### Elliptic-curve cryptography (ECC)

Elliptic-curve cryptography (ECC)

finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point is infeasible: this is the "elliptic curve discrete logarithm problem" (ECDLP).

Applicable for
ECC Key length comparison with RSA Key length.

 RSA ECC 512 112 1024 160 2048 224 3072 256 7680 384 15360 512

Elliptic Curve
• Symmetric to X axis
• Straight line : intersect with 3 points
• y ^ 2 = x ^3 + a * x + b Weierstrass equation.
• No self-intersections,
• No isolated points
• R = P + Q : First, draw the line that intersects P and Q to curve then third point will be -R
• If line is tangent then also it interacts with one more curve.
• All vertical lines intersects the curve at infinity.
• Other algorithms
ECC implementation

Module form https://en.wikipedia.org/wiki/Modular_form and Field arithmetic https://en.wikipedia.org/wiki/Field_arithmetic

* Software

* Hardware

### Public Key Cryptography

PKI (Public Key Infrastructure)

• CA (Certificate Authority) binds public key with identity. = TTP Trusted Third
• Party. E.g. Symantec, Comodo, GoDaddy
• OSCP Responder
• RA (Registration Authority) = subordinate CA in Microsoft PKI.
• VA (Validation Authority)
• Central Directory to store index keys
• Certificate Management System
• Certificate Policy
Method of certification

1. CA

2. Web of Trust. E.g. PGP (Pretty Good Privacy) and GnuPG
3. Simple Public Key Infrastructure (SPKI). Authorization loop : verifier = issuers

Open Source implementation of CA

• OpenSSL is the simplest CA and tool to build PKI enabled apps. C. Part of all major Linux distributions,
• EJBCA is a full featured, Enterprise grade, CA implementation. Java.
• OpenCA is a full featured CA implementation
• XCA is a graphical interface, and database.
• (Discontinued) TinyCA was a graphical interface for OpenSSL.
• XiPKI CA and OCSP responder. With SHA3 support, OSGi-based Java.
• IoT_pki is a simple PKI. Python cryptography library
• DogTag
• gnoMint
• EasyRSA, OpenVPN's command line CA utilities using OpenSSL.
• r509
• Boulder is an automated server that uses the Automated Certificate Management Environment (ACME) protocol.
• Windows Server : Active Directory Certificate Services.
Free digital certificate for public by CA

• CAcert  https://en.wikipedia.org/wiki/CAcert
• Let's Encrypt. https://en.wikipedia.org/wiki/Let%27s_Encrypt
Tools

• genrsa
• ssh-keygen
Standards

Public Key Cryptography Standards : https://en.wikipedia.org/wiki/PKCS
Cryptographic Message Syntax :  https://en.wikipedia.org/wiki/Cryptographic_Message_Syntax and RFC 2315, RFC 2360, RFC 3369

Books

1. Introduction to cryptography and network security

2. Cryptography theory and practice

3. Field Arithmetic

4. Problems in the Theory of Modular Forms

### Kubernetes - practicals

To get more practical insight about internals of Kubernetes

1. Kubernetes - the hard way

https://github.com/kelseyhightower/kubernetes-the-hard-way

https://github.com/kinvolk/kubernetes-the-hard-way-vagrant

https://veerendra2.github.io/kubernetes-the-hard-way-1/
https://veerendra2.github.io/kubernetes-the-hard-way-2/
https://veerendra2.github.io/kubernetes-the-hard-way-3/

2. Learn Kubernetes using Interactive Browser-Based Scenarios

https://www.katacoda.com/courses/kubernetes

3.

Hands-on with Minikube: single node kubernates cluster

To install Minikube :

Free course : “Kubernetes Hardway”

4.

First install curl

sudo apt-get install curl

Install latest stable release of Kubectl

chmod +x kubectl

sudo mv kubectl /usr/local/bin/kubectl

Install latest stable release of Minikube

chmod +x minikube

sudo mv minikube /usr/local/bin

If virtual box is already installed earlier using
sudo apt-get install -y virtualbox virtualbox-ext-pack

Then execute command:

minikube start --memory 1536

Else execute command

echo 'export CHANGE_MINIKUBE_NONE_USER=true' >> ~/.bashrc
source .bashrc
sudo -E minikube start --vm-driver=none

Now play around with Minicube with kubectl

Overview of kubectl

https://kubernetes.io/docs/reference/kubectl/overview/

kubectl Cheat Sheet

https://kubernetes.io/docs/reference/kubectl/cheatsheet/

5. K8S client

https://github.com/kubernetes-client/

https://github.com/kubernetes-client/python

7. Ansible modules

https://docs.ansible.com/ansible/latest/modules/k8s_module.html
https://docs.ansible.com/ansible/latest/modules/k8s_facts_module.html

8. Oneline courses

9. Play with k8s : https://labs.play-with-k8s.com/

10. k8s live talks https://github.com/bbenetskyy/k8s-live-talks

13. Useful commands

https://hub.docker.com/r/karthequian/helloworld/

kubectl run hw --image=karthequian/helloworld --port=80

Deployment name is : hw

kubectl get all
kubectl get pods
kubectl get pods --all-namespaces

the pod is only accessible by its internal IP address within the cluster. To make a container accessible from outside the Kubernetes virtual network, one has to expose the pod as a Kubernetes service using expose command

kubectl expose deployment hello-minikube --type=NodePort

To get YAML file at deployment

kubectl get deploy/hw -o yaml
kubectl get helloworld-service -o yaml

Create

kubectl create -f helloworld-deployment.yml
kubectl create -f helloworld-service.yml
minikube service helloworld

Scale

kubectl get rs //replica set
kubectl scale --replica=3 deply/helloworld-deployment

With Labels

kubectl get pods --show-labels
kubectl label pod/helloworld app=newName --overwrite // to overwrite
kubectl label pod/helloworld app- // to delete

Labels can be used with deployments, services, replica sets etc.

With Selector

To search

kubectl get pods -l label1=value1,label2=value2

kubectl get pods -l label1!=value1

kubectl get pods -l label1 in (value1, value2)

kubectl get pods -l label1 notin (value1, value2)

One can use --selector instead of -l

To delete we can use

kubectl delete pods -l .....

Health check

kubectl create -f helloworld-black.yaml --record

--record is used to add it to roll out history

kubectl set image deployment/navbar-deployment helloworld=karthequian/helloworld:blue

kubectl rollout history deployment/navbar-deployment

kubectl rollout undo deployment/navbar-deployment

to rollback to a specific version. To do this, add a `--to-revision=version`

Debug

kubectl describe pod "pod name"
kubectl describe deployment "deployment name"
kubectl logs "pod name"
kubectl exec --it "pod name" /bin/bash
kubectl exec --it "pod name" -c "container name" /bin/bash

Dashboard

minikube dashboard

kubectl edit "pod name"

Configmaps

an example of "log_level", and pass the value "debug" to a pod via a configmap in this example.

To create a configmap for this literal type
kubectl create configmap logger --from-literal=log_level=debug

To see all your configmaps: `kubectl get configmaps`

To read the value in the logger configmap: `kubectl get configmap/logger -o yaml`

To edit the value, we can run `kubectl edit configmap/logger`

Application Secretes

They cannot be part of YML file.

kubectl create secrete
kubectl get secrete

We have similar CLI commands for cronjobs, statefulsets and namespaces

kubectl create cronjobs
kubectl edit cronjobs/hellow

kubectl create -f "yaml file for statefulsets"
kubectl get statefulsets

namespace provides multi-tenancy to k8s instance. k8s provides multiple virtual cluster on same physical cluster.

kubectl get namespaces
kubectl create namespaces "name"
kubectl delete namespaces "name"

# Get ExternalIPs of all nodes

Events

# List Events sorted by timestamp

Autoscale

kubectl autoscale deployment foo --min=2 --max=10                # Auto scale a deployment "foo"

Running Pods

kubectl logs my-pod                                 # dump pod logs (stdout)
kubectl port-forward my-pod 5000:6000               # Listen on port 5000 on the local machine and forward to port 6000 on my-pod
kubectl top pod POD_NAME --containers               # Show metrics for a given pod and its containers

Use Case : nginx server with load balancer

kubectl run nginx --image = nginx: 1.10 --replicas = 5

kubectl get deployments
kubectl get pods

kubectl expose deployment nginx -type=LoadBalancer -port=80
kubectl get svc

Reference :

### istio

istio

Micro-service mesh management framework

It provides a uniform way to connect, manage, and secure microservices. It supports managing traffic flows between microservices, enforcing access policies, and aggregating telemetry data, all without requiring changes to the microservice code.

Benifit

* A/B testing,
* canary releases,
* failure recovery,
* metrics,

Key Capability

* Traffic Management

- rate limiting,
* Observability
- monitoring
* Policy Enforcement
- access control,
* Service identity and security
- service-to-service authentication,
- discovery of services,
- end-to-end authentication.
* Platform Support
- Cloud,
- on-premise,
- Kubernetes,
- Mesos
* Integration and Customization : integrate with existing solutions for
- ACLs,
- logging,
- monitoring,
- quotas,
- auditing
- etc.

* Grafana : dashboard to visualize service mesh traffic data
* Prometheus : to query istio metrics
* ServiceGraph :  generating and visualizing a graph of services within a mesh
* Zipkin : distributed tracing system

Architecture

1. Data plane :
set of intelligent proxy (Envoy)

2. Control plane :

manage and configure proxy
- to route traffic
- to enforce policy runtime.

1. Envoy : sidecar proxy in same pod with features :
dynamic service discovery,
TLS termination,
HTTP & gRPC proxying,
circuit breakers,
health checks,
staged roll-outs with percentage-based traffic split,
fault injection,
rich metrics.
rich L7 routing

2. Mixer:

platform independent

flexible plugin model
with a variety of host environments and infrastructure back end

- enforce access control
- enforce usage policies such as authorization, rate limits, quotas, authentication etc.
- collect telemetry data from envoy
- request tracing

Mixer configuration for
- attribute extraction
- policy evaluation

Go Package.

3. Pilot

- converts high level routing rules that control traffic behavior into Envoy-specific configurations
- propagates Envoy-specific configurations to the sidecars at runtime
- abstracts platform-specific service discovery mechanisms
- translate service discovery to Envoy data plane API

Benefits

* service discovery
* traffic management
* intelligent routing
- A/B tests,
- canary deployments
* resiliency
- timeouts,
- retries,
- circuit breakers,
- etc.
* multiple environments
- Kubernetes,

4. istio-Auth
Authentication using mutua TLS
Built-in identity + credentials management
enforce policy based on service identity