IPTables Flow Chart


Another interesting flowchart about IPTables in general


Reference: https://stuffphilwrites.com/2014/09/iptables-processing-flowchart/

KubeProxy IPTables


I found this flowchart about the execution of the different rule chains of the IPTables firewall. It is based on various configurations and service types, so let me share it with the readers of my blog. Express YourSelf!


References:
https://twitter.com/thockin/status/1191766983735296000?lang=en
https://docs.google.com/drawings/d/1MtWL8qRTs6PlnJrW4dh8135_S9e2SaawT410bJuoBPk/edit

K8s Security: References from KubeCon 2019


Extended NodeRestrictions for Pods: https://bit.ly/2XdeWOF
Bounding Self-Labeling Kubelets: https://bit.ly/351BaFN
Choose a minimal base image: https://bit.ly/37eTPzT
Run as non-root: https://bit.ly/2qpUNJ7
Use resource limits: https://bit.ly/37k48Tx
Use least privilege authorization: https://bit.ly/2CV1INd
Restrict network access: https://bit.ly/37cL9dv
Node Authorizer: https://bit.ly/33XRIPb
Node Restriction: https://bit.ly/2QkRqhk
Kubelet Static Pods: https://bit.ly/2Qj0DGL
ReplicaSet deletion logic: https://bit.ly/2NQTL1O
Run as non-root using security context: https://bit.ly/2qpUNJ7
Minimal base images: https://bit.ly/37eTPzT
Resource limits: https://bit.ly/37k48Tx
Least privilege: https://bit.ly/2CV1INd
GKE hardening guide: g.co/gke/hardening
GKE sandboxes: g.co/gke/sandbox
Kata containers: katacontainers.io
State of Kubernetes Security: https://bit.ly/2OdqgWC
“The Devil in the Details: Kubernetes’ First Security Assessment”: https://bit.ly/34VkAr2
“Walls Within Walls: What If Your Attacker Knows Parkour?”: https://bit.ly/33PZiLl
“Binary Authorization in Kubernetes”: https://bit.ly/32L2yqj
“Piloting Around the Rocks: Avoiding Threats in Kubernetes”: https://bit.ly/36XLAbc
“Hello from the Other Side: Dispatches from a Kubernetes Attacker”: https://bit.ly/2NBpe7Y
“How Kubernetes Components Communicate Securely in Your Cluster”: https://bit.ly/2QrIzKP
“Sig-Auth Update”: https://bit.ly/2Kk7kEQ
“Attacking and Defending Kubernetes Clusters: A Guided Tour”: https://bit.ly/36Xb0G0

kubectl productivity


Auto Complete

source <(kubectl completion bash) # setup autocomplete in bash into the current shell, bash-completion package should be installed first.

echo "source <(kubectl completion bash)" >> ~/.bashrc # add autocomplete permanently to your bash shell.

Context

kubectx helps you switch between clusters back and forth.

kubens helps you switch between Kubernetes namespaces smoothly.


Explain

The kubectl explain command outputs the specification of the requested resource or field.

Alias

A script to generate hundreds of convenient kubectl aliases programmatically.


Syntax explanation
  • k=kubectl
    • sys=--namespace kube-system
  • commands:
    • g=get
    • d=describe
    • rm=delete
    • a=apply -f
    • ex=exec -i -t
    • lo=logs -f
  • resources:
    • po=pod, dep=deployment, ing=ingress, svc=service, cm=configmap, sec=secret, ns=namespace, no=node
  • flags:
    • output format: oyaml, ojson, owide
    • all=--all or --all-namespaces depending on the command
    • sl=--show-labels
    • w=-w/--watch
  • value flags (should be at the end):
    • n=-n/--namespace
    • f=-f/--filename
    • l=-l/--selector
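To show how the compositional scheme above turns into an alias file, here is a small generator written for this post. It is an added example, not the alias script the post refers to: the token subset it covers and the exact expansions it emits (for instance -o=yaml for the oyaml token and --namespace=kube-system for sys) are this example's own assumptions, and the "all" token is expanded per command as the scheme notes (--all for delete, --all-namespaces for read-only verbs).

```shell
#!/bin/sh
# Added example (not the alias script the post refers to): generate kubectl
# aliases from the token scheme k [sys] <command> <resource> [flags...].
# Assumptions: only a subset of tokens is covered, and the expansion strings
# (e.g. -o=yaml, --watch, --namespace=kube-system) are this example's choices.

# expand_cmd TOKEN -> kubectl verb plus the fixed flags the scheme bundles with it
expand_cmd() {
  case "$1" in
    g)  echo "get" ;;
    d)  echo "describe" ;;
    rm) echo "delete" ;;
    a)  echo "apply -f" ;;
    ex) echo "exec -i -t" ;;
    lo) echo "logs -f" ;;
    *)  echo "unknown command token: $1" >&2; return 1 ;;
  esac
}

# expand_res TOKEN -> resource kind
expand_res() {
  case "$1" in
    po)  echo "pod" ;;
    dep) echo "deployment" ;;
    ing) echo "ingress" ;;
    svc) echo "service" ;;
    cm)  echo "configmap" ;;
    sec) echo "secret" ;;
    ns)  echo "namespace" ;;
    no)  echo "node" ;;
    *)   echo "unknown resource token: $1" >&2; return 1 ;;
  esac
}

# expand_flag TOKEN CMD -> flag text; "all" depends on the command token
expand_flag() {
  case "$1" in
    oyaml) echo "-o=yaml" ;;
    ojson) echo "-o=json" ;;
    owide) echo "-o=wide" ;;
    sl)    echo "--show-labels" ;;
    w)     echo "--watch" ;;
    all)   if [ "$2" = "rm" ]; then echo "--all"; else echo "--all-namespaces"; fi ;;
    *)     echo "unknown flag token: $1" >&2; return 1 ;;
  esac
}

# gen_alias SYS CMD RES [FLAG...] -> one "alias name='kubectl ...'" line.
# SYS is "sys" to pin the alias to kube-system or "" for no namespace;
# RES may be "" for verbs that take no resource kind (apply, exec, logs).
gen_alias() {
  ga_sys="$1"; ga_cmd="$2"; ga_res="$3"; shift 3 || return 1
  ga_name="k${ga_sys}${ga_cmd}${ga_res}"
  ga_words="kubectl"
  if [ "$ga_sys" = "sys" ]; then ga_words="$ga_words --namespace=kube-system"; fi
  ga_verb=$(expand_cmd "$ga_cmd") || return 1
  ga_words="$ga_words $ga_verb"
  if [ -n "$ga_res" ]; then
    ga_kind=$(expand_res "$ga_res") || return 1
    ga_words="$ga_words $ga_kind"
  fi
  for ga_f in "$@"; do
    ga_flag=$(expand_flag "$ga_f" "$ga_cmd") || return 1
    ga_name="${ga_name}${ga_f}"
    ga_words="$ga_words $ga_flag"
  done
  printf "alias %s='%s'\n" "$ga_name" "$ga_words"
}

# generate_all -> the alias file: every read/delete verb per resource, the get
# aliases with each output format, an "all" variant, a kube-system variant,
# and the resource-less apply/exec/logs aliases (67 lines in total).
generate_all() {
  for r in po dep ing svc cm sec ns no; do
    for c in g d rm; do gen_alias "" "$c" "$r"; done
    for o in oyaml ojson owide; do gen_alias "" g "$r" "$o"; done
    gen_alias "" g "$r" all
    gen_alias sys g "$r"
  done
  for c in a ex lo; do gen_alias "" "$c" ""; done
}

# Run with PRINT_ALIASES=1 to emit the alias file (e.g. to append to ~/.bashrc).
if [ "${PRINT_ALIASES:-0}" = "1" ]; then
  generate_all
fi
```

Because the alias name is just the concatenation of the tokens, the scheme stays readable once you know the tables: ksysgpooyaml reads as k + sys + g + po + oyaml, i.e. kubectl --namespace=kube-system get pod -o=yaml.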

Reference

eBPF, OPA, Blackbox exporter, ffwd, Heroic


eBPF can be used to:

1. Map application and HA architecture
2. Detect network issues
3. Identify misbehaving services

https://www.youtube.com/watch?v=thBCB7YeZ2g&list=PLj6h78yzYM2NDs-iu8WU5fMxINxHXlien&index=3

Open Policy Agent (https://github.com/open-policy-agent/opa) can be used to validate CRDs.
https://www.youtube.com/watch?v=DUe_8nf42Ik&list=PLj6h78yzYM2NDs-iu8WU5fMxINxHXlien&index=5

The blackbox exporter allows blackbox probing of endpoints over HTTP, HTTPS, DNS, TCP and ICMP. https://github.com/prometheus/blackbox_exporter

ffwd is a flexible metric forwarding agent. It is intended to run locally on the system and receive metrics through a wide set of protocols and then forward them to your TSDB. https://github.com/spotify/ffwd

Heroic: a scalable time series database based on Bigtable, Cassandra, and Elasticsearch. https://github.com/spotify/heroic

https://www.youtube.com/watch?v=AA8e5v43AcU&list=PLj6h78yzYM2NDs-iu8WU5fMxINxHXlien&index=6