Category Archives: Security

AWS: Kubernetes – AWS Secrets Manager and Parameter Store integration
0 (0)

22 July 2023

Storing access data in Kubernetes Secrets has an important drawback, because they are only available within the Kubernetes cluster itself. To make them available to external services, we can use Hashicorp Vault and integrate it with Kubernetes using solutions such as vault-k8sor use services from AWS – Secrets Manager or Parameter Store. Integrating AWS Secrets Manager and Parameter Store… Read More »

AWS: EKS, OpenID Connect, and ServiceAccounts
0 (0)

8 July 2023

Currently, I’m setting up a new EKS cluster. Among other things, I’m running ExternalDNS on it, which uses a Kubernetes ServiceAccount to authenticate to AWS in order to be able to make changes to the domain zone in Route53. However, I forgot to configure the Identity Provider in AWS IAM and ExternalDNS threw an error:… Read More »

AWS: security – Instance Metadata Service v1 vs IMDS v2, Kubernetes Pod and Docker containers
0 (0)

24 April 2023

Instance metadata (IMDS – Instance Metadata Service) – data about an EC2 instance, such as information about AMI, IP, hostname, etc. You can also add User Data to Instance Metadata to store some parameters, which can then be retrieved inside the instance. See Instance metadata and user data and Instance metadata categories. From the beginning of the IMDS,… Read More »

Pritunl: running VPN in Kubernetes
0 (0)

5 October 2022

Pritunl is a VPN server with a bunch of advanced security and access control features. In fact, it is just a wrapper over OpenVPN, adding such Access Control Lists to it in the form of Organizations, users, and routes. The task is to deploy a Pritunl test instance in Kubernetesб so we can take a closer… Read More »

AWS: VPC Flow Logs – an overview and example with CloudWatch Logs Insights
0 (0)

19 July 2022

AWS VPC Flow Logs allow you to log traffic information between network interfaces in a VPC. Further, these logs can be stored in AWS S3 or sent to AWS CloudWatch Logs, while enabling traffic logging does not affect the performance of the network interface in any way. Let’s briefly review the basic concepts, and available… Read More »

Cloudflare: speed up WordPress with Automatic Platform Optimization plugin
0 (0)

30 March 2022

The rtfm.co.ua blog is quite slow for users. For example, you can test your website using the https://gtmetrix.com: 4.3 seconds till full load! That’s awful. At the bottom of the results, you can check top of issues on a site: At first, the page size is 1.16 MB, which is big enough. The second thing… Read More »

SSH: the “Too many authentication failures” error and its solution
0 (0)

19 March 2022

During an SSH connection, I started getting the “Too many authentication failures” error message from a remote host. The error, and its cause Actually, the root cause is simple: during establishing a new SSH connection, the local ssh-client first tries to use keys, that are loaded by the local ssh-agent, and only after that will… Read More »

AWS: Trusted Advisor, part 2 – CloudWatch Alarms and Slack notifications
0 (0)

29 November 2021

Continuing with the theme of the AWS Trusted Advisor service, let’s see how can we configure notifications about new findings. The first part: AWS: Trusted Advisor, part 1 – its features overview. To have notifications, we can use Trusted Advisor metrics from the CloudWatch, see their list on the Trusted Advisor metrics and dimensions page.… Read More »

AWS: Trusted Advisor, part 1 – its features overview
0 (0)

29 November 2021

AWS Trusted Advisor is another service that allows monitoring your accountant its resources in use for their cost-effectiveness, performance, security, and more. Keep in mind, that Trusted Advisor’s checks that are available for you depend on the AWS Support Plan of your account. вашего аккаунта. Fortunately, we have Premium so I’m able to how all… Read More »

Kubernetes: Helm – “x509: certificate signed by unknown authority”, and ServiceAccount for Pod
0 (0)

29 September 2021

We have Github runners in our AWS Elastic Kubernetes service cluster, that are used to build Docker images and deploy them with Helm or ArgoCD. On the first helm install run in a Github runner’s Pod, we are getting the “x509: certificate signed by unknown authority” error: [simterm] # helm –kube-apiserver=https://kubernetes.default.svc.cluster.local list Error: Kubernetes cluster unreachable:… Read More »

M	T	W	T	F	S	S
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30	31