- Access Control
- Create the cluster with a dedicated IAM role (the identity that creates the cluster is automatically granted system:masters, and that binding cannot be removed)
- Use IAM Roles when multiple users need identical access to the cluster
- Employ least privileged access
- IRSA (IAM Roles for Service Accounts)
- Update the aws-node daemonset to use IRSA
- Restrict Access to IMDS v1
- Use dedicated service accounts for each application
- Use PAC (Policy As Code) or PSS (Pod Security Standards)
- Mitigate the risks from hostPath by configuring the spec.containers.volumeMounts entries as readOnly
_id field
The value of the _id field is also accessible in aggregations and for sorting, but doing so is discouraged because it requires loading a lot of data into memory. If sorting or aggregating on the _id field is required, duplicate the content of the _id field into another field that has doc_values enabled.
```groovy
#!/usr/bin/env groovy
// Env is assumed to be an enum provided by a shared library (not shown in this preview).
final List<String> environments = Env.values().collect() { it.name() }
pipeline {
    // `agent { label any }` is not valid declarative syntax (label expects a string); `agent any` is the intended form
    agent any
    parameters {
```
Multi Cloud Decisions
Key Enablers
- Workload Portability
- Ability to negotiate with suppliers
- Ability to select best tool for a given job
Keys
- Visibility - trusted single source of truth
- Efficiency - across dev, qa, security and operations
```html
<!DOCTYPE NETSCAPE-Bookmark-file-1>
<!-- This is an automatically generated file.
     It will be read and overwritten.
     DO NOT EDIT! -->
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
<TITLE>Bookmarks</TITLE>
<H1>Bookmarks</H1>
<DL><p>
    <DT><H3 ADD_DATE="1578324816" LAST_MODIFIED="1644755499" PERSONAL_TOOLBAR_FOLDER="true">Bookmarks bar</H3>
    <DL><p>
```
```yaml
wtf:
  colors:
    border:
      focusable: darkslateblue
      focused: orange
      normal: gray
  grid:
    columns: [32, 32, 32, 32, 90]
    rows: [10, 10, 10, 4, 4, 90]
  refreshInterval: 1
```
```bash
#!/usr/bin/env bash
# Delete every image from each ECR repository whose name contains "api".
# The original piped the repository names into the outer loop only; the inner
# image loop read from the same stdin instead of from `list-images`, so it never
# received the image IDs. The list-images output is now piped into that loop.
set -euo pipefail

aws ecr describe-repositories --query 'repositories[].repositoryName' --output text \
  | tr '\t' '\n' \
  | while read -r repo; do
      if [[ "$repo" == *"api"* ]]; then
        # Each line of this text output is "<imageDigest> <imageTag>" (tag empty for untagged images)
        aws ecr list-images --repository-name "$repo" --query 'imageIds[*]' --output text \
          | while read -r imageDigest imageTag; do
              aws ecr batch-delete-image --repository-name "$repo" --image-ids imageDigest="$imageDigest"
            done
      fi
    done
```
[1] Add this Dockerfile

```dockerfile
FROM python:alpine
ARG CLI_VERSION=1.18.188
RUN apk -uv add --no-cache groff jq less mysql-client && \
    pip install --no-cache-dir awscli==$CLI_VERSION
```