Binding GCP Accounts to GKE Service Accounts with Terraform

Kubernetes uses Service Accounts to control who can access what within the cluster, but once a request leaves the cluster it is made with a default account. In GKE this is normally the default Compute Engine service account, which has extremely broad access and could result in a lot of damage if your cluster is compromised.

In this article, I will be setting up a GKE cluster using a minimal access service account and enabling Workload Identity.
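To show the in-cluster half of what the article describes, here is an added example (not code from the article or from any project) of a Kubernetes ServiceAccount mapped to a Google service account via Workload Identity, and a Deployment that uses it so its outbound GCP calls no longer inherit the node's Compute Engine identity. The project id, Google service account name, namespace and image are placeholders; the Terraform side (the minimal-access Google service account, its roles/iam.workloadIdentityUser binding, and Workload Identity on the cluster) is assumed to exist.

```yaml
# Added example: in-cluster side of Workload Identity.
# Placeholders: PROJECT_ID, least-priv-app@..., namespace "app", image.
apiVersion: v1
kind: Namespace
metadata:
  name: app
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-ksa
  namespace: app
  annotations:
    # Maps this Kubernetes service account (KSA) to a Google service
    # account (GSA). The GSA must grant roles/iam.workloadIdentityUser to
    # the member serviceAccount:PROJECT_ID.svc.id.goog[app/app-ksa],
    # otherwise token requests for this KSA fail.
    iam.gke.io/gcp-service-account: least-priv-app@PROJECT_ID.iam.gserviceaccount.com
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      # Pods that omit serviceAccountName run as the namespace's "default"
      # KSA, which has no GSA mapping; set it explicitly so the workload
      # gets exactly the least-privilege GSA and nothing more.
      serviceAccountName: app-ksa
      # The app does not call the Kubernetes API, so do not mount a
      # cluster token into the container at all.
      automountServiceAccountToken: false
      containers:
        - name: app
          image: gcr.io/PROJECT_ID/app:latest   # placeholder image
```

Inside the pod, any Google client library picks up the mapped GSA from the GKE metadata server automatically; the check is that `gcloud auth list` (or an API call) run from the container reports least-priv-app rather than the Compute Engine default account.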

GitLab’s Default Branch Name

GitLab is now implementing a change to make the default branch “main” instead of “master”, following GitHub and Atlassian in ditching the “master/slave” namings due to their negative history.

It should be noted that this change makes little difference to the functionality these sites provide, or to git repositories in general. Also, the default branch can be overridden.

When creating a blank initial repo in GitLab or GitHub (i.e. without a README.md file), the sites will prompt you to push code in using instructions such as this (GitLab haven’t yet implemented the master –> main change, so their instructions still show master):

git clone git@gitlab.com:username/example.git
cd example
touch README.md
git add README.md
git commit -m "add README"
git push -u origin master

But there’s nothing to stop you from doing something like

git push -u origin trunk

instead of master at the time of pushing.

trunk is also one of the three folders used in Subversion Version Control as part of the recommended layout (trunk, tags, branches) — yes, I did use svn previously, along with Mercurial, Visual SourceSafe, and even cvs.

trunk is also a more logical sounding main branch as you have branches that lead into the trunk of a repo. And the leaves could be considered to be the tags.

While it is great that the big name hosting platforms are migrating away from the master branch idea, it should be noted that you didn’t have to have this default branch name originally, nor were you (or are you still) tied to using their choice of main branch name.

Heater Repairs

We got the replacement heater installed today, mostly fine. The heat of the water is now very high, since the plumber had to replace the piping near the heater, and he had to mount a plank of wood on the wall to provide additional support for the heater, as the bracket where the heater will be mounted would be too high.

This heater requires electricity, unlike the previous one, meaning that without power we won’t have hot water.

The plumber had to add cement around the exit flue of the heater and a few hours later I could see a crack in the cement, probably from it contracting and cracking while drying.

The plumber also had to remove an entire cupboard from the kitchen where the heater is and we’ll have to remount that some other time.

Revolut: A warning to Android users

It seems like Revolut’s latest Android update (6th November) has shafted some users, including me, rendering them unable to receive the update, and making the app disappear entirely from the Play Store for those users. No notification, no warning. Just a sudden stop to updates. I had to restore from a backup I made of the app, and was then able to transfer my money out of there.

I spoke to support, and their suggestion? Use a newer device.

I guess I will be closing my Revolut account.

Training in Quarantine – Day 192

A busy Saturday with several house viewings. One of which got cancelled due to a resident having to self-isolate due to covid.

One of the viewings today was originally written off by my folks as a “no-hope” but once they viewed inside, their tone dramatically changed.

A literal case of not judging a book by its cover.

In other news, I saw a tweet from https://twitter.com/VictoriaBID:

Now I work on top of Victoria Station, so I walk past the memorial plaque dedicated to the Unknown Soldier every day I commute to the office. Obviously not so much this year due to covid.

The Military Wives Choir did the song for Abide With Me using the now-common feature of a virtual choir:

The virtual choir idea has been used a lot this year due to social distancing, but let’s not forget, the idea dates back way further, even as far back as 2009 with Eric Whitacre’s Virtual Choir project (https://www.youtube.com/user/EricWhitacresVrtlChr), which also made it into several TED talks.

From 2010:

2011:

And 2013:

Training in Quarantine – Day 191 and other updates

My last logged walk was 23rd October. I’ve been slacking off logging runs since then, so this is my first logged run since that date, even though I have been doing near-daily runs. I’m skipping through to Day 191 since I’ve done 10 days of walks since then.

I’ve also got a few other updates.

My house purchase fell through a while ago so I have been actively house hunting a lot and my past few Saturdays have been spent house viewing. Viewing during the day is tricky unless I take time off to house hunt.

Dealing with different Estate Agents is a pain, with some not even bothering to give you the time of day, let alone

I also upgraded my phone to Android 10 LineageOS and I’ve been having quite a few issues with internet speed and stability. I’m seriously considering forcing a downgrade back to Android 9. In the meantime, I might switch from Adoptable Storage back to portable storage to see if that helps with stability.

Oh, and it’s frickin’ COLD.

CKAD

It’s taken me nearly a year, but I finally figured out one of the questions that stumped me in my CKAD (writeup: https://blenderfox.com/2019/12/01/ckad-writeup/).

In the exam, the question was to terminate a CronJob if it runs for longer than 17 seconds. There’s a startup deadline but not a duration deadline. It could be implemented within the command of the application itself, or by specifying that any previously running instance of the job should be replaced.

Well, I finally had that situation recently at work and wanted to terminate a cronjob if it was active more than 5 minutes, since the job shouldn’t take that long. Finally found out that the answer was not in the CronJob documentation, but in the Job documentation.

CronJobs spawn a Job resource, and within the Job specification you can include spec.activeDeadlineSeconds. Once the Job has been active for that many seconds, Kubernetes terminates the job pod and marks the Job as failed.
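As an added example (not from the original post), here is a CronJob manifest that applies the 5 minute limit from the work case; the exam variant would use 17 instead of 300. The schedule, name and busybox workload are constructed for illustration. It also shows where the start-up deadline the post mentions lives, since the two deadlines sit at different levels of the manifest.

```yaml
# Added example: kill a CronJob's Job if it is active for more than 5 minutes.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: nightly-report          # constructed name
spec:
  schedule: "*/10 * * * *"      # constructed schedule
  # Do not start a new run while the previous one is still active.
  concurrencyPolicy: Forbid
  # CronJob-level deadline: how late a *start* may be before the run is
  # skipped. This bounds scheduling delay, not how long the job runs.
  startingDeadlineSeconds: 60
  jobTemplate:
    spec:
      # Job-level deadline: counted from when the Job becomes active and
      # shared across all retries. When it elapses the Job controller
      # terminates the Job's pods and marks the Job Failed with reason
      # DeadlineExceeded; it takes precedence over backoffLimit.
      # (pod.spec.activeDeadlineSeconds also exists, but it is per pod:
      # a retried pod gets a fresh budget, so it is not the field wanted here.)
      activeDeadlineSeconds: 300
      backoffLimit: 2
      template:
        spec:
          restartPolicy: Never
          containers:
            - name: report
              image: busybox:1.36   # constructed workload that overruns
              command: ["sh", "-c", "echo generating report; sleep 3600"]
```

After `kubectl apply -f` and one scheduled run, `kubectl get jobs` shows the Job reaching Failed after about five minutes, and `kubectl describe job <name>` shows the DeadlineExceeded condition rather than a retry.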

Training in Quarantine – Day 179

Late out today — my phone wanted to upgrade so I attempted it (it was an upgrade from Android 9 to Android 10), and it didn’t work, and I ended up having to factory reset and install from scratch. I did have some Titanium Backup backups, but they didn’t seem to work a lot of the time :/

So for the most part, I just reinstalled all the apps I remember using and logged in. For most, that was fine. But I lost the MFA codes on Google Authenticator, meaning I had to remove and setup:

  • AWS
  • LastPass
  • WordPress
  • GitLab

all over again.

AWS was quick and painless after a security check to confirm I was who I said I was and they called me on the number on the account.

WordPress was painless too — I was already logged in, so just removed MFA and set it up again, then logged in again. Similarly with LastPass.

GitLab however, is proving to be more of a pain. They no longer accept MFA removal requests for people on the Free plan. So I wonder if they will accept me going to a subscription model so I _can_ then request the MFA removal. I think it is better anyway, since I’m hitting the 400 minute CI limit pretty regularly. The 2000 minute CI limit would be better. At least until I can get my own GitLab install working.

As for the run, yes, it was a run — well, more of a jog, anyway. Still did the 3km lap, doing it in 20 mins rather than the 30 mins it normally takes me when I walk it.
