AWS |
AWS Management Tools Blog |
Prepare for Oracle license audits in AWS using AWS Audit Manager and AWS License Manager |
https://aws.amazon.com/blogs/mt/prepare-for-oracle-license-audits-in-aws-using-aws-audit-manager-and-aws-license-manager/
|
Prepare for Oracle license audits in AWS using AWS Audit Manager and AWS License Manager. Many of our customers who run Oracle databases need help with managing their Oracle licenses on AWS and ensuring that they have not fallen out of compliance with Oracle's licensing rules. They must be prepared to provide relevant evidence in an auditor-friendly format during an Oracle license audit. Gathering evidence in a timely manner to … |
2021-04-11 16:57:33 |
python |
New posts tagged Python - Qiita |
I built a GUI YouTube downloader |
https://qiita.com/C0dalice/items/1261bf76bc3004f39a00
|
I built a GUI YouTube downloader. Introduction: youtube-dl has served me well many times, but I wanted to download more easily from a GUI, so I made this. |
2021-04-12 01:27:06 |
Program |
Newest questions for [all tags] | teratail |
I am told that my Ruby version differs from the Ruby version in the Gemfile |
https://teratail.com/questions/332743?rss=all
|
|
2021-04-12 01:49:23 |
Program |
Newest questions for [all tags] | teratail |
.htaccess: I want to merge two directives into one |
https://teratail.com/questions/332742?rss=all
|
|
2021-04-12 01:33:11 |
Program |
Newest questions for [all tags] | teratail |
CSS remains in place and cannot be updated |
https://teratail.com/questions/332741?rss=all
|
When I checked in the developer tools, the happenigimg class has position: absolute applied, but it remains even though I deleted it in the editor. |
2021-04-12 01:32:48 |
Program |
Newest questions for [all tags] | teratail |
Android Studio Codelab (Android Room with a View - Kotlin) will not run |
https://teratail.com/questions/332740?rss=all
|
Android Studio Codelab (Android Room with a View - Kotlin) will not run. To understand Room on Android I am working through the Codelab, but the following error appears and I cannot figure out how to resolve it. |
2021-04-12 01:04:13 |
Ruby |
New posts tagged Rails - Qiita |
Creating a mixed alphanumeric password with Faker |
https://qiita.com/takuo_maeda/items/70a3fb2cc190099f3a5e
|
Faker::Lorem.characters with min_alpha and min_numeric (for searchability). Purpose: use Faker in unit test code to create a password of a minimum length that mixes letters and digits. |
2021-04-12 01:19:40 |
Overseas Tech |
DEV Community |
Writing a Kubernetes Admission Controller |
https://dev.to/fdns/writing-a-kubernetes-admission-controller-4eko
|
Writing a Kubernetes Admission Controller

With the deprecation of PSP on Kubernetes, we will have to migrate to other methods to control the resource permissions in a cluster. One case that I wanted to handle was running an untrusted job in a cluster to help review students' homework, leveraging Kubernetes for resource allocation and security. Here we will explore how to develop a new admission controller that will verify that the fields of new jobs in a given namespace are secure enough to run untrusted code in a safe way.

Recommended policy enforcement applications

If you want to start defining policies for a production cluster, you will probably want to use a ready-to-use application which has predefined policies and lets you set up custom policies easily by using custom resources. Some of them are Kyverno, OPA Gatekeeper and k-rail.

Cluster requirements

The API server must have the plugin ValidatingAdmissionWebhook enabled. If you want to modify the resources you also need MutatingAdmissionWebhook. Note that these plugins are disabled by default in a kind cluster.

Application goal

In our example we will write a validating admission webhook (so we will not modify the resource) that will check new jobs created in a namespace, verifying as many security options of the pod as we can: running as non-root, using gVisor as sandbox, and many others. The target container image that we are targeting is an untrusted job that can be potentially malicious.

Writing the admission controller

Our admission controller will be written in Go, but you can use any language you know, as the API uses normal HTTPS JSON requests. I will be trimming some of the code to make it more readable. The full source code can be found at

Listening to admission requests

First we will need to create an HTTPS listener (TLS is mandatory). You can use any HTTP path to serve the requests, but you must update the manifest afterwards with the correct location when we define the ValidatingAdmissionWebhook.

    import (
    	"context"
    	"crypto/tls"
    	"fmt"
    	"log"
    	"net/http"
    	"os"
    	"os/signal"
    	"syscall"
    )

    // AdmissionHandler carries the RuntimeClass that every job must use.
    type AdmissionHandler struct {
    	RuntimeClass string
    }

    // Certificate paths, listen port and expected RuntimeClass come from
    // configuration; flag parsing is omitted from this excerpt.
    var (
    	certFile, keyFile, runtimeClass string
    	port                            int
    )

    func main() {
    	certs, err := tls.LoadX509KeyPair(certFile, keyFile)
    	if err != nil {
    		log.Fatalf("Failed to load TLS key pair: %v", err)
    	}
    	server := &http.Server{
    		Addr:      fmt.Sprintf(":%v", port),
    		TLSConfig: &tls.Config{Certificates: []tls.Certificate{certs}},
    	}

    	// Define server handler
    	handler := AdmissionHandler{RuntimeClass: runtimeClass}
    	mux := http.NewServeMux()
    	mux.HandleFunc("/validate", handler.handler)
    	server.Handler = mux

    	go func() {
    		log.Printf("Listening on port %v", port)
    		// Empty cert/key paths: the certificates come from TLSConfig above.
    		if err := server.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed {
    			log.Printf("Failed to listen and serve webhook server: %v", err)
    			os.Exit(1)
    		}
    	}()

    	// Listen to the shutdown signal
    	signalChan := make(chan os.Signal, 1)
    	signal.Notify(signalChan, syscall.SIGINT, syscall.SIGTERM)
    	<-signalChan
    	log.Printf("Shutting down webserver")
    	server.Shutdown(context.Background())
    }

Handling the admission request

When receiving the request you must load the body as an AdmissionReview object. This object contains all the information of the object that is being created.

    import (
    	"encoding/json"
    	"io/ioutil"
    	"log"
    	"net/http"

    	admission "k8s.io/api/admission/v1beta1"
    	batchv1 "k8s.io/api/batch/v1"
    	kmeta "k8s.io/apimachinery/pkg/apis/meta/v1"
    )

    func (handler AdmissionHandler) handler(w http.ResponseWriter, r *http.Request) {
    	var body []byte
    	if r.Body != nil {
    		data, err := ioutil.ReadAll(r.Body)
    		if err == nil {
    			body = data
    		} else {
    			log.Printf("Error: %v", err)
    			http.Error(w, "Error reading body", http.StatusBadRequest)
    			return
    		}
    	}

    	request := admission.AdmissionReview{}
    	if err := json.Unmarshal(body, &request); err != nil {
    		log.Printf("Error parsing body: %v", err)
    		http.Error(w, "Error parsing body", http.StatusBadRequest)
    		return
    	}

    	result, err := checkRequest(request.Request, handler)
    	// ... the response is built from result and err; see "Returning to the API server" below.

Validating the request

In the checkRequest function we will check if we can handle the resource, verifying the resource group, kind, operation and namespace.

    func checkRequest(request *admission.AdmissionRequest, handler AdmissionHandler) (bool, error) {
    	// RequestKind is a pointer in the API and may be absent; treat that as "not ours".
    	if request == nil || request.RequestKind == nil {
    		return true, nil
    	}
    	if request.RequestKind.Group != "batch" || request.RequestKind.Kind != "Job" || request.Operation != "CREATE" {
    		log.Printf("Skipped resource %v/%v/%v, check rules to exclude this resource",
    			request.RequestKind.Group, request.RequestKind.Kind, request.Operation)
    		return true, nil
    	}

The resource body (in our case a Job) must be unmarshaled again before we can verify the parameters.

    	var job batchv1.Job
    	err := json.Unmarshal(request.Object.Raw, &job)
    	if err != nil {
    		// Note: a job whose body cannot be parsed is allowed through here (fail-open).
    		log.Printf("Error parsing job: %v", err)
    		return true, nil
    	}
    	return checkJob(job, handler)
    }

Checking the resource

In checkJob we will have full access to the resource parameters. Most of the parameters that are not defined will be nil, so you must verify that a parameter is defined before getting its value. I will copy some of the rules as an example; the full list that I defined can be found here.

    func checkJob(request batchv1.Job, handler AdmissionHandler) (bool, error) {
    	if request.Spec.ActiveDeadlineSeconds == nil || *request.Spec.ActiveDeadlineSeconds <= 0 {
    		return false, fmt.Errorf("activeDeadlineSeconds must be set")
    	}

    	spec := request.Spec.Template.Spec
    	// RuntimeClassName is a *string; dereference only when set.
    	runtimeClass := ""
    	if spec.RuntimeClassName != nil {
    		runtimeClass = *spec.RuntimeClassName
    	}
    	if runtimeClass != handler.RuntimeClass {
    		return false, fmt.Errorf("wrong RuntimeClass %q is set for job %v, must be %v",
    			runtimeClass, request.Name, handler.RuntimeClass)
    	}
    	if spec.HostNetwork {
    		return false, fmt.Errorf("HostNetwork must not be set")
    	}
    	if spec.SecurityContext != nil && len(spec.SecurityContext.Sysctls) > 0 {
    		return false, fmt.Errorf("Sysctls must be empty")
    	}

    	for _, container := range spec.Containers {
    		if container.SecurityContext == nil {
    			return false, fmt.Errorf("SecurityContext must be set for the container")
    		}
    		context := container.SecurityContext
    		if context.RunAsNonRoot == nil || !*context.RunAsNonRoot {
    			return false, fmt.Errorf("RunAsNonRoot must be set per container")
    		}
    	}
    	return true, nil
    }

Returning to the API server

After doing all the validations you must return an AdmissionResponse object that is JSON encoded. In this object we will define whether the object is allowed or not in our cluster. We can also append a message that will be displayed when the resource is not allowed, so the developer can fix the resource according to the conditions you define.

    	result, err := checkRequest(request.Request, handler)
    	response := admission.AdmissionResponse{
    		UID:     request.Request.UID,
    		Allowed: result,
    	}
    	if err != nil {
    		response.Result = &kmeta.Status{
    			Message: fmt.Sprintf("%v", err),
    			Reason:  kmeta.StatusReasonUnauthorized,
    		}
    	}

    	outReview := admission.AdmissionReview{
    		TypeMeta: request.TypeMeta,
    		Request:  request.Request,
    		Response: &response,
    	}
    	out, err := json.Marshal(outReview)
    	if err != nil {
    		http.Error(w, fmt.Sprintf("Error encoding response: %v", err), http.StatusInternalServerError)
    	} else {
    		w.Header().Set("Content-Type", "application/json")
    		if _, err := w.Write(out); err != nil {
    			log.Printf("Error writing response: %v", err)
    			http.Error(w, fmt.Sprintf("Error writing response: %v", err), http.StatusInternalServerError)
    		}
    	}
    }

Building our project

As this is a standard Go project, you can use a very simple Dockerfile to create the image. This image can be built by running `docker build --tag fdns/simple-admission:latest .`; you can change the tag to the one you like.

    FROM golang AS builder
    WORKDIR $GOPATH/src/github.com/fdns/simple-admission
    COPY go.mod .
    COPY go.sum .
    RUN go mod download
    COPY . .
    RUN CGO_ENABLED=0 go build -o /go/bin/simple-admission

    FROM scratch
    COPY --from=builder /go/bin/simple-admission /go/bin/simple-admission
    ENTRYPOINT ["/go/bin/simple-admission"]

The only thing left is uploading it to our cluster.

Uploading the controller to a Kubernetes cluster

Create TLS certificates

As the webhook requires HTTPS to work, we can create our own CA and certificate for the controller. The CA keys can be dropped as soon as we sign the client certificate, as the CA bundle is included in the ValidatingAdmissionWebhook object. As the requests will come from a Service object, you will want to define as alt names in the certificate all the variations used to call the service. In the configuration this will look something like the following:

    [alt_names]
    DNS.1 = ${service}
    DNS.2 = ${service}.${namespace}
    DNS.3 = ${service}.${namespace}.svc

To stop copying so much code, you can find a simple script to generate the certificate at , which we will call with the service name and namespace of our admission controller, for example `generate-certs.sh simple-admission default`. The generated certificates must be mounted as a Secret, as we will need to mount them in our application. Save the ca.pem file, as we will need it later.

    apiVersion: v1
    kind: Secret
    metadata:
      creationTimestamp: null
      name: admission-certs
      namespace: default
    data:
      server-key.pem: $(cat certs/server-key.pem | base64 | tr -d '\n')
      server.pem: $(cat certs/server.crt | base64 | tr -d '\n')

Creating the service and webhook

You can create the Deployment and Service the same way as any other deployment in your cluster. Here it is recommended to increase the replica count to increase the availability.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: simple-admission
      name: simple-admission
    spec:
      replicas:  # value missing from the source excerpt
      selector:
        matchLabels:
          app: simple-admission
      strategy: {}
      template:
        metadata:
          labels:
            app: simple-admission
        spec:
          containers:
          - name: simple-admission
            image: fdns/simple-admission:latest
            imagePullPolicy: IfNotPresent
            ports:
            - containerPort:  # value missing from the source excerpt
            volumeMounts:
            - name: admission-certs
              mountPath: /certs
              readOnly: true
          volumes:
          - name: admission-certs
            secret:
              secretName: admission-certs
    ---
    apiVersion: v1
    kind: Service
    metadata:
      creationTimestamp: null
      labels:
        app: simple-admission
      name: simple-admission
    spec:
      ports:
      - name:  # value missing from the source excerpt
        port:  # value missing from the source excerpt
        protocol: TCP
        targetPort:  # value missing from the source excerpt
      selector:
        app: simple-admission
      type: ClusterIP

Creating the ValidatingAdmissionWebhook

Finally we will create the ValidatingAdmissionWebhook. We can define multiple webhooks, where for each one we must tell Kubernetes the service, path and CA to use when sending the request to the admission controller. For each one we can define the rules to filter the requests that are sent to our controller; in this case we will filter for jobs resources in namespaces labeled with the name default (the namespace MUST be labeled in our example). In case you want to audit your webhook before applying it to your cluster, you can change the failurePolicy from Fail to Ignore.

    apiVersion: admissionregistration.k8s.io/v1
    kind: ValidatingWebhookConfiguration
    metadata:
      name: simple-admission.default.cluster.local
      namespace: default
    webhooks:
    - name: simple-admission.default.cluster.local
      clientConfig:
        service:
          name: simple-admission
          namespace: default
          path: /validate
        caBundle: $(cat certs/ca.pem | base64 | tr -d '\n')
      rules:
      - apiGroups: ["batch"]
        apiVersions: ["v1"]
        resources: ["jobs"]
        operations: ["CREATE"]
        scope:  # value missing from the source excerpt
      namespaceSelector:
        matchExpressions:
        - key: name
          operator: In
          values: ["default"]
      admissionReviewVersions: ["v1"]
      sideEffects: None
      failurePolicy: Fail

Testing our admission controller

To test the newly applied admission controller you can simply try to create a basic job by running `kubectl create job test --image=busybox`, which in our case will output the following message:

    error: failed to create job: admission webhook "simple-admission.default.cluster.local" denied the request: activeDeadlineSeconds must be set

Conclusions

Creating an admission controller is not difficult, but making sure all the parameters needed to make your containers secure are covered is a difficult task, as not all fields are generally known and new fields must be taken into account when Kubernetes releases a new version. When creating a new admission controller you should try to target a single problem, like image verification, or single fields of the resources, like runtimeClass, across your cluster. In case you need more complex rules, the use of the already available admission controllers is recommended, as you can define the rules in your own CRD, which allows you to iterate faster; some of them have an audit mode so you can check your cluster before enforcing a rule. |
2021-04-11 16:05:13 |
Overseas Tech |
Engadget |
Last-minute battery deal keeps Ford, VW electric car plans on track |
https://www.engadget.com/lg-sk-ev-battery-deal-helps-ford-and-vw-162706493.html
|
battery |
2021-04-11 16:27:06 |
Overseas Science |
NYT > Science |
Parents, Stop Talking About the ‘Lost Year’ |
https://www.nytimes.com/2021/04/11/health/pandemic-middle-school-mental-health.html
|
adults |
2021-04-11 16:23:30 |
Overseas News |
Japan Times latest articles |
Scores killed in Myanmar crackdown as U.N. envoy calls for ‘strong action’ |
https://www.japantimes.co.jp/news/2021/04/11/asia-pacific/myanmar-aung-san-suu-kyi/
|
Scores killed in Myanmar crackdown as U.N. envoy calls for 'strong action'. Details of a brutal crackdown in the city of Bago, northeast of Yangon, took a full day to emerge as residents told of |
2021-04-12 01:56:40 |
Overseas News |
Japan Times latest articles |
Nadeshiko Japan beats Panama as Yuika Sugasawa nets hat trick |
https://www.japantimes.co.jp/sports/2021/04/11/soccer/nadeshiko-japan-beats-panama-as-yuika-sugasawa-nets-hat-trick/
|
Nadeshiko Japan beats Panama as Yuika Sugasawa nets hat trick. Asako Takakura's side put on a goal-scoring clinic against the outclassed Central American side in the first international game played at Tokyo's new National Stadium. |
2021-04-12 01:29:22 |
News |
BBC News - Home |
Coronavirus: UK sets new record for Covid jab second doses |
https://www.bbc.co.uk/news/uk-56709870
|
dosesa |
2021-04-11 16:48:34 |
News |
BBC News - Home |
Iran nuclear: 'Terrorist act' at underground Natanz facility |
https://www.bbc.co.uk/news/world-middle-east-56708778
|
terrorism |
2021-04-11 16:26:11 |
News |
BBC News - Home |
Bafta Film Awards 2021: Red carpet in pictures |
https://www.bbc.co.uk/news/entertainment-arts-56711339
|
london |
2021-04-11 16:08:32 |
News |
BBC News - Home |
Lingard scores twice as West Ham survive late Leicester comeback |
https://www.bbc.co.uk/sport/football/56629084
|
Lingard scores twice as West Ham survive late Leicester comeback. Jesse Lingard continues his stunning form with West Ham by scoring twice in the first half to set the Hammers on course for a crucial victory over fellow Champions League hopefuls Leicester City. |
2021-04-11 16:36:53 |
News |
BBC News - Home |
Covid-19 in the UK: How many coronavirus cases are there in your area? |
https://www.bbc.co.uk/news/uk-51768274
|
cases |
2021-04-11 16:14:48 |
News |
BBC News - Home |
Prince Philip: How can Prince Harry attend the funeral? |
https://www.bbc.co.uk/news/uk-56709506
|
duties |
2021-04-11 16:30:45 |