Generate CA key pair.
View certificate details
$ openssl x509 -in file-path.crt -text -noout

In the current digital era, where every service is going online (e-commerce sites, banking, payments and many similar services), security has become a primary concern, so it is important to secure online sites with the best security practices. This way customers gain confidence and trust in the website, and the service attracts more customers than its competitors.

To secure online websites, SSL or TLS comes into use. SSL/TLS certificates are used by websites to secure the communication between a client and a server, or between two servers.

SSL (Secure Sockets Layer) is cryptographic protocol that secures the…


# Download the binary from the Internet using the curl utility:
$ curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.4.0/kube-bench_0.4.0_linux_amd64.tar.gz -o kube-bench_0.4.0_linux_amd64.tar.gz
# Extract the tar file:
$ tar -xvf kube-bench_0.4.0_linux_amd64.tar.gz
# sed search and replace a string (-i edits the file in place):
$ sed -i 's/SEARCH_REGEX/REPLACEMENT/g' <InputFile>
# To make the pattern match case insensitive, use the I flag:
$ sed -i 's/me/you/gI' <Inputfile.txt>
# To find and replace a string that contains the delimiter character (/), use a backslash (\) to escape each slash:
$ sed -i 's/\/bin\/bash/\/usr\/bin\/zsh/g' <Inputfile.txt>

K8s Security

Security is always a primary concern for any organization, as a compromise can cause heavy damage or loss. Not only does it damage the organization's brand and values, it also loses customer trust. Therefore, securing systems is always given the highest priority: implementing best practices, placing proper shields (tools), and remediating critical vulnerabilities or system loopholes in time (in a proactive manner).

As we all know, Kubernetes has become the de-facto tool for container orchestration. Kubernetes is a complex tool, and securing the environment requires considering its different layers and components, be it Kubernetes' own components, the OS infrastructure, the network layer or the cloud provider.


Some of the important vi editor commands.

#1 To perform a global search and replace in vi, use the search and replace command in command mode:

:%s/search_string/replacement_string/g

The % is a shortcut that tells vi to search all lines of the file for search_string and change it to replacement_string. The global (g) flag at the end of the command tells vi to continue searching for other occurrences of search_string on the same line.

Kubernetes clusters are accessed by applications, processes or normal human users. Kubernetes does not have a built-in function to create or manage users; user authentication is managed using certificates. So, for any user to access the Kubernetes cluster, a certificate needs to be created.

How do normal users get access to a Kubernetes cluster?

For a normal user to be able to authenticate and invoke an API:
1. The user must have a certificate issued by the Kubernetes cluster.
2. The user then presents that certificate to the Kubernetes API.
# Create private Key:

In the RBAC authorization mode we discussed, Role and RoleBinding are namespaced, meaning they are created within a namespace; if none is specified, they are created in the default namespace.

Generally, namespaces help in grouping and isolating resources such as Pods, Deployments, Services and ReplicaSets. However, there are a few resources we cannot group into a namespace, such as Nodes (we cannot say a Node belongs to the xyz namespace). Nodes are cluster-wide resources and cannot be associated with any namespace.

In the RBAC article, we have already learnt how to authorize users to namespaced resources (…


I have already written another article related to Authentication and Authorization.

RBAC is one of the authorization modes used in Kubernetes.

Steps in RBAC:-

  • Create a Role (use the Role object).
  • Link the users to the Role (use the RoleBinding object).

Sample developer Role:


Authentication:

A Kubernetes cluster consists of various components: the master node and the worker nodes. There are different types of users accessing these clusters: the admin, developers, end users accessing the application, and third-party applications accessing the cluster for integration purposes.

It is necessary to secure the cluster, whether that means the internal communication between the components or management access to the cluster through authentication and authorization.

Let's look at how we can secure Kubernetes management through the authorization mechanism.

Primarily we will talk about user access to the Kubernetes cluster for administrative purposes. …


# Find the connections of a particular process (here, etcd):
root@controlplane:~# netstat -anp | grep etcd
tcp 0 0 127.0.0.1:2379 0.0.0.0:* LISTEN 3917/etcd
tcp 0 0 10.141.221.6:2379 0.0.0.0:* LISTEN 3917/etcd
tcp 0 0 10.141.221.6:2380 0.0.0.0:* LISTEN 3917/etcd
tcp 0 0 127.0.0.1:2381 0.0.0.0:* LISTEN 3917/etcd
tcp 0 0 127.0.0.1:2379 127.0.0.1:40224 ESTABLISHED 3917/etcd
tcp 0 0 127.0.0.1:2379 127.0.0.1:40680 ESTABLISHED 3917/etcd
tcp 0 0 10.141.221.6:2379 10.141.221.6:60666 ESTABLISHED 3917/etcd
tcp 0 0 127.0.0.1:2379 127.0.0.1:40558 ESTABLISHED 3917/etcd
tcp 0 0 127.0.0.1:2379 127.0.0.1:40972 ESTABLISHED 3917/etcd
# Check network interface status. Here, checking the status of the network interface docker0:
root@controlplane:~# ip link show | grep docker0
2: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
root@controlplane:~#

Khemnath chauhan

Stay hungry; Stay Foolish!!
