day3 part1 + build
This commit is contained in:
parent
00d8ae29c4
commit
11a08345af
|
@ -1,8 +1,9 @@
|
|||
FROM betterweb/hugo:latest as build
|
||||
FROM registry.odit.services/hub/betterweb/hugo:latest as build
|
||||
WORKDIR /app
|
||||
|
||||
COPY . /app/
|
||||
RUN hugo
|
||||
|
||||
FROM registry.odit.services/library/nginx-brotli
|
||||
FROM registry.odit.services/library/nginx-brotli:3.15
|
||||
COPY ./nginx.conf /etc/nginx/nginx.conf
|
||||
COPY --from=build /app/public /usr/share/nginx/html
|
|
@ -0,0 +1,81 @@
|
|||
---
|
||||
title: Stop leaking Kubernetes service information via DNS
|
||||
weight: 1
|
||||
---
|
||||
|
||||
A talk by Google and Ivanti.
|
||||
|
||||
## Background
|
||||
|
||||
* RBAC is ther to limit information access and control
|
||||
* RBAC can be used to avoid interfearance in shared envs
|
||||
* DNS is not really applicable when it comes to RBAC
|
||||
|
||||
### DNS in Kubernetes
|
||||
|
||||
* DNS Info is always public -> No auth
|
||||
* Services are exposed to all clients
|
||||
|
||||
## Isolation and Clusters
|
||||
|
||||
### Just don't share
|
||||
|
||||
* Specially for smaller, high growth companies with infinite VC money
|
||||
* Just give everyone their own cluster -> Problem solved
|
||||
* Smaller (<1000) typicly use many small clusters
|
||||
|
||||
### Shared Clusters
|
||||
|
||||
* Becomes imporetant when cost is a question and engineers don't have any platform knowledge
|
||||
* A dedicated kube team can optimize both hardware and deliver updates fast -> Increased productivity by utilizing specialists
|
||||
* Problem: Noisy neighbors by leaky DNS
|
||||
|
||||
## Leaks (demo)
|
||||
|
||||
### Base scenario
|
||||
|
||||
* Cluster with a bunch of deployments and services
|
||||
* Creating a simple pod results in binding to default RBAC -> No access to anything
|
||||
* Querying DNS info (aka services) still leaks everything (namespaces, services)
|
||||
|
||||
### Leak mechanics
|
||||
|
||||
* Leaks are based on the `<service>.<nemspace>.<svc>.cluster.local` pattern
|
||||
* You can also just reverse looku the entire service CIDR
|
||||
* SRV records get created for each service including the service ports
|
||||
|
||||
## Fix the leak
|
||||
|
||||
### CoreDNS Firewall Plugin
|
||||
|
||||
* External plugin provided by the coredns team
|
||||
* Expression engine built-in with support for external policy engines
|
||||
|
||||
```mermaid
|
||||
flowchart LR
|
||||
req-->metadata
|
||||
metadata-->firewall
|
||||
firewall-->kube
|
||||
kube-->|Adds namespace/clientnamespace metadata|firewall
|
||||
firewall-->|send nxdomain|metadata
|
||||
metadata-->res
|
||||
```
|
||||
|
||||
### Demo
|
||||
|
||||
* Firwall rule that only allows queries from the same namespace, kube-system or default
|
||||
* Every other cross-namespace request gets blocked
|
||||
* Same SVC requests from before now return NXDOMAIN
|
||||
|
||||
### Why is this a plugin and not default?
|
||||
|
||||
* Requires `pods verified` mode -> Puts the watch on pods and only returns a query result if the pod actually exists
|
||||
* Puts a watch on all pods -> higher API load and coredns mem usage
|
||||
* Potential race conditions with initial lookups in larger clusters -> Alternative is to fail open (not really secure)
|
||||
|
||||
### Per tenant DNS
|
||||
|
||||
* Just run a cporedns instance for each tenant
|
||||
* Use a mutating webhook to inject the right dns into each pod
|
||||
* Pro: No more pods verified -> Aka no more constant watch
|
||||
* Limitation: Platform services still need a central coredns
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: "Product market misfit: Adventures in user empathy"
|
||||
weight: 2
|
||||
---
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
archetype: chapter
|
||||
title: Day 3
|
||||
weight: 3
|
||||
---
|
||||
|
||||
Spent most of the early day with headache.
|
18
hugo.yaml
18
hugo.yaml
|
@ -27,19 +27,9 @@ params:
|
|||
menu:
|
||||
shortcuts:
|
||||
- identifier: ds
|
||||
name: <i class='fa-fw fab fa-github'></i> GitHub repo
|
||||
url: https://github.com/McShelby/hugo-theme-relearn
|
||||
name: Imprint
|
||||
url: https://nicolai-ort.com/imprint
|
||||
weight: 10
|
||||
- name: <i class='fa-fw fas fa-camera'></i> Showcases
|
||||
url: showcase/
|
||||
- name: Privacy
|
||||
url: https://nicolai-ort.com/privacy
|
||||
weight: 11
|
||||
- identifier: hugodoc
|
||||
name: <i class='fa-fw fas fa-bookmark'></i> Hugo Documentation
|
||||
url: https://gohugo.io/
|
||||
weight: 20
|
||||
- name: <i class='fa-fw fas fa-bullhorn'></i> Credits
|
||||
url: more/credits/
|
||||
weight: 30
|
||||
- name: <i class='fa-fw fas fa-tags'></i> Tags
|
||||
url: tags/
|
||||
weight: 40
|
|
@ -0,0 +1,49 @@
|
|||
events {
|
||||
}
|
||||
http {
|
||||
include mime.types;
|
||||
sendfile on;
|
||||
server {
|
||||
error_page 404 /index.html;
|
||||
root /usr/share/nginx/html;
|
||||
location ~ /index\.html$ {
|
||||
internal;
|
||||
add_header Cache-Control 'no-store';
|
||||
}
|
||||
location ~* \.(png|jpg|jpeg|webp|gif|ico|woff|otf|ttf|eot|svg|txt|pdf|docx?|xlsx?)$ {
|
||||
access_log off;
|
||||
expires 1y;
|
||||
}
|
||||
location / {
|
||||
try_files $uri $uri/ /index.html;
|
||||
}
|
||||
# --- GZIP
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types application/javascript
|
||||
application/rss+xml
|
||||
application/vnd.ms-fontobject
|
||||
application/x-font
|
||||
application/x-font-opentype
|
||||
application/x-font-otf
|
||||
application/x-font-truetype
|
||||
application/x-font-ttf
|
||||
application/x-javascript
|
||||
application/xhtml+xml
|
||||
application/xml
|
||||
font/opentype
|
||||
font/otf
|
||||
font/ttf
|
||||
image/svg+xml
|
||||
image/x-icon
|
||||
text/css
|
||||
text/javascript
|
||||
text/plain
|
||||
text/xml;
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue