 is no longer supported by newer versions of PyLint (from V2) and its dependencies. If you’re not in the position to update Python then the following fix should work…

pip install 'pylint==1.9.*' 'configparser==4.0.*' 'isort==4.3.*' 'lazy-object-proxy==1.6.*'