IPTables Flow Chart
Posted by Manish Panchmatia on Wednesday, December 11, 2019
Labels: security, software
Another interesting flowchart about IPTables in general
Reference: https://stuffphilwrites.com/2014/09/iptables-processing-flowchart/
KubeProxy IPTables
I found this flowchart about the execution of the different rule chains of the iptables firewall. It is based on various configurations and service types. So let me share it with the readers of my blog. Express Yourself!
References:
https://twitter.com/thockin/status/1191766983735296000?lang=en
https://docs.google.com/drawings/d/1MtWL8qRTs6PlnJrW4dh8135_S9e2SaawT410bJuoBPk/edit
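As an added example that is not part of the post or of the linked flowchart: a small sh/awk walker that follows the -j jumps in an iptables-save dump of the nat table, starting at KUBE-SERVICES and descending through the KUBE-SVC-* and KUBE-SEP-* chains to the DNAT leaves. That is the traversal the flowchart draws by hand for a ClusterIP service. The chain families used (KUBE-SERVICES, KUBE-SVC-*, KUBE-SEP-*, KUBE-MARK-MASQ) are the ones kube-proxy's iptables mode really creates; the sample rules, the hash suffixes, the addresses and the service in them are constructed for this example and were not captured from a cluster.

```shell
#!/usr/bin/env sh
# Added example, not from the blog post or from kube-proxy: walk the chain
# jumps in an iptables-save dump of the nat table, the way the flowchart does
# by hand. KUBE-SERVICES, KUBE-SVC-*, KUBE-SEP-* and KUBE-MARK-MASQ are the
# real chain families kube-proxy creates; the hash suffixes, IPs and service
# below are constructed sample data.

# Constructed excerpt of `iptables-save -t nat` for one ClusterIP service
# with two endpoints. Assumption: kube-proxy in iptables mode, no NodePort.
sample_nat_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-AAAAAAAAAAAAAAAA - [0:0]
:KUBE-SEP-BBBBBBBBBBBBBBBB - [0:0]
:KUBE-SEP-CCCCCCCCCCCCCCCC - [0:0]
:KUBE-MARK-MASQ - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-AAAAAAAAAAAAAAAA
-A KUBE-SVC-AAAAAAAAAAAAAAAA -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-BBBBBBBBBBBBBBBB
-A KUBE-SVC-AAAAAAAAAAAAAAAA -j KUBE-SEP-CCCCCCCCCCCCCCCC
-A KUBE-SEP-BBBBBBBBBBBBBBBB -s 10.244.0.5/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-BBBBBBBBBBBBBBBB -p tcp -m tcp -j DNAT --to-destination 10.244.0.5:53
-A KUBE-SEP-CCCCCCCCCCCCCCCC -s 10.244.1.7/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-CCCCCCCCCCCCCCCC -p tcp -m tcp -j DNAT --to-destination 10.244.1.7:53
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
COMMIT
EOF
}

# trace_chain START FILE: print every jump reachable from chain START,
# indented by depth, with the DNAT destination shown at the leaves.
# Reads stdin when FILE is omitted.
trace_chain() {
    awk -v start="$1" '
    /^-A / {
        chain = $2; target = ""; dest = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "--to-destination") dest = $(i + 1)
        }
        if (target == "") next
        n[chain]++                      # number of jumping rules in this chain
        tgt[chain, n[chain]] = target   # jump target of the k-th rule
        dst[chain, n[chain]] = dest     # DNAT destination, if any
    }
    function walk(c, depth,    i, t, pad) {
        pad = ""; for (i = 0; i < depth; i++) pad = pad "  "
        for (i = 1; i <= n[c]; i++) {
            t = tgt[c, i]
            if (dst[c, i] != "") printf "%s%s -> %s %s\n", pad, c, t, dst[c, i]
            else printf "%s%s -> %s\n", pad, c, t
            # a user-defined chain has rules of its own: descend into it;
            # a builtin target (DNAT, MARK, ACCEPT, ...) is a leaf
            if (t in n) walk(t, depth + 1)
        }
    }
    END { walk(start, 0) }' "$2"
}

# Usage on the constructed sample: sample_nat_rules | trace_chain KUBE-SERVICES
```

On a real node the input is `iptables-save -t nat`, and the start chain for NodePort traffic is KUBE-NODEPORTS rather than KUBE-SERVICES; a cluster with many services produces thousands of rules, so it is worth saving the dump to a file once and running the walker against that rather than re-reading the live tables.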
K8s Security : References from Kubecon2019
Posted by Manish Panchmatia on Thursday, December 5, 2019
Labels: k8s, security
Node Authorizer: https://bit.ly/33XRIPb
Node Restriction: https://bit.ly/2QkRqhk
Kubelet Static Pods: https://bit.ly/2Qj0DGL
Extended NodeRestrictions for Pods: https://bit.ly/2XdeWOF
Bounding Self-Labeling Kubelets: https://bit.ly/351BaFN
ReplicaSet deletion logic: https://bit.ly/2NQTL1O
Run as non-root using a security context: https://bit.ly/2qpUNJ7
Choose a minimal base image: https://bit.ly/37eTPzT
Use resource limits: https://bit.ly/37k48Tx
Use least-privilege authorization: https://bit.ly/2CV1INd
Restrict network access: https://bit.ly/37cL9dv
GKE hardening guide: g.co/gke/hardening
GKE sandboxes: g.co/gke/sandbox
Kata containers: katacontainers.io
State of Kubernetes Security: https://bit.ly/2OdqgWC
“The Devil in the Details: Kubernetes’ First Security Assessment”: https://bit.ly/34VkAr2
“Walls Within Walls: What If Your Attacker Knows Parkour?”: https://bit.ly/33PZiLl
“Binary Authorization in Kubernetes”: https://bit.ly/32L2yqj
“Piloting Around the Rocks: Avoiding Threats in Kubernetes”: https://bit.ly/36XLAbc
“Hello from the Other Side: Dispatches from a Kubernetes Attacker”: https://bit.ly/2NBpe7Y
“How Kubernetes Components Communicate Securely in Your Cluster”: https://bit.ly/2QrIzKP
“Sig-Auth Update”: https://bit.ly/2Kk7kEQ
“Attacking and Defending Kubernetes Clusters: A Guided Tour”: https://bit.ly/36Xb0G0
kubectl productivity
Auto Complete
source <(kubectl completion bash) # setup autocomplete in bash into the current shell, bash-completion package should be installed first.
echo "source <(kubectl completion bash)" >> ~/.bashrc # add autocomplete permanently to your bash shell.
Context
kubectx helps you switch between clusters back and forth; kubens helps you switch between Kubernetes namespaces smoothly.
Explain
The kubectl explain command outputs the specification of the requested resource or field.
Alias
A script to generate hundreds of convenient kubectl aliases programmatically.
Syntax explanation:
- k = kubectl
- sys = --namespace kube-system
- commands:
  - g = get
  - d = describe
  - rm = delete
  - a = apply -f
  - ex = exec -i -t
  - lo = logs -f
- resources:
  - po = pod, dep = deployment, ing = ingress, svc = service, cm = configmap, sec = secret, ns = namespace, no = node
- flags:
  - output format: oyaml, ojson, owide
  - all = --all or --all-namespaces, depending on the command
  - sl = --show-labels
  - w = -w/--watch
- value flags (should be at the end):
  - n = -n/--namespace
  - f = -f/--filename
  - l = -l/--selector
Reference
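As an added example, not the alias-generator script the post refers to: a POSIX sh function that composes alias names the way the syntax above describes (k, an optional sys, a command, an optional resource, and for get an output-format flag) and prints one alias definition per combination. The short names and expansions are the ones listed above; the set is cut down to three commands, three resources and three output flags so the output stays readable, and the value flags (n, f, l) are left out because they take an argument after the alias rather than being baked into it.

```shell
#!/usr/bin/env sh
# Added example (not from the page or from the kubectl-aliases project): a
# tiny generator that composes alias names as the syntax table describes:
#   k [sys] <command> [<resource>] [<output flag>]
# Every short name and expansion mirrors the table; the set is deliberately
# small so the output stays readable.

gen_aliases() {
    # command short-name:expansion pairs
    cmds="g:get d:describe rm:delete"
    # resource short-name:expansion pairs
    ress="po:pod dep:deployment svc:service"
    # output-format flags, only meaningful for get
    flags="oyaml:-o=yaml ojson:-o=json owide:-o=wide"

    for c in $cmds; do
        cn=${c%%:*}; ce=${c#*:}
        # bare command, with and without the kube-system namespace prefix
        echo "alias k$cn='kubectl $ce'"
        echo "alias ksys$cn='kubectl --namespace kube-system $ce'"
        for r in $ress; do
            rn=${r%%:*}; re=${r#*:}
            echo "alias k$cn$rn='kubectl $ce $re'"
            echo "alias ksys$cn$rn='kubectl --namespace kube-system $ce $re'"
            if [ "$cn" = g ]; then
                for f in $flags; do
                    fn=${f%%:*}; fe=${f#*:}
                    echo "alias k$cn$rn$fn='kubectl $ce $re $fe'"
                done
            fi
        done
    done
}

# Usage: gen_aliases            (print the definitions)
#        eval "$(gen_aliases)"  (load them into the current shell)
```

Generated output like this is sourced into your shell, so treat it like any other script you source: read what the generator emits before appending it to ~/.bashrc, and keep the generator itself under version control rather than regenerating from an unpinned download.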
eBPF, OPA, Blackbox exporter, ffwd, Heroic
eBPF can be used to
1. Map application and HA architecture
2. Detect network issues
3. Identify misbehaving services
https://www.youtube.com/watch?v=thBCB7YeZ2g&list=PLj6h78yzYM2NDs-iu8WU5fMxINxHXlien&index=3
Open Policy Agent https://github.com/open-policy-agent/opa can be used to validate custom resource definitions (CRDs)
https://www.youtube.com/watch?v=DUe_8nf42Ik&list=PLj6h78yzYM2NDs-iu8WU5fMxINxHXlien&index=5
The blackbox exporter allows blackbox probing of endpoints over HTTP, HTTPS, DNS, TCP and ICMP. https://github.com/prometheus/blackbox_exporter
ffwd is a flexible metric forwarding agent. It is intended to run locally on the system and receive metrics through a wide set of protocols and then forward them to your TSDB. https://github.com/spotify/ffwd
Heroic A scalable time series database based on Bigtable, Cassandra, and Elasticsearch. https://github.com/spotify/heroic
https://www.youtube.com/watch?v=AA8e5v43AcU&list=PLj6h78yzYM2NDs-iu8WU5fMxINxHXlien&index=6