kube-samples's Issues

tailoredprofile.yaml needs indentation at line 8

oc apply -n openshift-compliance -f https://raw.githubusercontent.com/IBM-Cloud/kube-samples/master/roks-compliance-operator/tailoredprofile.yaml
error: error parsing https://raw.githubusercontent.com/IBM-Cloud/kube-samples/master/roks-compliance-operator/tailoredprofile.yaml: error converting YAML to JSON: yaml: line 8: did not find expected key

resolved with

apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: roks-cis-node
  namespace: openshift-compliance
spec:
  description: "IBM ROKS tailored scan"
  setValues:

hook and tide pods are CrashLoopBackOff

I tried to install Jenkins X on IKS, specifying --git-provider-url="https://github.ibm.com"; however, the hook pods are in CrashLoopBackOff, and checking the logs for the pods shows:

{"client":"github","component":"hook","level":"info","msg":"User()","time":"2019-11-13T12:21:59Z"}
{"component":"hook","error":"error getting bot name: fetching bot name from GitHub: status code 401 not one of [200], body: {"message":"Bad credentials","documentation_url":"https://developer.github.com/v3\"}","level":"fatal","msg":"Error getting Git client.","time":"2019-11-13T12:21:59Z"}

It is very strange: hook used the public GitHub instead of IBM GitHub. How do I fix this?

Missing tugboat IP for au-syd region

Applying the public network isolation policies to a cluster in au-syd (with logging enabled) shows that it's denying access to 135.90.69.82/32. This appears to be a valid tugboat IP, so it should be allow-listed.

Separate Frankfurt IPs from AMS, PAR and MIL

Today, all CIDRs for EU-Central are in one file: [iam-firewall-ips-fra.txt](https://github.com/IBM-Cloud/kube-samples/blob/master/iam-firewall-ips/iam-firewall-ips-fra.txt)

Please only add Frankfurt CIDR in the Frankfurt file and keep AMS, PAR and MIL separate.

That will make the IP range to whitelist smaller for Frankfurt users only.

Thanks.

Secret Sync Operator fails if target namespace doesn't exist

The Secret Sync Operator will fail-fast if a target namespace doesn't exist with the following error:

{"level":"error","ts":1572685378.8804283,"logger":"kubebuilder.controller","msg":"Reconciler error","controller":"secretsync-controller","request":"kube-system/testreplication","error":"namespaces \"doesnotexist\" not found","stacktrace":"github.com/ibm/secret-sync-operator/vendor/github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/src/github.com/ibm/secret-sync-operator/vendor/github.com/go-logr/zapr/zapr.go:128\ngithub.com/ibm/secret-sync-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/ibm/secret-sync-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:217\ngithub.com/ibm/secret-sync-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1\n\t/go/src/github.com/ibm/secret-sync-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:158\ngithub.com/ibm/secret-sync-operator/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1\n\t/go/src/github.com/ibm/secret-sync-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133\ngithub.com/ibm/secret-sync-operator/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/src/github.com/ibm/secret-sync-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:134\ngithub.com/ibm/secret-sync-operator/vendor/k8s.io/apimachinery/pkg/util/wait.Until\n\t/go/src/github.com/ibm/secret-sync-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88"} 

This causes the operator to go into a loop until the namespace is created and could prevent some secrets from being synchronised.

The PR attached amends the logic by checking first whether the namespace exists; it bypasses any missing namespaces and creates all secrets where the namespace exists. The reconcile will requeue after 5 minutes if a missing namespace is detected, as there is no namespace watch in this sample project and the secret may not be edited to retrigger the watch.

tailoredprofile.yaml missing description field

I noticed that "oc apply" will fail when loading the tailoredprofile.yaml and complains about a missing spec.description field:

% oc apply -n openshift-compliance -f https://raw.githubusercontent.com/IBM-Cloud/kube-samples/master/roks-compliance-operator/tailoredprofile.yaml
The TailoredProfile "roks-cis-node" is invalid: spec.description: Required value

I was doing this on an OpenShift 4.7 cluster. I have not looked at other versions of OpenShift.

I can resolve this by adding the line

    description: "IBM ROKS tailored scan"

in line 8 as shown below...

# For more information, see https://cloud.ibm.com/docs/openshift?topic=openshift-compliance-operator
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: roks-cis-node
  namespace: openshift-compliance
spec:
  description: "IBM ROKS tailored scan"
  setValues:

Thanks for the great resources!

Missing eu-de Control Plane CIDRS

These CIDRs for the EU-DE Control Plane are mentioned in the IAM docs, but not in the region docs for eu-central. We have a customer hitting IP 161.156.188.198, which falls under CIDR 161.156.188.192/28 and is listed in THIS DOC:

161.156.188.96/27
161.156.188.128/27
161.156.188.192/28
161.156.188.96/27

Issue copying secret name with more than 63 characters

Having an issue syncing a secret whose name is more than 63 characters.
Docker image used: bourneid/secret-sync-operator
ERROR from the secret-sync pod:
"error":"Secret "clustername-xxxxxxxxxxxxxxx-0001" is invalid: metadata.labels: Invalid value: "default.clustername-xxxxxxxxxxxxxxx-0001": must be no more than 63 characters",

Network Policies not applied in Kube-System ns

Hi All,

We are using the Calico network policy solution and, except for the kube-system ns, all other namespaces are working fine, controlling traffic according to the network policies defined.

Right now, the kube-system ns allows only the allow-all network policy, and if we define any custom network policy, I get a 502 Bad Gateway with a [502][socket hang up][ECONNRESET] error.

Are there any restrictions that IKS applies on the kube-system ns that do not allow network policies?

Audit policy metadata-only rule should include `serviceaccounts/token` resource

The following files reference a metadata-only audit policy in order to prevent logging request/response contents for sensitive resources:

A recent Kubernetes bugfix means that audit-logging of subresource requests which previously failed will now log successfully. The serviceaccounts/token subresource responds to TokenRequest API calls with a newly minted service account token.

The serviceaccounts/token resource should also be included in the metadata-only audit policy if credentials are not intended to appear in the audit log:

- group: "" # core
  resources: ["secrets", "configmaps", "serviceaccounts/token"]
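One way to verify this before rolling a policy out, as an added example that is not part of kube-samples: the script below replays the kube-apiserver's first-match audit rule selection (group and resource selectors only) over the rule from this issue, before and after adding serviceaccounts/token. The rules are Python dicts in the shape PyYAML would return, so it runs without a YAML library; the trailing RequestResponse catch-all rule is a constructed assumption about the rest of the policy.

```python
# Added example (not from the kube-samples repo): replays the kube-apiserver's
# first-match audit rule selection so a metadata-only policy can be checked
# before rollout. Rules are dicts in the shape PyYAML yields for an
# audit.k8s.io/v1 Policy; only group/resource selectors are modelled.

def resource_matches(patterns, api_resource):
    """Kubernetes resource matching: "secrets" is the bare resource only,
    "pods/log" one subresource, "pods/*" every subresource of pods (not pods
    itself), "*/token" that subresource of every resource, "*" everything."""
    for pat in patterns:
        if pat == "*" or pat == api_resource:
            return True
        if pat.endswith("/*") and api_resource.startswith(pat[:-1]):
            return True
        if pat.startswith("*/") and api_resource.endswith(pat[1:]):
            return True
    return False

def effective_level(rules, group, resource, subresource=""):
    """Level assigned by the first matching rule; "None" if no rule matches."""
    api_resource = resource + ("/" + subresource if subresource else "")
    for rule in rules:
        if "resources" not in rule:        # no selector at all: matches everything
            return rule["level"]
        for gr in rule["resources"]:
            if gr.get("group", "") != group:
                continue
            # a GroupResources entry without "resources" covers the whole group
            if not gr.get("resources") or resource_matches(gr["resources"], api_resource):
                return rule["level"]
    return "None"

# (group, resource, subresource) triples whose request/response bodies carry credentials.
SENSITIVE = [("", "secrets", ""), ("", "configmaps", ""), ("", "serviceaccounts", "token")]

def leaking_sensitive(rules):
    """Sensitive resources the policy would log at Request or RequestResponse level."""
    return [r + ("/" + s if s else "") for g, r, s in SENSITIVE
            if effective_level(rules, g, r, s) in ("Request", "RequestResponse")]

# Constructed policies: the issue's metadata-only rule before and after adding
# serviceaccounts/token, each followed by an assumed RequestResponse catch-all rule.
CORE = {"group": "", "resources": ["secrets", "configmaps"]}
BEFORE = [{"level": "Metadata", "resources": [CORE]}, {"level": "RequestResponse"}]
AFTER = [{"level": "Metadata",
          "resources": [{**CORE, "resources": CORE["resources"] + ["serviceaccounts/token"]}]},
         {"level": "RequestResponse"}]
```

With BEFORE, a TokenRequest falls through to the catch-all and the minted token is written to the audit log; with AFTER it is captured at Metadata level.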
