GitHub/quartz
1
0
Fork 2
mirror of https://github.com/jackyzha0/quartz.git synced 2025-12-24 21:34:06 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity

Automated commit at Fri Apr 5 10:00:00 CEST 2024

Browse Source
This commit is contained in:
Mischa van den Burg 2024-04-05 10:00:00 +02:00
parent d1d2719bd3
commit 3da23fc476
3 changed files with 54 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
content/CKS.md
View File

@ -6,29 +6,27 @@
# Notes
## Containers
[[User Space and Kernel Space]]
[[Containerized applications can do syscalls directly to the Linux Kernel]]
[[Linux Kernel also has namespaces for isolation]]
[[Container Isolation]]
[[Podman and docker commands are exactly the same]]
## Networking
[[Network Policies]]
[[Generating TLS certificate for testing on Kubernetes]]
## Certificates
[[Kubernetes users are simply holders of TLS Certificates]]
- [[Containers]]
- [[User Space and Kernel Space]]
- [[Containerized applications can do syscalls directly to the Linux Kernel]]
- [[Linux Kernel also has namespaces for isolation]]
- [[Container Isolation]]
- [[Podman and docker commands are exactly the same]]
- [[Networking]]
- [[Network Policies]]
- [[Generating TLS certificate for testing on Kubernetes]]
- [[Certificates]]
- [[Kubernetes users are simply holders of TLS Certificates]]
- [[RBAC]]
- [[There are no Deny rules in Kubernetes RBAC]]
- [[ClusterRoles can be applied to one or more namespaces]]
- [[RBAC permissions are additive]]
- [[Users do not live in the cluster as resources]]
- [[Service Accounts]]
- [[ServiceAccounts are only used by non-humans]]
- [[Service Account Tokens & Mounting]]
## Other
[[CKS Tips from Sander]]

9
content/RBAC.md
View File

@ -1,13 +1,4 @@
[[There are no Deny rules in Kubernetes RBAC]]
[[ClusterRoles can be applied to one or more namespaces]]
[[RBAC permissions are additive]]
[[ServiceAccounts are only used by non-humans]]
[[Users do not live in the cluster as resources]]
## Links:

33
content/Service Account Tokens & Mounting.md Normal file
View File

@ -0,0 +1,33 @@
Each Service Account receives a token which is mounted in the pod at
`/var/run/secrets/kubernetes.io/serviceaccount`
You can cat the token and inspect it at [JSON Web Tokens - jwt.io](https://jwt.io/)
The auto mounting can be disabled by configuring either the Service account or the pod as follows:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: build-robot
automountServiceAccountToken: false
```
```yaml
apiVersion: v1
kind: Pod
metadata:
name: my-pod
spec:
serviceAccountName: build-robot
automountServiceAccountToken: false
...
```
## Links:
202404050951