From 11a08345af8f9d03c2a740a72719a0df17562930 Mon Sep 17 00:00:00 2001
From: Nicolai Ort
Date: Thu, 21 Mar 2024 14:27:24 +0100
Subject: [PATCH] day3 part1 + build

---
 Dockerfile | 5 +-
 content/day3/01_stop_leaing_dns.md | 81 ++++++++++++++++++++++++++++
 content/day3/02_poduct_market_misfit | 5 ++
 content/day3/_index.md | 7 +++
 hugo.yaml | 20 ++-----
 nginx.conf | 49 +++++++++++++++++
 6 files changed, 150 insertions(+), 17 deletions(-)
 create mode 100644 content/day3/01_stop_leaing_dns.md
 create mode 100644 content/day3/02_poduct_market_misfit
 create mode 100644 content/day3/_index.md
 create mode 100644 nginx.conf

diff --git a/Dockerfile b/Dockerfile
index 49c61e6..a303f1b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,9 @@
-FROM betterweb/hugo:latest as build
+FROM registry.odit.services/hub/betterweb/hugo:latest as build
 WORKDIR /app
 COPY . /app/
 RUN hugo
-FROM registry.odit.services/library/nginx-brotli
+FROM registry.odit.services/library/nginx-brotli:3.15
+COPY ./nginx.conf /etc/nginx/nginx.conf
 COPY --from=build /app/public /usr/share/nginx/html
\ No newline at end of file
diff --git a/content/day3/01_stop_leaing_dns.md b/content/day3/01_stop_leaing_dns.md
new file mode 100644
index 0000000..d00f050
--- /dev/null
+++ b/content/day3/01_stop_leaing_dns.md
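Review bot: The build stage still floats on a mutable `latest` tag (`FROM registry.odit.services/hub/betterweb/hugo:latest as build`) while the runtime stage was just pinned to `nginx-brotli:3.15`, so the two stages now have different reproducibility guarantees and the published site can silently change with the next hugo image push. Tags are mutable even on a private mirror; pinning both stages by digest, e.g. `FROM registry.odit.services/hub/betterweb/hugo:<VERSION>@sha256:<DIGEST> as build` (placeholders, to be filled from the registry), would make the build and the rollback point deterministic. The same applies to the `nginx-brotli:3.15` line if a digest is available. Separately, `COPY . /app/` copies the whole build context, including `nginx.conf` and `.git` if present, into the builder; a `.dockerignore` would keep that out. The file also lacks a trailing newline, which the diff flags.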
@@ -0,0 +1,81 @@
+---
+title: Stop leaking Kubernetes service information via DNS
+weight: 1
+---
+
+A talk by Google and Ivanti.
+
+## Background
+
+* RBAC is ther to limit information access and control
+* RBAC can be used to avoid interfearance in shared envs
+* DNS is not really applicable when it comes to RBAC
+
+### DNS in Kubernetes
+
+* DNS Info is always public -> No auth
+* Services are exposed to all clients
+
+## Isolation and Clusters
+
+### Just don't share
+
+* Specially for smaller, high growth companies with infinite VC money
+* Just give everyone their own cluster -> Problem solved
+* Smaller (<1000) typicly use many small clusters
+
+### Shared Clusters
+
+* Becomes imporetant when cost is a question and engineers don't have any platform knowledge
+* A dedicated kube team can optimize both hardware and deliver updates fast -> Increased productivity by utilizing specialists
+* Problem: Noisy neighbors by leaky DNS
+
+## Leaks (demo)
+
+### Base scenario
+
+* Cluster with a bunch of deployments and services
+* Creating a simple pod results in binding to default RBAC -> No access to anything
+* Querying DNS info (aka services) still leaks everything (namespaces, services)
+
+### Leak mechanics
+
+* Leaks are based on the `...cluster.local` pattern
+* You can also just reverse looku the entire service CIDR
+* SRV records get created for each service including the service ports
+
+## Fix the leak
+
+### CoreDNS Firewall Plugin
+
+* External plugin provided by the coredns team
+* Expression engine built-in with support for external policy engines
+
+```mermaid
+flowchart LR
+ req-->metadata
+ metadata-->firewall
+ firewall-->kube
+ kube-->|Adds namespace/clientnamespace metadata|firewall
+ firewall-->|send nxdomain|metadata
+ metadata-->res
+```
+
+### Demo
+
+* Firwall rule that only allows queries from the same namespace, kube-system or default
+* Every other cross-namespace request gets blocked
+* Same SVC requests from before now return NXDOMAIN
+
+### Why is this a plugin and not default?
+
+* Requires `pods verified` mode -> Puts the watch on pods and only returns a query result if the pod actually exists
+* Puts a watch on all pods -> higher API load and coredns mem usage
+* Potential race conditions with initial lookups in larger clusters -> Alternative is to fail open (not really secure)
+
+### Per tenant DNS
+
+* Just run a cporedns instance for each tenant
+* Use a mutating webhook to inject the right dns into each pod
+* Pro: No more pods verified -> Aka no more constant watch
+* Limitation: Platform services still need a central coredns
diff --git a/content/day3/02_poduct_market_misfit b/content/day3/02_poduct_market_misfit
new file mode 100644
index 0000000..af60a74
--- /dev/null
+++ b/content/day3/02_poduct_market_misfit
@@ -0,0 +1,5 @@
+---
+title: "Product market misfit: Adventures in user empathy"
+weight: 2
+---
+
diff --git a/content/day3/_index.md b/content/day3/_index.md
new file mode 100644
index 0000000..6f012d1
--- /dev/null
+++ b/content/day3/_index.md
@@ -0,0 +1,7 @@
+---
+archetype: chapter
+title: Day 3
+weight: 3
+---
+
+Spent most of the early day with headache.
diff --git a/hugo.yaml b/hugo.yaml
index 918ebb7..3750496 100644
--- a/hugo.yaml
+++ b/hugo.yaml
@@ -27,19 +27,9 @@ params:
 menu:
 shortcuts:
 - identifier: ds
- name: GitHub repo
- url: https://github.com/McShelby/hugo-theme-relearn
+ name: Imprint
+ url: https://nicolai-ort.com/imprint
 weight: 10
- - name: Showcases
- url: showcase/
- weight: 11
- - identifier: hugodoc
- name: Hugo Documentation
- url: https://gohugo.io/
- weight: 20
- - name: Credits
- url: more/credits/
- weight: 30
- - name: Tags
- url: tags/
- weight: 40
\ No newline at end of file
+ - name: Privacy
+ url: https://nicolai-ort.com/privacy
+ weight: 11
\ No newline at end of file
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..6d5d885
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,49 @@
+events {
+}
+http {
+ include mime.types;
+ sendfile on;
+ server {
+ error_page 404 /index.html;
+ root /usr/share/nginx/html;
+ location ~ /index\.html$ {
+ internal;
+ add_header Cache-Control 'no-store';
+ }
+ location ~* \.(png|jpg|jpeg|webp|gif|ico|woff|otf|ttf|eot|svg|txt|pdf|docx?|xlsx?)$ {
+ access_log off;
+ expires 1y;
+ }
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+ # --- GZIP
+ gzip on;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types application/javascript
+ application/rss+xml
+ application/vnd.ms-fontobject
+ application/x-font
+ application/x-font-opentype
+ application/x-font-otf
+ application/x-font-truetype
+ application/x-font-ttf
+ application/x-javascript
+ application/xhtml+xml
+ application/xml
+ font/opentype
+ font/otf
+ font/ttf
+ image/svg+xml
+ image/x-icon
+ text/css
+ text/javascript
+ text/plain
+ text/xml;
+ }
+}
\ No newline at end of file
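Review bot: The new server block sets no hardening directives: nothing disables the version string in the `Server` header and error pages, and no response headers beyond `Cache-Control` on `/index.html` are sent, so the static site is served with default nginx exposure. Adding `server_tokens off;` inside the `http` block and `add_header X-Content-Type-Options nosniff always;` at `server` level would cover the two cheapest gaps. Note that nginx's `add_header` is not inherited into a location that defines its own `add_header`, so the `location ~ /index\.html$` block, which already adds `Cache-Control`, needs the same header repeated or it will silently drop the server-level ones. Also, `try_files $uri $uri/ /index.html` combined with `error_page 404 /index.html` means every unknown path answers 200 with the index page, which hides broken links from crawlers and monitoring; `=404` on the `try_files` fallback is worth considering if soft-404s are not intended.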