Posts

Showing posts with the label Kubernetes

Kafka Message system on Kubernetes

Setting up the Kubernetes namespace for Kafka:

apiVersion: v1
kind: Namespace
metadata:
  name: "kafka"
  labels:
    name: "kafka"

k apply -f kafka-ns.yml

Now let's create the ZooKeeper container inside the kafka namespace:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: zookeeper-service
  name: zookeeper-service
  namespace: kafka
spec:
  type: NodePort
  ports:
  - name: zookeeper-port
    port: 2181
    nodePort: 30181
    targetPort: 2181
  selector:
    app: zookeeper
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: zookeeper
  name: zookeeper
  namespace: kafka
spec:
  replicas: 1
  selector:
    matchLabels:
      app: zookeeper
  template:
    metadata:
      labels:
        app: zookeeper
    spec:
      containers:
      - image: wurstmeister/zookeeper
        imagePullPolicy: IfNotPresent
        name: zookeeper
        ports:
        - containerPort: 2181

(Figure: image1 - kube-kafka1)

From th...

Job & CronJob - Batch Job

What is a Job object in Kubernetes? A Job object is used to create one or more Pods, and the Job ensures that a specified number of Pod instances are created and terminate after completion of the Job. There can be finite jobs that run within given timeout values. A Job tracks the 'Successful' completion of the required task. Jobs can be run in two variants: parallel and non-parallel. Kubernetes Job types: There are 3 types of jobs: non-parallel jobs [single-pod jobs, unless it fails; a replacement pod is created when the pod goes down], parallel jobs with a fixed completion count, and parallel jobs with a task queue.

Example type 1: hundred-fibonaccis.yml

---
apiVersion: batch/v1
kind: Job
metadata:
  name: fibo-100
spec:
  template:
    spec:
      containers:
      - name: fib-container
        image: truek8s/hundred-fibonaccis:1.0
      restartPolicy: OnFailure
  backoffLimit: 3

Create the Job: kubectl create -f hundred-fibonaccis.yml

Now let's...

Kubernetes Deployment

Hello DevSecOps, SRE, Platform Engineers or DevOps Engineers, in this post I want to discuss Kubernetes deployment and its hierarchy of kube objects, and the declarative and imperative ways to make a deployment on kube clusters. To deploy an application on Kubernetes pods, just follow the steps shown in this post. Here is a new learning I would like to share with you about the Kubernetes deployment hierarchy, which internally calls the replication controller to make the desired number of replicas of the pod template specified. Kubernetes Deployment hierarchy: Let's get a deep understanding of the Kubernetes deployment hierarchy. 1. Generating the Kubernetes Deployment Manifest file: We need to create a YAML file to define the deployment of the 'httpd' Apache Webserver. Here we are going to use the '--dry-run' option with client as the value and '-o yaml' to generate the YAML file; to redirect the output we can use the g...

Kubernetes Troubleshooting

We as DevOps and DevSecOps Engineers work on many microservice-based application architectures where we need to manage Kubernetes Cluster troubleshooting at various levels. You cannot rely on a single point to look for failures. While working on Kubernetes troubleshooting we can make the problem easier to understand if we classify it into the following categories: Application Failure, Master node/ControlPlane Failures, Worker node Failures. Application Failure - troubleshooting: Here I'm listing out these with my understanding and experience in practice tests provided by Munshad Mohammad on KodeKloud. You should know the architecture: how it is deployed, what all its dependents are, where they have been deployed, with what endpoints, and what names are used. Check that the service 'name' defined and the referring service match, and also check that the service 'Endpoints' are correctly defined and correctly used in references. k -n dev-ns get all Better to check that t...

Kubernetes Tools Tricks & Tips

Hey Guys, Welcome to the "DevOps Hunter" blog! In this post I would like to share my learnings, collected at different times, about Kubernetes commands and their applied tricks and tips. Initially I've collected a few kubectl-related alias command tricks, then played with the etcd database and the backup and recovery short-cuts, and finally worked on the Kubernetes command tools kubectx and kubens for easy switching in the CLI. Come on! Let's explore the API resources which we might frequently use when we prepare the YAML files for each Kubernetes Object. kubectl api-resources We can sometimes get an API version mismatch due to a change in the API version. This can be examined to see what is new in the current version. How do you identify the certificate file used to authenticate the 'apiserver'? cat /etc/kubernetes/manifests/kube-apiserver.yaml|grep tls-cert - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt The tls-cert-file will be the Kubernetes apiserver ceri...

Kubernetes security - Service accounts

In this post we are going to learn more about what service accounts in Kubernetes are and how they are useful. Prerequisites: Kubernetes cluster up and running. Let's take the scenario where we need to connect with the pods, nodes, deployments and other resources in the Kubernetes cluster. You might be working with automated builds in CICD pipelines that interconnect with each other's resources. A Pod is going to work with the planned application deployments. If you're working in DevSecOps you need to focus on the regular monthly maintenance of scheduled OS patching; in this case Kubernetes node maintenance should be done from a pod. In the above two scenarios there is a need for a service account inside the pod. When a Kubernetes cluster is created, a service account is created at the same time and its name is default. We can also create our own service accounts using the following command. Every service account is associated with the secret wh...

Kubernetes Security - ClusterRoles and ClusterRoleBindings

Hello, in this post we will explore ClusterRoles and ClusterRoleBindings on a Kubernetes Cluster. ClusterRoleBindings map subjects to a ClusterRole. Here Subjects are bound to rules that apply an action on the Cluster resources. It deals with Users, Groups and service accounts. In this post we will try to focus on 'User' specific rules. Kubernetes User Access Control with ClusterRoleBindings to ClusterRole. Prerequisites: 1. Kubernetes Cluster up and running 2. Basic understanding of RBAC. System-related resources such as pods, nodes, storage etc. will be administered using ClusterRole and ClusterRoleBindings by assigning them to a user. To list the ClusterRoles in the Kubernetes cluster: kubectl get clusterrole # Get the Count kubectl get clusterrole --no-headers |wc -l To know about the api-resources that have clusterrole and clusterrolebindings: k api-resources |grep cluster To view the clusterrolebindings availabl...

Kubernetes Security - RBAC

My Understanding about RBAC in Kubernetes: RBAC stands for Role Based Access Control. In our Kubernetes system we have users that need to access the Kubernetes cluster and its resources. Here a role is what categorizes their needs. Let's say our project has developers, admins and presale users. We could define a role named "readers" that allows all users, because it is a common need for all users to read from the system. We could define a role called "writers" and allow certain users like "developers", who contribute many things to develop on the application end; the "Admin" user can have this to control it. We could also define a role called "administrators" for admin users. Administrator role users can have full rights, such as deleting from the system. A Role can be used to define "what can be done?" A Role will be given to users or application software. If we need to deal with software then we need to use a service account. Service accou...

Kubernetes Security - Certificates API

Hello all! Welcome to a new learning, the Kubernetes Certificate API, in the series "Kubernetes Security". Kubernetes Certificate API: We must be aware of what a certificate authority (CA) does and how it works in Kubernetes. The CA server is a server that runs the certificate API. In your DevOps or DevSecOps team a new Kubernetes Admin joins you. How to handle this? With a valid private key, public key pair, CA server signing is automated in Kubernetes; it performs the following steps: 1. Create CertificateSigningRequest object 2. Review Request 3. Approve Request 4. Share Certs to Users. Let's try how it works. a. Private key generation: A user Maheshwari (Mahi) wants to create certificate files; first a private key 'mahi.key' will be generated with the RSA algorithm, and the key size could be 2048 bits. openssl genrsa -out mahi.key 2048 b. Certificate Signing Request (CSR) object: The request can be created by providing the key and subject values, and the result can be stored into a csr file by perfor...

Kubernetes Security - Multiple Cluster with Multiple User Config

Hello Guys! In this post we are going to explore the Kubeconfig. This is a special configuration that is part of Kubernetes Security. We can configure multiple clusters, and different users can access these Kubernetes clusters. We can also configure users to have access to multiple clusters. When we start working on a Kubernetes Cluster there is a config file automatically generated for us. To access a Kube Cluster using the certificate files generated for the admin user, the command can be given as follows: kubectl get pods \ --server controlplane:6443 --client-key admin.key --client-certificate admin.crt --certificate-authority ca.crt Passing all these TLS details (server, client-key, client-certificate, certificate-authority) in the kubectl command every time is a tedious process. Instead of this we can move the TLS certificate file set into a config file, which is called the kubeconfig file. The usage will be as follows: kubectl get pods --kubeconfig config Usually this...

Kubernetes Secrets

Hello DevOps | DevSecOps teams, we are running into the new generation of microservices inside Pods, where we need to focus on how we can protect them. This post covers the security rules imposed on the Kubernetes Cluster with Secret Objects, which are specially designed to store sensitive data for reference inside the Pod Containers. But they have a limitation: they can hold up to 1MB of data only. Why Secret objects? We can store Passwords, keys, tokens, certificates etc. Secrets reduce the risk of exposing sensitive data. Access secrets using volumes and environment variables. Secret objects are created outside the pod/containers. When a secret is created there are NO clues where it will be injected. All secrets reside in the ETCD database on the K8s master. These Kubernetes Secret Objects are similar to ConfigMap Objects. Kubernetes Secret objects using Volumes and ENVIRONMENT variables. Pre-check: First we will check that the Kubernetes Cluster is u...