TIL: How to create a cluster-admin service account in Kubernetes

Depending on how you deployed a Kubernetes cluster, you may or may not have a service account with cluster-admin rights. These steps will create one. (Note: this is not necessarily what you should do in a production deployment.)

Create the service account

kubectl create serviceaccount myroot

output

serviceaccount "myroot" created

Create the role binding

kubectl create clusterrolebinding myroot-cluster-admin --clusterrole=cluster-admin --serviceaccount=default:myroot

output

clusterrolebinding "myroot-cluster-admin" created

Describe the service account to find the name of its token secret

kubectl describe serviceaccount myroot

output

Name:                myroot
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   myroot-token-dzqvn
Tokens:              myroot-token-dzqvn
Events:              <none>

Get the token secret

kubectl describe secret myroot-token-dzqvn

output

Name:         myroot-token-dzqvn
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=myroot
              kubernetes.io/service-account.uid=37bd952c-1b8e-11e8-9faa-005056bf340f

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      <TOKEN>

TIL: Using pipenv

Pipenv is a great new way to manage virtual environments without needing to use pip and virtualenv separately.

To start a new pipenv in the current directory (using python 3.x):

pipenv --three

To install packages within the new virtual environment:

pipenv install <package>

To activate the virtual environment:

pipenv shell

TIL: Using ssh-copy-id to install public keys on hosts

For years I have been manually adding my SSH public keys to the ~/.ssh/authorized_keys file (like an animal) on systems that I SSH into. It turns out that there’s an automated way to do this - ssh-copy-id.

In the simplest case, just running:

ssh-copy-id <host>

will install either the newest public key in your ~/.ssh/ directory or (if you are using the ssh-agent) it will install all of the keys returned by ssh-add -L.

So, if you want to be picky about which key(s) get installed you can either touch the public key file you want to use, or only have in ssh-agent the key(s) you want to install - e.g.:

# Delete any existing keys in the ssh-agent
ssh-add -D

# Add the key we want to use to the ssh-agent
ssh-add ~/.ssh/id_ed25519

# Copy the public keys to the remote host
ssh-copy-id <host>

(A pleasant side effect of using this is that I should never need to type the American spelling of “authorised” again)

TIL: Python Literal String Interpolation with F-strings

There are many ways to format strings in Python but as of version 3.6, f-strings offer a very simple and clean method for interpolating string literals:

>>> pi=3.14159
>>> print(f'pi is {pi}')
pi is 3.14159

Just as with str.format(), format specifiers may be used. For example:

>>> print(f'pi is {pi:.2f}')
pi is 3.14

Expressions between braces are evaluated too:

>>> print(f'pi squared is {pi ** 2}')
pi squared is 9.869587728099999

For more information and examples, see PEP 498.

TIL: Use SSH ProxyJump

An easy (and much nicer than using ProxyCommand and/or ForwardAgent) way to “proxy” or “jump” through a bastion host to a private host. In ~/.ssh/config:

Host private_host
  ProxyJump bastion_host

Or on the command line:

ssh -J bastion_host private_host