mirror of https://github.com/funkypenguin/geek-cookbook/ synced 2025-12-14 10:16:27 +00:00

Add blog post on kubeadm vs coredns, tidy up TOCs (#266)

This commit is contained in:
David Young
2023-02-16 11:47:35 +13:00
committed by GitHub
parent 5b5afc9608
commit 4fd6f304f1
17 changed files with 83 additions and 28 deletions

View File

@@ -7,8 +7,8 @@ tags:
links:
- Invidious on Docker: recipes/invidious.md
- Invidious on Kubernetes: recipes/kubernetes/invidious.md
description: New Recipe Added - Invidious - Private YouTube frontend, running on Docker Swarm
title: Added recipe for Invidious on Docker Swarm
description: New Recipe Added - Invidious - Private YouTube frontend (won't track you or recommend embarassing videos to your mum!), running on Docker Swarm
title: Added / Invidious on Docker Swarm
image: /images/invidious.png
---
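Review bot: the added description line misspells "embarrassing" as "embarassing"; since this text is what the blog index renders, fix it in the same commit. Also, the new title form "Added / Invidious on Docker Swarm" differs from the "Added recipe for Kavita on Docker Swarm" title that this same tidy-up leaves in place in the Kavita post, so settle on one pattern for the "Added" posts rather than introducing a second one here.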

View File

@@ -6,7 +6,7 @@ tags:
- kavita
links:
- Kavita recipe: recipes/kavita.md
description: New Recipe Added - Kavita - "Rocket-fueled" reader for manga/comics/ebooks, able to save reading position across devices/sessions
description: New recipe added for Kavita (docker swarm) - Rocket-fueled reader for manga/comics/ebooks, able to save reading position across devices/sessions
title: Added recipe for Kavita on Docker Swarm
image: /images/kavita.png
---
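Review bot: the new description writes "(docker swarm)" in lowercase while the title on the very next line, and the Invidious description in this same commit, use "Docker Swarm"; keep the capitalised product name so the index entries read consistently. The removed line also framed the post as "New Recipe Added - Kavita - ...", matching the other "New Recipe" descriptions, so the reworded "New recipe added for Kavita (docker swarm) - ..." is a third style for the same kind of entry.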

View File

@@ -8,11 +8,11 @@ links:
- Mastodon Review: blog/posts/reviews/review-mastodon-3.5.3.md
- Mastodon Kubernetes recipe: recipes/kubernetes/mastodon.md
- Mastodon Docker Swarm recipe: recipes/mastodon.md
description: New Kubernetes Recipe - Mastodon - Federated social network. Think "like twitter but also like email"
description: New Kubernetes Recipe - Mastodon - Federated social network. Think 'like twitter but also like email'
image: /images/mastodon.png
title: Added tutorial for running a Mastodon instance on Kubernetes
---
# New Recipe: Mastodon - Federated social network. Think "like twitter but also like email"
# New Recipe: Mastodon - Federated social network. Think 'like twitter but also like email'
New recipe - Mastodon, like Twitter on the Fediverse. Check out the [Kubernetes recipe][k8s/mastodon]!
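Review bot: the commit message does not say why the double quotes around "like twitter but also like email" become single quotes in both the frontmatter description and the H1. A plain YAML scalar may contain double quotes after its first character, so the frontmatter was valid as written; if a downstream tool objected to it, wrapping the whole value in single quotes keeps the original typography: `description: 'New Kubernetes Recipe - Mastodon - Federated social network. Think "like twitter but also like email"'`. Whatever the reason, the new kubeadm post added in this same commit has a description containing `"start version" .. "not supported"`, so the same convention is not applied consistently within the commit.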

View File

@@ -0,0 +1,52 @@
---
date: 2023-02-16
categories:
- note
tags:
- kubeadm
- kubernetes
- connaisseur
title: Kubeadm will fail to install if you've changed the coredns deployment to use digests
description: I debugged why my kubeadm init command was failing with "start version" .. "not supported" in isCoreDNSConfigMapMigrationRequired
---
# Made changes to your CoreDNS deployment / images? You may find kubeadm uncooperative..
Are you trying to join a new control-plane node to a kubeadm-installed cluster, and seeing an error like this?
```bash
start version '8916c89e1538ea3941b58847e448a2c6d940c01b8e716b20423d2d8b189d3972' not supported
unable to get list of changes to the configuration.
k8s.io/kubernetes/cmd/kubeadm/app/phases/addons/dns.isCoreDNSConfigMapMigrationRequired
```
You've changed your CoreDNS deployment, haven't you? You're using a custom image, or an image digest, or you're using an admissionwebhook to mutate pods upon recreation?
Here's what it means, and how to work around it...
<!-- more -->
We use [Connaisseur](https://github.com/sse-secure-systems/connaisseur) to enforce an internal policy upon our clusters - we don't run any images not signed with [cosign](https://github.com/sigstore/cosign).
!!! question "Why not use [sigstore's policy-controller admission controller](https://docs.sigstore.dev/policy-controller/overview/)?"
For one, I didn't know it existed before writing this! But having read up on it, here's why I believe that connaisseur is a better choice for our cluster:
#### connaisseur vs sigstore's policy-controller admission controller
* [x] Connaisseur can apply to all namespaces by default, and individual namespaces can opt-out
* [x] Connaisseur can "mutate" manifests, replacing tag-based images with their cosign-verified digest
* [x] Connaisseur can post slack webhooks to update an ops team re a policy violation, whether in "enforce" or "audit" mode
When `kubeadm init` instantiates a new control-plane node, it tries to determine which version of CoreDNS is running in the cluster, by **directly examining the coredns pods**.
Here's what one of my pods looks like:
```yaml
Image: registry-internal.elpenguino.net/myorg/coredns:v1.8.6@sha256:8916c89e1538ea3941b58847e448a2c6d940c01b8e716b20423d2d8b189d3972
```
kubeadm doesn't seem to be able to detect that the image above is at `v1.8.6`, and instead assumes it to be `8916...` (*the digest*).
The error can't be worked-around by ignoring a pre-flight test, since this particular failure happens "post-flight", and causes the entire install process to fail. The only viable solution currently (*I'll report this upstream, but it may end up being a "this-is-by-design" issue*), is to explicitly prevent connaisseur from meddling with pods in the `kube-system` namespace, by labelling the namespace with `securesystemsengineering.connaisseur/webhook=ignore`.
Aside from the fact that kubeadm could handle this failure more gracefully, I believe that excluding `kube-system` from admissionwebhooks is a smart move anyway, since `kube-system` should really be inviolate, and any unexpected changes **may** interfere with current and future Kubernetes upgrades anyway!
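Review bot: the workaround in the last two paragraphs silently widens the trust boundary and the post should say so rather than presenting it only as "a smart move": labelling `kube-system` with `securesystemsengineering.connaisseur/webhook=ignore` means, as the label name says, the admission webhook is never called for that namespace, so neither cosign verification nor tag-to-digest mutation nor the Slack alerts listed above apply to the one namespace where an unsigned or tampered image does the most damage. Suggest adding a sentence that this is a deliberate exception, and that the images kubeadm manages there are pinned by kubeadm's own version rather than by Connaisseur. Three smaller points in the same hunk: the opening line talks about joining a new control-plane node while the description and the "When `kubeadm init` instantiates..." paragraph say `kubeadm init`, so state which command actually produced the error; the error text shows kubeadm took everything after the last `:` of the image reference (the digest hex `8916c89e...` matches the `@sha256:` suffix of the image shown), so "by **directly examining the coredns pods**" is worth confirming against which object kubeadm actually reads, since the fix must cover whichever object Connaisseur is mutating; and "admissionwebhook" (twice) should be "admission webhook", while the block fenced as `yaml` is `kubectl describe` output (`Image: ...`) rather than YAML and reads better as plain text.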

View File

@@ -4,8 +4,8 @@ categories:
- note
tags:
- renovate
title: How running a pod as GID 1337 can cause a Kubernetes pod to bypass istio-proxy
description: Is your pod bypassing istio-proxy? Check your GUID isn't set to 1337!
title: Why your Kubernetes pod is bypassing istio-proxy
description: Is your pod sending traffic which is unexpectedly bypassing istio-proxy? Check your GUID isn't set to 1337!
---
# Is your pod bypassing istio-proxy? Check your GUID
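Review bot: "GUID" in the new description line and in the unchanged H1 should be "GID", as the removed title already had it; a GUID is a globally unique identifier, whereas the Istio sidecar's traffic-capture exemption is keyed on the group ID 1337. Since this commit rewrites exactly that description line, fix both occurrences here, for example `description: Is your pod sending traffic which is unexpectedly bypassing istio-proxy? Check your GID isn't set to 1337!`.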

View File

@@ -8,7 +8,7 @@ links:
- Mastodon Kubernetes recipe: recipes/kubernetes/mastodon.md
- Mastodon Docker Swarm recipe: recipes/mastodon.md
title: Review / Mastodon v3.5.3 - Open, Federated microblogging platform
description: Mastodon is like a self-hosted Twitter on the Fediverse. Here's a review!
description: Mastodon is a twitter-inspired, federated, microblogging community ("social network"), which anybody can partricipate in by joining a public instance, or running their own instance. Here's a review!
image: /images/mastodon.png
upstream_version: v3.5.3
---
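Review bot: the added description line misspells "participate" as "partricipate"; fix it before merge, as this is the text shown on the review index. "twitter-inspired" should also keep the capitalised product name, consistent with how the rest of the frontmatter is written.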

View File

@@ -4,7 +4,7 @@ categories:
- Review
tags:
- nextcloud
description: My review of NextCloud 24
description: An opinionated geek's review of NextCloud 24, how to make 'reliable' sexy!
title: Review / Nextcloud v24 - Sexy on the outside, boring on the inside
upstream_version: v24
image: /images/nextcloud.jpg