# OCP TAM Monthly Sharing Meeting Minutes
2025/12/18
* Seasonny
* Deep Dive into OpenShift CPU Manager and Throttling Concepts
* https://docs.google.com/presentation/d/1PEbbIx8Ty550opag_Hllhm-eWz7ZZ5x8zT8izrPKdKI/edit?usp=sharing
* Ref. (by Jacky)
1. https://docs.openshift.com/container-platform/4.14/nodes/clusters/nodes-cluster-overcommit.html#nodes-cluster-overcommit-reserving-memory_nodes-cluster-overcommit
2. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
3. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#how-pods-with-resource-limits-are-run
* OVN-K issue (Jacky)
* 04322303
2025/11/12
### Wing
- Loki stack
- Log collection & forward flow
- https://miro.com/app/board/uXjVJtJXRNY=/?share_link_id=130594426574
- Loki + Grafana Integration Demo
- https://docs.google.com/presentation/d/1ouCmX_lgqRfsTK374B3JKM_Ixo-nfcDJyLSqr3ef4EU/edit?slide=id.g21a6cf6d465_0_0#slide=id.g21a6cf6d465_0_0
- Deployment Scripts: https://drive.google.com/drive/folders/15Bim6n-LkyTtQ3QJUdutfMkfv1D1LCkO?usp=sharing
- LokiTenantRateLimit error + Log Query Enquiries
- https://docs.google.com/presentation/d/1ScwhrGv-AfWp8xFPFqTE2jp78idRV3sAJp4EVedqPvI/edit?usp=sharing
- Loki Migration
- https://docs.google.com/presentation/d/1dAKJcnFC2LzMLKl5DJlLBTc_9XwBeehAILnGJYv4YYo/edit?usp=sharing
- Loki with logcli
- https://docs.google.com/presentation/d/19jkTzpzAxKg76Llv1FnHNmBiLX8Exp3JaWM59L54tbE/edit?usp=sharing
- App Team - OCP4 EFK to Loki migration (Log query tutorial)
- https://docs.google.com/presentation/d/1criheJ8fEkO0qpm27heezQFp334OQrEc4T3Ki9I8nB8/edit?usp=sharing
- Message missing, but header metadata received issue upon Cluster Log Forwarding to external ELK
- Check if the clusterlogforwarder is correctly set to http (not Elasticsearch if through logstash)
- Logstash setting, use input codec plain / json, without filter source raw message
- If using logstash, you may keep using custom index, not restricted to use app-write
- 429 Loki Rate Limit Issue
- Suggested max value:
- ingestionBurstSize: 512
- ingestionRate: 256
- Discussion Thread: https://redhat-internal.slack.com/archives/C01B5F1SDE3/p1756374011884889
- Doc https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/logging/troubleshooting-logging#loki-rate-limit-errors_log-forwarding-troubleshooting
- ETX AI Delivery Workshop Lab Guide
-- https://redhat-ai-services.github.io/etx-serving-at-scale/modules/index.html
-- https://redhat-ai-services.github.io/etx-agentic-ai/modules/index.html
-- https://redhat-ai-services.github.io/etx-llm-optimization-and-inference-leveraging/modules/index.html
- Sharing on AI Delivery Workshop (For HK SA Meeting)
- https://docs.google.com/presentation/d/1qwrWj2dPF4EK2Hzhae2Z9n5lLua1kX8wZu4en2dDxQE/edit?usp=sharing
### Jace
- 3x faster OCP update
https://docs.google.com/presentation/d/1aReej5HrinWBxVTIcng6w8Q55ooiueG5DUD1c0owciw/edit?slide=id.g346088bc6d7_0_0#slide=id.g346088bc6d7_0_0
### KFC
- Resource Evaluation Table
https://docs.google.com/spreadsheets/d/1PXarEY-Mz-HdIWMx-eR5JDO_O5yKETsx/edit?gid=47377224#gid=47377224
- CVE DB Bug - missing 4.15, 4.16
https://access.redhat.com/security/cve/cve-2025-5994
1. Searching for keyword `site:access.redhat.com/errata "OpenShift Container Platform 4.16" CVE-2025-5994`
2. Found [RHSA-2025:13336](https://access.redhat.com/errata/RHSA-2025:13336)
2025/10/08
- Key Considerations for Java App on OpenShift
- https://docs.google.com/presentation/d/1RMv5esQoPNRuIEWx-Q2H-EoOHzMo7jkHGhq9Cwz73bk/edit?slide=id.g38e4c65524d_0_231#slide=id.g38e4c65524d_0_231
- AppDev TAM (OCP TAM Offering RFP)
- https://docs.google.com/presentation/d/101VZyN-JmsrXz_0-445O-UsKrvlrivFMT1AMjYW_fYs/edit?slide=id.p1#slide=id.p1
2025/07/09
### KFC
* CVE patch
https://gitlab.cee.redhat.com/kchang/cve-check
* iscsi disk abnormally detached
https://access.redhat.com/support/cases/#/case/04153244
### Wing
Loki stack max size issue
* https://redhat-internal.slack.com/archives/CB3HXM2QK/p1751422413210789
* https://issues.redhat.com/browse/LOG-5998
* https://access.redhat.com/support/cases/#/case/04135165
* EFK to Loki
* https://notebooklm.google.com/notebook/2a0ea4ad-c86b-4c61-af45-1ed95d02de28
### Seasonny
kubernetes mcp server
* https://github.com/seasonny/kubernetes-mcp-server add tools
* must gather
* create rh support case
* upload attachment to the support case
service mesh demo
* OSSM demo
* https://docs.google.com/presentation/d/1FuDeE24nW2HWqTbTYJh0sE4rovG08QISssTmR0VlIFc/edit
* OSSM Traffic Management
* https://docs.google.com/presentation/d/1Ms9mZUfJd5P_ZXj_qhcNqEDwTtxhpOy8otsJ7Nn8HAQ/edit?slide=id.gc221c7df69_0_876#slide=id.gc221c7df69_0_876
* demo repo
* https://github.com/seasonny/ossm-3-demo
Helen
- https://docs.google.com/presentation/d/1CAZX6t8gsetI_VL4tDMa4ho8gkWRAm4Uz8kUSm1iRgQ/edit?usp=sharing
2025/06/11
1. Technical Account Plan Modularization
https://miro.com/app/board/uXjVM2rHGLI=/
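1.1. Create a card; the card can be a complete Account Plan or any single topic
1.2. Open the card, create a NotebookLM link, and enable sharing
1.3. In the Note block, Execution items can be placed separately per person, e.g. Execution -Seasonny
2. TW/HK TAM-day discussion 2025: call for topics!
Two topics are needed for OCP
One topic for OCP-V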
https://docs.google.com/document/d/1xf8vT2_9cBonMn-G6f5Nof8J89qeFJwsrjabnLrlCdg/edit?tab=t.0
---
Technical Account Plan Modularization
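Let's try doing it this way @@. When you have time, please organize some topics and put them up, and we'll see how well it works.
I wrote a brief introduction; anyone with a meeting conflict today can read it first, and feel free to ask questions at any time.
Modularization
1. Create a card; the card can be a complete Account Plan or any single topic
2. Open the card, create a NotebookLM link, and enable sharing
3. In the Note block, Execution items can be placed separately per person, e.g. Execution -Seasonny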
2025/05/14
[AI TAM discussion from OCP perspective](https://docs.google.com/presentation/d/1TwRxr1cVu3kNfUKeG0j1S2KzzJI_QUI-/edit#slide=id.g3583597ee65_0_57)
## 2025/04/09
[ESG Power monitoring - Kepler](https://docs.google.com/presentation/d/1zCeGE_c3UF4F2xa8yuQkWuaJ44nQtb0YePn7mPnho2g/edit#slide=id.g3401b12bc8e_0_440)
## 2025/03/12
- Technical Supportability Review (TSR)
- https://docs.google.com/presentation/d/1c7RiuZPjlL5PKL5YEaQAbVI-eoaZKa3FROX64cDLoL8/edit#slide=id.g33cd9ce6bd3_0_0
## 2024/10/09
- OCP Router (haproxy) graceful shutdown explanation.
- Set up OpenShift Service Mesh + Distributed Tracing (Tempo) https://hackmd.io/iiLRi0EsQGyz-Ic2pZHz9Q?view
- tcp_keepalive_time
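- tcp_keepalive_time is not in the safe sysctls list. 4.14 previously listed it by mistake, which has since been corrected; it was only added in k8s 1.29+. However, it does not work in 4.16 for now either, because it was left out; see the GitHub issue below for details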
- https://docs.openshift.com/container-platform/4.16/nodes/containers/nodes-containers-sysctls.html
- https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#safe-and-unsafe-sysctls
- https://github.com/openshift/apiserver-library-go/commit/391b4d68b655dc8a4ff90cbca3276baca019b282
- https://issues.redhat.com/browse/LOG-5998
- [OpenShift Wildcard Subdomain testing](https://hackmd.io/eOy75GUAQhqnjc70etXHUg)
- HSTS Trust On First Use
- https://hstspreload.org/
- haproxy X-Forwarded-For adds another X-Forwarded-For header to the HTTP headers instead of appending in the form IP1,IP2,IP3.., which may cause confusion
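
The haproxy behaviour in the X-Forwarded-For note above means a backend can receive several X-Forwarded-For lines in one request. As an added example (not from the meeting notes and not haproxy's own code), this Python code merges repeated lines into one hop chain and picks the client address by walking from the TCP peer leftwards past trusted proxies. The header values, the peer address and the `10.128.0.0/14` trusted range are constructed assumptions.

```python
import ipaddress

# Constructed sample: the request already carried one X-Forwarded-For line,
# and the router added its own as a second line instead of appending to it.
SAMPLE_HEADERS = [
    ("Host", "app.example.test"),
    ("X-Forwarded-For", "198.51.100.9"),
    ("X-Forwarded-For", "203.0.113.7"),
]
SAMPLE_PEER = "10.128.0.5"          # assumed router pod address (TCP peer)
SAMPLE_TRUSTED = ["10.128.0.0/14"]  # assumed range the proxies live in


def naive_first(headers):
    """What a first-match lookup returns: first line, first token."""
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            return value.split(",")[0].strip()
    return None


def xff_chain(headers):
    """Merge every X-Forwarded-For line, in wire order, into one hop list.

    Repeated lines and one comma-separated line yield the same chain.
    """
    chain = []
    for name, value in headers:
        if name.lower() != "x-forwarded-for":
            continue
        chain.extend(t.strip() for t in value.split(",") if t.strip())
    return chain


def client_ip(headers, peer_ip, trusted_nets):
    """Return the nearest hop that is not a trusted proxy, or None.

    Hops are checked right to left, starting at the TCP peer, because only
    entries written by our own proxies can be relied on.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hops = xff_chain(headers) + [peer_ip]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # unparseable entry: nothing further left is reliable
        if not any(addr in net for net in nets):
            return str(addr)
    return hops[0]  # every hop is a trusted proxy; report the outermost one


if __name__ == "__main__":
    print("first-match lookup:", naive_first(SAMPLE_HEADERS))
    print("merged chain      :", xff_chain(SAMPLE_HEADERS))
    print("client address    :",
          client_ip(SAMPLE_HEADERS, SAMPLE_PEER, SAMPLE_TRUSTED))
```

Logging or access-control code that reads only the first X-Forwarded-For line records the value that arrived with the request, not the address the router observed.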
## 2024/09/11
- The allow-from-ingress NetworkPolicy does not work
https://access.redhat.com/solutions/7055050
## 2024/08/14
- OCP 4.12-> 4.14 vsphere CSI migration
https://access.redhat.com/node/7011683
- https://github.com/mJace/PodResourceCalculator - added new information: Deployment / DaemonSet / Node resource information
- rook-ceph-osd-X Pod Stuck in CLBO/init after Node Reboot/OCP Upgrade monclient(hunting) - OpenShift Data Foundation
- https://access.redhat.com/solutions/7067491
- https://stackoverflow.com/questions/66832316/what-is-the-relation-between-container-memory-working-set-bytes-metric-and-oom
- https://mohamedmsaeed.medium.com/memory-working-set-vs-memory-rss-in-kubernetes-which-one-you-should-monitor-8ef77bf0acee
- chaos testing
- https://litmuschaos.io/
## 2024/07/10
* Admission Controller: A Deep Dive
* https://docs.google.com/presentation/d/1TqzQbJogVxK87wHs45BYHSyt-hofQwCfT36A-q_d150/edit#slide=id.g547716335e_0_220
* https://github.com/seasonny/systemd-injection-checker-webhook/blob/main/systemd-injection-checker-webhook.yaml
* OpenShift AI
* https://docs.google.com/presentation/d/1TwRxr1cVu3kNfUKeG0j1S2KzzJI_QUI-/edit#slide=id.p1
* Account Health Check
* https://docs.google.com/spreadsheets/d/1lu4Mr_yt7Q0ln41wlDHv7b8AtE9rpmRySW0pDwkob6U/edit?gid=0#gid=0
Generating an SLO monitoring dashboard - Sloth https://hackmd.io/CDqB117XRFifJzR23mo5MA
## 2024/06/12
* [[202406] OpenShift TAM and Sales Syncup - TW](https://docs.google.com/presentation/d/11S8o-HDo18HQu6dN8j09pRoLDXrgBIIo28jAYJgmfjg/edit#slide=id.g1a7b41b8708_0_2775)
* [Apps Deployment Framework](https://docs.google.com/document/d/1NxExiRZikc9tWTDqDF3z-pnqW7vz3xF0N7mWrvb6seE/edit#heading=h.gjdgxs)
* [OCP-V leveling](https://docs.google.com/presentation/d/1fsr980yqn8GVTOCN9JZmxRT4azM_aUOoZp0IRY2iX-Q/edit#slide=id.g2cf99d5e6c1_0_0)
* [Leveling Customer and Application for OCP-V](https://docs.google.com/presentation/d/1suy0QFWhJcSGjQ9__-b0_OJ9uCAED1PsvZMGJTp952s/edit#slide=id.g13e2f914c57_0_463)
## 2024/05/08
* OpenShift SNO as Local Lab
* https://hackmd.io/uA4QAJiEQOGXTwefrZPs9Q?view
* https://docs.openshift.com/container-platform/4.14/security/security_profiles_operator/spo-overview.html
* https://docs.openshift.com/container-platform/4.14/security/security_profiles_operator/spo-seccomp.html#spo-recording-profiles_spo-seccomp
* Kubescape
* https://hackmd.io/K5aPd53HSzmBNvkt8akCpA?view
## 2024/04/18
* Technical Account Plan
* https://docs.google.com/presentation/d/1HHzPyc0wPu0gsgkQgoZavh6BfLv7lWNv73f4CSVQH1E/edit#slide=id.g2cd14d0b486_0_0
* Trivy Vex
* https://aquasecurity.github.io/trivy/v0.50/docs/supply-chain/vex/
* Vulnerability Exploitability eXchange (VEX) beta files now available
* https://www.redhat.com/en/blog/vulnerability-exploitability-exchange-vex-beta-files-now-available
## 2024/03/13
KFC
* Scaling Application https://docs.google.com/presentation/d/1gXv4AH_-eXqjhuPMs4Lx-kdHKPos3jJuAelLwB5rM7M/edit#slide=id.g13e2f914c57_0_463
* ACM scaling - https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/install/installing#requirements-and-recommendations
Jace
* 
Seasonny
* Event-driven Ansible(EDA) integrate with alert
* https://github.com/openshift/runbooks?tab=readme-ov-file
* https://developers.redhat.com/articles/2024/01/08/openshift-application-monitoring-event-driven-ansible-alertmanager?source=sso#3__test_event_driven_ansible_functionality
## 2024/01/10
Seasonny
* OpenShift CVE crawler https://gitlab.cee.redhat.com/nlin/py-ocp-patch-diff
## 2023/12/13
Jace
* [OpenShift cluster nodes - cross-subnet architecture planning](https://docs.google.com/presentation/d/1Wq61vNSyLKNcNM4hR6NBi-kdY2SLJBYlcY6kjzk2BNY/edit#slide=id.g151ea527b28_0_300)
* [CUB - OpenShift secret encrypt](https://docs.google.com/presentation/d/1VvRwJv8L1_AoD1XC6mQHCT5Hi_a6JFbVnAz6-B4j80k/edit#slide=id.g2a5e8013dad_0_0)
Seasonny
* DevSecOps-MaturityModel (DSOMM)
* [Slides deck](https://docs.google.com/presentation/d/17Hra-EDw97Yk2vuQzrbWVi5E8ACc_XQDXiRQub_WA6Q/edit#slide=id.g547716335e_0_220)
* https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel
```bash=
# Copy configs to local
docker run --rm -v ${PWD}:/tmp wurstbrot/dsomm:3.5.2 /bin/sh -c "cp -rf /usr/share/nginx/html/assets/YAML/generated /usr/share/nginx/html/assets/YAML/meta.yaml /tmp"
```
So, now you have the following assets
```bash=
├── generated
│   ├── README.md
│   └── generated.yaml # security practice list
└── meta.yaml # team topology
```
Configure the team topology in meta.yaml
```yaml=
# An example for meta.yaml
teams: ['A', 'B', 'C']
teamGroups:
  projectA: ['A', 'B']
  projectB: ['B', 'C']
  projectC: ['A', 'C']
```
Please note that the teamsImplemented section in generated.yaml might be changed accordingly, e.g.,
```yaml=
teamsImplemented:
  TeamA: false
  TeamB: false
  TeamC: false
```
Run it in your local (container) environment
```bash=
docker run -d -p 8080:8080 \
-v ${PWD}/generated:/usr/share/nginx/html/assets/YAML/generated \
-v ${PWD}/meta.yaml:/usr/share/nginx/html/assets/YAML/meta.yaml \
--name dsomm wurstbrot/dsomm:3.5.2
# Open it in your default browser (Mac example)
open http://127.0.0.1:8080
```
KFC
[[TBB][20231213] Understand the Vulnerability](https://docs.google.com/presentation/d/1eXMjOzs80XAXf4hZ_uP8YoiK0EFasMOSEDsXU6ZlFd8/edit#slide=id.g26305aa8583_1_8071)
Jace
[Secret Store CSI Driver]
https://docs.google.com/presentation/d/1VvRwJv8L1_AoD1XC6mQHCT5Hi_a6JFbVnAz6-B4j80k/edit#slide=id.g2a5e8013dad_0_0
[OpenShift worker nodes across subnets]
https://source.redhat.com/groups/private/taiwan_team/444/ocp_worker_node_
## 2023/10/11
* etcd tool analyzer
* https://github.com/peterducai/etcd-tools/tree/main
* Baremetal installing issue BMC & redfish
* https://docs.openshift.com/container-platform/4.12/installing/installing_bare_metal_ipi/ipi-install-installation-workflow.html#bmc-addressing_ipi-install-installation-workflow:~:text=List%20of%20redfish%20APIs
* https://docs.openshift.com/container-platform/4.11/rest_api/provisioning_apis/provisioning-metal3-io-v1alpha1.html
disableVirtualMediaTLS on support in metal3 provisioning
## 2023/08/09
PCI-DSS
Protect kernel config will be enabled by default in OCP 4.13
https://issues.redhat.com/browse/OCPNODE-1500
## 2023/05/10
* Application HA
* https://docs.google.com/presentation/d/1YHO-CPKdr1qxL6FxrC7u2HpozmmdOQaNxP7uGcL3lCg/edit#slide=id.g13e2f914c57_0_463
* https://docs.google.com/spreadsheets/d/1DtU7fQ-8BCjMM3zqByZKi4c2O1GSrusO0b8Oa_xdNUk/edit#gid=0
* OpenShift Upgradation Checklist - v2
* https://docs.google.com/document/d/1EKT7TZztIReXq9cFhlAwjRTdq-7r6Pmxnpm7jncwmeM/edit#
* https://docs.google.com/presentation/d/1_L5QE80dOKw_cYQMynK02tJSCjrwtmQnD_8TMjZCFhc/edit#slide=id.g226993a49e9_0_3
* https://connect.redhat.com/en/blog/important-openshift-changes-pod-security-standards
## 2023/03/08
* crio service failed
* https://gss--c.vf.force.com/apex/Case_View?srPos=0&srKp=500&id=5006R00001qDoXS&sfdc.override=1
* https://access.redhat.com/solutions/5350721
* podman reset system
* destinationRule test (service mesh)
* https://docs.google.com/presentation/d/18g66-QloTzSti8t6eHq-uSCvprZohoumW_3l9N2nIEY/edit#slide=id.g211142b6ee2_0_0
## 2023/01/11
* Jace
* Helen
* https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/1710-selinux-relabeling/README.md
## 2022/12/14
### Discussions
* Nick: Which changes to the OCP default config carry higher risk?
* The settings a customer wants to change can be raised and discussed through the Change Management process
### Seasonny
* Serverless
* R&R issues
* Global config: the OP team may need to have a handle on it
* Quay issues
* Connection Pooling https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/manage_red_hat_quay/advanced-quay-configuration
### KFC
* OCP Cluster Health Check List https://docs.google.com/spreadsheets/d/16-s5mxA3kbQxBBvtT1iVjOCucSaewpPhfCinXdgG0sc/edit#gid=1238974780
* Proactive Notice https://docs.google.com/spreadsheets/d/1955DxD5MHsj4jZD_cUFux4YxM7Z4W9TFgH994l_ZtKU/edit#gid=0
* Login/logout auditing https://access.redhat.com/support/cases/#/case/03388713
## 2022/11/09
### Seasonny
* Compliance
* https://docs.google.com/presentation/d/14J7LF1sYF_1hTnnh5ORBUDbD6msUKCQWzFNbYl5VpUU/edit#slide=id.g1723e0abd73_0_52
## 2022/10/12
### Jace
* Properly remove Service Mesh Operators
* Not removing them properly leaves SMCP removal pending and the new Service Mesh Operator installation pending
* https://docs.openshift.com/container-platform/4.7/service_mesh/v2x/removing-ossm.html#ossm-remove-cleanup_removing-ossm
* https://access.redhat.com/solutions/6413511
* Service mesh OLM images
* https://access.redhat.com/solutions/6975305
## 2022/09/14
### Jace
* Amq operator failed to run on FIPS enabled OCP
* https://gss--c.visualforce.com/apex/Case_View?srPos=40&srKp=500&id=5002K000011EY8R&sfdc.override=1
### Seasonny
* OpenShift Vulnerabilities Patch Practices
* https://docs.google.com/presentation/d/1ZKBVxDsUoCkHbyISkW5MxMz5wir5BZl3/edit#slide=id.p1
## 2022/08/10
### KFC
- [Security Components](https://docs.google.com/spreadsheets/d/19dxTfh_MAWXgIrjgJx4WB4GryHR-H1-j46FMxCmwB2o/edit#gid=0)
- [[CTBC][20220808]PCI DSS 3.2.1 COMPLIANCE APPLICABILITY DETAIL](https://docs.google.com/spreadsheets/d/1cPoi5EjVzVMJbS5wsRoWYS7wLZJcGEhShVcoA0Ty0Fw/edit#gid=0)
- [[CTBC][20220804]OpenShift 4 Security](https://docs.google.com/presentation/d/1kpe1hSi3BloQnYMjAYhzrFdn4whB7JUfdckXfphwlIY/edit#slide=id.g13ebe79b16c_0_44)
### Jace
1. 
## 2022/05/11
### Jace
- [High Speed Rail UPI: failed to add a baremetal worker node](https://hackmd.io/eY3RcKdtQ-is69McByFFhQ)
- [Ignition fails adding new nodes to UPI cluster after upgrading to OCP 4.6+](https://access.redhat.com/solutions/5514051)
- [How to set password for core user in CoreOs OpenShift 4.x](https://access.redhat.com/solutions/5895321)
- [ignition-validate](https://github.com/coreos/ignition#config-validation)
### seasonny
- [windows container on OCP](https://hackmd.io/eY3RcKdtQ-is69McByFFhQ)
## 2022/04/13
### Jace
- Manage service endpoint records in istio-proxy
https://medium.com/geekculture/watch-out-for-this-istio-proxy-sidecar-memory-pitfall-8dbd99ea7e9d
- OpenShift Wildcard Subdomain testing
https://hackmd.io/eOy75GUAQhqnjc70etXHUg
### Nick
- Robusta k8s troubles
https://docs.robusta.dev/master/index.html
### Seasonny
* [VPA - Resource recommendations](https://docs.google.com/presentation/d/1fU19BEDAwC5B5CPD-lw7XuNAdoi4XlbevKxXr_ASVUE/edit?usp=sharing)
* [Goldilocks](https://www.fairwinds.com/blog/introducing-goldilocks-a-tool-for-recommending-resource-requests)
## 2022/03/09
### Seasonny
SRE/SLO
* (nelson) SLO
https://cloud.redhat.com/blog/monitoring-services-like-an-sre-in-openshift-servicemesh
https://github.com/raffaelespazzoli/sre-monitoring-openshift/blob/master/grafana-sre/dashboards/sre/slo.json
* [keptn - Cloud-native application life-cycle orchestration ](https://keptn.sh/)
* [Vmware Snapshot Limitations](https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.vm_admin.doc/GUID-53F65726-A23B-4CF0-A7D5-48E584B88613.html)
* [Anti-fragility](https://miro.com/app/board/o9J_lKL0T84=/?invite_link_id=807457821727)
* [DevOps Research and Assessment](https://www.devops-research.com/research.html)
### Nelson
[Kubernetes source code](https://github.com/Kevin-fqh/learning-k8s-source-code/)
## 2022/02/09
### Seasonny
* https://observatorium.io/
* [App Deploy Framework](https://docs.google.com/document/d/1NxExiRZikc9tWTDqDF3z-pnqW7vz3xF0N7mWrvb6seE/edit#heading=h.30j0zll)
* [Kubernetes Policy Management](https://github.com/kubernetes/sig-security/blob/main/sig-security-docs/papers/policy/kubernetes-policy-management.md)
* [Kyverno policy](https://kyverno.io/policies/)
### Nick
* [How to collect metrics with metricbeat](https://hackmd.io/n0wRKTTKTiGFmmwv5QDbGg)
* [Prometheus federate](https://prometheus.io/docs/prometheus/latest/federation/)
### Jace
* [Design Considerations at the Edge of the ServiceMesh](https://cloud.redhat.com/blog/design-considerations-at-the-edge-of-the-servicemesh)
Introduces the various Service Mesh ingress/egress modes
* To allow Service Mesh ingress, the ingress gateway must be created first.
https://gss--c.visualforce.com/apex/Case_View?id=5002K000011CbE6&sfdc.override=1#comment_a0a2K00000eJfcgQAC
## 2022/01/12
### Seasonny
The start sequence of sidecar and app container
* https://banzaicloud.com/blog/k8s-sidecars/
* [Red Hat Service Mesh 2 - holdApplicationUntilProxyStarts](https://docs.openshift.com/container-platform/4.9/service_mesh/v2x/servicemesh-release-notes.html#istio-compatibility-support-matrix_ossm-release-notes)
* Blocks application container startup until proxy is running
* Dapr
* dapr_sidecar_injector.webhookFailurePolicy => Fail (default is **Ignore**)
* **Fail** means that an error calling the webhook causes the admission to fail and the API request to be rejected.
* Learn more about [Failure policy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
## 2021/12/08
### Seasonny
RBAC review report
* https://github.com/alcideio/rbac-tool
* ```rbac-tool policy-rules -o json ```
* [json to excel converter](https://conversiontools.io/convert/json-to-excel)
* https://github.com/corneliusweig/rakkess
### Jace
1. CSI won't apply correct permission for corresponding SCC
https://access.redhat.com/solutions/6539131
2. OpenShift on Nutanix
[Source Page](https://source.redhat.com/groups/private/redhatnutanixpartnership)
[Reference Architecture](https://docs.google.com/presentation/d/1GunYhx1XaE4oel2iDvpo76oAy8dNRXqRiETmWst32XQ/edit#slide=id.gf774271ded_0_9)
3. Most Prometheus samples in OCP 4.7 - https://docs.google.com/presentation/d/1056JKgFL9zDhW_RuEVaGjfF9HuREGzvq8-bPj4QnPR4/edit
## 2021/11/10
### Jace
Issues with tcp_recycle in NAT environments
[Do not enable tcp_tw_recycle](https://ieevee.com/tech/2017/07/19/tcp-tw-recycle.html)
### seasonny
* [Scheduler](https://docs.google.com/presentation/d/1ginkqvJvmv2R9ULjxas6BLb_6LVag8pPCIM31yBrVcQ/edit?usp=sharing)
### Catherine
* [shell-operator](https://docs.google.com/presentation/d/1OdsGsFwzCDMnXtb7WMIQHxyDeyoo1ZiX2oEGdfyPfWQ/edit?usp=sharing)
## 2021/10/13
Nelson
### Jace
oc cli plugin GA
https://docs.openshift.com/container-platform/4.8/cli_reference/openshift_cli/extending-cli-plugins.html
## 2021/09/08
### Jace
!! Don't pause reboot longer than 15 Days. (Before 4.7)
https://gss--c.visualforce.com/apex/Case_View?id=5002K00000xEM8q&sfdc.override=1
https://gss--c.visualforce.com/apex/Case_View?id=5002K00000xEM8q&sfdc.override=1#comment_a0a2K00000bsNzRQAU
### seasonny
* [service mesh load test result](https://docs.openshift.com/container-platform/4.6/service_mesh/v2x/ossm-performance-scalability.html#ossm-load-test-results_performance-scalability)
* [How to setup resources to EnvoyProxy sidecar with OSSM operator 2.0](https://access.redhat.com/solutions/5888771)
* [kubewatch](https://github.com/bitnami-labs/kubewatch)
* [Using OpenScap to Scan RHCOS Vulnerabilities](https://hackmd.io/KyPl7gVnT2qCvMFLBSj6jg)
## 2021/08/11
### seasonny
* [Policy-Based Governance](https://docs.google.com/presentation/d/1FOt27SzFDmrO13eriAKlEXRbBql5ymb6c87vyOVhkn8/edit?usp=sharing) # Kyverno
* [Policies example](https://kyverno.io/policies/)
* [Simple Demo for Velero with Kyverno](https://hackmd.io/ZVqAV3NQSx2VPox7fXPODg?view)
### Nick
* [ROSA installation guide](https://docs.google.com/document/d/1LzT6bVuVBqHh9dJGnAQDSVQHFI0MTWUpv2CJ4sJFwQ0/edit?usp=sharing)
### Jace
Custom Metric HPA troubleshooting Guide
* https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/troubleshooting.md#overview-of-servicemonitor-tagging-and-related-elements
* or call Jace
## 2021/07/16
### seasonny
* [OpenShift Service Mesh Control Plane management](https://docs.google.com/presentation/d/1cL3mLGF0JYJXMM09oXi0Z-vWhafERguhXjsB4EplwDE/edit#slide=id.gc221c7df69_0_876)
* [SecurityDemos](https://github.com/RedHatDemos/SecurityDemos/blob/master/2021Labs/OpenShiftSecurity/documentation/lab4.adoc)
* [kyverno for policy management](https://www.cncf.io/wp-content/uploads/2020/10/Self-Service-Kubernetes.pdf)
### Kate
#### NFS UID/GID squash
**all_squash**
Map all uids and gids to the anonymous user. Useful for NFS-exported public FTP directories, news spool directories, etc. The opposite option is no_all_squash, which is the default setting.
**anonuid and anongid**
These options explicitly set the uid and gid of the anonymous account. This option is primarily useful for PC/NFS clients, where you might want all requests appear to be from one user. As an example, consider the export entry for /home/joe in the example section below, which maps all requests to uid 150 (which is supposedly that of user joe).
### Jace
[OCP 3.11 inconsistent memory display](https://docs.google.com/document/d/1_cDxtabDR_kxPA2WFBd4LDTSoElfHafknPshEdf5Pvw/edit#)
* [Memory_working_set vs Memory_rss in Kubernetes, which one you should monitor?](https://medium.com/@eng.mohamed.m.saeed/memory-working-set-vs-memory-rss-in-kubernetes-which-one-you-should-monitor-8ef77bf0acee)
[ [Still WIP] EFK install failed - permission related issue](https://gss--c.visualforce.com/apex/Case_View?id=5002K00000wYGzb&sfdc.override=1)
