mitzen

When we setup multiple VNET and peer them, let's say we have marketing VNET and research VNET. then we created a storage account and setup private link in research VNET. At this point, VM trying to resolve our storage account in marketing vnet will get a public ip. How do we configure to ensure this VM in marketing would be able internal IP?  All we need to do is go to the Private dns zone that we have created and then add a " Virtual Network link " and we choose "marketing" vnet target network. And then in the VM that we have created in marketing VNET, you can see that we are resolving to a local ip address instead of public.  And then if we look at the subnet. there's no IP that has been taken up.

To use this we need to create a "ValidatingAdminisionPolicy" and "ValidatingAdmissionPolicyBinding".  This example will prevent pod from being created if it des not have "label called environment". apiVersion : admissionregistration.k8s.io/v1 kind : ValidatingAdmissionPolicy metadata :   name : " require-env-label " spec :   failurePolicy : Fail   matchConstraints :     resourceRules :     - apiGroups :   [ "" ]       apiVersions : [ " v1 " ]       operations :   [ " CREATE " , " UPDATE " ]       resources :   [ " pods " ]   validations :     - expression : " has(object.metadata.labels) && 'environment' in object.metadata.labels "       message : " The 'environment' label is required for all Pods. " And then we have ValidatingAdmissionPolicyBinding apiVersion : admissionregistration.k8s.io/v1 kind : ValidatingAdmissionPolicyBinding meta...

First we should create our VNET, in this context we are going to create 3 vnet - research, marketing and 3rd party.  Then we are going to create Network Manager and then add your management scope - which is your subscription accessible to this network manager. Please ensure you selected Feature => Connectivity Network Group Then we will create a network group. Then provide it with a name "Hub-Spoke-Network-Group".  After it is crated, click on Add Virtual Network manally. We will select the vnet here  Network Configuration   This is where we will create Hub-Spoke topology here. Then go next:- Click "Review and create" when ready Deployment Before you ca  have your hub and spoke network, we need to click on "Deployment".  And then click on " Deploy configuration " And then after we deploy it, it should look like this :-

First we are going to need the following files and apply them  apiVersion : v1 kind : Service metadata :   name : rollouts-demo spec :   ports :   - port : 80     targetPort : http     protocol : TCP     name : http   selector :     app : rollouts-demo And this is the rollout file and notice the image we are using is ' blue '  apiVersion : argoproj.io/v1alpha1 kind : Rollout metadata :   name : rollouts-demo spec :   replicas : 5   strategy :     canary :       steps :       - setWeight : 20       - pause : {}       - setWeight : 40       - pause : {}       - setWeight : 60       - pause : {}       - setWeight : 80       - pause : {}   revisionHistoryLimit : 2   selector :     matchLabels :       ...

 To setup argocd plugin for kubectl, we need to run the following command on our linux machine curl -LO https://github.com/argoproj/argo-rollouts/releases/latest/download/kubectl-argo-rollouts-linux-amd64 chmod +x ./kubectl-argo-rollouts-linux-amd64 sudo mv ./kubectl-argo-rollouts-linux-amd64 /usr/local/bin/kubectl-argo-rollouts Finally test if it is working  kubectl argo rollouts version

Krew is a plugin manager which allows us to download and use plugins and extend current functionality of kubectl.  To install on bash, run the following command :- ( set -x; cd " $( mktemp -d ) " && OS = " $( uname | tr '[:upper:]' '[:lower:]' ) " && ARCH = " $( uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/' ) " && KREW = "krew- ${ OS } _ ${ ARCH } " && curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/ ${ KREW } .tar.gz" && tar zxvf " ${ KREW } .tar.gz" && ./ " ${ KREW } " install krew ) And remember to add this to your path  export PATH = " ${ KREW_ROOT :- $HOME /.krew } /bin: $PATH " Then run this to update,  kubectl krew update Next run this to list plugins  kubectl krew list 

In AKS we can setup rbac for service acount. Let's create a service account and then  using the following yaml definition to setup it access to list pods.  kubectl create serviceaccount pod-watcher -n dev Next we will create a role that only allows this service account to list and watch pods in dev namespace, Role is reusable.  apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata:   namespace: dev   name: pod-reader-only rules: - apiGroups: [ "" ] # The core API group   resources: [ "pods" ]   verbs: ["get", "list", "watch"] # No "delete", "create", or "update" Here we can see the common apiGroups that you can use and please ensure you do not omit the (s) - plural as will NOT work API Group Common Resources "" (Core) pods , services , nodes , namespaces , configmaps , secrets , persistentvolumeclaims apps deployments , statefulsets , daemonsets , replicasets batch jobs , cronjobs ne...

This is a step by step guide to show how we can federate our workload identity in a kubernetes cluster. First we enable OIDC on our cluster. Next, we create a managed identity in Azure.  Then we will be creating a service account and the federating the managed identity. # 1. Enable OIDC and Workload Identity on your cluster az aks update - g myRG - n myCluster -- enable - oidc - issuer -- enable - workload - identity # 2. Get the OIDC Issuer URL (needed for the trust) AKS_OIDC_ISSUER = $ ( az aks show - n myCluster - g myRG -- query " oidcIssuerProfile.issuerUrl " - otsv ) # 3. Create the Managed Identity in Azure az identity create -- name " my-app-identity " -- resource - group myRG # 4. Create the Kubernetes Service Account (SA) # Note: You MUST annotate it with the Client ID of the Managed Identity CLIENT_ID = $ ( az identity show -- name " my-app-identity " -- resource - group myRG -- query clientId - o tsv ) kubectl create serviceaccount my - app...

This questions might sound hard but it is quite easy to answer. When we enable service endpoint for storage acccount or other resources, we will be using microsoft backbone to route request to the storage account. When this happens, we no longer using a NAT and hence our public IP might not be whitelisted.  In that case, how do you whitelist it? Simple, just use the subnet that your resources resides in. 

Terraform taint will mark a resource to be 'bad' and requires it to be re-created when we run terraform plan or terraform apply. And example of use case would be something like this :- Here we are listing the statefile. From here, we can easily apply taint and untaint our resources.

 We can easily setup our terraform to support different providers. This is useful when we like to setup our resources using different subscription.  modules/storage/main.tf resource "azurerm_storage_account" "old_storage" {   name                     = var . storage_name   resource_group_name       = " mytest-kv-rg "   location                 = " australiaeast "   account_tier             = " Standard "   account_replication_type = " LRS " } variable "storage_name" {   type = string } And then we have this as our main.tf  # The default provider (Implicitly used if no provider is specified) provider "azurerm" {   features {}   subscription_id = "aaaaaaaaaaaaaaaaaaaaa " # Subscription A } # The aliased provider provider "azurerm" {   alias         ...

Ran into this error trying to work with terraform - turn out the simplest solution is just to do "az login" 

  In this example, we will be creating a simple storage account and then testing it with terraform test. Let start off with the following scripts  variable "account_name" { type = string } variable "resource_group_name" { type = string } variable "location" { type = string } variable "environment" { type = string description = "The environment for the deployment." validation { # The condition must return true for the variable to be accepted. condition = contains ([ "dev" , "staging" , "prod" ], var . environment) # This is the message printed to the screen if the condition is false. error_message = "Validation Error: The environment must be 'dev', 'staging', or 'prod'." } } resource "azurerm_storage_account" "this" { name = var . account_name resource_group_name...