Saturday, November 25, 2023

Podman pitfalls

Fedora docs are your friend

https://docs.fedoraproject.org/en-US/fedora-coreos/


SELinux might be on

If you are getting permission denied errors, watch out for SELinux. Log in to your podman VM and check /etc/selinux/config. As a quick check you can switch to permissive mode and reboot.

Certificate errors

MITM

Some companies choose to, or are required to, inspect their users' traffic. Generally this is done with a transparent proxy that terminates SSL/TLS and re-signs with a self-signed certificate owned by the company, which the company considers trusted. The default podman VM won't trust this certificate. You can try the following:

Copy the PEM file to /etc/pki/ca-trust/source/anchors/ and then update the trust store:
update-ca-trust force-enable && update-ca-trust extract

Time drift

If the podman VM's clock has drifted, this can also break SSL/TLS certificate verification (certificates have a validity window). Just correct the time on your VM.

Allow docker in podman

sudo rpm-ostree install podman-docker

Kubernetes cheat sheet

Just some commands that had value at some time or another.

Debugging

Sometimes debugging is hard because you are using optimized images without troubleshooting tools or even a shell. Ephemeral containers come to the rescue here with some useful kubectl debug commands, but if you need to see the attached volumes these tools fall short, and while it is possible to do it manually it is tedious. Make sure you are aware of kubectl-superdebug:

Resources

All resources in a namespace

Just iterate over the namespaced resource types and list each of them (runs against the namespace of your current context):

for i in $(kubectl api-resources --verbs list --namespaced -o name); do kubectl get --show-kind --ignore-not-found "$i"; done

Which pods still have a persistent volume claim

kubectl get pods --all-namespaces -o=json | jq -c '.items[] | {name: .metadata.name, namespace: .metadata.namespace, claimName: (.spec.volumes[] | select(has("persistentVolumeClaim")).persistentVolumeClaim.claimName)}'
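The same pod-to-claim mapping as an added example (not from the original post), written in Python over the JSON that `kubectl get pods -o json` and `kubectl get pvc -o json` produce. It goes one step further than the jq one-liner: it tolerates pods whose spec has no volumes list (where `.spec.volumes[]` would abort jq) and it also reports claims that no pod references, which is what you usually want to know before deleting storage. The pod and PVC lists below are constructed sample data.

```python
"""Map pods to the PersistentVolumeClaims they mount and find unreferenced claims.

Input shape is the JSON from `kubectl get pods -o json` / `kubectl get pvc -o json`
(assumption: only .metadata and .spec.volumes are used). A constructed sample is
embedded so the script runs offline; in practice load the two files with json.load.
"""
import json

# Constructed sample: one pod with a PVC plus a configMap, one pod with no volumes
# key at all (kubectl omits it), one pod in another namespace with its own PVC.
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "web-0", "namespace": "prod"},
     "spec": {"volumes": [
         {"name": "data", "persistentVolumeClaim": {"claimName": "web-data"}},
         {"name": "cfg", "configMap": {"name": "web-cfg"}}]}},
    {"metadata": {"name": "worker", "namespace": "prod"}, "spec": {}},
    {"metadata": {"name": "db-0", "namespace": "staging"},
     "spec": {"volumes": [
         {"name": "pg", "persistentVolumeClaim": {"claimName": "pg-data"}}]}},
]}
# Constructed sample: the claim "old-backup" is not mounted by any pod.
SAMPLE_PVCS = {"items": [
    {"metadata": {"name": "web-data", "namespace": "prod"}},
    {"metadata": {"name": "pg-data", "namespace": "staging"}},
    {"metadata": {"name": "old-backup", "namespace": "prod"}},
]}


def pod_claims(pod_list):
    """Return [(namespace, pod, claimName), ...] for every PVC-backed volume."""
    found = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        # `or []` covers both a missing "volumes" key and an explicit null.
        for vol in pod.get("spec", {}).get("volumes") or []:
            pvc = vol.get("persistentVolumeClaim")
            if pvc:
                found.append((meta["namespace"], meta["name"], pvc["claimName"]))
    return found


def unreferenced_claims(pod_list, pvc_list):
    """Return sorted [(namespace, claimName), ...] for PVCs no pod mounts."""
    used = {(ns, claim) for ns, _, claim in pod_claims(pod_list)}
    return sorted((c["metadata"]["namespace"], c["metadata"]["name"])
                  for c in pvc_list.get("items", [])
                  if (c["metadata"]["namespace"], c["metadata"]["name"]) not in used)


if __name__ == "__main__":
    for ns, pod, claim in pod_claims(SAMPLE_PODS):
        print(json.dumps({"namespace": ns, "name": pod, "claimName": claim}))
    for ns, claim in unreferenced_claims(SAMPLE_PODS, SAMPLE_PVCS):
        print(f"unreferenced: {ns}/{claim}")
```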

Networking

Jump portals

To do this you need to be able to exec into a pod, and socat must be available on that pod. When that is the case you can tunnel via the pod towards a target.

On the pod, set up a listener that forwards to the remote endpoint; then, from your machine, forward a local port to that listener (the port-forward's remote side must be the port socat listens on):

socat tcp-l:<pod-port>,fork,reuseaddr tcp:<target-host>:<target-port>
kubectl port-forward pod/<jump-pod> <local-port>:<pod-port>

Resources:
- socat command list: https://exploit-notes.hdks.org/exploit/network/port-forwarding/port-forwarding-with-socat/
- k8s port-forward docs: https://kubernetes.io/docs/tasks/access-application-cluster/port-forward-access-application-cluster/