mirror of https://github.com/funkypenguin/geek-cookbook/ synced 2025-12-12 17:26:19 +00:00

Add blog post on kubeadm vs coredns, tidy up TOCs (#266)

This commit is contained in:
David Young
2023-02-16 11:47:35 +13:00
committed by GitHub
parent 5b5afc9608
commit 4fd6f304f1
17 changed files with 83 additions and 28 deletions

View File

@@ -1,5 +1,5 @@
---
description: CHANGELOG - What's new in the cookbook
description: The CHANGELOG category lists the posts which highlight new and improved recipes in Funky Penguin's Geek Cookbook. The idea is that subscribing to the RSS feed will provide automatic notification of fresh recipes!
search:
exclude: true
---

View File

@@ -1,6 +1,5 @@
---
description: Funky Penguin's notes-in-progress
title: Blog / Notes
description: Sometimes you discover something which doesn't fit neatly into the "recipe" format. That's what this category of blog posts is for. I note information I don't want to loose, but I don't know (yet) how to fit it into the structure of the cookbook.
search:
exclude: true
---
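Review bot: the new `description:` line has a typo, `loose` should be `lose` ("information I don't want to lose"). This text is surfaced in search results and RSS, so it is worth fixing before it ships.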

View File

@@ -1,11 +1,10 @@
---
description: My reviews of popular self-hosted apps
title: Funky Penguin reviews self-hosted tools
description: I love experimenting with new self-hosted tools. Typically I'll review a tool while creating a recipe, although popular enough tools (Plex) don't need a review, in which case I'll just jump straight into the recipe!
search:
exclude: true
---
# Funky Penguin's Reviews
# Reviews
I love experimenting with new self-hosted tools. Typically I'll review a tool while creating a recipe, although popular enough tools (*like [Plex][plex]*) don't **need** a review, in which case I'll just jump straight into the recipe!

View File

@@ -1,8 +1,9 @@
---
title: Funky Penguin's Blog
title: Funky Penguin's Geek Blog
description: Here I record largely-unstructured posts on technical subjects including updates / additions to the cookbook, reviews, and fixes / tips discovered during my daily work!
---
# Funky Penguin's Geek Cookblog
Welcome to Funky Penguin's Geeky Blog!
Welcome to Funky Penguin's Geeky Blog! Here I record largely-unstructured posts on technical subjects including updates / additions to the cookbook, reviews, and fixes / tips discovered in my daily work!
--8<-- "common-links.md"

View File

@@ -7,8 +7,8 @@ tags:
links:
- Invidious on Docker: recipes/invidious.md
- Invidious on Kubernetes: recipes/kubernetes/invidious.md
description: New Recipe Added - Invidious - Private YouTube frontend, running on Docker Swarm
title: Added recipe for Invidious on Docker Swarm
description: New Recipe Added - Invidious - Private YouTube frontend (won't track you or recommend embarassing videos to your mum!), running on Docker Swarm
title: Added / Invidious on Docker Swarm
image: /images/invidious.png
---
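Review bot: `embarassing` in the new `description:` should be `embarrassing`. Also, the title style changes here from `Added recipe for Invidious on Docker Swarm` to `Added / Invidious on Docker Swarm`, while the Kavita post touched in this same commit keeps the `Added recipe for Kavita on Docker Swarm` form; pick one pattern for the "Added" category so the blog index reads consistently.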

View File

@@ -6,7 +6,7 @@ tags:
- kavita
links:
- Kavita recipe: recipes/kavita.md
description: New Recipe Added - Kavita - "Rocket-fueled" reader for manga/comics/ebooks, able to save reading position across devices/sessions
description: New recipe added for Kavita (docker swarm) - Rocket-fueled reader for manga/comics/ebooks, able to save reading position across devices/sessions
title: Added recipe for Kavita on Docker Swarm
image: /images/kavita.png
---
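Review bot: the new description writes `(docker swarm)` in lowercase where the title on the next line and the rest of the site use `Docker Swarm`; suggest `New recipe added for Kavita (Docker Swarm)`.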

View File

@@ -8,11 +8,11 @@ links:
- Mastodon Review: blog/posts/reviews/review-mastodon-3.5.3.md
- Mastodon Kubernetes recipe: recipes/kubernetes/mastodon.md
- Mastodon Docker Swarm recipe: recipes/mastodon.md
description: New Kubernetes Recipe - Mastodon - Federated social network. Think "like twitter but also like email"
description: New Kubernetes Recipe - Mastodon - Federated social network. Think 'like twitter but also like email'
image: /images/mastodon.png
title: Added tutorial for running a Mastodon instance on Kubernetes
---
# New Recipe: Mastodon - Federated social network. Think "like twitter but also like email"
# New Recipe: Mastodon - Federated social network. Think 'like twitter but also like email'
New recipe - Mastodon, like Twitter on the Fediverse. Check out the [Kubernetes recipe][k8s/mastodon]!

View File

@@ -0,0 +1,52 @@
---
date: 2023-02-16
categories:
- note
tags:
- kubeadm
- kubernetes
- connaisseur
title: Kubeadm will fail to install if you've changed the coredns deployment to use digests
description: I debugged why my kubeadm init command was failing with "start version" .. "not supported" in isCoreDNSConfigMapMigrationRequired
---
# Made changes to your CoreDNS deployment / images? You may find kubeadm uncooperative..
Are you trying to join a new control-plane node to a kubeadm-installed cluster, and seeing an error like this?
```bash
start version '8916c89e1538ea3941b58847e448a2c6d940c01b8e716b20423d2d8b189d3972' not supported
unable to get list of changes to the configuration.
k8s.io/kubernetes/cmd/kubeadm/app/phases/addons/dns.isCoreDNSConfigMapMigrationRequired
```
You've changed your CoreDNS deployment, haven't you? You're using a custom image, or an image digest, or you're using an admissionwebhook to mutate pods upon recreation?
Here's what it means, and how to work around it...
<!-- more -->
We use [Connaisseur](https://github.com/sse-secure-systems/connaisseur) to enforce an internal policy upon our clusters - we don't run any images not signed with [cosign](https://github.com/sigstore/cosign).
!!! question "Why not use [sigstore's policy-controller admission controller](https://docs.sigstore.dev/policy-controller/overview/)?"
For one, I didn't know it existed before writing this! But having read up on it, here's why I believe that connaisseur is a better choice for our cluster:
#### connaisseur vs sigstore's policy-controller admission controller
* [x] Connaisseur can apply to all namespaces by default, and individual namespaces can opt-out
* [x] Connaisseur can "mutate" manifests, replacing tag-based images with their cosign-verified digest
* [x] Connaisseur can post slack webhooks to update an ops team re a policy violation, whether in "enforce" or "audit" mode
When `kubeadm init` instantiates a new control-plane node, it tries to determine which version of CoreDNS is running in the cluster, by **directly examining the coredns pods**.
Here's what one of my pods looks like:
```yaml
Image: registry-internal.elpenguino.net/myorg/coredns:v1.8.6@sha256:8916c89e1538ea3941b58847e448a2c6d940c01b8e716b20423d2d8b189d3972
```
kubeadm doesn't seem to be able to detect that the image above is at `v1.8.6`, and instead assumes it to be `8916...` (*the digest*).
The error can't be worked-around by ignoring a pre-flight test, since this particular failure happens "post-flight", and causes the entire install process to fail. The only viable solution currently (*I'll report this upstream, but it may end up being a "this-is-by-design" issue*), is to explicitly prevent connaisseur from meddling with pods in the `kube-system` namespace, by labelling the namespace with `securesystemsengineering.connaisseur/webhook=ignore`.
Aside from the fact that kubeadm could handle this failure more gracefully, I believe that excluding `kube-system` from admissionwebhooks is a smart move anyway, since `kube-system` should really be inviolate, and any unexpected changes **may** interfere with current and future Kubernetes upgrades anyway!
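Review bot: the workaround in the closing paragraphs, labelling `kube-system` with `securesystemsengineering.connaisseur/webhook=ignore`, turns off signature verification for every pod in that namespace, not only CoreDNS; the post should state that trade-off explicitly (unsigned or unexpected images in `kube-system` will no longer be blocked, nor rewritten to verified digests), and it would help readers to note that the label is a cluster-wide trust exception worth keeping under the same version control as the rest of the cluster config, so it stays visible when the upstream kubeadm report resolves. Two smaller points: `admissionwebhook` (used in two places) should be `admission webhook`, and the `Image: registry-internal...` line is fenced as `yaml` although it is not a manifest field (manifests use lowercase `image:`); it reads as `kubectl describe` output, so a plain fence would be more accurate.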

View File

@@ -4,8 +4,8 @@ categories:
- note
tags:
- renovate
title: How running a pod as GID 1337 can cause a Kubernetes pod to bypass istio-proxy
description: Is your pod bypassing istio-proxy? Check your GUID isn't set to 1337!
title: Why your Kubernetes pod is bypassing istio-proxy
description: Is your pod sending traffic which is unexpectedly bypassing istio-proxy? Check your GUID isn't set to 1337!
---
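Review bot: the new `description:` (and the H1 context line below it) say `GUID`, but the title line on the same hunk correctly says `GID`, which is what the post is about: the group ID 1337 that lets traffic skip istio-proxy. `GUID` is a different term (a globally unique identifier) and will confuse readers searching for this problem. Suggest `Check your GID isn't set to 1337!` in both places.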
# Is your pod bypassing istio-proxy? Check your GUID

View File

@@ -8,7 +8,7 @@ links:
- Mastodon Kubernetes recipe: recipes/kubernetes/mastodon.md
- Mastodon Docker Swarm recipe: recipes/mastodon.md
title: Review / Mastodon v3.5.3 - Open, Federated microblogging platform
description: Mastodon is like a self-hosted Twitter on the Fediverse. Here's a review!
description: Mastodon is a twitter-inspired, federated, microblogging community ("social network"), which anybody can partricipate in by joining a public instance, or running their own instance. Here's a review!
image: /images/mastodon.png
upstream_version: v3.5.3
---
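Review bot: `partricipate` in the new `description:` should be `participate`. Since the description now calls Mastodon `twitter-inspired`, consider capitalising `Twitter` as a proper noun, matching the review's own title line in this hunk.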

View File

@@ -4,7 +4,7 @@ categories:
- Review
tags:
- nextcloud
description: My review of NextCloud 24
description: An opinionated geek's review of NextCloud 24, how to make 'reliable' sexy!
title: Review / Nextcloud v24 - Sexy on the outside, boring on the inside
upstream_version: v24
image: /images/nextcloud.jpg

View File

@@ -1,4 +1,5 @@
---
title: Funky Penguin's Geeky Blog Tags
search:
exclude: true
---

View File

@@ -1,6 +1,6 @@
---
title: Funky Penguin's Geeky Communities
description: Engage with your fellow geeks, wherever they may be!
description: Join Funky Penguin and your fellow geeks, wherever they be in, including Discord, Reddit, Mastodon, GitHub, and more...
---
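Review bot: the new description reads `wherever they be in`, which is ungrammatical; suggest `wherever they may be, including Discord, Reddit, Mastodon, GitHub, and more...`.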
# Geek Community

View File

@@ -1,11 +1,11 @@
---
title: Join our geeky, Docker/Kubernetes-flavored Mastdon instance
description: Looking for your geeky niche in the "fediverse"? Join our Mastodon instance!
description: Looking for your geeky niche in the "fediverse"? Join our Mastodon instance, focussed on self-hosting, technical news, supporting full-text search!
icon: fontawesome/brands/mastodon
status: new
---
# Join geeky / selfhosted Mastodon
# Join our geeky / selfhosted Mastodon instance
Mastondon is a self-hosted / open-source microblogging platform (*heavily inspired by Twitter*), which supports federation, rather than centralization. Like email, any user on any Mastodon instance can follow, "toot" (*not tweet!*), and reply to any user on any *other* instance.
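Review bot: two spelling errors sit in the unchanged context of this hunk and would be cheap to fix while the file is open: `Mastdon` in the `title:` line (should be `Mastodon`, as the new description spells it) and `Mastondon` at the start of the body paragraph.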

View File

@@ -87,17 +87,17 @@ So if you're familiar enough with the concepts above, and you've done self-hosti
Ive spent 20+ years working with technology. Im a solution architect, with a broad range of experience and skills. I'm a full-time [AWS Certified Solution Architect (Professional)][cert_aws], a [CNCF-Certified Kubernetes Administrator][cert_cka], [Application Developer][cert_ckad] and [Security Specialist][cert_cks].
### What do you want from me?
## What do you want from me?
I want your [support](https://github.com/sponsors/funkypenguin), either in the [financial](https://github.com/sponsors/funkypenguin) sense, or as a member of our [friendly geek community](http://chat.funkypenguin.co.nz) (*or both!*)
#### Get in touch 💬
### Get in touch 💬
- Come and say hi to me and the friendly geeks in the [Discord](http://chat.funkypenguin.co.nz) chat or the [Discourse](https://forum.funkypenguin.co.nz/) forums - say hi, ask a question, or suggest a new recipe!
- Toot me up, I'm [@funkypenguin](https://so.fnky.nz/@funkypenguin)! 🐘
- [Contact me](https://www.funkypenguin.co.nz/contact/) by a variety of channels
#### [Sponsor](https://github.com/sponsors/funkypenguin) me ❤️
### [Sponsor](https://github.com/sponsors/funkypenguin) me ❤️
The best way to support this work is to become a [GitHub Sponsor](https://github.com/sponsors/funkypenguin) / [Patreon patron](https://www.patreon.com/bePatron?u=6982506). You get:
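Review bot: the `###` to `##` and `####` to `###` promotions here line up with the new `toc_depth: 3` in mkdocs.yml from the same commit, so the contact and sponsor sections stay in the page TOC; good. The unchanged context line beginning `Ive spent 20+ years` is missing two apostrophes (`I've`, `I'm`) and is worth correcting in the same pass.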
@@ -110,15 +110,15 @@ The best way to support this work is to become a [GitHub Sponsor](https://github
Impulsively **[click here (NOW quick do it!)](https://github.com/sponsors/funkypenguin)** to [sponsor me](https://github.com/sponsors/funkypenguin) via GitHub, or [patronize me via Patreon](https://www.patreon.com/bePatron?u=6982506)!
#### Work with me 🤝
### Work with me 🤝
Need some Cloud / Microservices / DevOps / Infrastructure design work done? This stuff is my bread and butter! :bread: :fork_and_knife: [Get in touch][contact], and let's talk!
#### Buy me a coffee ☕️
### Buy me a coffee ☕️
A sponsorship is too much commitment, and a book is TL;DR? Hit me up with a [one-time caffine shot](https://www.buymeacoffee.com/funkypenguin)!
### Sponsored Projects
### Projects I sponsor
I'm supported and motivated by [GitHub Sponsors](https://github.com/sponsors/funkypenguin) and [Patreon patrons](https://www.patreon.com/funkypenguin) who have generously sponsored me.
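Review bot: the heading is renamed to `Projects I sponsor`, but the sentence immediately under it is still about people who sponsor me (`GitHub Sponsors and Patreon patrons who have generously sponsored me`), so the section now opens on the wrong subject; add a lead sentence about the projects being sponsored, or keep the intro under the previous heading. Also, `caffine` in the unchanged `Buy me a coffee` paragraph should be `caffeine`.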

View File

@@ -1,6 +1,8 @@
---
description: Creating a Kubernetes cluster on DigitalOcean
description: One of the easiest ways to experiment with a "real" managed Kubernetes cluster is with DigitalOcean's Kubernetes offering
title: Create your Kubernetes cluster on Digital Ocean
---
# Kubernetes on DigitalOcean
IMO, the easiest Kubernetes cloud provider to experiment with is [DigitalOcean](https://m.do.co/c/e33b78ad621b) (_this is a referral link_). I've included instructions below to start a basic cluster.

View File

@@ -405,7 +405,8 @@ markdown_extensions:
- codehilite:
linenums: true
- toc:
permalink: true
permalink: false
toc_depth: 3 # ignore H4/5/6
- footnotes
- pymdownx.critic
- pymdownx.arithmatex
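Review bot: `permalink: false` removes the clickable anchor on every heading, which is what readers use to copy a deep link to a section (including the recipe steps that other posts link into). The heading ids are still generated by the toc extension, but nothing exposes them any more. If the goal of this change is only to trim the TOC, `toc_depth: 3` already does that on its own, so consider leaving `permalink: true`.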