Many organizations are shifting to containers and Kubernetes, and that move means learning new ways to secure their environments. Kubernetes clusters have to be hardened at different levels. We have to consider the nodes where the Kubernetes control plane is running. We also need to secure the Kubernetes workloads and check the code that creates them. And we need to inspect the containers we are using for vulnerabilities and watch for unusual behavior.
Gene will show you some open-source tools that can find issues and vulnerabilities at each layer. You will see how they can be used to build your Kubernetes cluster safely and keep it secure.
An overview of the Kubernetes architecture - Igor Sfiligoi
This talk provides a 101 introduction to Kubernetes from a user point of view.
Aimed at service providers, it was presented at the GPN Annual Meeting 2019. https://conferences.k-state.edu/gpn/
This document discusses using external scalers with KEDA (Kubernetes Event-driven Autoscaling) to allow KEDA to interact with systems outside the cluster to drive application scaling needs in a more customized way. It describes using gRPC to connect an external metrics adapter to KEDA's controller and provides an example demo of scaling applications based on messages in an ActiveMQ Artemis broker deployed outside the cluster. Relevant references are also included.
Kubernetes Concepts And Architecture Powerpoint Presentation Slides - SlideTeam
The document provides an overview of Kubernetes concepts and architecture. It begins with an introduction to containers and microservices architecture. It then discusses what Kubernetes is and why organizations should use it. The remainder of the document outlines Kubernetes components, nodes, development processes, networking, and security measures. It provides descriptions and diagrams explaining key aspects of Kubernetes such as architecture, components like Kubelet and Kubectl, node types, and networking models.
Service meshes are relatively new, extremely powerful and can be complex. There’s a lot of information out there on what a service mesh is and what it can do, but it’s a lot to sort through. Sometimes, it’s helpful to have a guide. If you’ve been asking questions like “What is a service mesh?” “Why would I use one?” “What benefits can it provide?” or “How did people even come up with the idea for service mesh?” then The Complete Guide to Service Mesh is for you.
This document provides an overview of Kubernetes including:
1) Kubernetes is an open-source platform for automating deployment, scaling, and operations of containerized applications. It provides container-centric infrastructure and allows for quickly deploying and scaling applications.
2) The main components of Kubernetes include Pods (groups of containers), Services (abstract access to pods), ReplicationControllers (maintain pod replicas), and a master node running key components like etcd, API server, scheduler, and controller manager.
3) The document demonstrates getting started with Kubernetes by enabling the master on one node and a worker on another node, then deploying and exposing a sample nginx application across the cluster.
Related Source Code https://github.com/abdennour/meetup-deployment-k8s
Intro
Why Deployment?
What's Deployment?
How Deployment?
Deployment Strategies (in general & in k8s)
Deployment Features
Demo (distributed)
Microservices, Kubernetes and Istio - A Great Fit! - Animesh Singh
Microservices and containers are now influencing application design and deployment patterns. Sixty percent of all new applications will use cloud-enabled continuous delivery microservice architectures and containers. Service discovery, registration, and routing are fundamental tenets of microservices. Kubernetes provides a platform for running microservices. Kubernetes can be used to automate the deployment of Microservices and leverage features such as Kube-DNS, Config Maps, and Ingress service for managing those microservices. This configuration works fine for deployments up to a certain size. However, with complex deployments consisting of a large fleet of microservices, additional features are required to augment Kubernetes.
Kubernetes is an open source container orchestration system that automates the deployment, maintenance, and scaling of containerized applications. It groups related containers into logical units called pods and handles scheduling pods onto nodes in a compute cluster while ensuring their desired state is maintained. Kubernetes uses concepts like labels and pods to organize containers that make up an application for easy management and discovery.
Docker Kubernetes Istio
Understanding Docker and creating containers.
Container Orchestration based on Kubernetes
Blue Green Deployment, AB Testing, Canary Deployment, Traffic Rules based on Istio
Istio is a service mesh—a modernized service networking layer that provides a transparent and language-independent way to flexibly and easily automate application network functions. Istio is designed to run in a variety of environments: on-premise, cloud-hosted, in Kubernetes containers.
Kubernetes is a system for orchestrating containerized workloads and services across many nodes that provides tools for managing replication, scaling, and state. KEDA allows Kubernetes to automatically scale function apps in response to events from sources like message queues or serverless triggers by integrating with functions running as pods and scaling them based on metrics and triggers. KEDA is useful for running serverless functions on Kubernetes in environments like on-premises, at the edge, or alongside other Kubernetes workloads where full control over scaling is needed.
Terraform can be used to automate the deployment and management of infrastructure as code. It allows defining infrastructure components like VMs, networks, DNS records etc. as code in configuration files. Key benefits include versioning infrastructure changes, consistency across environments, and automation of deployments. The document then provides details on installing Terraform, using common commands like plan, apply and import, defining resources, variables, modules and managing remote state. It also demonstrates creating an EC2 instance using a generated AMI.
This presentation includes information on Kubernetes Architecture, Container Orchestration, Internal Routing, External Routing, Configuration Management, Credentials Management, Persistent Volumes, Rolling Out Updates, Autoscaling, Package Management, and a Hello World example using Helm.
1. Docker EE will include an unmodified Kubernetes distribution to provide orchestration capabilities alongside Docker Swarm.
2. When running mixed workloads across orchestrators, resource contention is a risk and it is recommended to separate workloads by orchestrator on each node for now.
3. Docker EE aims to address the shortcomings of running mixed workloads to better support this in the future.
Helm helps you manage Kubernetes applications — Helm Charts help you define, install, and upgrade even the most complex Kubernetes application.
https://thinkcloudly.com/
Canary Releases on Kubernetes w/ Spinnaker, Istio, and Prometheus - Kublr
In a microservices world, applications consist of dozens, hundreds, or even thousands of components. Manually deploying and verifying deployment quality in production is virtually impossible. Kubernetes, which natively supports rolling updates, enables blue-green application deployments with Spinnaker. However, gradual rollouts are a feature that doesn't come out of the box but can be achieved by adding Istio and Prometheus to the equation.
During this meetup, Slava Koltovich, CEO of Kublr, and Oleg Atamanenko, Senior Software Architect, discussed canary release implementations on Kubernetes with Spinnaker, Istio, and Prometheus. They examined the role of each tool in the process and how they are all connected. During a demo, they demonstrated a successful and a failed canary release, and how these tools enable IT teams to properly roll out changes to their customer base without any downtime.
Jessica Deen, Microsoft
Helm 3 is here; let's go hands-on! In this demo-fueled session, I'll walk you through the differences between Helm 2 and Helm 3. I'll offer tips for a successful rollout or upgrade, go over how to easily use charts created for Helm 2 with Helm 3 (without changing your syntax), and review opportunities where you can participate in the project's future.
Prometheus was recently accepted into the Cloud Native Computing Foundation, making it the second project after Kubernetes to be given their blessing and acknowledging that Prometheus and Kubernetes make an awesome combination. In this talk we'll cover common patterns for running Prometheus on Kubernetes, how to monitor services on Kubernetes, and some cool tips and hacks to ensure you get the most out of your Prometheus + Kubernetes deployment.
DevOps (Continuous Integration, Continuous Delivery & Continuous Deployment using Jenkins and Visual Studio Team Services, setting up VSTS build agents, integrating VSTS with SonarQube and NDepend), complete automation of pushing code into VSTS from Visual Studio, building code by a Jenkins server hosted on Azure and pushing that successful build on to Azure Web App via Release Pipeline or directly from Jenkins, VSTS default agents, setting up a local agent from scratch, setting up agents for code build, VSTS, Visual Studio Online agents, agent pools, hosted agents, Hosted VS2017, hosted Linux agents, setting up an agent on VS Dev Test Labs, setting up template parameters for a continuous pipeline, dynamic build agent creation, random machine names, random passwords, dynamic agent creation in VS Dev Test Labs, SonarQube, code quality, code analysis, MSBuild, integrating VSTS Build with NDepend, package managers, monolithic architecture, NuGet, package management, npmjs.com, semantic versioning, creating a NuGet package, nuspec file, GitVersion plugin, feed URL, Chocolatey for package management, Chocolatey workflow.
Do any VMs contain a particular indicator of compromise? E.g. run a YARA signature over all executables on my virtual machines and tell me which ones match.
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS - Weaveworks
Alfonso described how Weave open source projects (Weave Net and Weave Scope) can help with networking, visualization, and control for ECS. Specifically, Weave acts as a key communicator for networking containers with its multi-host overlay and additional features (including automatic DNS service discovery and multicast).
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security - DevOpsDays Riga
Now that we have passed “peak orchestrator” and as Kubernetes eats the world, we are left wondering: how secure is Kubernetes? Can we really run Google-style multi tenanted infrastructure safely? And how can we be sure what we configured yesterday will be in place tomorrow? In this talk we discuss: - the Kubernetes security landscape - risks, security models, and configuration best-practices - how to configure users and applications with least-privilege - how to isolate and segregate workloads and networks - hard and soft multi-tenancy - Continuous Security approaches to Kubernetes.
Cloud giants such as Google, Twitter and Netflix have made the core building blocks of their infrastructure available as open source. The result of many years of cloud experience is now freely accessible, and anyone can develop their own cloud-native applications: applications that run reliably in the cloud and scale almost without limit. The individual building blocks are growing together into a greater whole, the cloud-native stack. In this session we briefly present the most important concepts and current key technologies. We then implement a simple microservice with .NET Core and Steeltoe OSS and, together with selected building blocks for service discovery and configuration, bring it up step by step on a Kubernetes cluster. @BASTAcon #BASTA17 @qaware #CloudNativeNerd
https://basta.net/microservices-services/cloud-native-net-microservices-mit-kubernetes/
Terraform is used to manage infrastructure as code. InSpec is a powerful framework for validating that infrastructure. In combination they allow for fast, safe infrastructure automation.
A Developer’s Guide to Kubernetes Security - Gene Gotimer
Kubernetes is spreading like crazy across our industry, but most of us are just thrown into the deep end and expected to learn it ourselves. And we do, sort of. We figure out just enough to get our job done, but we don’t have the experience to know if we are doing it right. There is a lot to learn in a technology that is rapidly evolving. The good news is that there are tools and practices to help show us the way.
Join Gene as he shows you what you need to know as a developer to use Kubernetes safely and effectively. He’ll show you some tools you can use to ensure your containers are available, resilient, and secure. They won’t slow you down, won’t cost an arm and a leg, and won’t need you to be a security expert or experienced cloud architect. We’ll use Kubernetes to help us deploy software, not worrying if it will get us fired.
Continuous Security: From tins to containers - now what! - Michael Man
The document discusses securing containers throughout their lifecycle from selection of base images and configuration to runtime. It emphasizes applying security controls at each stage including static analysis of Dockerfiles, scanning of images for vulnerabilities, and using admission controllers in Kubernetes to enforce policies for privileges, network access, and resource usage. The document demonstrates potential security risks if containers are not secured properly and provides examples of admission controllers and best practices to mitigate those risks in Kubernetes.
This document is a summary of a webinar on securing container deployments. It lists several important items to consider when securing containers including: running builds separately from production clusters; treating containers as immutable; avoiding privileged containers; keeping hosts updated; encrypting secrets; and preventing container drift. The document provides instructions on how to provide feedback on the webinar series and lists upcoming webinar topics.
Behind the Code, September 2022 // by Exness - Maxim Gaponov
The presentation discussed the evolution of hacks from 2009 to the present. Key hacks included the RockYou breach in 2009, Stuxnet in 2010, Shamoon in 2012, emergence of IoT hacks in 2014, Visa-Mastercard breach in 2015, WannaCry in 2017, Bangladesh Bank heist in 2016, and the FireEye hack in 2021. The presentation concluded that people will continue to be the main source of attacks, defenses need to move from reactive to resilient approaches, cloud security is important, and more interconnections will create new vulnerabilities as technology evolves.
12 Ways Not to Get Your Kubernetes Cluster 'Hacked' - Suman Chakraborty
Kubernetes enables enterprises to automate many aspects of application deployment, providing tremendous business benefits. This talk aims to discuss best practices around Kubernetes security and how threats and exploits can be mitigated, minimizing service disruption on the Kubernetes platform.
Embracing service-level objectives of your microservices in your CI/CD - Nebulaworks
Shifting left - How to use Continuous Integration tools to bring security into the DevOps world
In today's modern software factories, organizations are shifting security to the left. No longer just the purview of firewalls, security needs to be built in during development and deployment processes. By doing so, organizations can ensure they are limiting vulnerabilities getting into production while cutting costs of both downtime and code rework.
Key Takeaways:
○ How to ensure that the use of open source doesn’t introduce vulnerabilities and other security risks
○ How to automate the delivery of trusted images using a policy-driven approach
○ Empowering developers to secure their applications, while maintaining segregation of duties
○ Ensuring the consistent flow of images through the pipeline, with no side-doors or introduction of unvetted images
○ Enforcing immutability of containers, preventing container-image drift
Learn more about the role and tasks of a container management solution and analyze how four common container management solutions - Amazon EC2 Container Service, Docker for AWS, Kubernetes, and Apache Mesos - stack up against each other.
Code testing and Continuous Integration are just the first step in a source code to production process. Combined with infrastructure-as-code tools such as Puppet the whole process can be automated, and tested!
Cloud-native .NET Microservices mit Kubernetes - QAware GmbH
Mario-Leander Reimer presented on building cloud-native .NET microservices with Kubernetes. He discussed key principles of cloud native applications including designing for distribution, performance, automation, resiliency and elasticity. He also covered containerization with Docker, composing services with Kubernetes and common concepts like deployments, services and probes. Reimer provided examples of Dockerfiles, Kubernetes definitions and using tools like Steeltoe and docker-compose to develop cloud native applications.
WWCode Dallas - Kubernetes: Learning from Zero to Production - Rosemary Wang
The document discusses various Kubernetes concepts and tools including:
- Using Minikube to deploy a local Kubernetes cluster for learning.
- Using kops to deploy a Kubernetes cluster on cloud infrastructure like AWS.
- Key Kubernetes objects like pods, deployments, services, ingress controllers, daemonsets, statefulsets and jobs.
- Cluster operations such as logging/metrics, autoscaling, upgrades, backups and testing.
- Security practices including secrets management, vulnerability scanning and network policies.
Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy - Jeffrey Holden
This document discusses deploying cloud native red team infrastructure using Kubernetes, Istio and Envoy. It provides introductions to Larry Suto and Jeff Holden and their backgrounds. It then covers goals of being automated, portable and scriptable. Key points covered include using Kubernetes for its infrastructure as code capabilities. It discusses concepts like Docker, Kubernetes, Kops, External DNS, SSL Cert Manager and recipes for containerizing tools like Cobalt Strike, Merlin and configuring deployments.
Whatever it takes - Fixing SQLIA and XSS in the process - guest3379bd
This document discusses techniques for preventing SQL injection and cross-site scripting (XSS) vulnerabilities. It proposes using prepared statements with separate data and control planes as a "safe query object" approach. It also discusses policy-based sanitization of HTML and focusing code reviews on defect detection through annotating suspicious code regions. The overall goal is to help developers adopt architectures and techniques that thoroughly apply technical solutions to recognize and fix security weaknesses.
This document provides an overview of Kubernetes and attacking Kubernetes clusters for penetration testers. It begins with introductions to containers, Kubernetes, and setting up a local Kubernetes cluster. It then covers a threat model for Kubernetes and describes an attacker's workflow against a cluster, including discovery, vulnerability testing, exploitation, and persistence. Specific attacks demonstrated include API server authorization testing, discovering exposed etcd and internal services, container escapes, and Helm Tiller privilege escalation. Resources for further learning are also provided.
Dive into DevOps | March, Building with Terraform, Volodymyr Tsap - Provectus
This document is a presentation on using Terraform to manage infrastructure as code. It introduces Terraform and explains why it is useful compared to other configuration management tools. It provides examples of defining AWS resources like EC2 instances, Auto Scaling groups, and load balancers in Terraform code. It also demonstrates passing variables, using modules, and rolling out updates. The presentation emphasizes how Terraform allows defining infrastructure in a declarative way and improves reproducibility of environments.
KCDC - Keeping Secrets Out of Your Pipeline - Gene Gotimer
Commit your code, push a button, and everything is deployed – the Holy Grail of DevOps. Nobody has to type any commands or passwords to push your app live, everything lives in source control and it all just works.
Wait a second! My passwords are in source code? How did they get in there? How can I stop it from happening again? And how can I keep credentials out of source code and still make them available to my DevOps pipeline?
We’ll talk about using the open-source TruffleHog tool to find sensitive information in our source code repositories. And how to catch credentials before they are exposed. Finally, we’ll look at HashiCorp Vault, another open-source tool designed specifically to securely store and retrieve secrets from the pipeline without making them available to everyone.
How Fast Is My App? Performance Testing 101 - Gene Gotimer
Product owners and stakeholders love to ask about performance. “Is the app fast? How fast?” What do those questions even mean? Are they interested in the number of transactions per second? The time for the page to load? How many users it can support at once? Performance testing is a much broader topic than just being able to say an application is “fast” or “slow.” There is load testing, stress testing, and soak testing. You can measure transaction times, concurrency, and capacity. You can address some performance issues with more systems, others with more memory or faster processors or a better network. It all depends on what you mean by "How fast?" Join Gene Gotimer as he showcases open source tools like JMeter and Gatling to measure different types of performance testing. He'll also discuss how Firefox and Chrome can show what the user experience is like in terms of performance. You will leave with a better understanding of what performance testing is, as well as some tools to get started implementing it in your delivery pipeline.
How I Learned to Stop Worrying and Love Legacy Code - Gene Gotimer
Many developers would love to work on brand-new, cutting-edge, greenfield projects, never dealing with the mess of unintelligible code someone else left behind. But most of us spend most of our time maintaining existing code, and it is often spaghetti code with no unit tests, no documentation, and, if we are lucky, a comment that says, “Not sure how this works, but it does so don’t touch it.” We need to make changes, but we can’t even figure out what the code is supposed to do. You know your changes will pile on and make it worse. You can’t change the code safely without adding tests, but you can’t add tests without making changes. So how do you tackle this chicken-and-egg problem? You do it slowly and methodically, building a safety net along the way.
Join Gene as he talks about helping to maintain and improve code on an infamous software project; it was so bad it made the national news. He’ll explain his approach to breaking the code into manageable, maintainable chunks. He’ll talk about adding unit tests that actually test the code using mutation testing, one of his favorite subjects. If you have inherited a pile of code and want to clean it up into something you aren’t afraid to touch, this talk is for you. You’ll hear about some tools and approaches to help you turn legacy code into code you don’t hate.
“We’ll do whatever it takes to make DevOps work!" followed by, "No, we can’t change that!” Almost every organization manages to sabotage its own DevOps transformation or get in its own way to ensure that successful adoption isn’t likely. Henry Ford called it when it comes to change: “Whether you think you can or you think you can’t, you’re right.” Organizations that don’t want to change or don’t think they can almost always fail. Those that change themselves and their processes get to the culture they want. Based on experiences working with government agencies, Gene Gotimer highlights ten practices that doom a DevOps effort from the get-go and describes the DevOps-enabling alternative.
Keeping your Kubernetes Cluster Secure - Gene Gotimer
Many organizations are shifting to containers and Kubernetes, and that move means learning new ways to secure their environments. Kubernetes clusters have to be hardened at different levels. We have to consider the nodes where the Kubernetes control plane is running. We also need to secure the Kubernetes workloads and check the files that create them. And we need to inspect the containers we are using for vulnerabilities and unusual behavior.
Gene will show you some open-source tools that can find issues and vulnerabilities at each layer. You will see how they can be used in a pipeline to build your Kubernetes cluster safely and keep it secure.
Explain DevOps To Me Like I’m Five: DevOps for Managers - Gene Gotimer
Organizations and leaders are often supportive of DevOps, but they don’t always understand what DevOps is and what it will change. It isn’t a one-size-fits-all issue; different environments need different benefits from a DevOps transformation. Join Gene Gotimer as he explains the most important parts of understanding DevOps. We'll discuss how to determine what parts of DevOps your organization needs to concentrate on first and how you should measure improvement. This session boils DevOps down to its most basic parts and makes sure you have a foundation for understanding how to make it work for your situation and organization.
Keeping your Kubernetes Cluster Secure - Gene Gotimer
From NOVA Cloud and Software Engineering Group meetup, Feb. 17, 2021 https://youtu.be/a5uPm1mPLKQ.
Hardening a Kubernetes cluster happens at different levels. We have to examine the nodes where Kubernetes is running. We want to secure the Kubernetes objects and workloads and review the files we used to create them. And we need to look for vulnerabilities in the containers we are using. Gene will show you some open-source tools that can find issues and vulnerabilities at each layer. All of them can be used in a pipeline to build your Kubernetes cluster safely and keep it secure.
Gene Gotimer is the meetup organizer and a DevSecOps Senior Engineer at Steampunk, focusing on agile processes, secure development practices, and automation. Gene feels strongly that repeatability, quality, and security are all strongly intertwined; each depends on the other two, making agile and DevSecOps that much more crucial to software development.
Creative Solutions to Already Solved Problems II - Gene Gotimer
This document contains 20 sections summarizing various issues and annoyances Gene has encountered in codebases, including verbose null checks and conditionals, hardcoded log levels causing large test outputs, unused exceptions, and constants defined separately from their values instead of using enums. It advocates for clearer documentation, more readable code, and avoiding logic in catch blocks that always throw exceptions.
Creative Solutions to Already Solved Problems - Gene Gotimer
Creative Solutions to Already Solved Problems is our name for the ridiculous code that our team has found in our project. These show a massive lack of understanding of common Java constructs and tools. Unfortunately, these examples are real and we had plenty to choose from.
Get to Green: How to Safely Refactor Legacy Code - Gene Gotimer
For many of us, legacy code is a fact of life. Code without tests -- no safe way to make changes, no safety net, no hope of untangling the web of accumulated ugliness, an incomplete understanding (or less) of how it really behaves. And your next set of changes is just going to add to the garbage pile and make it worse. You need tests so you can safely make changes, but you can't add tests without changing the code. It is a chicken-and-egg problem.
So how do you turn legacy code into code you can change confidently? Slowly, one step at a time. Join Gene as he shares his experiences working with a monolithic codebase that was so bad it made national news. He'll go over the steps he and his team used to refactor the code safely by using mocking frameworks, mutation testing, and patience to build an understanding of how the code worked so that they could change it confidently.
This talk is for anyone that has inherited legacy code that they aren't confident in and wants to make it something they can work on and improve. You'll leave with some tools and techniques that will help you change your legacy code into something maintainable.
To survive in today’s market, organizations need to deliver higher quality, more secure software than ever before, and they need to do it faster. Today’s leaders need to understand what DevOps is all about and how to implement it across the enterprise to remain competitive, react to changing conditions, and facilitate growth. This interactive workshop will explain what DevOps is and isn’t, what benefits we should expect adopting it, and what we need to do to adjust to a DevOps mindset. We’ll look at our current delivery processes and discuss how we can deliver higher quality, more secure software, and how we can do it faster, more reliably, and have more confidence in the result. We will focus on the culture and process, only touching on the tools that enable us to work better. It is not a technical deep dive. This workshop is designed for executives and leaders, managers, project managers, and team leads to help them prepare for successful DevOps transformation and leadership.
Pyramid Discussion: DevOps Adoption in Large, Slow Organizations - Gene Gotimer
Notes from Pyramid Discussion: DevOps Adoption in Large, Slow Organizations at Agile + DevOps West 2019.
Are you in a large, plodding enterprise that's beginning, in the midst of, or considering a move toward DevOps? Unsure how or even if it will work, but know you have to make a move anyway? Do you want to hear from your peers about how they've managed so far? A pyramid discussion starts as a series of one-on-one conversations between the participants. After each pair hashes out their thoughts with each other, they join another couple to refine their points and hear pros and cons. After a while, those four join with four more, and so on until there is only one discussion, with everyone sharing and discussing. All attendees will get a chance to have their ideas and experiences heard while building on the thoughts and experiences of others. Even if you aren't ready to take over the discussion in a room of peers, you can proceed through the pyramid of smaller debates to get answers to your questions and hear how others are bringing DevOps to a large, slow organization.
A better, faster pipeline for software delivery, even in the government - Gene Gotimer
The software delivery pipeline is the process of taking features from developers and getting them delivered to customers. The earliest tests should be the quickest and easiest to run, giving developers the fastest feedback. Successive rounds of testing should increase confidence that the code is a viable candidate for production and that more expensive tests—be it time, effort, cost—are justified. Manual testing should be performed toward the end of the pipeline, leaving computers to do as much work as possible before people get involved. Although it is tempting to arrange the delivery pipeline in phases (e.g., functional tests, then acceptance tests, then load and performance tests, then security tests), this can lead to problems progressing down the pipeline.
In this interactive workshop, Gene Gotimer and Ryan Kenney will discuss how to arrange your pipeline, automated or not, and so each round of tests provides just enough testing to give you confidence that the next set of tests is worth the investment. We'll explore how to get the right types of testing into your pipeline at the right points so that you can determine which builds are viable candidates for production. And we’ll explain some of the experiences we’ve had with clients, especially in the federal government, trying to build out delivery pipelines.
Attendees should be at least roughly familiar with their current delivery process, automated or not, or they should at least have a process in mind. No prior knowledge of DevOps, continuous delivery, or automation is assumed.
I often suggest to teams that they should be using all sorts of tools in their pipelines, from simple static analysis checks and automated builds to security scans and performance testing. I've done presentations and talks at conferences. I've lobbied to clients. I've commiserated with my colleagues. But I've never put together my dream pipeline in one of my own projects.
There are always reasons that some tests and tools get left out: our policies won't allow them, they will take too long to get approved, we don't have time, we have bigger problems to deal with, it just isn't what the client is looking for right now. And I usually think, if only I were in charge, I'd make sure we were using those...
In late 2017 I took over maintenance on an open-source project. Now I have no restrictions. The sky's the limit. No one is around to tell me what I can't do. So why don't I have my dream pipeline in place yet?
I'll talk about the trade-offs and compromises I made when building out the pipeline. Why I decided to focus on some tools and tests but skipped others, and what I need to do or change to make this delivery process the pipeline I've always dreamed about, now that I have no one else to blame.
Coveros is a company that helps other companies accelerate software delivery using agile methods. It provides consulting services for agile transformations, software development, testing, automation, and security. Coveros stresses the importance of having a delivery pipeline that provides early and rapid feedback while avoiding late surprises. It recommends including various types of testing early in the pipeline such as unit testing, functional testing, security testing, and performance monitoring to determine if a code change is viable for production. Testing should continue to evolve and improve over time.
DevOps needs to consider many different aspects of software quality, including security. The term DevSecOps was developed to highlight that security is a focus of the pipeline, not a second-class citizen.
Fortunately, we can define done for our pipeline so that it includes security. Continuous integration can invoke static analysis tools to test for security errors and check if we are using components with known vulnerabilities. Automated deployments and virtualization make dynamic environments available for testing in a production-like setting. Regression tests can drive traffic through proxies for security analysis. From the code to the systems where we deploy the software, the process can be designed to make sure that we follow security best practices, and not produce insecure software.
Participants will learn how to construct a definition of done that focuses on security in a DevOps pipeline. They will see how to define security practices that build confidence that they are doing DevSecOps, and how those practices and criteria might mature over time.
A Better, Faster Pipeline for Software Delivery (Gene Gotimer)
The software delivery pipeline is the process of taking new or changed features from developers and getting them quickly delivered to the customers by getting the feature deployed into production. Testing within continuous delivery pipelines should be designed so the earliest tests are the quickest and easiest to run, giving developers the fastest feedback. Successive rounds of testing lead to increased confidence that the code is a viable candidate for production and that more expensive tests—be it time, effort, cost—are justified. Manual testing is performed toward the end of the pipeline, leaving computers to do as much work as possible before people get involved. Although it is tempting to arrange the delivery pipeline in phases (e.g., functional tests, then acceptance tests, then load and performance tests, then security tests), this can lead to serious problems progressing far down the pipeline before they are caught.
Be prepared to discuss your pipeline, automated or not, and talk about what you think is slowing you down and what is keeping you up at night. In this interactive workshop, we will discuss how to arrange your tests so each round provides just enough testing to give you confidence that the next set of tests is worth the investment. We'll explore how to get the right types of testing into your pipeline at the right points so that you can determine quickly which builds are viable candidates for production.
Open Source Security Tools for the Pipeline (Gene Gotimer)
Developing a delivery pipeline means more than just adding automated deploys to the development cycle. To be successful, quality testing of all types must be incorporated throughout the process in order to be sure that problems aren’t slipping through. Those checks must include security, or else you risk quickly and efficiently developing insecure software. Fortunately, the delivery pipeline opens up opportunities to add more security testing to the delivery process.
This talk is aimed at people that are trying to build more security into their continuous delivery pipeline. I walk through specific open-source tools I have used to supplement our security testing even when security wasn’t explicitly my responsibility. I don’t get into how to use each tool-- this is more of a series of teasers to encourage people to look into the tools, and even letting them know what types of tools and testing opportunities are out there.
Which Development Metrics Should I Watch? (Gene Gotimer)
W. Edwards Deming noted that “people with targets and jobs dependent upon meeting them will probably meet the targets – even if they have to destroy the enterprise to do it.” While metrics can be a great tool for evaluating performance and software quality, becoming beholden to reaching metrics goals, especially the wrong ones, can be detrimental to the project. Each team needs to take care and understand what targets are appropriate for their project. They also need to consider the current and desired states of the source code and product and the capabilities and constraints of the team.
As one of the lead architects working with a huge codebase on a government project, I often have the opportunity to influence the teams around me into watching or ignoring various metrics. I will walk through some measures that are available to most projects and discuss what they really mean, various misconceptions about their meaning, the tools that can be used to collect them, and how you can use them to help your team. I’ll discuss experiences and lessons learned (often the hard way) about using the wrong metrics and the damage they can do.
This session is aimed at development leads and others that are trying to choose the right metrics to measure or trying to influence what metrics to avoid.
Add Security Testing Tools to Your Delivery Pipeline (Gene Gotimer)
Developing a delivery pipeline means more than just adding automated deploys to the development cycle. To be successful, quality testing of all types must be incorporated throughout the process to ensure that problems aren’t slipping through. Those checks must include security, or you risk developing insecure software. Fortunately, the delivery pipeline opens up opportunities to add more security testing to the delivery process. Continuous integration builds can add static analysis tools to test for simple security errors and check if components with known vulnerabilities are being used. Gene Gotimer introduces several types of open-source and free security testing tools that can be quickly added to a delivery pipeline. Free tools reduce the initial investment of both time and money, and help eliminate some barriers to adding security testing to the process.
4. INFRASTRUCTURE
Hardening
Kubernetes Hardening Guidance, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA).
• Start with the kubernetes.io article
Kubernetes Security Technical Implementation Guide, Cybersecurity and Infrastructure Security Agency (CISA).
• Start with the stigviewer.com client.
CIS Kubernetes Benchmark, Center for Internet Security (CIS), non-government, non-profit.
https://www.cisecurity.org/benchmark/kubernetes/
@OtherDevOpsGene #AllThingsOpen
6. INFRASTRUCTURE
Cluster configuration
$ kubectl logs kube-bench-kc82n
[INFO] 3 Worker Node Security Configuration
[INFO] 3.1 Worker Node Configuration Files
[PASS] 3.1.1 Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)
[PASS] 3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)
[PASS] 3.1.3 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Manual)
[PASS] 3.1.4 Ensure that the kubelet configuration file ownership is set to root:root (Manual)
[INFO] 3.2 Kubelet
[PASS] 3.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
[PASS] 3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
[PASS] 3.2.3 Ensure that the --client-ca-file argument is set as appropriate (Manual)
[PASS] 3.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)
[PASS] 3.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)
[PASS] 3.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
[PASS] 3.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)
[PASS] 3.2.8 Ensure that the --hostname-override argument is not set (Manual)
[WARN] 3.2.9 Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Automated)
[PASS] 3.2.10 Ensure that the --rotate-certificates argument is not set to false (Manual)
[PASS] 3.2.11 Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)
[INFO] 3.3 Container Optimized OS
[WARN] 3.3.1 Prefer using Container-Optimized OS when possible (Manual)
8. BUILD
Static code analysis
Are resources configured properly?
• Use Checkov by Bridgecrew
• Scans source code for
  • Dockerfiles
  • Kubernetes manifests
  • Terraform
9. BUILD
Static code analysis
$ checkov -d manifests --quiet --compact
kubernetes scan results:
Passed checks: 1066, Failed checks: 166, Skipped checks: 0
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
25. RUNTIME
Network isolation
Can Kubernetes resources reach others they don’t need to?
• Use a service mesh or CNI
• Build a network policy
• Network Policy editor
• https://networkpolicy.io
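Slide 25 asks whether resources can reach others they don't need to. As an added example (not from the talk, and not any CNI's code), the script below models the ingress semantics of a networking.k8s.io/v1 NetworkPolicy and evaluates flows against two constructed policies for the sock-shop demo: a namespace-wide default-deny plus one rule allowing front-end to reach carts on port 80. The policy names, pod labels and port are assumptions for the example; peers are limited to podSelector (no namespaceSelector or ipBlock) and protocols are ignored.

```python
"""Evaluate whether a pod-to-pod flow is admitted by a set of NetworkPolicies.

Added example, not code from the talk or from any CNI. Semantics modelled
(same namespace, ingress only): a pod selected by no policy accepts all
ingress; once any policy selects it, traffic gets through only if some
selecting policy has an ingress rule that admits it. A rule with no "from"
admits every source and a rule with no "ports" admits every port, while a
policy with no ingress rules admits nothing. The policies and labels below
are constructed for this example.
"""


def selects(selector, labels):
    """matchLabels subset test; an empty selector ({}) matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(spec):
    """policyTypes defaults to Ingress, plus Egress only when an egress section exists."""
    if "policyTypes" in spec:
        return spec["policyTypes"]
    return ["Ingress"] + (["Egress"] if "egress" in spec else [])


def ingress_allowed(policies, src_labels, dst_labels, port):
    selecting = [p["spec"] for p in policies
                 if "Ingress" in policy_types(p["spec"])
                 and selects(p["spec"]["podSelector"], dst_labels)]
    if not selecting:
        return True                          # pod is not isolated: default allow
    for spec in selecting:
        for rule in spec.get("ingress", []):  # missing or empty ingress admits nothing
            peers = rule.get("from")
            ports = rule.get("ports")
            peer_ok = peers is None or any(
                selects(peer["podSelector"], src_labels)
                for peer in peers if "podSelector" in peer)
            port_ok = ports is None or any(p.get("port") == port for p in ports)
            if peer_ok and port_ok:
                return True
    return False


# Constructed policies for the sock-shop namespace.
DEFAULT_DENY_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-ingress", "namespace": "sock-shop"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}

ALLOW_FRONT_END_TO_CARTS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-front-end-to-carts", "namespace": "sock-shop"},
    "spec": {
        "podSelector": {"matchLabels": {"name": "carts"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"name": "front-end"}}}],
            "ports": [{"protocol": "TCP", "port": 80}],
        }],
    },
}

POLICIES = [DEFAULT_DENY_INGRESS, ALLOW_FRONT_END_TO_CARTS]

# Constructed pod labels (assumed "name" label key).
PODS = {
    "front-end": {"name": "front-end"},
    "carts": {"name": "carts"},
    "carts-db": {"name": "carts-db"},
    "orders": {"name": "orders"},
}


def flow_matrix(policies, pods, port):
    """{(src, dst): allowed} for every ordered pair; useful when reviewing a policy set."""
    return {(s, d): ingress_allowed(policies, pods[s], pods[d], port)
            for s in pods for d in pods if s != d}


if __name__ == "__main__":
    for (src, dst), allowed in sorted(flow_matrix(POLICIES, PODS, 80).items()):
        print(f"{src:>9} -> {dst:<9} port 80: {'allow' if allowed else 'deny'}")
```

The matrix makes the slide's point concrete: after default-deny is applied, carts-db is unreachable from carts as well, so every legitimate flow needs its own allow rule, which is what the Network Policy editor on the slide helps you draft.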
26. RUNTIME
Network isolation
30. WRAP-UP
Key takeaways
• Enforce the principle of least privilege.
• Keep everything up to date.
• Scan your container images frequently, before and after deployment.
• Monitor your systems for expected and unexpected behavior.
• And disk space.
31. WRAP-UP
Reading list
Kubernetes Hardening Guidance, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA).
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
A Closer Look at NSA/CISA Kubernetes Hardening Guidance, Jim Angel, Pushkar Joglekar, and Savitha Raghunathan.
https://kubernetes.io/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/
Kubernetes Security Technical Implementation Guide, Cybersecurity and Infrastructure Security Agency (CISA).
https://public.cyber.mil/stigs/downloads/
CIS Kubernetes Benchmark, Center for Internet Security (CIS).
https://www.cisecurity.org/benchmark/kubernetes/
32. WRAP-UP
Tools
Aqua Security kube-bench: https://github.com/aquasecurity/kube-bench
Checkov by Bridgecrew: https://github.com/bridgecrewio/checkov
Aqua Security Trivy: https://github.com/aquasecurity/trivy
Anchore Grype: https://github.com/anchore/grype
Anchore Syft: https://github.com/anchore/syft
OWASP Dependency-Track: https://dependencytrack.org
Open Policy Agent: https://www.openpolicyagent.org
Fairwinds Goldilocks: https://github.com/fairwindsops/goldilocks
Network Policy Editor: https://networkpolicy.io
Falco: https://falco.org
We will look at 10 tools across 3 rough layers of the Kubernetes ecosystem.
All are open-source and/or freely available
Also, some publicly available guidance
Security is a type of quality
You cannot be insecure and have high quality
You cannot have low quality but high security
Kubernetes clusters consist of servers acting as master nodes and worker nodes. The operating system and processes on these servers have to be secured just like any others.
These are the tasks traditionally done by Ops and Security
YAGNI
K8s hosts need the same security as other hosts
Keep the systems up-to-date
Easiest to do. Just regularly run apt-get update or dnf update or yum update
CISA recommends the following remediation timelines:
Critical vulnerabilities should be remediated within 15 calendar days of initial detection.
High vulnerabilities should be remediated within 30 calendar days of initial detection.
Least privilege
Ronald Reagan 1986 – The nine most terrifying words in the English language are "I'm from the Government and I'm here to help."
Google both terms,
See the Kubernetes.io article from Oct 2021.
See the stigviewer.com link
Also, not specific to k8s, but federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations, can request Cyber Hygiene Services at no cost from CISA.
CIS is not a government agency, but it is non-profit. CIS Benchmarks are free checklists, very similar to STIGs, easier to read.
"checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark."
If you are running in a managed Kubernetes cluster, such as Amazon EKS or Azure AKS, kube-bench does not have access to the master nodes but can still evaluate the worker nodes.
Runs as a kubectl job
cd ~/git/ggkube/Book/code
kubectl apply -f kube-bench-job-eks.yaml
kubectl get pods
kubectl logs kube-bench-kc82n
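kube-bench runs as a Job and writes its report to the pod log, as the kubectl commands above and the slide 6 output show. An added example that is not part of the talk or of the kube-bench project: a small parser that reads that plain-text report, counts PASS/WARN/FAIL lines (re-joining titles that wrap onto a second line, as 3.2.9 does on the slide) and exits non-zero when a FAIL, or optionally a WARN, is present, so the Job result can gate a pipeline. SAMPLE_REPORT is constructed for the example; the function names parse_report, summarize and gate are mine.

```python
"""Turn a kube-bench report into a pipeline gate.

Added example, not code from the talk or from the kube-bench project.
kube-bench prints one line per check, "[PASS|FAIL|WARN] <id> <title>", to
the Job pod's log; this script parses those lines and decides whether the
run should block a deployment. SAMPLE_REPORT is constructed for this
example; in a pipeline the text would come from "kubectl logs job/kube-bench".
"""
import re
import sys
from collections import Counter

# Constructed sample in the same shape as the slide 6 output. One long
# title wraps onto a continuation line, as happens in real reports.
SAMPLE_REPORT = """\
[INFO] 3 Worker Node Security Configuration
[INFO] 3.2 Kubelet
[PASS] 3.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
[FAIL] 3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
[WARN] 3.2.9 Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture
(Automated)
[PASS] 3.2.10 Ensure that the --rotate-certificates argument is not set to false (Manual)

== Remediations node ==
3.2.2 If using a Kubelet config file, edit the file to set "authorization.mode" to Webhook.
"""

RESULT_RE = re.compile(r"^\[(PASS|FAIL|WARN|INFO)\]\s+(\d+(?:\.\d+)*)\s+(.*)$")


def parse_report(text):
    """Return [(status, check_id, title), ...] for every scored check.

    [INFO] section headers are skipped. A line without a bracketed status
    that appears before the "== ... ==" remediation/summary blocks is the
    wrapped tail of the previous title and is glued back on.
    """
    findings = []
    in_results = True
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("=="):
            in_results = False
            continue
        m = RESULT_RE.match(line)
        if m:
            status, check_id, title = m.groups()
            if status != "INFO":
                findings.append([status, check_id, title])
        elif in_results and findings:
            findings[-1][2] += " " + line
    return [tuple(f) for f in findings]


def summarize(findings):
    """Count findings per status, e.g. {'PASS': 2, 'FAIL': 1, 'WARN': 1}."""
    return dict(Counter(status for status, _, _ in findings))


def gate(findings, fail_on_warn=False):
    """Return (ok, blocking_ids). FAIL always blocks; WARN blocks on request,
    which lets a team ratchet from "fix the failures" to "clear the manual
    checks too" over time."""
    blocking = {"FAIL", "WARN"} if fail_on_warn else {"FAIL"}
    ids = [cid for status, cid, _ in findings if status in blocking]
    return (not ids, ids)


if __name__ == "__main__":
    # Read a real report from stdin (kubectl logs ... | python gate.py [--strict]),
    # or fall back to the constructed sample when run interactively.
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    results = parse_report(text)
    ok, blocking = gate(results, fail_on_warn="--strict" in sys.argv)
    print(summarize(results))
    for status, cid, title in results:
        if cid in blocking:
            print(f"{status} {cid}: {title}")
    sys.exit(0 if ok else 1)
```

On a managed cluster such as EKS or AKS the master-node sections never appear in the log, as the notes above say, so the gate only ever sees the worker-node checks there.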
These tasks are typically going to fall to the development teams while they are producing their software for deployment
All of this is a moot point if the application is security Swiss cheese.
Least privilege
Checkov by Bridgecrew
Frequent updates, sometimes daily
I use this extensively on Terraform code
Python pip install or use Docker container
pushd ./microservices-demo/deploy/Kubernetes
checkov -d manifests --quiet --compact
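The checkov run above produced the seven CKV_K8S findings on slide 9 for the carts Deployment. As an added example, not Checkov's own code, the script below writes out a simplified version of what each of those checks looks for, and runs them against a constructed weak Deployment in the shape that was scanned and a hardened one that satisfies every check. Both manifests, the probe path and port, and the all-zero image digest are assumptions for the example (the digest is a placeholder, not a real one).

```python
"""Explicit versions of the Checkov findings reported on slide 9.

Added example, not Checkov's own code: each check below is a simplified
re-implementation of what the named CKV_K8S check looks for, written out
so the hardening each one expects is visible next to the weak and hardened
Deployment. Both Deployments are constructed for this example; the digest
in the hardened one is an all-zero placeholder, not a real image digest.
"""

CARTS_IMAGE_TAG = "weaveworksdemos/carts:0.4.8"   # image as scanned in the talk
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64        # constructed placeholder


def carts_deployment(container, pod_fields=None):
    """Minimal apps/v1 Deployment dict wrapping one container spec."""
    pod_spec = {"containers": [container]}
    pod_spec.update(pod_fields or {})
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "carts", "namespace": "sock-shop"},
        "spec": {"template": {"spec": pod_spec}},
    }


# Shape of the manifest that failed all seven checks: image by tag, no
# securityContext, no probes, service-account token mounted by default.
WEAK_DEPLOYMENT = carts_deployment({"name": "carts", "image": CARTS_IMAGE_TAG})

# Same workload with the settings each check asks for (probe path/port assumed).
HARDENED_DEPLOYMENT = carts_deployment(
    {
        "name": "carts",
        "image": "weaveworksdemos/carts@" + PLACEHOLDER_DIGEST,
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "runAsNonRoot": True,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "livenessProbe": {"httpGet": {"path": "/health", "port": 80}},
        "readinessProbe": {"httpGet": {"path": "/health", "port": 80}},
    },
    pod_fields={"automountServiceAccountToken": False},
)


def _pod_spec(deployment):
    return deployment["spec"]["template"]["spec"]


def _containers(deployment):
    return _pod_spec(deployment).get("containers", [])


def _seccomp_type(obj):
    return obj.get("securityContext", {}).get("seccompProfile", {}).get("type")


# (check id, title as printed by checkov, predicate that is True when the check passes)
CHECKS = [
    ("CKV_K8S_20", "Containers should not run with allowPrivilegeEscalation",
     lambda d: all(c.get("securityContext", {}).get("allowPrivilegeEscalation") is False
                   for c in _containers(d))),
    ("CKV_K8S_43", "Image should use digest",
     lambda d: all("@sha256:" in c.get("image", "") for c in _containers(d))),
    ("CKV_K8S_38", "Ensure that Service Account Tokens are only mounted where necessary",
     lambda d: _pod_spec(d).get("automountServiceAccountToken") is False),
    ("CKV_K8S_29", "Apply security context to your pods and containers",
     lambda d: all("securityContext" in c for c in _containers(d))),
    ("CKV_K8S_8", "Liveness Probe Should be Configured",
     lambda d: all("livenessProbe" in c for c in _containers(d))),
    ("CKV_K8S_9", "Readiness Probe Should be Configured",
     lambda d: all("readinessProbe" in c for c in _containers(d))),
    ("CKV_K8S_31", "Ensure that the seccomp profile is set to docker/default or runtime/default",
     lambda d: _seccomp_type(_pod_spec(d)) == "RuntimeDefault"
     or all(_seccomp_type(c) == "RuntimeDefault" for c in _containers(d))),
]


def failed_checks(deployment):
    """Return [(id, title), ...] for every check the Deployment fails."""
    if not _containers(deployment):
        raise ValueError("Deployment has no containers")
    return [(cid, title) for cid, title, passes in CHECKS if not passes(deployment)]


def failed_ids(deployment):
    return sorted(cid for cid, _ in failed_checks(deployment))


if __name__ == "__main__":
    for name, d in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(f"{name}: {len(failed_checks(d))} failed")
        for cid, title in failed_checks(d):
            print(f"  {cid}: {title}")
```

The fix for the hardened manifest is mostly the container securityContext block; automountServiceAccountToken sits at the pod level, and the digest replaces the tag so the deployed image cannot silently change under you.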
Can’t just scan once, vulnerabilities can be found even in existing, previously “safe”, containers/code
Installs as package, from script, container, etc.
trivy config manifests/01-carts-dep.yaml
Other options are Clair by Red Hat
Can’t just scan once, vulnerabilities can be found even in existing, previously “safe”, containers/code
grype weaveworksdemos/carts:0.4.8
Can feed that back to Grype
syft weaveworksdemos/carts:0.4.8 --output json --file carts-0.4.8.json
grype sbom:carts-0.4.8.json
syft weaveworksdemos/carts:0.4.8 --output cyclonedx-json --file carts-0.4.8-dx.json
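The syft and grype commands above store an SBOM once and feed it back to the scanner later, which is the practical answer to "can't just scan once". An added example, not code from Syft or Grype, that shows the mechanism: a constructed CycloneDX-style component list is matched against two snapshots of a constructed vulnerability database, the new findings are diffed out, and each is given a remediation deadline from the CISA timelines quoted in the notes above. The package names, versions and EXAMPLE-* identifiers are placeholders invented for the example, not real vulnerabilities.

```python
"""Re-scan a stored SBOM against newer vulnerability data.

Added example, not code from Syft or Grype. The inventory is fixed at build
time (syft --output cyclonedx-json) but the vulnerability database keeps
growing, so the same SBOM can be matched again later (grype sbom:...)
without pulling the image. SBOM, vulnerability snapshots and EXAMPLE-* ids
are all constructed for this example; the remediation windows are the
CISA timelines quoted in the speaker notes.
"""
from datetime import date, timedelta

# Constructed CycloneDX-style inventory for one image.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "container", "name": "example/carts", "version": "0.4.8"}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3"},
        {"type": "library", "name": "libbar", "version": "2.0.1"},
        {"type": "library", "name": "app-framework", "version": "4.5.0"},
    ],
}

# Constructed vulnerability records: a package is affected when
# introduced <= version < fixed_in ("introduced" defaults to the first version).
VULN_DB_AT_BUILD = [
    {"id": "EXAMPLE-0001", "package": "libbar", "fixed_in": "2.0.2", "severity": "High"},
]
VULN_DB_A_MONTH_LATER = VULN_DB_AT_BUILD + [
    {"id": "EXAMPLE-0002", "package": "libfoo", "introduced": "1.2.0",
     "fixed_in": "1.3.0", "severity": "Critical"},
    # already fixed in the version we ship, so it must not match
    {"id": "EXAMPLE-0003", "package": "app-framework", "fixed_in": "4.4.0", "severity": "High"},
]

# Remediation windows from the CISA timeline in the notes (days from detection).
REMEDIATION_DAYS = {"Critical": 15, "High": 30}


def version_key(version):
    """Dotted numeric version to a tuple; non-numeric parts sort as 0 (enough for the demo)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def is_affected(component, record):
    if component["name"] != record["package"]:
        return False
    v = version_key(component["version"])
    introduced = version_key(record.get("introduced", "0"))
    return introduced <= v < version_key(record["fixed_in"])


def scan(sbom, vuln_db):
    """Return a sorted list of (vuln id, package, version, severity) matches."""
    matches = [(r["id"], c["name"], c["version"], r["severity"])
               for c in sbom["components"] for r in vuln_db if is_affected(c, r)]
    return sorted(matches)


def new_findings(previous, current):
    """Vulnerabilities present now that were not in the earlier scan."""
    seen = {m[0] for m in previous}
    return [m for m in current if m[0] not in seen]


def due_date(severity, detected_iso):
    """Remediation deadline as an ISO date, or None when no timeline applies."""
    days = REMEDIATION_DAYS.get(severity)
    if days is None:
        return None
    return (date.fromisoformat(detected_iso) + timedelta(days=days)).isoformat()


if __name__ == "__main__":
    first = scan(SBOM, VULN_DB_AT_BUILD)
    later = scan(SBOM, VULN_DB_A_MONTH_LATER)
    print("at build:", first)
    for vid, pkg, ver, sev in new_findings(first, later):
        print(f"new: {vid} in {pkg} {ver} ({sev}), due {due_date(sev, '2024-01-01')}")
```

Keeping the SBOM beside the image is what makes the second scan cheap: the inventory does not change, only the database does, so the rescan can run on a schedule for every image still in production.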
This is the Ops piece of DevSecOps. After you deploy, the job isn’t finished.
Keep monitoring. It is embarrassing how often companies that spend millions to staff a 24x7 SOC have apps go down when they run out of disk space.