Merge branch 'main' into 2021-02-enix

slides/k8s/control-plane-auth.md

@@ -92,6 +92,29 @@
 
 ---
 
+## etcd authorization
+
+- etcd supports RBAC, but Kubernetes doesn't use it by default
+
+  (note: etcd RBAC is completely different from Kubernetes RBAC!)
+
+- By default, etcd access is "all or nothing"
+
+  (if you have a valid certificate, you get in)
+
+- Be very careful if you use the same root CA for etcd and other things
+
+  (if etcd trusts the root CA, then anyone with a valid cert gets full etcd access)
+
+- For more details, check the following resources:
+
+  - [etcd documentation on authentication](https://etcd.io/docs/current/op-guide/authentication/)
+
+  - [PKI The Wrong Way](https://www.youtube.com/watch?v=gcOLDEzsVHI) at KubeCon NA 2020
+
+---
+
+
 ## API server clients
 
 - The API server has a sophisticated authentication and authorization system

slides/k8s/kyverno.md

@@ -321,9 +321,9 @@ class: extra-details
 
 - Try to apply a few color labels:
   ```bash
-  kubectl label test-color-2 color=purple
-  kubectl label test-color-2 color=red
-  kubectl label test-color-2 color=blue --overwrite
+  kubectl label pod test-color-2 color=purple
+  kubectl label pod test-color-2 color=red
+  kubectl label pod test-color-2 color=blue --overwrite
   ```
 
 ]
@@ -432,9 +432,9 @@ class: extra-details
 
 - Try to apply a few color labels:
   ```bash
-  kubectl label test-color-3 color=purple
-  kubectl label test-color-3 color=red
-  kubectl label test-color-3 color-
+  kubectl label pod test-color-3 color=purple
+  kubectl label pod test-color-3 color=red
+  kubectl label pod test-color-3 color-
   ```
 
 ]

slides/k8s/netpol.md

@@ -427,26 +427,34 @@ troubleshoot easily, without having to poke holes in our firewall.
 
 ---
 
-## Further resources
+## Tools and resources
 
-- As always, the [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/) is a good starting point
+- [Cilium Network Policy Editor](https://editor.cilium.io/)
 
-- The API documentation has a lot of detail about the format of various objects: <!-- ##VERSION## -->
+- [Tufin Network Policy Viewer](https://orca.tufin.io/netpol/)
 
-  - [NetworkPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#networkpolicy-v1-networking-k8s-io)
-
-  - [NetworkPolicySpec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#networkpolicyspec-v1-networking-k8s-io)
-
-  - [NetworkPolicyIngressRule](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#networkpolicyingressrule-v1-networking-k8s-io)
-
-  - etc.
-
-- And two resources by [Ahmet Alp Balkan](https://ahmet.im/):
+- Two resources by [Ahmet Alp Balkan](https://ahmet.im/):
 
   - a [very good talk about network policies](https://www.youtube.com/watch?list=PLj6h78yzYM2P-3-xqvmWaZbbI1sW-ulZb&v=3gGpMmYeEO8) at KubeCon North America 2017
 
   - a repository of [ready-to-use recipes](https://github.com/ahmetb/kubernetes-network-policy-recipes) for network policies
 
+---
+
+## Documentation
+
+- As always, the [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/) is a good starting point
+
+- The API documentation has a lot of detail about the format of various objects: <!-- ##VERSION## -->
+
+  - [NetworkPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#networkpolicy-v1-networking-k8s-io)
+
+  - [NetworkPolicySpec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#networkpolicyspec-v1-networking-k8s-io)
+
+  - [NetworkPolicyIngressRule](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#networkpolicyingressrule-v1-networking-k8s-io)
+
+  - etc.
+
 ???
 
 :EN:- Isolating workloads with Network Policies