SweetOps #kubernetes for November, 2022

Archive: https://archive.sweetops.com/kubernetes/

2022-11-02

Mallikarjuna M

Hi Team, can someone help me with creating a service account in Kubernetes with a test namespace and access the resources based on service account kubeconfig file.

2022-11-03

Adnan

08:06:35 AM

How to construct a trust policy for allowing role assumption from multiple / all clusters in one account?

This is the docs example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:default:my-service-account",
                    "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}

This is coupled to one particular OIDC provider i.e. one cluster.

I there are a way to make it cluster independent?

2022-11-07

2022-11-08

Nenad Strainovic

08:13:18 PM

Hi everyone, I’m trying to create K8s secret for Service Account (1.24+), with kubectl but I’m getting the following error: error: failed to create secret Secret "admin2" is invalid: metadata.annotations[[kubernetes.io/service-account.name](http://kubernetes.io/service-account.name)]: Required value This is commanand: kubectl create secret generic admin2 --type='[kubernetes.io/service-account-token](http://kubernetes.io/service-account-token)' Do you have any idea where to look? I didn’t find a way how to set annotations from the kubectl beside kubectl annotate which can be used on already created objects.

kubectl version 1.25.3 k8s version 1.24.7

Thanks!

James

03:41:38 AM

Hey Guys - I’m walking to the learning path of K8s and there’s one thing I need to understand.

In your own experience/idea, what is the use case of running multiple schedulers in the real-world?

2022-11-15

2022-11-19

Jim Park

06:08:58 AM

Not sure who might want this in the future, but here’s something I put together to export a kubernetes namespace to disk.

2022-11-29

Talal Ashraf

03:29:09 PM

Hey Folks. Wondering if people using EKS have tried using Karpenter ? Can I simply replace the autoscaler with this ? The autoscaler unfortunately doesn’t consider volume node affinities

Erik Osterman (Cloud Posse)

05:43:03 PM

(re: affinities, we use EFS for this reason; not suitable for all workloads, but suitable for quite a lot)

Hao Wang

02:49:25 PM

I used Karpenter, much faster than HPA didn’t use volume affinity, it should support

Erik Osterman (Cloud Posse)

08:38:31 PM

https://www.reddit.com/r/kubernetes/comments/ziao4d/karpenter_consolidation_and_eks_node_viewer/

Karpenter consolidation and EKS node viewer attachment image

Posted in r/kubernetes by u/xrothgarx • 182 points and 44 comments

Erik Osterman (Cloud Posse)

08:38:56 PM

Karpenter is rad, but I wouldn’t say it’s just as easy as replacing the autoscaler if you want to do it in a production configuration.

Erik Osterman (Cloud Posse)

08:39:14 PM

You’ll still need compute capacity to run karpenter itself

Erik Osterman (Cloud Posse)

08:39:41 PM

We provision fargate profiles to run operators, then run karpenter on fargate, which manages the rest of the cluster.

Talal Ashraf

09:27:43 PM

EFS will become cost inhibitive for us. off the top of your head what are some consideration when swapping out autoscaler ?