adding missing files #2259

Merged
mfreeman451 merged 1 commit from refs/pull/2259/head into main 2025-10-02 07:08:59 +00:00
mfreeman451 commented 2025-10-02 07:08:22 +00:00 (Migrated from github.com)
Owner

Imported from GitHub pull request.

Original GitHub pull request: #1681
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1681
Original created: 2025-10-02T07:08:22Z
Original updated: 2025-10-02T07:10:39Z
Original head: carverauto/serviceradar:k8s/missing_ext_dns
Original base: main
Original merged: 2025-10-02T07:08:59Z by @mfreeman451

PR Type

Enhancement


Description

  • Add complete external-dns Kubernetes configuration

  • Configure Cloudflare DNS provider integration

  • Set up RBAC permissions and service account

  • Include deployment with health checks


Diagram Walkthrough

flowchart LR
  SA["ServiceAccount"] --> CRB["ClusterRoleBinding"]
  CRB --> CR["ClusterRole"]
  CR --> DEP["Deployment"]
  DEP --> SVC["Service"]
  DEP --> CF["Cloudflare API"]
  KUST["Kustomization"] --> SA
  KUST --> CRB
  KUST --> DEP
  KUST --> SVC
  KUST --> CR

File Walkthrough

Relevant files
Documentation
README.md
Documentation for external-dns setup                                         

k8s/external-dns/base/README.md

  • Add setup instructions for Cloudflare API secrets
  • Include installation commands for external-dns
+17/-0   
Configuration changes
clusterrolebinding.yaml
RBAC cluster role binding configuration                                   

k8s/external-dns/base/clusterrolebinding.yaml

  • Create cluster role binding for external-dns service account
  • Bind to external-dns cluster role in default namespace
+12/-0   
kustomization.yaml
Kustomization resource definition                                               

k8s/external-dns/base/kustomization.yaml

  • Define Kustomize resources for external-dns components
  • Include all YAML files for complete deployment
+8/-0     
patch.yaml
Domain-specific configuration patch                                           

k8s/external-dns/base/patch.yaml

  • Override deployment args with carverauto.dev domain filter
  • Set trace logging level for debugging
+16/-0   
rbac.yaml
RBAC permissions for external-dns                                               

k8s/external-dns/base/rbac.yaml

  • Define cluster role with standard Kubernetes resource permissions
  • Add custom DNS CRD permissions for carverauto.dev
  • Grant access to services, ingresses, pods, nodes, endpoints
+28/-0   
service-account.yaml
Service account for external-dns                                                 

k8s/external-dns/base/service-account.yaml

  • Create service account for external-dns in default namespace
+5/-0     
service.yaml
Service configuration for external-dns                                     

k8s/external-dns/base/service.yaml

  • Expose external-dns on port 80 targeting port 7979
  • Configure service selector for external-dns app
+12/-0   
Enhancement
external-dns.yaml
Main external-dns deployment configuration                             

k8s/external-dns/base/external-dns.yaml

  • Deploy external-dns with Cloudflare provider configuration
  • Configure resource limits and health checks
  • Set up environment variables for Cloudflare API credentials
  • Add tolerations for master/control-plane nodes
+70/-0   

qodo-code-review[bot] commented 2025-10-02 07:09:36 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1681#issuecomment-3359503277
Original created: 2025-10-02T07:09:36Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Secret handling risk

Description: Documentation suggests creating a Kubernetes Secret from literal values which can
encourage committing or pasting plaintext API keys; ensure secrets are injected via secure
CI/secret manager and not stored in repo history or terminals.
README.md [8-11]

Referred Code
kubectl create secret generic cloudflare-api-secret \
    --from-literal=CF_API_KEY="YOUR_CLOUDFLARE_API_KEY" \
    --from-literal=CF_API_EMAIL="YOUR_CLOUDFLARE_API_EMAIL"

Secret exposure via env

Description: Cloudflare credentials are mounted via environment variables which can be exposed via pod
exec/env dumps; prefer using projected service account tokens with external secrets
manager or mounting as files with restricted access.
external-dns.yaml [44-53]

Referred Code
- name: CF_API_KEY
  valueFrom:
    secretKeyRef:
      name: cloudflare-api-secret
      key: CF_API_KEY
- name: CF_API_EMAIL
  valueFrom:
    secretKeyRef:
      name: cloudflare-api-secret
      key: CF_API_EMAIL
Excessive RBAC permissions

Description: Broad CRUD permissions granted to custom resource 'dnsendpoints' may exceed least
privilege; if create/update/delete are unnecessary, restrict verbs to read-only to reduce
blast radius.
rbac.yaml [23-28]

Referred Code
- apiGroups: ["dns.tunnel.carverauto.dev"]
  resources: ["dnsendpoints"]
  verbs: ["get","watch","list","create","update","patch","delete"]
- apiGroups: ["dns.tunnel.carverauto.dev"]
  resources: ["dnsendpoints/status"]
  verbs: ["get","update","patch"]
Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
No custom compliance provided

Follow the guide to enable custom compliance check.

Compliance status legend
🟢 - Fully Compliant
🟡 - Partially Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
qodo-code-review[bot] commented 2025-10-02 07:10:39 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1681#issuecomment-3359508240
Original created: 2025-10-02T07:10:39Z

PR Code Suggestions

Explore these optional code suggestions:

Category    Suggestion    Impact
High-level
Correct the unsafe and broken Kustomize configuration

The base external-dns configuration is unsafe due to an empty domain filter,
posing a security risk. A patch file intended to scope the domain exists but is
not applied by the Kustomize configuration, which needs to be corrected.

Examples:

k8s/external-dns/base/external-dns.yaml [24]
            - --domain-filter=
k8s/external-dns/base/kustomization.yaml [1-8]
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - service-account.yaml
  - clusterrolebinding.yaml
  - external-dns.yaml
  - service.yaml
  - rbac.yaml

Solution Walkthrough:

Before:

# k8s/external-dns/base/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - service-account.yaml
  - clusterrolebinding.yaml
  - external-dns.yaml
  - service.yaml
  - rbac.yaml
# patch.yaml is not applied

# k8s/external-dns/base/external-dns.yaml
...
containers:
  - name: external-dns
    args:
      - --domain-filter= # Unsafe empty filter
...

After:

# k8s/external-dns/base/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - service-account.yaml
  - clusterrolebinding.yaml
  - external-dns.yaml
  - service.yaml
  - rbac.yaml
patchesStrategicMerge:
  - patch.yaml # Apply the patch to scope the domain

# The resulting deployment would have:
...
containers:
  - name: external-dns
    args:
      - --domain-filter=carverauto.dev # Safely scoped
...

Suggestion importance[1-10]: 10

__

Why: The suggestion correctly identifies a critical security vulnerability where an empty domain-filter in external-dns.yaml is not patched by kustomization.yaml, potentially allowing modifications to any DNS zone.

High
Possible issue
Restore missing arguments in patch

Restore missing arguments in the external-dns deployment patch to prevent
incorrect DNS record management. The patch currently removes --registry=txt,
--txt-owner-id, and --managed-record-types arguments from the base
configuration.

k8s/external-dns/base/patch.yaml [1-16]

 spec:
   template:
     spec:
       containers:
       - name: external-dns
         args:
         - --source=service
         - --source=ingress
         - --domain-filter=carverauto.dev
         - --provider=cloudflare
         - --cloudflare-dns-records-per-page=5000
         - --log-level=trace
+        - --registry=txt
+        - --txt-owner-id=external-dns-1
+        - --managed-record-types=A
+        - --managed-record-types=AAAA
         - --policy=sync
         - --request-timeout=30s
         - --min-event-sync-interval=5s
         - --events
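Review bot: the restored `- --txt-owner-id=external-dns-1` must match the owner id in the base external-dns.yaml exactly (the base value is not visible in this hunk). Because a strategic-merge patch replaces the whole `args` list, patch.yaml becomes the single source of truth for these flags and any later edit to the base list is silently ignored; a comment in patch.yaml pointing at the base would make that explicit. With `- --policy=sync` still present, a mismatched or missing owner id changes which existing TXT-registered records this instance treats as its own, which is exactly the record-management risk the suggestion describes. Consider also whether `- --log-level=trace` belongs in the base overlay or in a separate debugging overlay.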
  • Apply / Chat
Suggestion importance[1-10]: 9

__

Why: The suggestion correctly identifies that the Kustomize patch replaces the entire args list, removing critical arguments like --registry=txt and --txt-owner-id, which can lead to serious DNS record management issues.

High
General
Remove deprecated API group alias

Remove the deprecated networking API group alias from the ClusterRole
definition, using only the canonical networking.k8s.io group to ensure future
compatibility.

k8s/external-dns/base/rbac.yaml [13-15]

-- apiGroups: ["networking","networking.k8s.io"]
+- apiGroups: ["networking.k8s.io"]
   resources: ["ingresses"]
   verbs: ["get","watch","list"]
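Review bot: fine as-is: the rule keeps `verbs: ["get","watch","list"]` on ingresses, which is the read-only set an external-dns source needs, and dropping the bare `networking` entry leaves only the group the API server actually serves. Note that this hunk touches only the ingresses rule; the create/update/delete verbs on `dnsendpoints` raised in the compliance comment above live in a different rule and are unchanged by this suggestion.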
  • Apply / Chat
Suggestion importance[1-10]: 4

__

Why: The suggestion correctly points out the use of a deprecated networking API group alias, and removing it improves future compatibility and aligns with best practices.

Low
  • More
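To make the two findings above concrete (an empty domain filter, and a strategic-merge patch that silently drops the registry arguments), here is an added Python check that is not part of the PR or the bot's output: it emulates the list replacement Kustomize performs on `args` and lints the resulting external-dns arguments. Base arg values beyond the flags quoted on this page are assumed.

```python
from typing import Dict, List, Optional

# Constructed base args, modelled on the PR's external-dns.yaml as the review
# describes it; values other than the flags quoted on this page are assumed.
BASE_ARGS: List[str] = [
    "--source=service",
    "--source=ingress",
    "--domain-filter=",  # the empty filter the high-level suggestion flags
    "--provider=cloudflare",
    "--registry=txt",
    "--txt-owner-id=external-dns-1",
    "--managed-record-types=A",
    "--managed-record-types=AAAA",
    "--policy=sync",
]

# Constructed patch args: the patch.yaml context lines above, before the `+` lines.
PATCH_ARGS: List[str] = [
    "--source=service",
    "--source=ingress",
    "--domain-filter=carverauto.dev",
    "--provider=cloudflare",
    "--cloudflare-dns-records-per-page=5000",
    "--log-level=trace",
    "--policy=sync",
    "--request-timeout=30s",
    "--min-event-sync-interval=5s",
    "--events",
]

# The four `+` lines from the suggestion, inserted where the diff places them.
RESTORED_ARGS: List[str] = [
    "--registry=txt",
    "--txt-owner-id=external-dns-1",
    "--managed-record-types=A",
    "--managed-record-types=AAAA",
]


def apply_args_patch(base: List[str], patch: Optional[List[str]]) -> List[str]:
    """Strategic merge on a list of plain strings is a replace, not a merge:
    once the patch sets `args`, nothing from the base list survives."""
    return list(patch) if patch is not None else list(base)


def suggested_patch_args() -> List[str]:
    """patch.yaml args as they read with the suggestion's `+` lines applied."""
    idx = PATCH_ARGS.index("--log-level=trace") + 1
    return PATCH_ARGS[:idx] + RESTORED_ARGS + PATCH_ARGS[idx:]


def parse_flags(args: List[str]) -> Dict[str, List[str]]:
    """'--k=v' -> {'--k': ['v']}; repeated flags accumulate, bare flags map to ''."""
    flags: Dict[str, List[str]] = {}
    for arg in args:
        key, _, value = arg.partition("=")
        flags.setdefault(key, []).append(value)
    return flags


def lint_external_dns_args(args: List[str]) -> Dict[str, str]:
    """Return finding id -> explanation for a rendered container args list."""
    flags = parse_flags(args)
    findings: Dict[str, str] = {}
    if not any(flags.get("--domain-filter", [])):
        findings["empty-domain-filter"] = ("no --domain-filter value: every zone the "
                                          "Cloudflare credential can reach is in scope")
    # external-dns defaults to --policy=sync, which deletes records it believes it owns,
    # so ownership must be pinned explicitly to this instance via the TXT registry.
    pinned = flags.get("--registry", [""])[0] == "txt" and flags.get("--txt-owner-id", [""])[0]
    if flags.get("--policy", ["sync"])[0] == "sync" and not pinned:
        findings["unpinned-txt-owner-id"] = ("--policy=sync without explicit --registry=txt and "
                                            "--txt-owner-id: record ownership is not pinned")
    if flags.get("--log-level", [""])[0] == "trace":
        findings["trace-logging"] = "--log-level=trace is a debugging setting, not a base default"
    return findings
```

Running `lint_external_dns_args` over the base, the patched and the suggestion-fixed lists reproduces the review's findings in turn: the base fails on the empty filter, the current patch drops ownership pinning, and the fixed patch leaves only the trace-logging note.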