Friday, February 7, 2025

Search by action all AWS IAM Policies in your account

Find all policies that contain a specific action(grep by string)

AWS Iam manage access to AWS cloud trough different entities that narrow down to policies that have actions.

One such situation be the following, you want to find all policies that contain the action ec2:CreateVolume under your AWS account.

To find all policies that contain ec2:CreateVolume using the Web Ui can be time consuming and error prone when you need to search multiple policies, especially if you have inline and managed (AWS or customer).

So cli to the rescue !

Examples

To search trough use aws iam and get-account-authorization-details.

All policies

To note this output will not include inline policies.

In the case of ec2:CreateVolume this should do

aws iam \
    get-account-authorization-details \
    --query 'Policies[?contains(PolicyVersionList[].Document[].Statement[].Action[], `ec2:CreateVolume`)].{Arn:Arn, Path:Path}'

If any policy contains the action ec2:CreateVolume will show something like


[
    {
        "Arn": "arn:aws:iam::000000000000:policy/path/subPath/NameOfPolicy",
        "Path": "/path/subPath/"
    },
    {
        "Arn": "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
        "Path": "/"
    },
    {
        "Arn": "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",
        "Path": "/service-role/"
    }
]

So the first entry is a customer managed policy, the account id is zeroed in this example but will show the actual account id, the path and subPath are namespaces as where the policy was written.

The second and third don’t have an account id and the name starts with Amazon, these are managed by AWS.

All groups with inline policies

aws iam \
    get-account-authorization-details \
    --query 'GroupDetailList[?GroupPolicyList[].PolicyDocument[].Statement[].Action!=null && contains(GroupPolicyList[].PolicyDocument[].Statement[].Action[], `ec2:CreateVolume`)].{GroupArn:Arn, PolicyName:GroupPolicyList[].PolicyName}'

All users with inline policies

aws iam \
    get-account-authorization-details \
    --query 'UserDetailList[?UserPolicyList[].PolicyDocument[].Statement[].Action!=null && contains(UserPolicyList[].PolicyDocument[].Statement[].Action[], `ec2:CreateVolume`)].{UserArn:Arn, PolicyName:UserPolicyList[].PolicyName}[]'

All roles with inline policies

aws iam \
    get-account-authorization-details \
    --query 'RoleDetailList[?RolePolicyList[].PolicyDocument[].Statement[].Action!=null && contains(RolePolicyList[].PolicyDocument[].Statement[].Action[], `ec2:CreateVolume`)].{RoleArn:Arn, PolicyName:RolePolicyList[].PolicyName}'
Posted by at 5:35 PM 0 comments
Labels: ,

Wednesday, January 22, 2025

Change storage class in a running StateFull Set (sts)

Change the storage class of a running STS in k8s

K8s doesn’t allow to change the StorageClass for an active StateFull Set.

However there are times when this is needed.

This article explains how to change the storage class for a running sts.

For this will use

  • sts workload
  • sc (currently in use) default
  • sc (we want to change to) premium

As environment I’m using Azure Kubernetes Service (AKS)

Storage classes

Default storage class using Standard SDD with ZRS (zonal replication).

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
    kubernetes.io/cluster-service: "true"
  name: default
parameters:
  skuname: StandardSSD_ZRS
provisioner: disk.csi.azure.com
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true

Premium storage class using Premium SSD

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
    kubernetes.io/cluster-service: "true"
  name: managed-csi-premium
parameters:
  skuname: Premium_ZRS
provisioner: disk.csi.azure.com
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true

The two classes above are created by AKS, in case more control over the IOPS is needed a custom class will do

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
   name: premium2-disk-sc
parameters:
# fine tune
   cachingMode: None
   skuName: PremiumV2_LRS
   DiskIOPSReadWrite: "4000"
   DiskMBpsReadWrite: "1000"
provisioner: disk.csi.azure.com
reclaimPolicy: Delete
volumeBindingMode: Immediate  # note - creates a volume when a PVC is present.
allowVolumeExpansion: true

Current state

Manifests

Deployment of two nginx pods with default storage class under the namespace sts-change-sc.

---
apiVersion: v1
kind: Namespace
metadata:
  name: sts-change-sc
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
  labels:
    app: nginx
  namespace: sts-change-sc
spec:
  ports:
  - port: 80
    name: web
  clusterIP: None
  selector:
    app: nginx
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
  namespace: sts-change-sc
spec:
  selector:
    matchLabels:
      app: nginx # has to match .spec.template.metadata.labels
  serviceName: "nginx"
  replicas: 2 # by default is 1
  minReadySeconds: 10 # by default is 0
  template:
    metadata:
      labels:
        app: nginx # has to match .spec.selector.matchLabels
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: nginx
        image: registry.k8s.io/nginx-slim:0.24
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      accessModes: [ "ReadWriteOnce" ]
# initial storage class
      storageClassName: "default"  # technically not needed specified for this demo.
      resources:
        requests:
          storage: 1Gi
$ kubectl get pv -n sts-change-sc| grep web
pvc-87813cdf-2f48-4e4e-b121-8ba2bfa04aca  1Gi RWO  Delete Bound  sts-change-sc/www-web-0  default  <unset>  28m
pvc-ad285352-93bc-422c-be14-3628482fa9ba  1Gi RWO  Delete Bound  sts-change-sc/www-web-1  default  <unset>  119s

PVC

$ kubectl get pvc -n sts-change-sc| grep web
www-web-0  Bound  pvc-87813cdf-2f48-4e4e-b121-8ba2bfa04aca  1Gi  RWO  default  <unset>  29m
www-web-1  Bound  pvc-ad285352-93bc-422c-be14-3628482fa9ba  1Gi  RWO  default  <unset>  2m8s

STS

$ kubectl get sts -n sts-change-sc
NAME   READY   AGE
web    2/2     6m4s

SC used by STS

$ kubectl get sts -n sts-change-sc -o json | jq .items[].spec.volumeClaimTemplates[].spec.storageClassName
"default"

Change storage class used by sts

Changing from default to managed-csi-premium.

Manifests

---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
  namespace: sts-change-sc
spec:
  selector:
    matchLabels:
      app: nginx # has to match .spec.template.metadata.labels
  serviceName: "nginx"
  replicas: 3 # by default is 1
  minReadySeconds: 10 # by default is 0
  template:
    metadata:
      labels:
        app: nginx # has to match .spec.selector.matchLabels
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: nginx
        image: registry.k8s.io/nginx-slim:0.24
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      accessModes: [ "ReadWriteOnce" ]
# changed storage class
      storageClassName: "managed-csi-premium"
      resources:
        requests:
          storage: 1Gi

Try to apply the updated sts

$ kubectl apply -f changed.yaml -n sts-change-sc
The StatefulSet "web" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'ordinals', 'template', 'updateStrategy', 'persistentVolumeClaimRetentionPolicy' and 'minReadySeconds' are forbidden

Since that didn’t work we need to do the following

  1. Delete the sts with the --cascade=orphan option.
  2. Apply the sts manifest with the changed storage class "managed-csi-premium".
  3. Delete one by one each pod from sts and its pvc (cascade delete its referrenced pv).

Applying this looks like

Step 1

$ kubectl delete sts/web --cascade=orphan -n sts-change-sc
statefulset.apps "web" deleted

At this point the pods are still running but the sts is gone. Let’s see the pods.

$ kubectl get pods -n sts-change-sc
NAME    READY   STATUS    RESTARTS   AGE
web-0   1/1     Running   0          24m
web-1   1/1     Running   0          24m

Step 2

Apply the changed manifest.

$ kubectl apply -f changed.yaml -n sts-change-sc
statefulset.apps/web created

Since the initial pods are still running no new pods are created by the updated sts.

$ kubectl get pods -n sts-change-sc
NAME    READY   STATUS    RESTARTS   AGE
web-0   1/1     Running   0          28m
web-1   1/1     Running   0          28m

Step 3

Replacing one by one each pod, starting with web-0.

First you need its pvc so it can be deleted.

$ kubectl get pvc -n sts-change-sc| grep web-0
www-web-0   Bound    pvc-87813cdf-2f48-4e4e-b121-8ba2bfa04aca   1Gi        RWO            default        <unset>                 56m

As you can see its status is Bound so it will not be deleted unless the pod is deleted.

$ kubectl delete pvc/www-web-0 -n sts-change-sc
persistentvolumeclaim "www-web-0" deleted

$ kubectl get pvc -n sts-change-sc
NAME        STATUS        VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
www-web-0   Terminating   pvc-87813cdf-2f48-4e4e-b121-8ba2bfa04aca   1Gi        RWO            default        <unset>                 63m
www-web-1   Bound         pvc-ad285352-93bc-422c-be14-3628482fa9ba   1Gi        RWO            default        <unset>                 36m

In the case that a finalizer is attached to the pvc, this case has one, you can see it with

k describe pvc/www-web-0 -n sts-change-sc |grep Finalizers
Finalizers:    [kubernetes.io/pvc-protection]

So you need to delete the pod, as k8s is protecting the pvc deletion kubectl delete pvc/www-web-0 -n sts-change-sc and the command never returns.

So will delete the pod as well.

$ kubectl delete pod/web-0 -n sts-change-sc
pod "web-0" deleted

At this point the initial delete of the pvc is finished and since the pod web-0 is under the control of the updated sts it will be recreated with the updated storage class.

List the pods

$ kubectl get pods -n sts-change-sc
NAME    READY   STATUS    RESTARTS   AGE
web-0   1/1     Running   0          88s  ### NEW
web-1   1/1     Running   0          47m

The newly created pod also created a new pvc and volumes under the new storage class.

$ kubectl get pvc -n sts-change-sc| grep web-0
www-web-0  Bound  pvc-40de012d-98d9-4f76-810f-7bcfb2970b37  1Gi RWO managed-csi-premium  <unset>  2m15s

Continue with the pod rotation until all pods are using the updated storage class.

NOTE if you don’t delete the pvc and skip to just the pod delete this will not work for example

$ kubectl delete pod/web-1 -n sts-change-sc
pod "web-1" deleted

$ kubectl get pvc -n sts-change-sc| grep web-1
www-web-1   Bound    pvc-ad285352-93bc-422c-be14-3628482fa9ba   1Gi        RWO            default               <unset>                 55m

So the initial class default is still there.

Final state

Looking again at resources

$ kubectl get pvc -n sts-change-sc
NAME        STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS          VOLUMEATTRIBUTESCLASS   AGE
www-web-0   Bound    pvc-40de012d-98d9-4f76-810f-7bcfb2970b37   1Gi        RWO            managed-csi-premium   <unset>                 27m
www-web-1   Bound    pvc-21600a0f-85ff-4d06-9a60-9958a45177ff   1Gi        RWO            managed-csi-premium   <unset>                 9s

Sts storage class

$ kubectl get sts -n sts-change-sc -o json | jq .items[].spec.volumeClaimTemplates[].spec.storageClassName
"managed-csi-premium"

Final notes

I’ve been using the images provided by registry.k8s.io which is the official registry used by k8s these days.

To note that is no public web interface that you can use to list images and their tags but you can use

curl -sL "https://registry.k8s.io/v2/tags/list" | jq .

ps: an useful tool to further inspect images is gcrane

In the case where the finalizer is causing any issues it can be changed kubectl patch pvc my-pvc -p '{"metadata":{"finalizers":null}}' before deletion this will have the effect that when deleting a pvc the command will return immediatly.

Posted by at 10:58 AM 0 comments
Labels: , ,

Tuesday, October 29, 2024

Golang clean package cache

Cleaning golang (cache)packages on your system

The usual flow is to install packages on your system with the simple command go install url/package@version, for example to install godoc you will run go install golang.org/x/tools/cmd/godoc@latest.

This works well untill you kind of run of disk space …

So how to clean up your disk space ?

First you need to know where the packages are downloaded that is under your $GOMODCACHE this you can find by running

go env and is usually under $HOME/go/pkg/mod.

On my system this looks like this before clean up.

$ cd $HOME/go/pkg/mod
# list size
$ du -sh .
9.6G  # space used

To clean up

# clean the cache
$ go clean -modcache
$ cd $HOME/go/pkg/mod
# list size
$ du -sh .
4.0K

That’s it.

Posted by at 4:00 PM 0 comments

Friday, April 12, 2024

Databricks AWS private link with conditional DNS forwarder

Databricks allows workspace to be accessible via a private ip so not publicly available.
This is useful in some cases where you want to restrict users to used it only if are connected to a VPN or equivalent.
These are the steps to achive this goal
  1. Create a custom VPC in AWS
  2. Connect the VPC to your infrastructure (VPN/Direct Connect)
  3. Create VPC Endpoint for frontend and backend
  4. Register private link in the databricks account and associate it to your workspace
  5. Change access mode to Private from Public in the Private Access Settings
  6. Create a private zone in Route53
  7. Create an inbound resolver in Route53
  8. Add an A entry in the zone that points to the address of the VPC Endpoint (step3)
  9. Add a forwarder in your Private DNS to point to the inbound resolver (step 7) ip address(es)
For more details Databricks documentation explains in more details docs.databricks.com (search for private link). Once all is in place the flow is 
+---------+                               +-------------+                                            +-----------+ +-------------------------+                                         +-------------+
| Client  |                               | PrivateDns  |                                            | PublicDns | | Route53InboundResolver  |                                         | Route53Zone |
+---------+                               +-------------+                                            +-----------+ +-------------------------+                                         +-------------+
     |                                           |                                                         |                    |                                                             |
     | my-workspace.cloud.databricks.com         |                                                         |                    |                                                             |
     |------------------------------------------>|                                                         |                    |                                                             |
     |                                           |                                                         |                    |                                                             |
     |                                           | my-workspace.cloud.databricks.com                       |                    |                                                             |
     |                                           |-------------------------------------------------------->|                    |                                                             |
     |                                           |                                                         |                    |                                                             |
     |                                           |       CNAME nvirginia.privatelink.cloud.databricks.com. |                    |                                                             |
     |                                           |<--------------------------------------------------------|                    |                                                             |
     |                                           |                                                         |                    |                                                             |
     |                                           | nvirginia.privatelink.cloud.databricks.com ?            |                    |                                                             |
     |                                           |----------------------------------------------------------------------------->|                                                             |
     |                                           |                                                         |                    |                                                             |
     |                                           |                                                         |                    | nvirginia.privatelink.cloud.databricks.com ?                |
     |                                           |                                                         |                    |------------------------------------------------------------>|
     |                                           |                                                         |                    |                                                             |
     |                                           |                                                         |                    |                                      Address is 172.16.0.10 |
     |                                           |                                                         |                    |<------------------------------------------------------------|
     |                                           |                                                         |                    |-----------------------------------------------------------\ |
     |                                           |                                                         |                    || nvirginia.privatelink.cloud.databricks.com A 172.16.0.10 |-|
     |                                           |                                                         |                    ||----------------------------------------------------------| |
     |                                           |                                                         |                    |                                                             |
     |                                           |                                                Answer address is 172.16.0.10 |                                                             |
     |                                           |<-----------------------------------------------------------------------------|                                                             |
     |                                           |                                                         |                    |                                                             |
     |                    Connect to 172.16.0.10 |                                                         |                    |                                                             |
     |<------------------------------------------|                                                         |                    |                                                             |
     |                                           |                                                         |                    |                                                             |
Posted by at 2:25 PM 0 comments
Labels: , ,

Tuesday, October 10, 2023

Remove Windows 10 drivers from command line

Normally you would use System Settings -> Apps & features ... but that didn't work for you so this will explain how to uninstall a driver from command line.
First if you searched and tried to remove the files from a location as C:\windows\system32\driverstore\FileRepository\ you might notice that is not possible since you need SYSTEM access.
To know what driver you want to remove you will need to list them.
Open a command prompt or powershell as Administrator than 
dism /online /get-drivers /format:table > c:\drivers.txt
Open the file c:\drivers.txt and note the Published Name as per 
Version: 10.0.19041.844

Image Version: 10.0.19045.3448

Obtaining list of 3rd party drivers from the driver store...

Driver packages listing:


-------------- | ----------------------------- | ----- | -------------------- | ---------------------------- | ---------- | ----------------
Published Name | Original File Name            | Inbox | Class Name           | Provider Name                | Date       | Version         
-------------- | ----------------------------- | ----- | -------------------- | ---------------------------- | ---------- | ----------------
oem77.inf      | nxdrv.inf                     | No    | Net                  | SonicWall                    | 10/18/2017 | 2.0.6.1
Now to remove the driver take note of its Published Name as above list. 
pnputil.exe /d oem77.inf
That's it.
Other tools that can help are https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns though I found that would work most of the time but in some cases will not be able to remove the driver files but just registry cleanup.
Posted by at 11:19 AM 0 comments
Labels: ,

Thursday, January 19, 2023

Tmux cheetsheet

Attach and detach

$ tmux Start new tmux session
$ tmux attach Attach to tmux session running in the background
Ctrl+B d Detach from tmux session, leaving it running in the background
Ctrl+B & Exit and quit tmux
Ctrl+B ? List all key bindings (press Q to exit help screen)

Window management

Ctrl+B C Create new window If you are running more than one tmux session (more than one
PID), you can switch between the two clients.
Ctrl+B N Move to next window
Ctrl+B P Move to previous window
Ctrl+B L Move to last window
Ctrl+B 0-9 Move to window by index number
Ctrl+B ) Move to next session
Ctrl+B ( Move to previous session
Ctrl+B Ctrl+Z Suspend session

Split window into panes

Ctrl+B % Vertical split (panes side by side)
Ctrl+B " Horizontal split (one pane below the other)
Ctrl+B CTRL+O Interchange pane position
Ctrl+B O Move to other pane
Ctrl+B ! Remove all panes but the current one from the window
Ctrl+B Q Display window index numbers
Ctrl+B Ctrl-Up/Down Resize current pane (due north/south)
Ctrl+B Ctrl-Left/Right Resize current pane (due west/east)

Pane related


join-pane -s 1 -t 0 -p 20  "Join pane source 1 into pane target 0 with 20% usage"
break pane  "remove all other panes like CTRL+B !"

# best to create some key bindings into tmux.conf
# pane movement vertical split
bind-key j command-prompt -p "join pane from:"  "join-pane -h -s '%%'"
bind-key s command-prompt -p "send pane to:"  "join-pane -h -t '%%'"

# pane movement
bind-key J command-prompt -p "join pane from:"  "join-pane -s '%%'"
bind-key S command-prompt -p "send pane to:"  "join-pane -t '%%'"

# move panes around
Ctrl+B <space>

Copy/Paste

CTRL+B [ enter copy mode (user arrows or CTRL+F CTRL+B CTRL+B to move)
SHIFT+v to start select
Movement keys to select
ENTER to copy

CTRL+B ] to paste

q to exit from copy mode

Misc

CTRL+B ? List all bindings
For more details - https://github.com/tmux/tmux/blob/master/key-bindings.c#L345

For all commands see into https://github.com/tmux/tmux/blob/master files that begin with cmd-

Posted by at 11:26 AM 0 comments
Labels:

Thursday, October 6, 2022

Online openssl private certificate and key with alternative DNS

Openssl added a nice alternative to the config file or extention to create requests with alternative DNS. This will create a key and certificate (not certificate request) with two additional DNS alt1.example.net and alt2.example.net 

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout mykey.key -out mycer.crt  -subj '/CN=main.example.net' -addext 'subjectAltName=DNS:alt1.example.net,DNS:alt2.example.net'
Posted by at 2:13 PM 0 comments
Labels: , ,
Subscribe to: Posts (Atom)