Category Archives: Security

AWS: Kubernetes – AWS Secrets Manager and Parameter Store integration

22 July 2023
 

  Storing access data in Kubernetes Secrets has an important drawback, because they are only available within the Kubernetes cluster itself. To make them available to external services, we can use Hashicorp Vault and integrate it with Kubernetes using solutions such as vault-k8sor use services from AWS – Secrets Manager or Parameter Store. Integrating AWS Secrets Manager and Parameter… Read More »

AWS: EKS, OpenID Connect, and ServiceAccounts

8 July 2023
 

  Currently, I’m setting up a new EKS cluster. Among other things, I’m running ExternalDNS on it, which uses a Kubernetes ServiceAccount to authenticate to AWS in order to be able to make changes to the domain zone in Route53. However, I forgot to configure the Identity Provider in AWS IAM and ExternalDNS threw an… Read More »

AWS: security – Instance Metadata Service v1 vs IMDS v2, Kubernetes Pod and Docker containers

24 April 2023
 

  Instance metadata (IMDS – Instance Metadata Service) – data about an EC2 instance, such as information about AMI, IP, hostname, etc. You can also add User Data to Instance Metadata to store some parameters, which can then be retrieved inside the instance. See Instance metadata and user data and Instance metadata categories. From the beginning of the… Read More »

Pritunl: running VPN in Kubernetes

5 October 2022
 

  Pritunl is a VPN server with a bunch of advanced security and access control features. In fact, it is just a wrapper over OpenVPN, adding such Access Control Lists to it in the form of Organizations, users, and routes. The task is to deploy a Pritunl test instance in Kubernetesб so we can take a… Read More »

AWS: VPC Flow Logs – an overview and example with CloudWatch Logs Insights

19 July 2022
 

  AWS VPC Flow Logs allow you to log traffic information between network interfaces in a VPC. Further, these logs can be stored in AWS S3 or sent to AWS CloudWatch Logs, while enabling traffic logging does not affect the performance of the network interface in any way. Let’s briefly review the basic concepts, and… Read More »

AWS: Trusted Advisor, part 2 – CloudWatch Alarms and Slack notifications

29 November 2021
 

 Continuing with the theme of the AWS Trusted Advisor service, let’s see how can we configure notifications about new findings. The first part: AWS: Trusted Advisor, part 1 – its features overview. To have notifications, we can use Trusted Advisor metrics from the CloudWatch, see their list on the Trusted Advisor metrics and dimensions page.… Read More »

AWS: Trusted Advisor, part 1 – its features overview

29 November 2021
 

 AWS Trusted Advisor is another service that allows monitoring your accountant its resources in use for their cost-effectiveness, performance, security, and more. Keep in mind, that Trusted Advisor’s checks that are available for you depend on the AWS Support Plan of your account. вашего аккаунта. Fortunately, we have Premium so I’m able to how all… Read More »

Kubernetes: Helm – “x509: certificate signed by unknown authority”, and ServiceAccount for Pod

29 September 2021
 

 We have Github runners in our AWS Elastic Kubernetes service cluster, that are used to build Docker images and deploy them with Helm or ArgoCD. On the first helm install run in a Github runner’s Pod, we are getting the “x509: certificate signed by unknown authority” error: [simterm] # helm –kube-apiserver=https://kubernetes.default.svc.cluster.local list Error: Kubernetes cluster unreachable:… Read More »