diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..1d74e219 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.vscode/ diff --git a/docs/images/kubernetes-security-controls-landscape.jpg b/docs/images/kubernetes-security-controls-landscape.jpg new file mode 100644 index 00000000..1fbb9d36 Binary files /dev/null and b/docs/images/kubernetes-security-controls-landscape.jpg differ diff --git a/docs/images/kubernetes-security-controls-landscape.jpg:Zone.Identifier b/docs/images/kubernetes-security-controls-landscape.jpg:Zone.Identifier new file mode 100644 index 00000000..71a9e7b6 --- /dev/null +++ b/docs/images/kubernetes-security-controls-landscape.jpg:Zone.Identifier @@ -0,0 +1,4 @@ +[ZoneTransfer] +ZoneId=3 +ReferrerUrl=https://www.linkedin.com/feed/ +HostUrl=https://media-exp1.licdn.com/dms/image/C5622AQEoXqn08Kv6zg/feedshare-shrink_2048_1536/0?e=1593043200&v=beta&t=Z2lW35H59s1ymf2Y2hvf_A9drcbubJ0UdgviOIk75Pg diff --git a/docs/index.md b/docs/index.md index 6ad687a3..26096c8c 100644 --- a/docs/index.md +++ b/docs/index.md @@ -51,7 +51,7 @@ Microservices architectures rely on DevOps practices, automation, CI/CD (continu - [CI/CD - Continuous Integration & Continuous Delivery](cicd.md) - [Git & Git Patterns. Trunk Devel, Git Flow & Feature Flags. Merge BOTs 🌟](git.md) - [Jenkins & CloudBees 😀](jenkins.md) - - [Jenkins Scripts](scripts/README.md) + - [Jenkins Scripts 🌟](scripts/README.md) - [Performance testing with Jenkins and JMeter or Gatling](performance-testing-with-jenkins-and-jmeter.md) - [OpenShift Pipelines with Jenkins, Tekton and more... 🌟](openshift-pipelines.md) - [Jenkins Alternatives for Continuous Integration](jenkins-alternatives.md) diff --git a/docs/kubernetes.md b/docs/kubernetes.md index 0255970c..86f95be4 100644 --- a/docs/kubernetes.md +++ b/docs/kubernetes.md 
@@ -37,6 +37,7 @@ - [Project Calico](#project-calico) - [Kubernetes Sidecars](#kubernetes-sidecars) - [Kubernetes Security](#kubernetes-security) + - [Security Best Practices Across Build, Deploy, and Runtime Phases](#security-best-practices-across-build-deploy-and-runtime-phases) - [Kubernetes Authentication and Authorization](#kubernetes-authentication-and-authorization) - [Kubernetes Authentication Methods](#kubernetes-authentication-methods) - [X.509 client certificates](#x509-client-certificates) @@ -139,6 +140,7 @@ * [learnk8s.io: Provisioning cloud resources (AWS, GCP, Azure) in Kubernetes 🌟](https://learnk8s.io/cloud-resources-kubernetes) * [padok.fr: Kubernetes’ Architecture: Understanding the components and structure of clusters 🌟](https://www.padok.fr/en/blog/kubernetes-architecture-clusters) * [medium.com: Top 15 Online Courses to Learn Docker, Kubernetes, and AWS for Fullstack Developers and DevOps Engineers](https://medium.com/javarevisited/top-15-online-courses-to-learn-docker-kubernetes-and-aws-for-fullstack-developers-and-devops-d8cc4f16e773) +* [Allocatable memory and CPU in Kubernetes Nodes 🌟](https://learnk8s.io/allocatable-resources) Not all CPU and memory in your Kubernetes nodes can be used to run Pods. In this article, you will learn how managed Kubernetes Services such AKS, EKS and GKE reserve resources for workloads, operating systems, daemons and Kubernetes agent. [![Kubernetes architecture](images/kubernetes-pod-creation.png)](https://www.padok.fr/en/blog/kubernetes-architecture-clusters) 
@@ -437,6 +439,35 @@ kubectl get secret --namespace= -o yaml | sed ‘s/names * [Microsoft.com: Attack matrix for Kubernetes 🌟](https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/) * [codeburst.io: 7 Kubernetes Security Best Practices You Must Follow](https://codeburst.io/7-kubernetes-security-best-practices-you-must-follow-ae32f1ed6444) +### Security Best Practices Across Build, Deploy, and Runtime Phases +- [Kubernetes Security 101: Risks and 29 Best Practices 🌟](https://www.stackrox.com/post/2020/05/kubernetes-security-101/) +- Build Phase: + 1. Use minimal base images + 2. Don’t add unnecessary components + 3. Use up-to-date images only + 4. Use an image scanner to identify known vulnerabilities + 5. Integrate security into your CI/CD pipeline + 6. Label non-fixable vulnerabilities +- Deploy Phase: + 1. Use namespaces to isolate sensitive workloads + 2. Use Kubernetes network policies to control traffic between pods and clusters + 3. Prevent overly permissive access to secrets + 4. Assess the privileges used by containers + 5. Assess image provenance, including registries + 6. Extend your image scanning to deploy phase + 7. Use labels and annotations appropriately + 8. Enable Kubernetes role-based access control (RBAC) +- Runtime Phase: + 1. Leverage contextual information in Kubernetes + 2. Extend vulnerability scanning to running deployments + 3. Use Kubernetes built-in controls when available to tighten security + 4. Monitor network traffic to limit unnecessary or insecure communication + 5. Leverage process whitelisting + 6. Compare and analyze different runtime activity in pods of the same deployments + 7. 
If breached, scale suspicious pods to zero + +[![kubernetes security controls landscape](images/kubernetes-security-controls-landscape.jpg)](https://www.stackrox.com/post/2020/05/kubernetes-security-101/) + ### Kubernetes Authentication and Authorization * [kubernetes.io: Authenticating](https://kubernetes.io/docs/reference/access-authn-authz/authentication/) * [kubernetes.io: Access Clusters Using the Kubernetes API](https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/) diff --git a/docs/monitoring.md b/docs/monitoring.md index 555de9b7..7f6e7243 100644 --- a/docs/monitoring.md +++ b/docs/monitoring.md 
@@ -691,28 +691,28 @@ JMeter|Artemis Grafana|Artemis Dashboard - Thread Dump Analyzers: [fastThread](https://fastthread.io/), [Spotify TDA](https://spotify.github.io/threaddump-analyzer/), [IBM Thread and Monitor Dump Analyzer for Java](https://www.ibm.com/support/pages/ibm-thread-and-monitor-dump-analyzer-java-tmda), [TDA - Thread Dump Analyzer](https://github.com/irockel/tda) - [FastThread.io](https://fastthread.io/): Thread dumps can be uploaded via Web or API Call from within the POD (jstack must be available within the container): - ```bash - #!/bin/sh - # Generate N thread dumps of the process PID with an INTERVAL between each dump. - if [ $# -ne 3 ]; then -    echo Generates Java thread dumps using the jstack command. -    echo -    echo usage: $0 process_id repetitions interval -    exit 1 - fi  - PID=$1 - N=$2 - INTERVAL=$3  - for ((i=1;i<=$N;i++)) - do -    d=$(date +%Y%m%d-%H%M%S) -    dump="threaddump-$PID-$d.txt" -    echo $i of $N: $dump -    jstack -l $PID > $dump -    curl -X POST --data-binary @./$dump https://fastthread.io/fastthread-api?apiKey= --header "Content-Type:text" -    sleep $INTERVAL - done - ``` +```bash +#!/bin/sh +# Generate N thread dumps of the process PID with an INTERVAL between each dump. +if [ $# -ne 3 ]; then +   echo Generates Java thread dumps using the jstack command. +   echo +   echo usage: $0 process_id repetitions interval +   exit 1 +fi  +PID=$1 +N=$2 +INTERVAL=$3  +for ((i=1;i<=$N;i++)) +do +   d=$(date +%Y%m%d-%H%M%S) +   dump="threaddump-$PID-$d.txt" +   echo $i of $N: $dump +   jstack -l $PID > $dump +   curl -X POST --data-binary @./$dump https://fastthread.io/fastthread-api?apiKey= --header "Content-Type:text" +   sleep $INTERVAL +done +``` - How to run this script from within the POD: ```./script_thread_dump.sh 1 15 3```, where: - “1”: PID of java process (“1” in containers running a single process, check with “ps ux” command). diff --git a/docs/openshift.md b/docs/openshift.md index 157eee13..23c5ea2b 100644 
--- a/docs/openshift.md +++ b/docs/openshift.md @@ -324,16 +324,17 @@ Industry momentum has aligned behind Kubernetes as the orchestration platform fo - The supported method of using **Helm charts** with Openshift is via the [Helm Operator](https://www.openshift.com/blog/build-kubernetes-operators-from-helm-charts-in-5-steps) - [twitter.com/operatorhubio](https://twitter.com/operatorhubio) - View the list of Operators available to the cluster from the OperatorHub: - ```bash - $ oc get packagemanifests -n openshift-marketplace - NAME AGE - amq-streams 14h - packageserver 15h - couchbase-enterprise 14h - mongodb-enterprise 14h - etcd 14h myoperator 14h - ... - ``` + +```bash +$ oc get packagemanifests -n openshift-marketplace +NAME AGE +amq-streams 14h +packageserver 15h +couchbase-enterprise 14h +mongodb-enterprise 14h +etcd 14h myoperator 14h +... +``` ![OCP Operators](images/ocp_operators.png) @@ -520,13 +521,13 @@ OpenShift 4.1|5.6.16|?|5.6.16|No - Openshift 4 on your laptop: There is a working solution for single node OpenShift cluster. It is provided by a new project called [CodeReady Containers](https://github.com/code-ready/crc/). - [Procedure:](https://developers.redhat.com/blog/2019/09/05/red-hat-openshift-4-on-your-laptop-introducing-red-hat-codeready-containers/) - ```bash - untar - crc setup - crc start - environment variables - oc login - ``` +```bash +untar +crc setup +crc start +environment variables +oc login +``` - [Red Hat OpenShift 4.2 on your laptop: Introducing Red Hat CodeReady Containers](https://developers.redhat.com/blog/2019/09/05/red-hat-openshift-4-on-your-laptop-introducing-red-hat-codeready-containers/) diff --git a/docs/scripts/README.md b/docs/scripts/README.md index 61b1a6e2..4ab9e7ef 100644 --- a/docs/scripts/README.md +++ b/docs/scripts/README.md 
@@ -6,3 +6,6 @@ Grab them from here: [awesome-kubernetes/scripts](https://github.com/inafev/awesome-kubernetes/tree/master/scripts) +## Jenkins Configuration as Code on Kubernetes +* [Jenkins Configuration as Code on Kubernetes 🌟](https://github.com/inafev/jenkins-CasC-kubernetes-demo) A Codecentric/Jenkins Helm 3 Sample Chart on Digital Ocean Kubernetes with Spring Petclinic Demo Pipeline +
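Review bot: The new file `docs/images/kubernetes-security-controls-landscape.jpg:Zone.Identifier` should not be committed; it is the Windows NTFS alternate data stream (the `[ZoneTransfer]` / `ZoneId=3` mark-of-the-web) that Windows attaches to downloaded files, not part of the docs. It also records where the image was fetched from (`ReferrerUrl=https://www.linkedin.com/feed/`) and a signed, time-limited CDN URL in `HostUrl=...&t=...`, none of which belongs in a public repository. Drop the file from the commit and add a pattern such as `*:Zone.Identifier` to the new `.gitignore` next to `.vscode/` so it does not come back.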
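Review bot: Typo in the new learnk8s bullet in `docs/kubernetes.md`: `managed Kubernetes Services such AKS, EKS and GKE` should read `such as AKS, EKS and GKE`, and `Kubernetes agent` should be plural (`Kubernetes agents`) to match `daemons` in the same sentence.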
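Review bot: Bullet style in the new `### Security Best Practices Across Build, Deploy, and Runtime Phases` section of `docs/kubernetes.md` does not match the surrounding links: the context lines use `* [Microsoft.com: Attack matrix for Kubernetes ...]` and `* [codeburst.io: ...]` while the added block switches to `- `. Pick one marker for the whole Kubernetes Security section. Otherwise the three-phase list is a good summary of the linked StackRox post; the image link path `images/kubernetes-security-controls-landscape.jpg` matches the binary added earlier in this patch.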
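Review bot: The thread-dump script in `docs/monitoring.md` declares `#!/bin/sh` but uses the bash-only arithmetic loop `for ((i=1;i<=$N;i++))`, which fails under dash or busybox `sh`; either change the shebang to `#!/bin/bash` (and note that bash must exist in the container, as the text already does for `jstack`) or rewrite the loop as a POSIX `while [ "$i" -le "$N" ]` with `i=$((i+1))`. `apiKey=` is left empty in the `curl` line: read the key from an environment variable rather than hard-coding it, and point out in the doc that the key travels in the URL query string (visible in proxy and access logs) and that the dump itself leaves the cluster for a third-party service, since dumps expose thread names, stack frames and lock holders. Also, de-indenting the fence to column 0 pulls it out of the `FastThread.io` list item and ends that list, so the following `- How to run this script ...` bullet now starts a new list; confirm this renders as intended, and trim the trailing whitespace after `fi` and `INTERVAL=$3`.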
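Review bot: The sample output line `etcd 14h myoperator 14h` in the `oc get packagemanifests -n openshift-marketplace` block of `docs/openshift.md` merges two rows into one; each package should be on its own line (`etcd 14h` and `myoperator 14h`) so the block reads like real `oc` output. The move to column 0 is fine, but as with the monitoring script it terminates the enclosing list item, so check that the rendered page still groups the block with the `View the list of Operators` bullet.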
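Review bot: `untar` and `environment variables` in the CodeReady Containers block of `docs/openshift.md` are prose steps, not commands, yet the block is fenced as `bash`; either turn them into comments (`# untar the crc archive`, `# set the environment variables`) so only `crc setup`, `crc start` and `oc login` are executable lines, or present the five steps as a numbered list outside a code fence.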
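Review bot: The new bullet in `docs/scripts/README.md` runs the description straight on after the link (`...demo) A Codecentric/Jenkins Helm 3 Sample Chart ...`); a colon or period after the link would separate title from description. The extra trailing blank line added at end of file is harmless but can be dropped.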