mirror of https://github.com/funkypenguin/geek-cookbook/ synced 2025-12-12 17:26:19 +00:00

Add blog post on kubeadm vs coredns, tidy up TOCs (#266)

This commit is contained in:
David Young
2023-02-16 11:47:35 +13:00
committed by GitHub
parent 5b5afc9608
commit 4fd6f304f1
17 changed files with 83 additions and 28 deletions

View File

@@ -1,5 +1,5 @@
---
description: CHANGELOG - What's new in the cookbook
description: The CHANGELOG category lists the posts which highlight new and improved recipes in Funky Penguin's Geek Cookbook. The idea is that subscribing to the RSS feed will provide automatic notification of fresh recipes!
search:
exclude: true
---

View File

@@ -1,6 +1,5 @@
---
description: Funky Penguin's notes-in-progress
title: Blog / Notes
description: Sometimes you discover something which doesn't fit neatly into the "recipe" format. That's what this category of blog posts is for. I note information I don't want to loose, but I don't know (yet) how to fit it into the structure of the cookbook.
search:
exclude: true
---
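Review bot: typo in the new description line: "information I don't want to loose" should read "lose".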

View File

@@ -1,11 +1,10 @@
---
description: My reviews of popular self-hosted apps
title: Funky Penguin reviews self-hosted tools
description: I love experimenting with new self-hosted tools. Typically I'll review a tool while creating a recipe, although popular enough tools (Plex) don't need a review, in which case I'll just jump straight into the recipe!
search:
exclude: true
---
# Funky Penguin's Reviews
# Reviews
I love experimenting with new self-hosted tools. Typically I'll review a tool while creating a recipe, although popular enough tools (*like [Plex][plex]*) don't **need** a review, in which case I'll just jump straight into the recipe!

View File

@@ -1,8 +1,9 @@
---
title: Funky Penguin's Blog
title: Funky Penguin's Geek Blog
description: Here I record largely-unstructured posts on technical subjects including updates / additions to the cookbook, reviews, and fixes / tips discovered during my daily work!
---
# Funky Penguin's Geek Cookblog
Welcome to Funky Penguin's Geeky Blog!
Welcome to Funky Penguin's Geeky Blog! Here I record largely-unstructured posts on technical subjects including updates / additions to the cookbook, reviews, and fixes / tips discovered in my daily work!
--8<-- "common-links.md"
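Review bot: the blog's name is inconsistent within this one file after the change: the front-matter title reads "Funky Penguin's Geek Blog", the H1 reads "Funky Penguin's Geek Cookblog", and the opening sentence reads "Funky Penguin's Geeky Blog" (the tags page in this same commit also says "Geeky Blog"). Pick one form and use it in all three places.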

View File

@@ -7,8 +7,8 @@ tags:
links:
- Invidious on Docker: recipes/invidious.md
- Invidious on Kubernetes: recipes/kubernetes/invidious.md
description: New Recipe Added - Invidious - Private YouTube frontend, running on Docker Swarm
title: Added recipe for Invidious on Docker Swarm
description: New Recipe Added - Invidious - Private YouTube frontend (won't track you or recommend embarassing videos to your mum!), running on Docker Swarm
title: Added / Invidious on Docker Swarm
image: /images/invidious.png
---
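Review bot: spelling in the new description: "embarassing" should be "embarrassing". The title also changes style here ("Added / Invidious on Docker Swarm") while the Kavita post in this same commit keeps "Added recipe for Kavita on Docker Swarm"; worth aligning the two.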

View File

@@ -6,7 +6,7 @@ tags:
- kavita
links:
- Kavita recipe: recipes/kavita.md
description: New Recipe Added - Kavita - "Rocket-fueled" reader for manga/comics/ebooks, able to save reading position across devices/sessions
description: New recipe added for Kavita (docker swarm) - Rocket-fueled reader for manga/comics/ebooks, able to save reading position across devices/sessions
title: Added recipe for Kavita on Docker Swarm
image: /images/kavita.png
---

View File

@@ -8,11 +8,11 @@ links:
- Mastodon Review: blog/posts/reviews/review-mastodon-3.5.3.md
- Mastodon Kubernetes recipe: recipes/kubernetes/mastodon.md
- Mastodon Docker Swarm recipe: recipes/mastodon.md
description: New Kubernetes Recipe - Mastodon - Federated social network. Think "like twitter but also like email"
description: New Kubernetes Recipe - Mastodon - Federated social network. Think 'like twitter but also like email'
image: /images/mastodon.png
title: Added tutorial for running a Mastodon instance on Kubernetes
---
# New Recipe: Mastodon - Federated social network. Think "like twitter but also like email"
# New Recipe: Mastodon - Federated social network. Think 'like twitter but also like email'
New recipe - Mastodon, like Twitter on the Fediverse. Check out the [Kubernetes recipe][k8s/mastodon]!

View File

@@ -0,0 +1,52 @@
---
date: 2023-02-16
categories:
- note
tags:
- kubeadm
- kubernetes
- connaisseur
title: Kubeadm will fail to install if you've changed the coredns deployment to use digests
description: I debugged why my kubeadm init command was failing with "start version" .. "not supported" in isCoreDNSConfigMapMigrationRequired
---
# Made changes to your CoreDNS deployment / images? You may find kubeadm uncooperative..
Are you trying to join a new control-plane node to a kubeadm-installed cluster, and seeing an error like this?
```bash
start version '8916c89e1538ea3941b58847e448a2c6d940c01b8e716b20423d2d8b189d3972' not supported
unable to get list of changes to the configuration.
k8s.io/kubernetes/cmd/kubeadm/app/phases/addons/dns.isCoreDNSConfigMapMigrationRequired
```
You've changed your CoreDNS deployment, haven't you? You're using a custom image, or an image digest, or you're using an admissionwebhook to mutate pods upon recreation?
Here's what it means, and how to work around it...
<!-- more -->
We use [Connaisseur](https://github.com/sse-secure-systems/connaisseur) to enforce an internal policy upon our clusters - we don't run any images not signed with [cosign](https://github.com/sigstore/cosign).
!!! question "Why not use [sigstore's policy-controller admission controller](https://docs.sigstore.dev/policy-controller/overview/)?"
For one, I didn't know it existed before writing this! But having read up on it, here's why I believe that connaisseur is a better choice for our cluster:
#### connaisseur vs sigstore's policy-controller admission controller
* [x] Connaisseur can apply to all namespaces by default, and individual namespaces can opt-out
* [x] Connaisseur can "mutate" manifests, replacing tag-based images with their cosign-verified digest
* [x] Connaisseur can post slack webhooks to update an ops team re a policy violation, whether in "enforce" or "audit" mode
When `kubeadm init` instantiates a new control-plane node, it tries to determine which version of CoreDNS is running in the cluster, by **directly examining the coredns pods**.
Here's what one of my pods looks like:
```yaml
Image: registry-internal.elpenguino.net/myorg/coredns:v1.8.6@sha256:8916c89e1538ea3941b58847e448a2c6d940c01b8e716b20423d2d8b189d3972
```
kubeadm doesn't seem to be able to detect that the image above is at `v1.8.6`, and instead assumes it to be `8916...` (*the digest*).
The error can't be worked-around by ignoring a pre-flight test, since this particular failure happens "post-flight", and causes the entire install process to fail. The only viable solution currently (*I'll report this upstream, but it may end up being a "this-is-by-design" issue*), is to explicitly prevent connaisseur from meddling with pods in the `kube-system` namespace, by labelling the namespace with `securesystemsengineering.connaisseur/webhook=ignore`.
Aside from the fact that kubeadm could handle this failure more gracefully, I believe that excluding `kube-system` from admissionwebhooks is a smart move anyway, since `kube-system` should really be inviolate, and any unexpected changes **may** interfere with current and future Kubernetes upgrades anyway!
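Review bot: the workaround at the end of the post (labelling `kube-system` with `securesystemsengineering.connaisseur/webhook=ignore`) switches off signature verification for every image in that namespace, not just CoreDNS, so the post should state that trade-off explicitly and suggest a compensating control, for example comparing the images actually running in `kube-system` against the expected set after each kubeadm operation. Smaller points: the error-output block is fenced as ```bash but contains kubeadm log lines rather than shell, so a plain text fence would render more honestly; "admissionwebhook" should be "admission webhook" in both places it appears; and "I'll report this upstream" would be more useful to readers once it links to the issue, so a placeholder link or a follow-up note is worth adding.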

View File

@@ -4,8 +4,8 @@ categories:
- note
tags:
- renovate
title: How running a pod as GID 1337 can cause a Kubernetes pod to bypass istio-proxy
description: Is your pod bypassing istio-proxy? Check your GUID isn't set to 1337!
title: Why your Kubernetes pod is bypassing istio-proxy
description: Is your pod sending traffic which is unexpectedly bypassing istio-proxy? Check your GUID isn't set to 1337!
---
# Is your pod bypassing istio-proxy? Check your GUID
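Review bot: the new description and the H1 say "GUID", but the post is about the group ID (the removed title in this same hunk says "GID 1337"); "GUID" reads as a globally unique identifier. Use "GID" in both the description and the heading.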

View File

@@ -8,7 +8,7 @@ links:
- Mastodon Kubernetes recipe: recipes/kubernetes/mastodon.md
- Mastodon Docker Swarm recipe: recipes/mastodon.md
title: Review / Mastodon v3.5.3 - Open, Federated microblogging platform
description: Mastodon is like a self-hosted Twitter on the Fediverse. Here's a review!
description: Mastodon is a twitter-inspired, federated, microblogging community ("social network"), which anybody can partricipate in by joining a public instance, or running their own instance. Here's a review!
image: /images/mastodon.png
upstream_version: v3.5.3
---
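Review bot: spelling in the new description: "partricipate" should be "participate"; "twitter-inspired" should also capitalise the product name as "Twitter-inspired".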

View File

@@ -4,7 +4,7 @@ categories:
- Review
tags:
- nextcloud
description: My review of NextCloud 24
description: An opinionated geek's review of NextCloud 24, how to make 'reliable' sexy!
title: Review / Nextcloud v24 - Sexy on the outside, boring on the inside
upstream_version: v24
image: /images/nextcloud.jpg

View File

@@ -1,4 +1,5 @@
---
title: Funky Penguin's Geeky Blog Tags
search:
exclude: true
---