Fred Richards flrichar

Here is a self-contained Python script designed to run inside a Kubernetes pod (such as an Ubuntu container). It uses only standard Python libraries, meaning you won't need to install requests or the kubernetes SDK inside your container.

This script checks the service account directory, verifies file permissions, extracts and decodes the JWT token to show its claims (like the service account name), and attempts a live connection test to the Kubernetes API server using that token.

The Python Script (`k8s_sa_test.py`)

import os
import json
import base64

rke2 standalone, not provisioned through rancher

... https://docs.tigera.io/calico/latest/networking/ipam/migrate-pools

metadata:
  labels:
    app.kubernetes.io/managed-by: tigera-operator
...

CPULimit for systemd service

Sometimes it is necessary and cannot be avoided.

vi /etc/systemd/system/something.service

[service]
CPUQuota=50%
...

Remote golang pprof

Enable pprof & optional debug in config.yaml for k3s
kubectl proxy, shoud choose port 8001 by default
go tool pprof http://localhost:8001/debug/pprof/profile for interactive funtimes

# k3s config ...
debug: true
enable-pprof: true

Output of PLab PostRouting for NAT Table, CNI, Bridge, SNAT-1022

$ iptables -t nat -L POSTROUTING -vn --line
Chain POSTROUTING (policy ACCEPT 3159 packets, 581K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     4217  663K CNI-HOSTPORT-MASQ  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* CNI portfwd requiring masquerade */
2     1058 81606 CNI-8d379e8c80a1fb6e997fb316  all  --  *      *       10.4.0.2             0.0.0.0/0            /* name: "bridge" id: "moby-0b65d5a522417587f04a5f4429c5b63ec2fca1065291d12c7f91b158cf18f8e1" */
3        0     0 MASQUERADE  all  --  *      eth0.87  10.16.22.0/24       !10.0.0.0/8           /* SNAT 1022 through eth0.87 via fiber-inetgw */

2025-1201 IP-Change Restore Example

Always use S3 for backups
Enable adequate, constant, consistent backups
Single-Nodes for Development, ensure quick turnaround

Example ...

Address changed from .147 to .180 ... Verified the timestamp was the same from 11/21 locally & in S3. Do not require full-path for S3 bucket data.

sudo systemctl disable --now rke2-server

Mini GwAPI

Control-plane only Istio for gateway api, installing latest 1.3.0 CRDs. Simple adjustments for newer api versions and istio releases.

kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.3.0" | kubectl apply -f -;

helm install -n istio-system upstream-istio istio/istiod --set gateway.enabled=true --set istiod.profile=minimal --version 1.27.0 --create-namespace

	DLAGENTS=('file::/usr/bin/curl -4 -qgC - -o %o %u'
	'ftp::/usr/bin/curl -4 -qgfC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u'
	'http::/usr/bin/curl -4 -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u'
	'https::/usr/bin/curl -4 -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u'
	'rsync::/usr/bin/rsync --no-motd -z %u %o'
	'scp::/usr/bin/scp -C %u %o')

	# just an amuse-bouche
	# arch under /etc/makepkg.conf.d/

	# a generic mcp running locally

	{
	"mcpServers": {
	"opentofu": {
	"command": "npx",
	"args": [
	"-y",
	"@opentofu/opentofu-mcp-server"
	]

	apiVersion: kustomize.config.k8s.io/v1beta1
	kind: Kustomization

	resources:
	- adm-kubeconfig.yaml

	patches:
	- target:
	kind: Config
	name: patched-20260609