@luckylittle
luckylittle / DO425.md
Last active January 10, 2025 19:46
Red Hat DO425 Notes

Red Hat Security: Securing Containers & OpenShift (DO425)

Last update: Tue Jan 14 23:15:49 UTC 2020 by @luckylittle


Objectives

  1. Understand, identify, and work with containerization features
  2. Deploy a preconfigured application and identify crucial features such as namespaces, SELinux labels, and cgroups
@snixon
snixon / security-group-cleanup.py
Last active August 25, 2022 18:08 — forked from TomRyan-321/security-group-cleanup.py
Fancy Security Group Cleanup
#!/usr/bin/env python
import os
import boto3
import argparse
import json
# `pip install -U PTable` will get you the right fork of PrettyTable
from prettytable import PrettyTable
from botocore.exceptions import ClientError
# Split all objects and pass them to each filter below
# Create/Delete Namespace
(select(.verb == "create" and .objectRef.resource=="namespaces") |
"[" + .stageTimestamp + "] " + "Namespace Created: name=" + .objectRef.name),
(select(.verb == "delete" and .objectRef.resource=="namespaces") |
"[" + .stageTimestamp + "] " + "Namespace Deleted: name=" + .objectRef.name),
# Create/Delete Deployment
@qoomon
qoomon / aws-cloudformation-deploy-watcher.sh
Last active May 26, 2020 06:24
Watch CloudFormation Events during `aws cloudformation deploy`
#!/usr/bin/env bash
set -o errexit # exit when a command line fails
set -o pipefail # pipes exit code will be the last non-zero exit code of all pipe commands
set -o nounset # exit on reading an undeclared variable
#set -o xtrace # enable debug logging
#### Source: https://gist.github.com/qoomon/d6633abe35eea297f475260478f86c8c
### Usage ###
#
@mateobur
mateobur / kubernetesmetadata.txt
Created March 1, 2019 11:59
Kubernetes monitoring, metadata for a pod
$ kubectl describe pod db-6b8968c69-dq2v2
Name: db-6b8968c69-dq2v2
Namespace: example-voting-app
Node: ip-10-0-0-12.ec2.internal/10.0.0.12
Controlled By: ReplicaSet/db-6b8968c69
Labels: app=example-voting-app
name=db
pod-template-hash=264524725
role=sqldb
IP: 10.129.0.140
@pietervogelaar
pietervogelaar / filter_detect_parser.rb
Created February 14, 2019 15:18
Fluentd parser detection with Kubernetes annotations
require 'fluent/plugin/filter'
# This filter detects the parser to use based on Kubernetes annotations.
#
# Annotation: fluentd.org/parser[_stream][-container]
#
# Suggest a pre-defined parser. The parser must be already registered by Fluentd. If present,
# the stream (stdout or stderr) will restrict that specific stream. If present, the container can
# override a specific container in a Pod.
#
@pavgup
pavgup / aws-resource-count-ucsf.sh
Created November 20, 2018 23:29
Updated RedLock Count Resources (command line argument for credentials profile)
#!/bin/bash
aws_regions=(us-east-1 us-east-2 us-west-1 us-west-2 ap-south-1 ap-northeast-1 ap-northeast-2 ap-southeast-1 ap-southeast-2 eu-central-1 eu-west-1 sa-east-1 eu-west-2 ca-central-1)
echo "Total regions: "${#aws_regions[@]}
ec2_instance_count=0;
rds_instance_count=0;
elb_count=0;
elasticache_count=0;
redshift_count=0;
@bzcorn
bzcorn / aws_log_splitter.py
Created November 19, 2018 09:52
This is for a lambda to respond to new cloudtrail or config logs hitting an s3 bucket and forwarding to sumologic. Some logs are >65kb in size and need to be broken up and sent to Sumologic. Package this (along with the requisite python libs) and have it listen to ObjectCreate events in your S3 bucket that cloudtrail/config logs are sent to. Thi…
import aiohttp
import asyncio
import async_timeout
import gzip
import os
import json
import boto3
import urllib.parse
import botocore
@alexanderilyin
alexanderilyin / README.md
Created November 15, 2018 00:58
Auto-increment Minor Semantic Version using Docker Hub API v2

For example your latest image with semantic versioning looks like this:

${DOCKER_HUB_ORG}/${DOCKER_HUB_REPO}:v1.20.0

The example provided above will do the following:

  1. Generate token using your github username and password.
  2. Get list of all tags from repository.
@tallclair
tallclair / gke-node-security.md
Created September 28, 2018 21:19
Software Engineering Position: Google Kubernetes Engine - Node Security

Software Engineering Position:
Google Kubernetes Engine - Node Security

Full-time
Based in Sunnyvale, CA

Mission

To secure critical node infrastructure in Kubernetes, the open source platform that is taking the cloud by storm ;D