@acumenix
acumenix / amznymous.md
Created May 21, 2020 19:01 — forked from bricker/amznymous.md
An Amazon Programmer's Perspective (http://pastebin.com/BjD84BQ3)

Originally posted at http://pastebin.com/BjD84BQ3

Trigger warning: mention of suicidal ideation

tl;dr: I burned out as a developer at Amazon at the end of my second year. I’ve since found a healthy and sustainable work-life balance and enjoy work again. I write this to A) raise awareness, especially for new-hires and their families, and B) help give hope and advice to people going through the same at Amazon or other companies.

Hello, world

There’s been no shortage of anecdotes, opinions, and rebuttals regarding Amazon’s corporate culture as of late. I write this not to capitalize on the latest news-feed fad, but to share what I had already written and promptly deleted. I didn’t think anyone would want to hear my story, but it’s apparent people are going through a similar experience and don’t have a voice.

I’m a Software Development Engineer II at Amazon; SDE II basically means a software developer with at least 2–3 years of industry experience. I started at Amazon as an SDE I.

@acumenix
acumenix / gke-node-security.md
Created March 15, 2020 05:52 — forked from tallclair/gke-node-security.md
Software Engineering Position: Google Kubernetes Engine - Node Security

Full-time
Based in Sunnyvale, CA

Mission

To secure critical node infrastructure in Kubernetes, the open source platform that is taking the cloud by storm ;D

@acumenix
acumenix / FalcoNginxRuleset.yaml
Created March 15, 2020 05:50 — forked from mateobur/FalcoNginxRuleset.yaml
Runtime security policy Nginx - Falco Docker security
- macro: nginx_consider_syscalls
  condition: (evt.num < 0)
- macro: app_nginx
  condition: container and container.image contains "nginx"
# Any outbound traffic raises a WARNING
- rule: Unauthorized process opened an outbound connection (nginx)
  desc: A nginx process tried to open an outbound connection and is not whitelisted
Anchore engine policy validator is now installed.
Create a validating webhook resource to start enforcement:
KUBE_CA=$(kubectl config view --minify=true --flatten -o json | jq '.clusters[0].cluster."certificate-authority-data"' -r)
cat > validating-webhook.yaml <<EOF
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: analysis-anchore-policy-validator.admission.anchore.io
@acumenix
acumenix / kubernetesmetadata.txt
Created March 15, 2020 05:49 — forked from mateobur/kubernetesmetadata.txt
Kubernetes monitoring, metadata for a pod
$ kubectl describe pod db-6b8968c69-dq2v2
Name:           db-6b8968c69-dq2v2
Namespace:      example-voting-app
Node:           ip-10-0-0-12.ec2.internal/10.0.0.12
Controlled By:  ReplicaSet/db-6b8968c69
Labels:         app=example-voting-app
                name=db
                pod-template-hash=264524725
                role=sqldb
IP:             10.129.0.140
@acumenix
acumenix / kubernetesservicemetadata.txt
Created March 15, 2020 05:49 — forked from mateobur/kubernetesservicemetadata.txt
Kubernetes monitoring, metadata for service
$ kubectl describe service result
Name:        result
Namespace:   example-voting-app
Labels:      name=result
Annotations: <none>
Selector:    app=example-voting-app,name=result,role=resultapp
Type:        ClusterIP
IP:          172.30.225.249
Port:        <unset> 80/TCP
TargetPort:  80/TCP
# Split all objects and pass them to each filter below
# Create/Delete Namespace
(select(.verb == "create" and .objectRef.resource=="namespaces") |
"[" + .stageTimestamp + "] " + "Namespace Created: name=" + .objectRef.name),
(select(.verb == "delete" and .objectRef.resource=="namespaces") |
"[" + .stageTimestamp + "] " + "Namespace Deleted: name=" + .objectRef.name),
# Create/Delete Deployment
@acumenix
acumenix / DO425.md
Created March 15, 2020 05:42 — forked from luckylittle/DO425.md
Red Hat DO425 Notes

Red Hat Security: Securing Containers & OpenShift (DO425)

Last update: Tue Jan 14 23:15:49 UTC 2020 by @luckylittle


Objectives

  1. Understand, identify, and work with containerization features
  2. Deploy a preconfigured application and identify crucial features such as namespaces, SELinux labels, and cgroups
@acumenix
acumenix / openshift-cheatsheet.md
Created February 17, 2020 03:44 — forked from rafaeltuelho/openshift-cheatsheet.md
My Openshift Cheatsheet

Openshift build secrets for cloning git repos using SSH keys

  • To create an SSH secret:
oc create secret generic sshsecret \
    --from-file=ssh-privatekey=$HOME/.ssh/id_rsa
@acumenix
acumenix / aws-cloudformation-deploy-watcher.sh
Created February 10, 2020 18:32 — forked from qoomon/aws-cloudformation-deploy-watcher.sh
Watch CloudFormation Events during `aws cloudformation deploy`
#!/usr/bin/env bash
set -e
function echo_help {
  echo "usage: $0 [options]"
  echo ""
  echo "example: aws cloudformation deploy ... | $0 [options]"
  echo ""
  echo "options:"
  echo " --stack-name"