This document summarizes best practices for Kubernetes security. It covers infrastructure protection, Kubernetes internal security, authentication and authorization options, network security, secrets management, container runtime security, and other security tools. Specific recommendations include limiting SSH access, encrypting storage, using minimal base images, RBAC for authorization, network policies, secrets encryption, security contexts, and image scanning.
In this meetup, Oleg, CTO at Kublr, walks you through the basics of K8s persistence management functionality and how it can be used to simplify managing persistent applications across different environments - in the cloud or on premise. Oleg will use a demo environment with clusters in different clouds to show K8s persistence in practice.
We will cover:
• Persistent data abstractions in K8s: persistent volumes (PV) and their attributes
• PV specifics in different clouds
• Using PV in K8s: persistent volume claims (PVC) and storage classes (SC)
• Automatic volume provisioning
• Persistence and scheduling interrelationships
• Practical examples
Kubernetes (K8s) is a powerful and flexible open source container orchestration system. The power of K8s comes from its modularity and the simplicity of its basic concepts. Each of these basic concepts builds on the others and, from the most basic elements to the more advanced ones, each is responsible for its own well-defined logic and behavior.
Security best practices for kubernetes deployment - Michael Cherny
Security best practices for a Kubernetes Deployment - from development, through build, ship, networking and run time controls.
Was presented at New York Kubernetes meetup https://www.meetup.com/New-York-Kubernetes-Meetup/events/237790149/
Orchestrating Microservices with Kubernetes - Weaveworks
- Kubernetes Concepts
- Hands on: Using kubeadm to stand up a Kubernetes cluster
- Hands on: Using kubectl to make changes to running Kubernetes cluster
Social Connections 14 - Kubernetes Basics for Connections Admins - panagenda
The product formerly known as IBM Connections Pink is deployed on Kubernetes and some other open source tools. Learn the basics of Kubernetes in this session: deploying additional pods, getting statistics, and digging deeper into the installed components to find log files and so on.
This presentation explains the basics of Kubernetes ingress traffic management functionality, and how it can be used to simplify managing applications across different environments - in the cloud or on premise.
A talk given at Docker London on Wednesday, July 20th, 2016. This talk is a fast-paced overview of the potential threats faced when containerizing applications, married to a quick run-through of the "security toolbox" available in the Docker engine via Linux kernel capabilities and features enabled by OCI's libcontainer/runc and Docker.
A video recording of this talk is available here: https://skillsmatter.com/skillscasts/8551-container-security
CI / CD / CS - Continuous Security in Kubernetes - Sysdig
Continuous Delivery helps to keep your software and Docker images updated and to deploy new versions in production easily. Microservices are great at reducing the attack surface and limiting the privileges or credential access of each piece of your application. Containers provide an opportunity to implement better security: small, immutable, single-process and single-purpose.
In this session, we will discover real use case examples on how to make your CI/CD pipeline interact with Docker security tools. But security doesn’t stop where your deployment pipeline ends. How can we prepare for 0-days and policy violations that happen at run-time? Can we make it part of the CI/CD process?
15 Kubernetes failure points you should watch - Sysdig
When operating a production platform we should prepare for failure and, in addition to monitoring working metrics, we cannot forget about the most common failure points. From a monitoring-solution-agnostic perspective, and following a use-case-driven approach, we will learn the most common failure points in a Kubernetes infrastructure and how to detect them (metrics, events, checks, etc.).
Kubernetes and Bluemix introduction along with the sample demo application (Color Cluster) on IBM Bluemix Container Service (BCS). Also, some advanced features provided by IBM. Sample code for the repo is here: [Kubernetes Bluemix Demo](https://github.com/mohan08p/KubernetesMeetup/tree/master/14th%20Oct%202017/ColorDemo)
Monitoring, Logging and Tracing on Kubernetes - Martin Etmajer
In this presentation, I'll describe a variety of tools, like the Kubernetes Dashboard, Heapster, Grafana, Fluentd, Elasticsearch, Kibana, Jolokia and OpenTracing to bring Monitoring, Logging and Tracing to the Kubernetes container platform.
Enhancing OpenShift Security for Business Critical Deployments - DevOps.com
Join us for this informative session on "Enhancing OpenShift Security." Andrew Toth from Red Hat will outline typical threats and security measures to protect container deployments and will share information on built-in security features of OpenShift and Kubernetes.
Glen Kosaka from NeuVector will present how to enhance security for Kubernetes and OpenShift by using advanced run-time security features to improve visibility and protection in production.
Docker Online Meetup: Infrakit update and Q&A - Docker, Inc.
While working on Docker for AWS and Azure, we realized the need for a standard way to create and manage infrastructure state that was portable across any type of infrastructure, from different cloud providers to on-prem. One challenge is that each vendor has differentiated IP invested in how they handle certain aspects of their cloud infrastructure. It is not enough to just provision five servers; what IT ops teams need is a simple and consistent way to declare the number of servers, what size they should be, and what sort of base software configuration is required. And in the case of server failures (especially unplanned), that sudden change needs to be reconciled against the desired state to ensure that any required servers are re-provisioned with the necessary configuration. We started InfraKit to solve these problems and to provide the ability to create a self-healing infrastructure for distributed systems.
containerd the universal container runtime - Docker, Inc.
containerd is an industry-standard core container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.
containerd is designed to be embedded into a larger system, rather than being used directly by developers or end-users.
containerd includes a daemon exposing a gRPC API over a local UNIX socket. The API is a low-level one designed for higher layers to wrap and extend. It also includes a bare-bones CLI (ctr) designed specifically for development and debugging purposes. It uses runC to run containers according to the OCI specification. The code can be found on GitHub, and here are the contribution guidelines.
containerd is based on the Docker Engine’s core container runtime to benefit from its maturity and existing contributors.
Deep dive in container service discovery - Docker, Inc.
Service discovery and traffic load-balancing in the container ecosystem rely on different technologies, such as IPVS and iptables, and container orchestrators use different approaches. This talk will present in detail how Docker Swarm and Kubernetes achieve this. The talk will continue with a demo showing how applications that are not managed by Kubernetes can take advantage of its native load-balancing. Finally, it will compare these approaches to service-mesh solutions.
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and... - Docker, Inc.
Presented by Gareth Rushgrove, Sr. Software Engineer, Puppet Labs
The shipping container metaphor for Docker points to many of the advantages of building and running software using containers. But what about other essential parts of the shipping container ecosystem like the shipping manifest and bill of lading?
Many of the most powerful features of traditional package management tools like apt or yum are based on metadata associated with the packages. You can find out who created a package and when, check where a particular file came from, whether the package has a known vulnerability and more. What would this capability look like for Docker containers?
This talk will look at the power of metadata for containers, in particular:
* Docker provides labels for associating metadata with images and containers, but how best to use them?
* What problems can be solved by agreeing on standards for container metadata?
* Exposing standard commands and endpoints to expose metadata about what is inside a container
* Demo some open source tooling and also look at the sort of tools we might build atop those standards and low-level tools.
This is the second session of Deep Dive into Kubernetes. It includes information on optimizing Docker image size, persistent volumes, container security, and different aspects of running Kubernetes on GKE and AWS.
Who is afraid of privileged containers? - Marko Bevc
This talk will focus on a possible privilege escalation to bypass RBAC rules when running privileged containers without any security policies in place. We will also do a live demo and show how this can be achieved in an AWS EKS cluster. Afterwards we will show how to remediate this using PodSecurityPolicies and what to watch for when implementing those in an active cluster.
New and smart way to develop microservice for istio with micro profile - Emily Jiang
The new and smart way to develop microservices for Istio - Eclipse MicroProfile
Focus on MicroProfile and demonstrate 8 MicroProfile specifications with some overview on Istio
Learn from the dozens of large-scale deployments how to get the most out of your Kubernetes environment:
- Container images optimization
- Organizing namespaces
- Readiness and Liveness probes
- Resource requests and limits
- Failing with grace
- Mapping external services
- Upgrading clusters with zero downtime
Bare Metal to OpenStack with Razor and Chef - Matt Ray
Slides from the OpenStack Spring 2013 Summit workshop presented by Egle Sigler (@eglute) and Matt Ray (@mattray) from Rackspace and Opscode respectively. Please refer to http://anystacker.com/ for additional content.
In the latest versions of K8s there has been an evolution regarding the definition of security strategies at the level of access policies to the cluster by users and developers. The security contexts (securityContext) allow you to define the configurations at the level of access control and privileges for a pod or container in a simple way using keywords in the configuration files.
To facilitate the implementation of these security strategies throughout the cluster, new strategies have emerged such as the Pod Security Policy (PSP) where the cluster administrator is in charge of defining these policies at the cluster level with the aim that developers can follow these policies.
Other interesting projects include Open Policy Agent (OPA) as the main cloud-native authorization policy agent for creating policies and managing user permissions for access to applications.
The objective of this talk is to present the evolution that has occurred in security strategies and how we could use them together, as well as analyze their behavior in accessing resources. Among the points to be discussed we can highlight:
- Introduction to security strategies in K8s environments
- Pod Security Admission (PSA) vs Open Policy Agent (OPA)
- Combination of different security strategies together
- Access to resources in privileged and non-privileged mode
Cloud Native TLV Meetup: Securing Containerized Applications Primer - Phil Estes
A talk given on Tuesday, January 28th, 2020 at the Tel Aviv, Israel Cloud Native meetup covering the core concepts of how to secure containerized applications in a Kubernetes context.
Container Security Deep Dive & Kubernetes - Aqua Security
Container Security Deep Dive & Kubernetes by Tsvi Korren, Director of Technical Services at Aqua.
Container security best practices and implications in a Kubernetes environment. Tsvi will cover security for your containerized applications from development, through build, ship, and run, and as a result, how to make your entire Kubernetes deployment more secure.
Meetup 12-12-2017 - Application Isolation on Kubernetes - dtoledo67
Here are the slides I presented on 12-12-2017 at the Bay Area Microservices Meeting. I presented some of the best practices to achieve application isolation on Kubernetes.
How Secure Is Your Container? ContainerCon Berlin 2016 - Phil Estes
A conference talk at ContainerCon Europe in Berlin, Germany, given on October 5th, 2016. This is a slightly modified version of my talk first used at Docker London in July 2016.
We are excited to continue our work on BeanStalk with the introduction of a range of great new features. If you are a Python shop you'll learn how BeanStalk now supports Python containers and the Django and Flask frameworks. Hear about BeanStalk integration with RDS and how custom configuration of containers is possible through simple configuration files.
How to Position Your Globus Data Portal for Success: Ten Good Practices - Globus
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
First Steps with Globus Compute Multi-User Endpoints - Globus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
Cyaniclab : Software Development Agency Portfolio.pdf - Cyanic lab
CyanicLab, an offshore custom software development company based in Sweden, India and Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.
top nidhi software solution freedownload - vrstrong314
This presentation emphasizes the importance of data security and legal compliance for Nidhi companies in India. It highlights how online Nidhi software solutions, like Vector Nidhi Software, offer advanced features tailored to these needs. Key aspects include encryption, access controls, and audit trails to ensure data security. The software complies with regulatory guidelines from the MCA and RBI and adheres to Nidhi Rules, 2014. With customizable, user-friendly interfaces and real-time features, these Nidhi software solutions enhance efficiency, support growth, and provide exceptional member services. The presentation concludes with contact information for further inquiries.
Enhancing Research Orchestration Capabilities at ORNL.pdf - Globus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa... - Anthony Dahanne
Buildpacks have existed for more than 10 years! At first they were used to detect and build an application before deploying it to certain PaaS platforms. Then, with their latest generation, the Cloud Native Buildpacks (a CNCF incubating project), we were able to build Docker (OCI) images. Are they a good alternative to the Dockerfile? What are the Paketo buildpacks? Which communities support them, and how?
Come and find out in this ignite session.
Accelerate Enterprise Software Engineering with Platformless - WSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv... - Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
A Comprehensive Look at Generative AI in Retail App Testing.pdf (kalichargn70th171)
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
An Enterprise Resource Planning system includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives enhanced productivity. Here is a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics.
To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review process
2. [Chart: total number of vulnerabilities in 2017 (CVE sum, y-axis 0 to 2500) per operating system: Mac OS X, Windows 7, Windows XP, Windows 8.1, Windows 10. Source: CVEdetails.com]
6. Agenda
Infrastructure protection
K8s internal security
Authentication & Authorization options
Network
Secrets
Container runtime security
Some other security tools and considerations
7. Infrastructure protection
Limit SSH access to your cluster
Use hardened images for your cluster
Encrypt your storage volumes
Avoid exposing your cluster to the internet
Limit access to the K8s API (consider using a bastion host)
Create a dedicated cluster for each environment (Prod, Stg, Dev)
Separate sensitive pods onto different nodes
8. Kubernetes internal security
Use a minimal base Docker image
Don't use arbitrary base images
Separate sensitive workloads across instances (using anti-affinity, taints and tolerations)
Use namespaces for isolation
Enforce resource quota (CPU, memory, storage)

Image name      Image size
node:latest     ~670MB
ubuntu:latest   ~110MB
alpine:latest   ~4.1MB
scratch         0
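The three scheduling and quota controls from this slide, worked through in one manifest set. This is an added example and not code from the slides; the namespace "payments", the labels "tier: sensitive" and "workload=sensitive", the image name and the resource numbers are assumptions chosen for illustration. It assumes dedicated nodes have been prepared with `kubectl taint nodes <node> workload=sensitive:NoSchedule` and `kubectl label nodes <node> workload=sensitive`.

```yaml
# Added example (not from the slides): isolate a sensitive workload on
# dedicated nodes and cap what its namespace may consume.
apiVersion: v1
kind: Namespace
metadata:
  name: payments          # assumed namespace; namespaces are the isolation unit
---
# ResourceQuota: the sum of all pods in the namespace can never exceed these
# totals, which limits the blast radius of a runaway or abusive pod (DoS).
# Once a compute quota exists, every pod must declare requests/limits or
# admission rejects it.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: payments-quota
  namespace: payments
spec:
  hard:
    pods: "20"
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    requests.storage: 50Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: card-vault
  namespace: payments
spec:
  replicas: 2
  selector:
    matchLabels:
      app: card-vault
      tier: sensitive
  template:
    metadata:
      labels:
        app: card-vault
        tier: sensitive
    spec:
      # Toleration: only pods carrying it may land on nodes tainted
      # workload=sensitive:NoSchedule, so ordinary workloads stay off them.
      tolerations:
        - key: workload
          operator: Equal
          value: sensitive
          effect: NoSchedule
      affinity:
        # Node affinity: additionally require the dedicated nodes, so the
        # sensitive pod never lands on a shared node either.
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: workload
                    operator: In
                    values: ["sensitive"]
        # Pod anti-affinity: never place two tier=sensitive pods on the same
        # host (needs at least as many dedicated nodes as replicas).
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  tier: sensitive
              topologyKey: kubernetes.io/hostname
      containers:
        - name: card-vault
          image: registry.example.internal/payments/card-vault:1.4.2  # assumed; explicit tag, minimal base
          resources:                       # required by the quota above
            requests: {cpu: "250m", memory: 256Mi}
            limits: {cpu: "500m", memory: 512Mi}
```

Taints keep other pods off the dedicated nodes; node affinity keeps the sensitive pods on them; the two are needed together, since a toleration alone does not force scheduling onto the tainted nodes. `kubectl describe quota payments-quota -n payments` shows current usage against the hard limits.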
9. Secure kubelet
With anonymous access enabled, the kubelet API executes commands in any container on the node without credentials:
curl -sk https://<nodeIP>:10250/run/<namespace>/<pod-name>/<container-name> -d "cmd=ls -la /"
Protect the kubelet by enabling authentication and authorization:
Start the API server with the --kubelet-client-certificate and --kubelet-client-key flags
/usr/local/bin/kubelet \
  --anonymous-auth=false \
  --authorization-mode=Webhook \
  --allow-privileged=true \
  --kubeconfig=/var/lib/kubelet/kubeconfig \
  --client-ca-file=/var/lib/kubernetes/ca.pem
• Enable kubelet certificate rotation (beta in 1.8)
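The same hardening expressed as a kubelet configuration file, which is how current releases carry these settings, with certificate rotation added. This is an added example, not configuration from the slides; the file and certificate paths are assumptions.

```yaml
# Added example (not from the slides): file-based equivalent of the kubelet
# flags above. Start the kubelet with  --config=/var/lib/kubelet/config.yaml
# (path assumed) instead of the individual flags.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false            # same as --anonymous-auth=false: no unauthenticated
                              # /run, /exec, /logs or /pods requests on port 10250
  x509:
    clientCAFile: /var/lib/kubernetes/ca.pem   # CA that issued the API server's
                              # --kubelet-client-certificate (path assumed)
  webhook:
    enabled: true             # bearer tokens are verified with the API server
authorization:
  mode: Webhook               # same as --authorization-mode=Webhook: each request
                              # is checked with a SubjectAccessReview against RBAC
rotateCertificates: true      # rotate the kubelet client certificate before expiry
serverTLSBootstrap: true      # also request and rotate the serving certificate
                              # (older releases need the RotateKubeletServerCertificate gate)
readOnlyPort: 0               # close the unauthenticated read-only port 10255
```

With anonymous access off, repeating the curl request from the slide without credentials is answered with HTTP 401 and nothing runs; with `--authorization-mode=Webhook` even an authenticated caller must hold an RBAC permission on the `nodes/proxy` subresource. The API server side also wants `--kubelet-certificate-authority` so that it verifies the kubelet's serving certificate rather than skipping TLS verification.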
14. Authentication
Service accounts
The default service account has full permissions over the cluster; use a custom SA instead
Set "automountServiceAccountToken: false" in your pod spec, when possible
15. Authorization
ABAC
Difficult to manage and understand
Requires SSH and root filesystem access on the master
For permission changes to take effect, the cluster API server must be restarted
{
  "apiVersion": "abac.authorization.kubernetes.io/v1beta1",
  "kind": "Policy",
  "spec": {
    "user": "bob",
    "namespace": "projectSpaceX",
    "resource": "pods",
    "readonly": true
  }
}
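The RBAC equivalent of the ABAC policy above, combined with the dedicated service account from the previous slide. RBAC objects are ordinary API resources, so they are changed with kubectl and take effect immediately, without SSH to the master or an API server restart. This is an added example, not code from the slides; the role and service account names, the pod and the image are assumptions, and the namespace is written as "projectspacex" because namespace names must be lowercase DNS labels.

```yaml
# Added example (not from the slides): least-privilege authorization with RBAC.
# Grants bob (and one service account) read-only access to pods in one namespace,
# which is what "readonly": true meant in the ABAC policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader            # assumed name
  namespace: projectspacex
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]   # read-only verbs; no create/delete/exec
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: projectspacex
subjects:
  - kind: User                # "normal user", managed outside Kubernetes
    name: bob
    apiGroup: rbac.authorization.k8s.io
  - kind: ServiceAccount      # workload identity, managed by the API
    name: telemetry-agent
    namespace: projectspacex
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: telemetry-agent       # assumed; one SA per workload, never "default"
  namespace: projectspacex
automountServiceAccountToken: false   # pods using this SA get no token unless they ask
---
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: projectspacex
spec:
  serviceAccountName: telemetry-agent
  automountServiceAccountToken: false # no API credential inside the container at all
  containers:
    - name: web
      image: nginx:1.25       # assumed image
```

Verify the binding without waiting for a user to report a problem: `kubectl auth can-i list pods -n projectspacex --as bob` answers yes, `kubectl auth can-i delete pods -n projectspacex --as bob` answers no. A pod that does not talk to the API server needs no token at all, and a pod that does should carry a token only for an account bound to the few verbs it uses.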
23.
# Place credentials in ENV vars
$ export AWS_REGION=us-east-1
$ export AWS_ACCESS_KEY_ID=MyAccessKeyID
$ export AWS_SECRET_ACCESS_KEY=MySecretAccessKey
$ export AWS_SESSION_TOKEN=MySessionToken
$ aws ec2 … @bradgeesaman
24. The solution
• For AWS use kube2iam or kiam (using a Docker proxy for requests to the metadata service)
• For GCE use k8s-metadata-proxy
• Limit egress with network policy
25.
Use network policy (GA from 1.7) https://goo.gl/HRtn5B
Egress rules are beta from 1.8
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      run: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "true"
• Istio
26. Network policy guidelines
Label your workloads properly
Isolate workloads from each other
Restrict incoming traffic to kube-system (except kube-dns)
Consider limiting egress to the internet
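The guidelines of slides 24 to 26 applied to the access-nginx policy from slide 25: a namespace-wide default deny, then an allow policy that restricts ingress to the labelled clients and restricts egress to kube-dns plus the internet, with the cloud metadata endpoint (the credential-theft path of slide 23) excluded. This is an added example, not a manifest from the slides; the namespace "web" is an assumption, and so is the `kubernetes.io/metadata.name` label on kube-system (set automatically on Kubernetes 1.21 and later, on older clusters label the namespace yourself).

```yaml
# Added example (not from the slides): default deny plus an explicit allow list.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: web              # assumed namespace
spec:
  podSelector: {}             # selects every pod in the namespace
  policyTypes: ["Ingress", "Egress"]
  # No ingress/egress rules: all traffic is denied unless another policy
  # in the namespace explicitly allows it (policies are additive).
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: web
spec:
  podSelector:
    matchLabels:
      run: nginx              # the workload label from slide 25
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              access: "true"  # only labelled pods in the same namespace
      ports:
        - protocol: TCP
          port: 80
  egress:
    # DNS only to kube-dns in kube-system (the exception from slide 26).
    # namespaceSelector and podSelector in one "to" entry are ANDed.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # HTTPS to the internet, but never to the instance metadata service
    # (169.254.169.254) and not to private ranges; reaching other cluster
    # services needs its own rule with a pod or namespace selector.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
      ports:
        - protocol: TCP
          port: 443
```

Two checks belong with any policy like this: the CNI plugin must actually enforce NetworkPolicy (Calico, Cilium, Weave and similar do; a cluster with a plugin that does not will accept the objects and silently allow everything), and after applying it `kubectl exec` into an nginx pod and confirm that a request to `http://169.254.169.254/` times out while DNS still resolves.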
27. “The definition of Secret—something you tell everybody to tell nobody.”
– The universe
28. Treat your secrets with respect
Don't store your secrets in Git; they will remain in the history even if you delete them.
Create dedicated secrets for dev and prod environments
Secrets are stored in etcd as base64 (almost like plain text)
Encrypt your secrets (K8s encryption at rest, alpha in 1.7)
Use Vault as your secret management (starting from Vault 0.8.3)
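The encryption-at-rest configuration the slide refers to, in the form used by current releases. This is an added example, not configuration from the slides; the file path is an assumption and the key value is a placeholder. The 1.7 alpha mentioned on the slide used `kind: EncryptionConfig` with `apiVersion: v1` and the flag `--experimental-encryption-provider-config`; the object below is the stable form of the same feature.

```yaml
# Added example (not from the slides): encrypt Secrets before they reach etcd.
# Place this file on every control-plane node (path assumed) and start the
# API server with  --encryption-provider-config=/etc/kubernetes/encryption.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets                 # only this resource kind is encrypted here
    providers:
      # The first provider encrypts new writes; every listed provider is tried
      # on reads, so "identity" (plaintext) stays last to read data written
      # before encryption was enabled.
      - aescbc:
          keys:
            - name: key1
              # placeholder: 32 random bytes, base64 encoded, for example
              #   head -c 32 /dev/urandom | base64
              secret: REPLACE_WITH_BASE64_32_BYTE_KEY
      - identity: {}
```

Enabling the provider only affects secrets written afterwards; rewrite the existing ones once with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. To confirm, read a secret straight from etcd with etcdctl: an encrypted value starts with the prefix `k8s:enc:aescbc:v1:key1:` instead of the plain base64. The key file now protects all secrets, so it needs the same file permissions and backup discipline as the etcd data itself, and a KMS provider is preferable where a cloud or on-premise key service is available.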
29. Security context
A security context defines privilege and access control settings for a pod or container
Discretionary Access Control: permission to access an object, like a file, is based on user ID (UID) and group ID (GID).
Security Enhanced Linux (SELinux): objects are assigned security labels.
Running as privileged or unprivileged.
Linux capabilities: give a process some privileges, but not all the privileges of the root user.
AppArmor: use program profiles to restrict the capabilities of individual programs.
Seccomp: limit a process's access to open file descriptors.
AllowPrivilegeEscalation: controls whether a process can gain more privileges than its parent process.
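A pod specification that sets every control listed on this slide. This is an added example, not a manifest from the slides; the pod name, image, UID/GID values, SELinux level and the use of the runtime's default AppArmor and seccomp profiles are assumptions.

```yaml
# Added example (not from the slides): pod and container security context.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-api          # assumed
  annotations:
    # AppArmor: the annotation form (keyed by container name) works on
    # releases before 1.30; from 1.30 securityContext.appArmorProfile exists.
    container.apparmor.security.beta.kubernetes.io/api: runtime/default
spec:
  securityContext:            # pod level, inherited by every container
    runAsNonRoot: true        # kubelet refuses to start the container as UID 0
    runAsUser: 10001          # discretionary access control: fixed UID and GID
    runAsGroup: 10001
    fsGroup: 10001            # mounted volumes are group-owned by this GID
    seccompProfile:
      type: RuntimeDefault    # seccomp: the container runtime's default syscall filter
    seLinuxOptions:           # SELinux label; only meaningful on SELinux-enabled hosts
      level: "s0:c123,c456"
  containers:
    - name: api
      image: registry.example.internal/team/api:2.1.0   # assumed image
      securityContext:        # container level, overrides the pod level
        privileged: false     # unprivileged: no access to host devices
        allowPrivilegeEscalation: false   # setuid binaries and file capabilities
                                          # cannot raise privileges beyond the parent
        readOnlyRootFilesystem: true      # the image cannot be modified at runtime
        capabilities:
          drop: ["ALL"]                   # start with no capabilities at all ...
          add: ["NET_BIND_SERVICE"]       # ... then add back only what is needed
      ports:
        - containerPort: 443
      volumeMounts:
        - name: tmp
          mountPath: /tmp     # the one writable location the process gets
  volumes:
    - name: tmp
      emptyDir: {}
```

Two things show up immediately when applying this to an existing image: if the image runs as root, `runAsNonRoot` stops the pod with a CreateContainerConfigError, which is the intended signal that the image needs a non-root user; and a read-only root filesystem breaks any process that writes outside the mounted emptyDir, so check the application's log and cache paths before rolling it out. With `allowPrivilegeEscalation: false` and all capabilities dropped, a compromised process keeps the rights it started with, nothing more.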
35. Other security tools and considerations
Scan your Docker images for vulnerabilities (Clair from CoreOS/Quay.io, Docker Security Scanning, Aqua, Twistlock).
Use kube-bench (Aqua Security) or kubernetes-auto-analyzer (NCC Group) to run the CIS Kubernetes Benchmark
Enforce cluster-wide security policy with PodSecurityPolicy
Use only a trusted private Docker registry
Always tag your images; avoid using "latest"
Audit events and store them on external storage (beta in 1.8)
Consider using kubeaudit to audit security issues
37. Other security considerations
Specify an image with its digest (SHA256)
Keep up with K8s stable releases
Implement monitoring and set alerts
Don't run "kubectl create -f <some unknown URL to some unknown yamls>"
Keep updated with new security vulnerabilities from the Google group "kubernetes-announce"
https://groups.google.com/forum/#!forum/kubernetes-announce
39. Thanks and credit
My wife
All K8s contributors
Hacking and Hardening Kubernetes Clusters by Example [I] - Brad Geesaman - https://goo.gl/komeXN
Running containers securely with Google Container Engine, Alex Mohr and Jessica Frazelle - https://goo.gl/AFhTyp
Shipping in Pirate-Infested Waters: Practical Attack and Defense in Kubernetes [A] - Greg Castle - https://goo.gl/WFDrrv
Compliance and Identity Management in Kubernetes [I] - Marc Boorshtein - https://goo.gl/Jf7Rkh
Using the firewall will force the attacker to operate from inside the cluster and not from his "friendly environment"
Public images: we aren't aware of who built them or what they contain
Enforcing quota will protect us in some cases of DoS
Quota doesn't currently support ASG
Who needs to authenticate to the Kubernetes API?
Why are certificates better?
You can enable multiple authentication methods at once. You should usually use at least two methods:
Reverse proxy: not secure enough; we need to take into account the possibility that someone is already inside our network.
OpenID Connect: no web OAuth2 client, and tokens are not revocable, which usually requires refresh
Normal users are assumed to be managed by an outside, independent service. Kubernetes does not have objects which represent normal user accounts.
In contrast, service accounts are users managed by the Kubernetes API.
Example: the attacker needs curl
Many security features have been implemented in each release; you must keep up to date with them