Elliptic-curve cryptography (ECC)


Elliptic-curve cryptography (ECC)

finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point is infeasible: this is the "elliptic curve discrete logarithm problem" (ECDLP). 

Applicable for 
ECC Key length comparison with RSA Key length. 


RSAECC
512112
1024160
2048224
3072256
7680384
15360512


Elliptic Curve

Public Key Cryptography



PKI (Public Key Infrastructure) 


  • CA (Certificate Authority) binds public key with identity. = TTP Trusted Third 
  • Party. E.g. Symantec, Comodo, GoDaddy
  • OSCP Responder
  • RA (Registration Authority) = subordinate CA in Microsoft PKI. 
  • VA (Validation Authority) 
  • Central Directory to store index keys
  • Certificate Management System
  • Certificate Policy
Method of certification

1. CA

2. Web of Trust. E.g. PGP (Pretty Good Privacy) and GnuPG
3. Simple Public Key Infrastructure (SPKI). Authorization loop : verifier = issuers 

Open Source implementation of CA



  • OpenSSL is the simplest CA and tool to build PKI enabled apps. C. Part of all major Linux distributions, 
  • EJBCA is a full featured, Enterprise grade, CA implementation. Java. 
  • OpenCA is a full featured CA implementation 
  • XCA is a graphical interface, and database. 
  • (Discontinued) TinyCA was a graphical interface for OpenSSL.
  • XiPKI CA and OCSP responder. With SHA3 support, OSGi-based Java.
  • IoT_pki is a simple PKI. Python cryptography library
  • DogTag
  • gnoMint
  • EasyRSA, OpenVPN's command line CA utilities using OpenSSL.
  • r509
  • Boulder is an automated server that uses the Automated Certificate Management Environment (ACME) protocol.
  • Windows Server : Active Directory Certificate Services.
Free digital certificate for public by CA


  • CAcert  https://en.wikipedia.org/wiki/CAcert
  • Let's Encrypt. https://en.wikipedia.org/wiki/Let%27s_Encrypt
Tools


Standards

Public Key Cryptography Standards : https://en.wikipedia.org/wiki/PKCS
Cryptographic Message Syntax :  https://en.wikipedia.org/wiki/Cryptographic_Message_Syntax and RFC 2315, RFC 2360, RFC 3369


Books

1. Introduction to cryptography and network security



2. Cryptography theory and practice

3. Field Arithmetic 

4. Problems in the Theory of Modular Forms

Kubernetes - practicals


To get more practical insight about internals of Kubernetes 

1. Kubernetes - the hard way


https://github.com/kelseyhightower/kubernetes-the-hard-way

https://github.com/kinvolk/kubernetes-the-hard-way-vagrant

https://veerendra2.github.io/kubernetes-the-hard-way-1/
https://veerendra2.github.io/kubernetes-the-hard-way-2/
https://veerendra2.github.io/kubernetes-the-hard-way-3/

2. Learn Kubernetes using Interactive Browser-Based Scenarios

https://www.katacoda.com/courses/kubernetes

3. 

Hands-on with Minikube: single node kubernates cluster

To install Minikube : 


Free course : “Kubernetes Hardway”

4.

First install curl

sudo apt-get install curl

Install latest stable release of Kubectl

curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl

chmod +x kubectl

sudo mv kubectl /usr/local/bin/kubectl

Install latest stable release of Minikube

curl -Lo minikube https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64 

chmod +x minikube

sudo mv minikube /usr/local/bin

If virtual box is already installed earlier using
sudo apt-get install -y virtualbox virtualbox-ext-pack

Then execute command:

minikube start --memory 1536


Else execute command 

echo 'export CHANGE_MINIKUBE_NONE_USER=true' >> ~/.bashrc
source .bashrc
sudo -E minikube start --vm-driver=none

Now play around with Minicube with kubectl

Overview of kubectl

https://kubernetes.io/docs/reference/kubectl/overview/

kubectl Cheat Sheet

https://kubernetes.io/docs/reference/kubectl/cheatsheet/

5. K8S client

https://github.com/kubernetes-client/

https://github.com/kubernetes-client/python

6. https://github.com/kubernetes-incubator

7. Ansible modules

https://docs.ansible.com/ansible/latest/modules/k8s_module.html
https://docs.ansible.com/ansible/latest/modules/k8s_facts_module.html
https://docs.ansible.com/ansible/latest/modules/k8s_scale_module.html.


8. Oneline courses

https://kodekloud.com/


9. Play with k8s : https://labs.play-with-k8s.com/

10. k8s live talks https://github.com/bbenetskyy/k8s-live-talks

11. https://www.abhishek-tiwari.com/local-development-environment-for-kubernetes-using-minikube/


12. https://github.com/saiyam1814/challenges-kubernetes

13. Useful commands


Download 

https://hub.docker.com/r/karthequian/helloworld/

kubectl run hw --image=karthequian/helloworld --port=80

Deployment name is : hw


kubectl get all
kubectl get pods
kubectl get pods --all-namespaces

the pod is only accessible by its internal IP address within the cluster. To make a container accessible from outside the Kubernetes virtual network, one has to expose the pod as a Kubernetes service using expose command

kubectl expose deployment hello-minikube --type=NodePort


To get YAML file at deployment

kubectl get deploy/hw -o yaml
kubectl get helloworld-service -o yaml

Create

kubectl create -f helloworld-deployment.yml
kubectl create -f helloworld-service.yml
minikube service helloworld

Scale

kubectl get rs //replica set
kubectl scale --replica=3 deply/helloworld-deployment

With Labels

kubectl get pods --show-labels
kubectl label pod/helloworld app=newName --overwrite // to overwrite
kubectl label pod/helloworld app- // to delete

Labels can be used with deployments, services, replica sets etc. 

With Selector

To search

kubectl get pods -l label1=value1,label2=value2

kubectl get pods -l label1!=value1

kubectl get pods -l label1 in (value1, value2)

kubectl get pods -l label1 notin (value1, value2)

One can use --selector instead of -l

To delete we can use 

kubectl delete pods -l .....

Health check

One can add readinessProbe and livenessProbe in YAML file


Upgrade and roolback

kubectl create -f helloworld-black.yaml --record

--record is used to add it to roll out history

kubectl set image deployment/navbar-deployment helloworld=karthequian/helloworld:blue

kubectl rollout history deployment/navbar-deployment

kubectl rollout undo deployment/navbar-deployment

to rollback to a specific version. To do this, add a `--to-revision=version`

Debug

kubectl describe pod "pod name"
kubectl describe deployment "deployment name"
kubectl logs "pod name"
kubectl exec --it "pod name" /bin/bash
kubectl exec --it "pod name" -c "container name" /bin/bash

Dashboard

minikube addons list
minikube addons enable "name"
minikube dashboard

kubectl edit "pod name"


Configmaps

an example of "log_level", and pass the value "debug" to a pod via a configmap in this example.

To create a configmap for this literal type 
kubectl create configmap logger --from-literal=log_level=debug

To see all your configmaps: `kubectl get configmaps`

To read the value in the logger configmap: `kubectl get configmap/logger -o yaml`

To edit the value, we can run `kubectl edit configmap/logger`

Application Secretes

E.g database passwords, API tokens
They cannot be part of YML file. 

kubectl create secrete
kubectl get secrete

We have similar CLI commands for cronjobs, statefulsets and namespaces

kubectl create cronjobs
kubectl edit cronjobs/hellow

kubectl create -f "yaml file for statefulsets"
kubectl get statefulsets

namespace provides multi-tenancy to k8s instance. k8s provides multiple virtual cluster on same physical cluster. 

kubectl get namespaces
kubectl create namespaces "name"
kubectl delete namespaces "name"

Auto Complete

source <(kubectl completion bash) # setup autocomplete in bash into the current shell, bash-completion package should be installed first.

echo "source <(kubectl completion bash)" >> ~/.bashrc # add autocomplete permanently to your bash shell.

Node IP Address

# Get ExternalIPs of all nodes
kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}'

Events

# List Events sorted by timestamp
kubectl get events --sort-by=.metadata.creationTimestamp

Autoscale

kubectl autoscale deployment foo --min=2 --max=10                # Auto scale a deployment "foo"

Running Pods

kubectl logs my-pod                                 # dump pod logs (stdout)
kubectl port-forward my-pod 5000:6000               # Listen on port 5000 on the local machine and forward to port 6000 on my-pod
kubectl top pod POD_NAME --containers               # Show metrics for a given pod and its containers

Use Case : nginx server with load balancer 

kubectl run nginx --image = nginx: 1.10 --replicas = 5

kubectl get deployments
kubectl get pods

kubectl expose deployment nginx -type=LoadBalancer -port=80
kubectl get svc

Reference : 

istio


istio

Micro-service mesh management framework


It provides a uniform way to connect, manage, and secure microservices. It supports managing traffic flows between microservices, enforcing access policies, and aggregating telemetry data, all without requiring changes to the microservice code.


Benifit


* A/B testing, 
* canary releases, 
* failure recovery, 
* metrics,

Key Capability


* Traffic Management 

- load balancing, 
- rate limiting, 
* Observability
- monitoring
* Policy Enforcement 
- access control,
- load balancing, 
* Service identity and security
- service-to-service authentication, 
- discovery of services, 
- end-to-end authentication.
* Platform Support
- Cloud, 
- on-premise, 
- Kubernetes, 
- Mesos
* Integration and Customization : integrate with existing solutions for 
- ACLs, 
- logging, 
- monitoring, 
- quotas, 
- auditing 
- etc.

Istio pre-configured add-ons


* Grafana : dashboard to visualize service mesh traffic data
* Prometheus : to query istio metrics 
* ServiceGraph :  generating and visualizing a graph of services within a mesh
* Zipkin : distributed tracing system

Architecture


1. Data plane : 
set of intelligent proxy (Envoy)

2. Control plane :

manage and configure proxy 
- to route traffic
- to enforce policy runtime. 

1. Envoy : sidecar proxy in same pod with features : 
dynamic service discovery, 
load balancing, 
TLS termination, 
HTTP & gRPC proxying, 
circuit breakers, 
health checks, 
staged roll-outs with percentage-based traffic split, 
fault injection, 
rich metrics.
 rich L7 routing

2. Mixer: 


platform independent

flexible plugin model 
with a variety of host environments and infrastructure back end

Tasks: 

- enforce access control
- enforce usage policies such as authorization, rate limits, quotas, authentication etc.
- collect telemetry data from envoy
  - request tracing

Mixer configuration for
- attribute extraction
- policy evaluation

 Adapter

  Go Package. 
  Guide to develop new adapter : https://github.com/istio/istio/wiki/Mixer-Compiled-In-Adapter-Dev-Guide  
  https://istio.io/blog/2017/adapter-model/

3. Pilot

Tasks: 
- converts high level routing rules that control traffic behavior into Envoy-specific configurations
- propagates Envoy-specific configurations to the sidecars at runtime
- abstracts platform-specific service discovery mechanisms
- translate service discovery to Envoy data plane API

Benefits

* service discovery
* traffic management
* intelligent routing
- A/B tests, 
- canary deployments
* resiliency 
- timeouts, 
- retries, 
- circuit breakers, 
- etc.
* multiple environments 
- Kubernetes, 
- Consul/Nomad

4. istio-Auth
Authentication using mutua TLS
Built-in identity + credentials management
enforce policy based on service identity

5. Citadel

A centralized component responsible for certificate issuance and rotation.

6. Node Agent

A per-node component responsible for certificate issuance and rotation.

7. Galley

Central component for validating, ingesting, aggregating, transforming and distributing config within Istio.

In nut-shell istio is all about just configuring Envoy proxy