BLZR

Kubernetes Quick Guide

Mon, 20 Jan 2025 00:00:00 +0000

Kubernetes Architecture

Master
- Api Server: Gateway to the cluster. Also acts as a gatekeeper for authentication (to make sure that only authorized requests get through the cluster)
- Cloud Controller Manager: Connects on-premise cluster to cloud
- Controller Manager: detects cluster state changes & recovers cluster state ASAP.
- Scheduler: Selects appropriate node to create the pod. Note here that Scheduler just decides on which node to schedule. It is kubelet that starts the pod.
- ETCD: Cluster Database (the cluster state that Controller manager checks & resources that Scheduler decides based on them are all stored in etcd)
Worker
- kubelet: used to deploy and start an object (like pod) on local nodes.
- kube-proxy: forwards requests from services to pods. request → service → kube-proxy → pod

Terminology

Node : Hosts that run Kubernetes applications
Containers : Units of packaging
Pods : Containers are not managed individually; instead, they are part of a larger object called a Pod. A Pod consists of one or more containers which share an IP address, access to storage and namespace.
Namespace : Kubernetes uses namespaces to keep objects distinct from each other, for resource control and multitenant considerations.
Service : Collection of pods exposed as an endpoint
Deployment : a deployment file can define the number of copies (or replicas, as they’re known in Kubernetes) of a given pod. Or a deployment can upgrade an existing pod to a new application version by updating the base container image.
CRI (Container Runtime Interface): CRI is an interface that k8s uses to talk to different container runtimes (docker, containerd, cri-o, …). CRI is a set of tools that define what container runtime must implement & how it should be implemented to be pluggable to kubernetes as a container runtime.

Kubelet --> CRI --> Container Runtime

Docker did not implement CRI rules. K8s added dockershim layer to support docker:

Windows Event Log Analysis

Sat, 15 Jun 2024 00:00:00 +0000

Introduction

Microsoft has gradually increased the efficiency and effectiveness of its auditing facilities over the years.

Modern Windows systems can log vast amounts of information with minimal system impact. With the corresponding decrease in the price of storage media, excuses to not enable and retain these critical pieces of evidence simply don’t stand up to scrutiny. Configuring adequate logging on Windows systems, and ideally aggregating those logs into a SIEM or other log aggregator, is a critical step toward ensuring that your environment is able to support an effective incident response.

Azure DevOps Security CheckList

Fri, 10 May 2024 00:00:00 +0000

This Azure DevOps Security Guide, provides acomprehensive framework for ensuring a secure and compliant Azure DevOps environment.

The guide covers various aspects of security, including access control, network security,code security, and continuous monitoring.

Key points addressed in this guide include:

Managing users and groups using Role-Based Access Control (RBAC) to define and enforce granular permissions.
Applying the principle of least privilege for granting permissions to minimize potential risks.
Regularly reviewing user accounts and disabling unnecessary accounts to reduce the attack surface.
Implementing strong authentication with Multi-Factor Authentication (MFA) to protect against unauthorized access.
Integrating centralized identity management using Single Sign-On (SSO) and Azure Active Directory.
Reducing authentication risks using risk-based policies and Azure AD Identity Protection integration.
Restricting access with IP-based network security groups and private networks.
Establishing secure communication with on-premises systems using VPN or ExpressRoute.
Protecting and routing network traffic with Azure DDoS Protection and Azure Firewall.
Applying code review processes and utilizing static and dynamic code analysis toolsfor vulnerability detection.
Establishing secure coding standards and ensuring dependency security.
Incorporating security controls and automated tests in Build and Release pipelines.
Securing agents with trusted agent pools and implementing Git branch policies and pull request reviews for code security.
Storing credentials, certificates, and access keys securely in Azure Key Vault and configuring access for Azure DevOps pipelines.
Monitoring changes using Azure DevOps audit logs for security, compliance, and operational awareness.
Continuously tracking and improving security posture with Azure Policy and Azure Security Center.
Conducting internal and external security audits and penetration tests for evaluationand continuous improvement.
Regularly review and update the security configurations of your Azure DevOps services, resources, and tools.
Implement secure baselines for your Azure resources and enforce them consistently across your environment.
Use Azure Policy to define and enforce security configurations across your Azure resources.
Continuously monitor configuration changes and assess their impact on your security posture.
Implement a robust backup and recovery strategy for your critical data, including source code, artifacts, and configuration data.
Use Azure Backup and Azure Site Recovery to protect your data and applications.
Regularly test your data recovery processes to ensure they are effective and up to date.
Establish a disaster recovery plan to minimize downtime and data loss in case of a security breach or system failure.
Maintain an up-to-date inventory of all Azure DevOps resources, including repositories, pipelines, environments, and tools.
Use Azure Resource Manager (ARM) templates to manage your Azure resources in a consistent and automated manner.
Implement tagging strategies to categorize your Azure resources based on project, team, or other relevant attributes.
Continuously monitor your inventory and resources for any unauthorized changes or access.

This summary highlights the main topics covered in the guide, providing a holistic approachto Azure DevOps security, aimed at fostering a culture of continuous improvement and collaboration between developers, security teams, and other stakeholders. Implementing these best practices will contribute to the ongoing success of your DevOps projects and helpprotect your organization’s critical assets.

The Complete Active Directory Security Handbook (Part-2)

Sat, 20 Apr 2024 00:00:00 +0000

Previous Part

The Complete Active Directory Security Handbook (Part-1)

DCShadow Attack

A DC Shadow attack involves compromising the Active Directory environment by introducinga rogue domain controller (DC) into the network and then replicating changes from thelegitimate domain controllers to the rogue one. The attack consists of six steps.

A DC Shadow attack is a type of attack on an Active Directory environment where an attackerintroduces a rogue domain controller (DC) into the network and replicates changes fromlegitimate domain controllers to it. The attacker first creates changes in the environment,such as adding new objects or modifying existing ones, and then waits for the changes to bereplicated to the legitimate domain controllers. They then register service principal names(SPNs) for the rogue DC and register it in the configuration namespace, allowing it toauthenticate and communicate with other domain controllers. The attacker triggers replication of the changes they made to the rogue DC, which replicates them, allowing thechanges to persist in the environment. Finally, the attacker deletes the SPNs and the rogue DC, covering their tracks and leaving the environment in a compromised state. This type ofattack allows the attacker to persist and control the network by making changes that arereplicated to other domain controllers.

The Complete Active Directory Security Handbook (Part-1)

Mon, 15 Apr 2024 00:00:00 +0000

Introduction

Active Directory (AD), introduced with Windows 2000 ¹, has become an integral part of modern organizations, serving as the backbone of identity infrastructure for 90% of Fortune 1000 companies ². Active Directory is widely used by organizations for its simplicity and centralized management approach. It is an attractive solution for businesses as it makes it easier for employees to access resources and applications with a single set of credentials, which increases productivity and efficiency ³. Additionally, its centralized management structure provides a single point of control for IT administrators, allowing them to manage users, computers, and access to resources in one place ⁴.

Redhat Practice

Mon, 01 Apr 2024 00:00:00 +0000

QUESTION 1

Configure your Host Name, IP Address, Gateway and DNS.

Host name: station.domain40.example.com /etc/sysconfig/network hostname=abc.com hostname abc.com IP Address:172.24.40.40/24 Gateway:172.24.40.1 DNS:172.24.40.1

cd /etc/syscofig/network-scripts/
ls
vim ifcfg-eth0 #(Configure IP Address, Gateway and DNS) 
	IPADDR=172.24.40.40
	GATEWAY=172.24.40.1
	DNS1=172.24.40.1
vim /etc/sysconfig/network #(Configure Host Name)
	HOSTNAME= station.domain40.example.com

QUESTION 2

Add 3 users: harry, natasha, tom. The requirements: The Additional group of the two users: harry, Natasha is the admin group. The user: tom’s login shell should be non-interactive.

18 Money Rules

Wed, 20 Mar 2024 00:00:00 +0000

Pay yourself first. As soon as you get paid, put money into savings. Automating this is even better.
Keep a 6-month emergency fund.

If you have multiple streams of income, you can go as low as 3 months. If starting out on your own, you could need as much as 12 months.

Budget using the 50/30/20 rule.
- 50% for needs
- 30% for wants
- 20% towards saving /investing

This is the bare minimum!

The Most Powerful Ideas

Fri, 15 Mar 2024 00:00:00 +0000

Cunningham’s Law:

The best way to find the right answer on the internet is not to ask the right question, but to post the wrong answer.

Why? Because people are more interested in criticizing others than helping them.

The Streisand Effect:

In some cases, an effort to kill an idea can lead to it becoming more popular instead.

Banned books and music albums that end up becoming popular precisely because they were banned are the most famous examples of this effect.

Things I wish I knew at 21

Fri, 01 Mar 2024 00:00:00 +0000

The biggest difference between success & failure is getting started:

The majority of people I know fantasize about things that actually can be accomplished. They just never get started.

If you get started and play the long game, you have a great chance of winning.

The 2nd biggest difference between success & failure is persistence:

Successful friends & peers of mine have almost always been doing their “thing” for decades. Not years.

Forms in Hugo - Frontend stuff

Thu, 01 Feb 2024 01:01:24 +0530

That day is upon us folks. It’s finally time to discuss on the Frontend part for creating forms in your Hugo Webpage.