blog.scottlowe.orgScott's Weblog - Scott's Weblog - The weblog of an IT pro focusing on cloud computing, Kubernetes, L

inux, containers, and networking Original, technical content centered around cloud computing, Kubernetes, Linux, and networking Home About Site Archives Post Categories Content Tags © 2005-2024. All rights reserved. Scott’s Weblog The weblog of an IT pro focusing on cloud computing, Kubernetes, Linux, containers, and networking Tracking EC2 Instances used by EKS with AWS CLI 17 Apr 2024 As a sort of follow-up to my previous post on using the AWS CLI to track the specific Elastic Network Interfaces (ENIs) used by Amazon Elastic Kubernetes Service (EKS) cluster nodes, this post focuses on the EC2 instances themselves. I feel this is less of a problem” than tracking ENIs, but I wanted to share this information nevertheless. In this post, I’ll show you which AWS CLI command to use to list all the EC2 instances associated with a particular EKS cluster. If you read the previous post on tracking ENIs used by EKS , you might think that you could use a very similar AWS CLI command ( aws ec2 describe-instances instead of aws ec2 describe-network-interfaces ) to track the EC2 instances in a cluster—and you’d be mostly correct. Like the ENIs, EKS does add a cluster-specific tag to all EC2 instances in the cluster. However, just to make life interesting, the tag used for EC2 instances is not the same as the tag used for ENIs. (If someone at AWS knows of a technical reason why these tags are different, I’d love to hear it.) Instead of using the cluster.k8s.amazonaws.com/name tag that is used on the ENIs, you’ll need to use the aws:eks:cluster-name tag instead, like this: aws ec2 describe-instances filters Name = tag:aws:eks:cluster-name, \ Values = name-of-cluster Just replace name-of-cluster in the above command with the name of your EKS cluster, and you’re good to go. As I mentioned in the previous post, if you’re using an automation tool such as Pulumi or Terraform , you may need to explicitly specify the name of the cluster in your code (or look it up after the cluster is created). I hope this information is useful to folks. If you have questions (or corrections, in the event I have something incorrect here!), please feel free to reach out. You can find me on Twitter , on the Fediverse , or in a number of different Slack communities. Thanks for reading! Tracking ENIs used by EKS with AWS CLI 15 Apr 2024 I’ve recently been spinning up lots of Amazon Elastic Kubernetes Service (EKS) clusters (using Pulumi, of course) in order to test various Cilium configurations. Along the way, I’ve wanted to verify the association and configuration of Elastic Network Interfaces (ENIs) being used by the EKS cluster. In this post, I’ll share a couple of AWS CLI commands that will help you track the ENIs used by an EKS cluster. When I first set out to find the easiest way to track the ENIs used by the nodes in an EKS cluster, I thought that AWS resource tags might be the key. I was right—but not in the way I expected. In the Pulumi program (written in Go ) that I use to create EKS clusters, I made sure to tag all the resources. For example, when defining the EKS cluster itself I assigned tags: eksCluster , err := eks . NewCluster ( ctx , "eks-cluster" , & eks . ClusterArgs { Name : pulumi . Sprintf ( "%s-test" , regionNames [ awsRegion ]), // Some code omitted here for brevity Tags : pulumi . StringMap { "Name" : pulumi . Sprintf ( "%s-test" , regionNames [ awsRegion ]), "owner" : pulumi . String ( ownerTag ), "team" : pulumi . String ( teamTag ), "usage" : pulumi . String ( usageTag ), "expiry" : pulumi . String ( "2025-01-01" ), }, }) And I assigned tags again when defining the node group for the EKS cluster: _ , err = eks . NewNodeGroup ( ctx , "node-group" , & eks . NodeGroupArgs { ClusterName : eksCluster . Name , // Some code omitted here for brevity Tags : pulumi . StringMap { "Name" : pulumi . Sprintf ( "%s-nodegroup-01" , regionNames [ awsRegion ]), "owner" : pulumi . String ( ownerTag ), "team" : pulumi . String ( teamTag ), "usage" : pulumi . String ( usageTag ), "expiry" : pulumi . String ( "2025-01-01" ), }, }) I thought that these tags would carry over to the ENIs attached to the EC2 instances in the node group. Assuming the value of ownerTag was set to slowe”, it would be possible to see all the ENIs with this command: aws ec2 describe-network-interfaces filters Name = tag:owner,Values = slowe Alas, these tags don’t carry over (not that I’ve observed, anyway). However, all is not lost! EKS creates its own tag you can use with the describe-network-interfaces command: aws ec2 describe-network-interfaces \ filters Name = tag:cluster.k8s.amazonaws.com/name,Values = cluster-name The cluster.k8s.amazonaws.com/name tag is automatically added to ENIs created for use by EKS; you just need to supply the correct value (to replace cluster-name in the above command). If you’re using an automation tool like Pulumi or Terraform, you’ll want to be sure you know what the EKS cluster name is; you can assign it, as I did in the code above, or you can look it up. While I didn’t share anything amazingly unique or earth-shattering here, I do hope that this post is helpful to folks. Feel free to find me on various social media platforms—such as on Twitter or on the Fediverse —if you have questions or comments about this post. Constructive feedback is always welcome! Technology Short Take 176 15 Mar 2024 Welcome to Technology Short Take #176! This Tech Short Take is a bit heavy on security-related links, but there’s still some additional content in a number of other areas, so you should be able to find something useful—or at least interesting—in here. Thanks for reading! Networking Lee Briggs (formerly of Pulumi, now with Tailscale) shows how to use the Tailscale Operator to create free” Kubernetes load balancers (free” as in no additional charge above and beyond what it would normally cost to operate a Kubernetes cluster). Ivan Pepelnjak dives deep on DHCP relaying on a Linux host . I also enjoyed Ivan’s realistic take on rollbacks in a network automation environment. (TL;DR: It’s not as easy as it might seem.) Servers/Hardware Menno Finlay-Smits shares information on reducing fan noise on Intel NUCs . Rob McBryde shares his story of reviving a 2012 MacBook Pro with Linux . Kevin Houston previews the first AMD-powered Cisco UCS blade server . Security In early February a vulnerability was uncovered in a key component of the Linux boot process. The vulnerability affects virtually all Linux distributions and allows attackers to bypass the secure boot protections and insert a low-level bootkit. While the requirements for exploiting the vulnerability are not insurmountable, they do require a certain level of effort. More details available via Ars Technica and via ZDnet . Nick Frichette shares how to bypass GuardDuty Tor client findings (basically, how to connect to Tor without GuardDuty detecting it). The Sysdig Threat Research Team uncovered the malicious use of a network mapping tool called SSH-Snake. Read more about it in this post . VMware is patching a set of severe sandbox escape” bugs. Two of the vulnerabilities are rated a 9.3 out of 10, and even VMware’s flagship ESXi hypervisor is affected. More details are available from Ars Technica . Think Linux doesn’t have malware? A new Bifrost remote access trojan (RAT) for Linux employs a number of techniques to remain hidden, including using a VMware-esque” domain name for command and control servers. And here’s another example of malware that is targeting Linux (along with Windows). This would be why I hate it when companies force me to use SMS for two-factor authentication—at least let me use a one-time passcode or something. Cloud Computing/Cloud Management Mina Abadir shares some experiences around migrating from PlanetScale to Amazon Aurora . Rory McCune explains Kubernetes authentication . Falco has graduated within the CNCF . Operating Systems/Applications Here’s one person’s take on sudo for...