Tag Archives: security

Kubernetes: Helm – “x509: certificate signed by unknown authority”, and ServiceAccount for Pod
0 (0)

29 September 2021

We have Github runners in our AWS Elastic Kubernetes service cluster, that are used to build Docker images and deploy them with Helm or ArgoCD. On the first helm install run in a Github runner’s Pod, we are getting the “x509: certificate signed by unknown authority” error: [simterm] # helm –kube-apiserver=https://kubernetes.default.svc.cluster.local list Error: Kubernetes cluster unreachable:… Read More »

Loading

Git: scan repositories for secrets using Gitleaks
5 (1)

16 August 2021

A confidential data leak such as RDS keys or passwords to a Git repository, even if it is a private Github repository, is a very bad thing and it’s good to check your repositories to know if any developer pushed a commit with such data. Scanning utilities To check Git repositories for a leak, at… Read More »

Loading

Tableau: install Tableau Bridge to access a database server in a private network
0 (0)

9 August 2021

To access a database server, that has no public access (as it must be – access only inside an AWS VPC), Tableau suggests using its tool called Tableau Bridge. The idea is to have a Bridge service running in a network, which has access to a database server via its Private IP. Also, Bridge will… Read More »

Loading

AWS: Route53 Private Hosted Zones — hiding domains from the Internet
0 (0)

26 July 2021

Private Hosted Zone in AWS Route53 allows to limit access to DNS records of a domain, thus making it inaccessible for the DNS Enumeration (or DNS brute-force), when an attacker checks for available records in a domain to know endpoints list to check them for vulnerabilities. For such attacks, there is a lot of utilities… Read More »

Loading

AWS: WAF WebACL logging and Logz.io integration
0 (0)

22 July 2021

In the first post – AWS: Web Application Firewall overview, configuration, and its monitoring – we spoke about its main components, created a WebACL and Rules for it, and did basic monitoring. Also, we’ve configured WebACL’s logs collection with AWS Kinesis, but now it’s time to see them Logz.io, as CloudWatch Logs isn’t available for… Read More »

Loading

AWS: Web Application Firewall overview, configuration, and its monitoring
0 (0)

19 July 2021

AWS WAF (Web Application Firewall) is an AWS service for monitoring incoming traffic to secure a web application for suspicious activity like SQL injections. Can be attached to an AWS Application LoadBalancer, AWS CloudFront distribution, Amazon API Gateway, and AWS AppSync GraphQL API. In case of finding any request that sits WAF’s rules, it will… Read More »

Loading

ArgoCD: Okta integration, and user groups
0 (0)

17 May 2021

In the previous post ArgoCD: users, access, and RBAC we’ve checked how to manage users and their permissions in ArgoCD, now let’s add an SSO authentification. The idea is that we don’t add user accounts locally in the ArgoCD’s ConfigMap, but instead will use our Okta users databases and Okta will perform their authentication. And… Read More »

Loading

Kubernetes: ServiceAccounts, JWT-tokens, authentication, and RBAC authorization
0 (0)

22 November 2020

For the authentification and authorization, Kubernetes has such notions as User Accounts and Service Accounts. User Accounts – common user profiles used to access a cluster from the outside, while Service Accounts are used to grant access from inside of the cluster. ServiceAccounts are intended to provide an identity for a Kubernetes Pod to be… Read More »

Loading

Helm: helm-secrets – sensitive data encryption with AWS KMS and use it with Jenkins
0 (0)

16 May 2020

So, as a follow-up to the Helm: Kubernetes package manager – an overview, getting started post – let’s discuss about sensitive data in our Helm charts. What I want is to store a chart files in a repository, but even if such a repo will be a private Github repo – I still don’t want… Read More »

Loading