Tested demos for 20241113

Author: nicholasdille

120_kubernetes/rbac/service_account_api.runme.md

@@ -81,17 +81,16 @@ Check environment variables for Kubernetes API endpoint
 kubectl exec -it foo-test -- printenv | grep KUBERNETES_ | sort
 ```
 
-Check service account from pod
+Configure and test kubectl
 
 ```sh
-kubectl exec -it foo-test -- sh
-```
-
-And then configure kubectl
-
-```sh
-apk udpate
-apk add kubectl --repository=https://dl-cdn.alpinelinux.org/alpine/edge/testing
-TOKEN="$(cat /run/secrets/kubernetes.io/serviceaccount/token)"
-kubectl --server=https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS} --certificate-authority=/run/secrets/kubernetes.io/serviceaccount/ca.crt --token="${TOKEN}" version
+kubectl exec -i foo-test -- apk update
+kubectl exec -i foo-test -- apk add kubectl --repository=https://dl-cdn.alpinelinux.org/alpine/edge/testing
+clear
+kubectl exec -i foo-test -- sh <<"EOF"
+    kubectl version \
+        --server=https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS} \
+        --certificate-authority=/run/secrets/kubernetes.io/serviceaccount/ca.crt \
+        --token="$(cat /run/secrets/kubernetes.io/serviceaccount/token)"
+EOF
 ```

120_kubernetes/rbac/service_account_automount.runme.md

@@ -17,7 +17,7 @@ kubectl create sa foo
 Create pod with service account
 
 ```sh
-cat <<EOF
+cat <<EOF | kubectl apply -f -
 apiVersion: v1
 kind: Pod
 metadata:
@@ -34,8 +34,8 @@ EOF
 Check automounted service account
 
 ```sh
-kubectl exec -it foo -- mount | grep secrets
-kubectl exec -it foo -- ls -l /run/secrets/kubernetes.io/serviceaccount
+kubectl exec -it foo-automount -- mount | grep secrets
+kubectl exec -it foo-automount -- ls -l /run/secrets/kubernetes.io/serviceaccount
 ```
 
 Create pod without service account
@@ -58,5 +58,5 @@ EOF
 Check for service account
 
 ```sh
-kubectl exec -it foo -- mount | grep secrets
+kubectl exec -it foo-noautomount -- mount | grep secrets
 ```

120_kubernetes/rbac/service_account_avoid_sa.runme.md

@@ -2,7 +2,7 @@
 
 Make sure to prepare your environment according to `prepare.sh`.
 
-Avoid service accounts using env vars
+Avoid service accounts by using env vars
 
 ```sh
 cat <<EOF | kubectl apply -f -
@@ -28,10 +28,11 @@ spec:
         fieldRef:
           fieldPath: metadata.namespace
 EOF
+sleep 5
 kubectl exec -it foo -- printenv | grep MY_
 ```
 
-Avoid service accounts using files
+Avoid service accounts by using files
 
 ```sh
 cat <<EOF | kubectl apply -f -
@@ -58,5 +59,6 @@ spec:
         fieldRef:
           fieldPath: metadata.labels
 EOF
+sleep 5
 kubectl exec -it bar -- cat /etc/podinfo/labels
 ```

120_kubernetes/rbac/service_account_default_sa.runme.md

@@ -34,13 +34,13 @@ spec:
 EOF
 ```
 
-Check pod description
+Check pod description for default service account
 
 ```sh
 kubectl get pod default-test -o yaml
 ```
 
-Check for credentials
+Check pod for credentials
 
 ```sh
 kubectl exec -it default-test -- mount | grep secrets

120_kubernetes/rbac/service_account_pull_secrets.runme.md

@@ -5,13 +5,17 @@ Make sure to prepare your environment according to `prepare.sh`.
 Image pull secrets in service accounts
 
 ```sh
-kubectl create secret docker-registry registry.company.com --docker-server=registry.company.com --docker-username=ssrv_reg_user --docker-password="Secr3t!"
+kubectl create secret docker-registry registry.company.com \
+    --docker-server=registry.company.com \
+    --docker-username=ssrv_reg_user \
+    --docker-password="Secr3t!"
 ```
 
 Add image pull secret to service account
 
 ```sh
-kubectl patch serviceaccount default --patch '{"imagePullSecrets": [{"name": "registry.company.com"}]}'
+kubectl patch serviceaccount default \
+    --patch '{"imagePullSecrets": [{"name": "registry.company.com"}]}'
 ```
 
 Display service account