Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Kubernetes Tower Defense_Javier Provecho_Codemo...

Codemotion
November 12, 2019
Technology
0
16

Kubernetes Tower Defense_Javier Provecho_Codemotion

In this live coding session, we'll create a secure cluster to deploy our apps safely. As in the popular game Tower Defense, we'll build lines of defense based on Pod Security Policies, Network Policies, and Webhooks to achieve the highest level of Defense In Depth approach.

About:
Javier Provecho Fernandez, Platform Engineer - Telefonica

Javier Provecho works at Telefónica, at the core of the 4th Platform, and engage with the community as a Google Developer Expert (Cloud GDE) and open source maintainer. He is passionate about new technologies and methodologies around the CNCF.

Codemotion

November 12, 2019
Tweet

More Decks by Codemotion

See All by Codemotion
GOTTARDO_From_managing_code_dependencies_to_managing_people__Codemotion_Berlin_.pdf
codemotion
0
20
From managing code dependencies to managing people_Sebastiano Gottardo_Codemotion Berlin 2019
codemotion
1
17
RAFFAELLA_ISIDORI_Codemoiton_Berlin_2019.pdf
codemotion
1
11
An Animated Poem built with CSS Drawings & Animations (CodePen Show & Tell)_Felipe Bernardes_Codemotion Berlin 2019
codemotion
0
71
Look Mom No Hands! Moving from a managed relational database to a serverless one_Renato Losio _Codemotion Berlin 2019
codemotion
0
18
Blockchain_Security_-_Zahin_and_Maria.pdf
codemotion
0
14
Dr. Aygul Zagidullina_Designing Your Career: Explore a Career Change and Do What You Love_Codemotion Berlin 2019
codemotion
0
25
Marcos Iglesias_Performance budgets: the what, why and how_Code-motion berlin slides
codemotion
0
21
Exploring programming patterns through game development_Derek Briggs_Codemotion Berlin 2019
codemotion
0
27

Other Decks in Technology

See All in Technology
DynamoDB でスロットリングが発生したとき/when_throttling_occurs_in_dynamodb_short
emiki
0
300
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110
【LT】ソフトウェア産業は進化しているのか? #Agilejapan
takabow
0
120
SSMRunbook作成の勘所_20241120
koichiotomo
3
180
CDCL による厳密解法を採用した MILP ソルバー
imai448
3
310
SDNという名のデータプレーンプログラミングの歴史
ebiken
PRO
2
200
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
610
OS 標準のデザインシステムを超えて - より柔軟な Flutter テーマ管理 | FlutterKaigi 2024
ronnnnn
1
340
A Tour of Anti-patterns for Functional Programming
guvalif
0
890
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
29
13k
[CV勉強会@関東 ECCV2024 読み会] オンラインマッピング x トラッキング MapTracker: Tracking with Strided Memory Fusion for Consistent Vector HD Mapping (Chen+, ECCV24)
abemii
0
230
JAWS UG 青森(弘前)クラウド・AWS入門
hiragahh
0
100

Featured

See All Featured
Build your cross-platform service in a week with App Engine
jlugia
229
18k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Building Adaptive Systems
keathley
38
2.3k
Fireside Chat
paigeccino
34
3k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
440
How to Ace a Technical Interview
jacobian
276
23k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Building Your Own Lightsaber
phodgson
103
6.1k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
17k
Why Our Code Smells
bkeepers
PRO
334
57k
Making Projects Easy
brettharned
115
5.9k

Transcript

  1. Kubernetes Tower Defense Javier Provecho 12-13 November, 2019

  2. $ ./kubernetes-tower-defense @javierprovecho

  3. $ whoami # @javierprovecho - Google Developer Expert (Cloud) -

    Platform Engineer in Telefónica - Meetup organizer - - Docker (Madrid) - Cloud Native (Madrid) - Cylicon Valley (Valladolid)

  4. $ open tower-defense.png

  5. $ man defense_in_depth

  6. $ man defense_in_depth

  7. Platform Engineering Big Data

  8. $ cat ./checklist - External traffic - oAuth2 / OIDC

    - JWT / JWK - Internal traffic - Firewalled - Encrypted - Authorized

  9. $ rm single_line_of_defense

  10. $ internal-traffic - - Your business software - - API

    gateways - Backend Auth / Admin APIs - Other tools - - Monitoring

  11. $ find . -name features - - Pod Security Policies

    (1.4 BETA) - Network Policies (1.7 GA, 1.8 improved) - Role Based Access Control (1.8 GA)

  12. $ find . -name patches - - CVE-2017-1002101 subPath, fixed

    at 1.7 - CVE-2018-1002105 proxy upgrade, fixed at 1.10 - CVE-2019-11247 cluster scoped resources, fixed at 1.13

  13. 2019

  14. $ find . -name patches | grep cloud - -

    GKE - - Service account scopes

  15. $ find . -name patches | grep cloud - -

    GKE - - Service account scopes - - Metadata API still requires manual toggling of “--metadata disable-legacy-endpoints=true”

  16. $ find . -name patches | grep cloud - -

    GKE - - Service account scopes - - Metadata API still requires manual toggling of “--metadata disable-legacy-endpoints=true” - - Kubelet Read Only port Restrict with Network Policy

  17. $ find . -name patches | grep cloud - -

    EKS - - Metadata API use Kube2IAM or restrict using Network Policy

  18. $ find . -name patches | grep cloud - -

    EKS - - Metadata API use Kube2IAM or restrict using Network Policy - - Kubelet Read Only port

  19. $ man kubelet-readonly-port - - Deprecated - - List all

    PodSpecs running on the Node - - Sensitive leak: environment variables - - env -> name/value - env -> name/valueFrom - envFrom

  20. $ man metadata-api - - Used for Node bootstrapping -

    - Can be reused for new CSRs, therefore impersonating any Node - - List and retrieve all secrets for the corresponding Node - - List and retrieve all PodSpecs of the Cluster
  21. None

  22. $ ./eks-cluster-takedown

  23. $ thanks