AWS |
AWS News Blog |
AWS Week in Review – January 23, 2023 |
https://aws.amazon.com/blogs/aws/aws-week-in-review-january-23-2023/
|
AWS Week in Review – January 23, 2023. Welcome to my first AWS Week in Review of the year. As usual, it has been a busy week, so let's dive right in. Last Week's Launches: here are some launches that caught my eye last week. Amazon Connect: you can now deliver long-lasting, persistent chat experiences for your customers with the ability to … |
2023-01-23 18:04:22 |
AWS |
AWS Partner Network (APN) Blog |
Unlocking the Power of Machine Data with SmartInsights from TensorIoT |
https://aws.amazon.com/blogs/apn/unlocking-the-power-of-machine-data-with-smartinsights-from-tensoriot/
|
Unlocking the Power of Machine Data with SmartInsights from TensorIoT. TensorIoT recognized the need for solutions that help companies collect and interpret equipment and process data. Learn how SmartInsights from TensorIoT is an AWS-based, customizable, end-to-end solution that industrial and commercial customers use to rapidly connect to operational systems and derive actionable insights from them. SmartInsights reduces the level of technical know-how and skill needed to implement a functional solution and accelerates time to value for manufacturers and other industrial customers. |
2023-01-23 18:03:57 |
AWS |
AWS Compute Blog |
AWS Lambda: Resilience under-the-hood |
https://aws.amazon.com/blogs/compute/aws-lambda-resilience-under-the-hood/
|
AWS Lambda: Resilience under the hood. This post is written by Adrian Hornsby, Principal System Dev Engineer, and Marcia Villalba, Principal Developer Advocate. AWS Lambda comprises many services working together to provide the serverless compute service that it offers to customers. Under the hood, many of these services are built on top of Amazon Elastic Compute Cloud (Amazon EC2) instances … |
2023-01-23 18:24:10 |
AWS |
AWS Security Blog |
AWS CloudHSM is now PCI PIN certified |
https://aws.amazon.com/blogs/security/aws-cloudhsm-is-now-pci-pin-certified/
|
AWS CloudHSM is now PCI PIN certified. Amazon Web Services (AWS) is pleased to announce that AWS CloudHSM is certified for Payment Card Industry Personal Identification Number (PCI PIN). With CloudHSM you can manage and access your keys on FIPS-certified hardware, protected with customer-owned, single-tenant hardware security module (HSM) instances that run in your own virtual private … |
2023-01-23 18:22:02 |
AWS |
AWS |
AWS for Every Application | Amazon Web Services |
https://www.youtube.com/watch?v=sy3jIKtK4ls
|
AWS for Every Application | Amazon Web Services. AWS offers the most comprehensive set of capabilities and continually innovates across our infrastructure and services, so you can build, run, and scale applications in the cloud, on premises, and at the edge. Millions of customers, including large global enterprises, government organizations, and startups, trust the capabilities, reliability, and security of AWS to run their most mission-critical applications. About AWS: Amazon Web Services (AWS) is the world's most comprehensive and broadly adopted cloud platform, offering fully featured services from data centers globally. Millions of customers, including the fastest-growing startups, largest enterprises, and leading government agencies, are using AWS to lower costs, become more agile, and innovate faster. |
2023-01-23 18:09:53 |
python |
New posts tagged Python - Qiita |
ReazonSpeech does no speech recognition at all |
https://qiita.com/user-touma/items/d010be623034ed894cdc
|
reazonspeech |
2023-01-24 03:51:56 |
python |
New posts tagged Python - Qiita |
Computing π with the Monte Carlo method |
https://qiita.com/fygar256/items/6954793b4b277b9d3f9b
|
fopen |
2023-01-24 03:19:49 |
Overseas Tech |
MakeUseOf |
How to Choose the Best Dating App for You |
https://www.makeuseof.com/how-to-choose-best-dating-app-for-you/
|
youdating |
2023-01-23 18:30:15 |
Overseas Tech |
DEV Community |
Kube-bench and Popeye: A Power Duo for AKS Security Compliance |
https://dev.to/the_cozma/kube-bench-and-popeye-a-power-duo-for-aks-security-compliance-38
|
Kube-bench and Popeye: A Power Duo for AKS Security Compliance

In today's world security is a top priority for any organization, or at least it should be. With the rise of cloud computing the number of security threats has increased exponentially. So how do we keep up? Where do we start?

Microsoft has created a set of security benchmarks to give users a starting point for setting up their security configurations. The Microsoft cloud security benchmark (MCSB) is the successor of the Azure Security Benchmark (ASB); it was rebranded in October and is currently in public preview.

In this post I would like to go over the Azure security baseline for Azure Kubernetes Service and give a shoutout to two tools that can aid you in the process of establishing your compliance with the baseline.

Azure Security Baseline for AKS

The Azure Security Baseline for Azure Kubernetes Service (AKS) is a set of recommendations for securing your AKS cluster. It is an exhaustive list covering the various aspects of AKS security, and it also provides the corresponding actions to be taken in each case. From the documentation's overview:

"You can monitor this security baseline and its recommendations using Microsoft Defender for Cloud. Azure Policy definitions will be listed in the Regulatory Compliance section of the Microsoft Defender for Cloud dashboard. When a section has relevant Azure Policy Definitions, they are listed in this baseline to help you measure compliance to the Azure Security Benchmark controls and recommendations. Some recommendations may require a paid Microsoft Defender plan to enable certain security scenarios."

It is based on the CIS Kubernetes Benchmark and the Azure Security Benchmark. CIS describes its benchmarks as follows:

"CIS Benchmarks are best practices for the secure configuration of a target system. Available across many vendor product families, CIS Benchmarks are developed through a unique consensus-based process comprised of cybersecurity professionals and subject matter experts around the world. CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia."

For more information on CIS Benchmarks, check the CIS Benchmark FAQ. For more information on the CIS Benchmark for Kubernetes, check the Kubernetes benchmark.

In the CIS Benchmark for Kubernetes document there are instructions for both master nodes and worker nodes. But when using AKS we don't have access to the master nodes. In this case we can make use of the CIS Benchmark document for AKS.

What could we use to help us check our AKS setup against this benchmark? We can start by looking at the Azure Portal and Microsoft Defender for Cloud, then check CIS compliance with Kube-bench and look for configuration mismatches with Popeye. I will go into more detail on the last two tools. But first, let's see what Microsoft Defender for Cloud looks like and what you can get from it.

Microsoft Defender for Cloud

As suggested by Microsoft, we can start with Microsoft Defender for Cloud. If you go to the Azure Portal and search for Microsoft Defender for Cloud, then filter by Assessed Resources and select your cluster, you will see a list of all the cluster details, the Recommendations, and the Alerts tab as well.

Let's take the first recommendation as an example: "Azure Kubernetes Service clusters should have Defender profile enabled". If you click on it and expand it, it will give you the following information. You can choose to Exempt it (meaning you have either fixed this issue or you don't want to fix it) or Enforce it (meaning you want to enforce this setting by adding it to an Azure Policy definition). There is also a nice description of the issue and suggested remediation steps to take.

Kube-bench

The official repository can be found here, with detailed installation instructions. kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. There are multiple ways of running this tool, which you can check here.

Setting it up

To test out this tool I decided to just apply it to my local cluster, so the first thing I did was start my minikube instance, and then I ran the following commands (values that did not survive the copy are shown as …):

```
$ minikube start
minikube on Darwin
Using the hyperkit driver based on existing profile
Starting control plane node minikube in cluster minikube
Updating the running hyperkit "minikube" VM ...
minikube is available! Download it: …
To disable this notice, run: 'minikube config set WantUpdateNotification false'
Preparing Kubernetes on Docker ...
Verifying Kubernetes components...
Using image gcr.io/k8s-minikube/storage-provisioner:…
Enabled addons: storage-provisioner, default-storageclass
/usr/local/bin/kubectl is version …, which may have incompatibilites with Kubernetes …
Want kubectl? Try 'minikube kubectl -- get pods -A'
Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

# Download the job.yaml file
$ curl … > job.yaml
$ kubectl apply -f job.yaml
job.batch/kube-bench created

$ kubectl get pods -A
NAMESPACE   NAME              READY   STATUS              RESTARTS   AGE
default     kube-bench-tfgh   …       ContainerCreating   …          …s

$ kubectl get pods -A
NAMESPACE   NAME              READY   STATUS      RESTARTS   AGE
default     kube-bench-tfgh   …       Completed   …          …s
```

You can run kube-bench inside a pod, but it will need access to the host's PID namespace to check the running processes, as well as access to some directories on the host where config files and other files are stored. The supplied job.yaml file can be applied to run the tests as a job. This was enough for me to run locally to get a feel for what the tool does and how it generates the report.

Next, after having run the tests, I wanted to get the report. The results of the tests can be found in the logs of the pod, which you can get by running:

```
$ kubectl logs kube-bench-tfgh
```

kube-bench generates a report that looks like the following (check numbers, permission modes, ports and other numeric values are shown as … where they did not survive the copy):

```
[INFO] Master Node Security Configuration
[INFO] Master Node Configuration Files
[PASS] Ensure that the API server pod specification file permissions are set to … or more restrictive (Automated)
[PASS] Ensure that the API server pod specification file ownership is set to root:root (Automated)
[PASS] Ensure that the controller manager pod specification file permissions are set to … or more restrictive (Automated)
[PASS] Ensure that the controller manager pod specification file ownership is set to root:root (Automated)
[PASS] Ensure that the scheduler pod specification file permissions are set to … or more restrictive (Automated)
[PASS] Ensure that the scheduler pod specification file ownership is set to root:root (Automated)
[PASS] Ensure that the etcd pod specification file permissions are set to … or more restrictive (Automated)
[PASS] Ensure that the etcd pod specification file ownership is set to root:root (Automated)
[WARN] Ensure that the Container Network Interface file permissions are set to … or more restrictive (Manual)
[WARN] Ensure that the Container Network Interface file ownership is set to root:root (Manual)
[FAIL] Ensure that the etcd data directory permissions are set to … or more restrictive (Automated)
[FAIL] Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
[PASS] Ensure that the admin.conf file permissions are set to … or more restrictive (Automated)
[PASS] Ensure that the admin.conf file ownership is set to root:root (Automated)
[PASS] Ensure that the scheduler.conf file permissions are set to … or more restrictive (Automated)
[PASS] Ensure that the scheduler.conf file ownership is set to root:root (Automated)
[PASS] Ensure that the controller-manager.conf file permissions are set to … or more restrictive (Automated)
[PASS] Ensure that the controller-manager.conf file ownership is set to root:root (Automated)
[FAIL] Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)
[WARN] Ensure that the Kubernetes PKI certificate file permissions are set to … or more restrictive (Manual)
[WARN] Ensure that the Kubernetes PKI key file permissions are set to … (Manual)
[INFO] API Server
[WARN] Ensure that the --anonymous-auth argument is set to false (Manual)
[PASS] Ensure that the --token-auth-file parameter is not set (Automated)
[PASS] Ensure that the --kubelet-https argument is set to true (Automated)
[PASS] Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)
[FAIL] Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
[PASS] Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
[PASS] Ensure that the --authorization-mode argument includes Node (Automated)
[PASS] Ensure that the --authorization-mode argument includes RBAC (Automated)
[WARN] Ensure that the admission control plugin EventRateLimit is set (Manual)
[PASS] Ensure that the admission control plugin AlwaysAdmit is not set (Automated)
[WARN] Ensure that the admission control plugin AlwaysPullImages is set (Manual)
[WARN] Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)
[PASS] Ensure that the admission control plugin ServiceAccount is set (Automated)
[PASS] Ensure that the admission control plugin NamespaceLifecycle is set (Automated)
[FAIL] Ensure that the admission control plugin PodSecurityPolicy is set (Automated)
[PASS] Ensure that the admission control plugin NodeRestriction is set (Automated)
[PASS] Ensure that the --insecure-bind-address argument is not set (Automated)
[PASS] Ensure that the --insecure-port argument is set to … (Automated)
[PASS] Ensure that the --secure-port argument is not set to … (Automated)
[FAIL] Ensure that the --profiling argument is set to false (Automated)
[FAIL] Ensure that the --audit-log-path argument is set (Automated)
[FAIL] Ensure that the --audit-log-maxage argument is set to … or as appropriate (Automated)
[FAIL] Ensure that the --audit-log-maxbackup argument is set to … or as appropriate (Automated)
[FAIL] Ensure that the --audit-log-maxsize argument is set to … or as appropriate (Automated)
[WARN] Ensure that the --request-timeout argument is set as appropriate (Manual)
[PASS] Ensure that the --service-account-lookup argument is set to true (Automated)
[PASS] Ensure that the --service-account-key-file argument is set as appropriate (Automated)
[PASS] Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)
[PASS] Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)
[PASS] Ensure that the --client-ca-file argument is set as appropriate (Automated)
[PASS] Ensure that the --etcd-cafile argument is set as appropriate (Automated)
[WARN] Ensure that the --encryption-provider-config argument is set as appropriate (Manual)
[WARN] Ensure that encryption providers are appropriately configured (Manual)
[WARN] Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)
[INFO] Controller Manager
[WARN] Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)
[FAIL] Ensure that the --profiling argument is set to false (Automated)
[PASS] Ensure that the --use-service-account-credentials argument is set to true (Automated)
[PASS] Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)
[PASS] Ensure that the --root-ca-file argument is set as appropriate (Automated)
[PASS] Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)
[PASS] Ensure that the --bind-address argument is set to … (Automated)
[INFO] Scheduler
[FAIL] Ensure that the --profiling argument is set to false (Automated)
[PASS] Ensure that the --bind-address argument is set to … (Automated)

== Remediations master ==
Run the below command (based on the file location on your system) on the master node. For example, chmod … <path/to/cni/files>
Run the below command (based on the file location on your system) on the master node. For example, chown root:root <path/to/cni/files>
On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the below command: ps -ef | grep etcd
Run the below command (based on the etcd data directory found above). For example, chmod … /var/lib/etcd
On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the below command: ps -ef | grep etcd
Run the below command (based on the etcd data directory found above). For example, chown etcd:etcd /var/lib/etcd
Run the below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/pki/
Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. --kubelet-certificate-authority=<ca-string>
Follow the Kubernetes documentation and set the desired limits in a configuration file. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameters. --enable-admission-plugins=...,EventRateLimit,... --admission-control-config-file=<path/to/configuration/file>
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to include AlwaysPullImages. --enable-admission-plugins=...,AlwaysPullImages,...
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to include SecurityContextDeny, unless PodSecurityPolicy is already in place. --enable-admission-plugins=...,SecurityContextDeny,...
Follow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes PodSecurityPolicy. --enable-admission-plugins=...,PodSecurityPolicy,... Then restart the API Server.
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. --profiling=false
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example: --audit-log-path=/var/log/apiserver/audit.log
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --audit-log-maxage parameter to … or as an appropriate number of days: --audit-log-maxage=…
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --audit-log-maxbackup parameter to … or to an appropriate value. --audit-log-maxbackup=…
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --audit-log-maxsize parameter to an appropriate size in MB. For example, to set it as … MB: --audit-log-maxsize=…
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameter as appropriate and if needed. For example, --request-timeout=…s
Follow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config=</path/to/EncryptionConfig/File>
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, choose aescbc, kms or secretbox as the encryption provider.
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_…_GCM_SHA…,TLS_ECDHE_RSA_WITH_AES_…_GCM_SHA…,TLS_ECDHE_ECDSA_WITH_CHACHA…_POLY…,TLS_ECDHE_RSA_WITH_AES_…_GCM_SHA…,TLS_ECDHE_RSA_WITH_CHACHA…_POLY…,TLS_ECDHE_ECDSA_WITH_AES_…_GCM_SHA…
Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold, for example: --terminated-pod-gc-threshold=…
Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the master node and set the below parameter. --profiling=false
Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file on the master node and set the below parameter. --profiling=false

== Summary master ==
… checks PASS
… checks FAIL
… checks WARN
… checks INFO

[INFO] Etcd Node Configuration
[INFO] Etcd Node Configuration Files
[PASS] Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)
[PASS] Ensure that the --client-cert-auth argument is set to true (Automated)
[PASS] Ensure that the --auto-tls argument is not set to true (Automated)
[PASS] Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)
[PASS] Ensure that the --peer-client-cert-auth argument is set to true (Automated)
[PASS] Ensure that the --peer-auto-tls argument is not set to true (Automated)
[PASS] Ensure that a unique Certificate Authority is used for etcd (Manual)

== Summary etcd ==
… checks PASS
… checks FAIL
… checks WARN
… checks INFO

[INFO] Control Plane Configuration
[INFO] Authentication and Authorization
[WARN] Client certificate authentication should not be used for users (Manual)
[INFO] Logging
[WARN] Ensure that a minimal audit policy is created (Manual)
[WARN] Ensure that the audit policy covers key security concerns (Manual)

== Remediations controlplane ==
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be implemented in place of client certificates.
Create an audit policy file for your cluster.
Consider modification of the audit policy in use on the cluster to include these items, at a minimum.

== Summary controlplane ==
… checks PASS
… checks FAIL
… checks WARN
… checks INFO

[INFO] Worker Node Security Configuration
[INFO] Worker Node Configuration Files
[PASS] Ensure that the kubelet service file permissions are set to … or more restrictive (Automated)
[PASS] Ensure that the kubelet service file ownership is set to root:root (Automated)
[PASS] If proxy kubeconfig file exists ensure permissions are set to … or more restrictive (Manual)
[PASS] If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)
[PASS] Ensure that the --kubeconfig kubelet.conf file permissions are set to … or more restrictive (Automated)
[PASS] Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)
[WARN] Ensure that the certificate authorities file permissions are set to … or more restrictive (Manual)
[WARN] Ensure that the client certificate authorities file ownership is set to root:root (Manual)
[PASS] Ensure that the kubelet --config configuration file has permissions set to … or more restrictive (Automated)
[PASS] Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)
[INFO] Kubelet
[PASS] Ensure that the --anonymous-auth argument is set to false (Automated)
[PASS] Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
[PASS] Ensure that the --client-ca-file argument is set as appropriate (Automated)
[PASS] Ensure that the --read-only-port argument is set to … (Manual)
[PASS] Ensure that the --streaming-connection-idle-timeout argument is not set to … (Manual)
[FAIL] Ensure that the --protect-kernel-defaults argument is set to true (Automated)
[PASS] Ensure that the --make-iptables-util-chains argument is set to true (Automated)
[WARN] Ensure that the --hostname-override argument is not set (Manual)
[WARN] Ensure that the --event-qps argument is set to … or a level which ensures appropriate event capture (Manual)
[WARN] Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)
[PASS] Ensure that the --rotate-certificates argument is not set to false (Automated)
[PASS] Verify that the RotateKubeletServerCertificate argument is set to true (Manual)
[WARN] Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)

== Remediations node ==
Run the following command to modify the file permissions of the --client-ca-file: chmod … <filename>
Run the following command to modify the ownership of the --client-ca-file: chown root:root <filename>
If using a Kubelet config file, edit the file to set protectKernelDefaults: true. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/…kubeadm.conf on each worker node and set the below parameter in the KUBELET_SYSTEM_PODS_ARGS variable. --protect-kernel-defaults=true. Based on your system, restart the kubelet service. For example: systemctl daemon-reload; systemctl restart kubelet.service
Edit the kubelet service file /etc/systemd/system/kubelet.service.d/…kubeadm.conf on each worker node and remove the --hostname-override argument from the KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example: systemctl daemon-reload; systemctl restart kubelet.service
If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/…kubeadm.conf on each worker node and set the below parameter in the KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example: systemctl daemon-reload; systemctl restart kubelet.service
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/…kubeadm.conf on each worker node and set the below parameters in the KUBELET_CERTIFICATE_ARGS variable. --tls-cert-file=<path/to/tls-certificate-file> --tls-private-key-file=<path/to/tls-key-file>. Based on your system, restart the kubelet service. For example: systemctl daemon-reload; systemctl restart kubelet.service
If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_…_GCM_SHA…,TLS_ECDHE_RSA_WITH_AES_…_GCM_SHA…,TLS_ECDHE_ECDSA_WITH_CHACHA…_POLY…,TLS_ECDHE_RSA_WITH_AES_…_GCM_SHA…,TLS_ECDHE_RSA_WITH_CHACHA…_POLY…,TLS_ECDHE_ECDSA_WITH_AES_…_GCM_SHA…,TLS_RSA_WITH_AES_…_GCM_SHA…,TLS_RSA_WITH_AES_…_GCM_SHA… or to a subset of these values. If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/…kubeadm.conf on each worker node and set the --tls-cipher-suites parameter as follows, or to a subset of these values. --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_…_GCM_SHA…,TLS_ECDHE_RSA_WITH_AES_…_GCM_SHA…,TLS_ECDHE_ECDSA_WITH_CHACHA…_POLY…,TLS_ECDHE_RSA_WITH_AES_…_GCM_SHA…,TLS_ECDHE_RSA_WITH_CHACHA…_POLY…,TLS_ECDHE_ECDSA_WITH_AES_…_GCM_SHA…,TLS_RSA_WITH_AES_…_GCM_SHA…,TLS_RSA_WITH_AES_…_GCM_SHA… Based on your system, restart the kubelet service. For example: systemctl daemon-reload; systemctl restart kubelet.service

== Summary node ==
… checks PASS
… checks FAIL
… checks WARN
… checks INFO

[INFO] Kubernetes Policies
[INFO] RBAC and Service Accounts
[WARN] Ensure that the cluster-admin role is only used where required (Manual)
[WARN] Minimize access to secrets (Manual)
[WARN] Minimize wildcard use in Roles and ClusterRoles (Manual)
[WARN] Minimize access to create pods (Manual)
[WARN] Ensure that default service accounts are not actively used (Manual)
[WARN] Ensure that Service Account Tokens are only mounted where necessary (Manual)
[WARN] Avoid use of system:masters group (Manual)
[WARN] Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)
[INFO] Pod Security Policies
[WARN] Minimize the admission of privileged containers (Automated)
[WARN] Minimize the admission of containers wishing to share the host process ID namespace (Automated)
[WARN] Minimize the admission of containers wishing to share the host IPC namespace (Automated)
[WARN] Minimize the admission of containers wishing to share the host network namespace (Automated)
[WARN] Minimize the admission of containers with allowPrivilegeEscalation (Automated)
[WARN] Minimize the admission of root containers (Automated)
[WARN] Minimize the admission of containers with the NET_RAW capability (Automated)
[WARN] Minimize the admission of containers with added capabilities (Automated)
[WARN] Minimize the admission of containers with capabilities assigned (Manual)
[INFO] Network Policies and CNI
[WARN] Ensure that the CNI in use supports Network Policies (Manual)
[WARN] Ensure that all Namespaces have Network Policies defined (Manual)
[INFO] Secrets Management
[WARN] Prefer using secrets as files over secrets as environment variables (Manual)
[WARN] Consider external secret storage (Manual)
[INFO] Extensible Admission Control
[WARN] Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)
[INFO] General Policies
[WARN] Create administrative boundaries between resources using namespaces (Manual)
[WARN] Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)
[WARN] Apply Security Context to Your Pods and Containers (Manual)
[WARN] The default namespace should not be used (Manual)

== Remediations policies ==
Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges. Where possible, first bind users to a lower privileged role and then remove the clusterrolebinding to the cluster-admin role: kubectl delete clusterrolebinding [name]
Where possible, remove get, list and watch access to secret objects in the cluster.
Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.
Where possible, remove create access to pod objects in the cluster.
Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value: automountServiceAccountToken: false
Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it.
Remove the system:masters group from all users in the cluster.
Where possible, remove the impersonate, bind and escalate rights from subjects.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including ….
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
Ensure that allowedCapabilities is not present in PSPs for the cluster unless it is set to an empty array.
Review the use of capabilities in applications running on your cluster. Where a namespace contains applications which do not require any Linux capabilities to operate, consider adding a PSP which forbids the admission of containers which do not drop all capabilities.
If the CNI plugin in use does not support network policies, consideration should be given to making use of a different plugin, or finding an alternate mechanism for restricting traffic in the Kubernetes cluster.
Follow the documentation and create NetworkPolicy objects as you need them.
If possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables.
Refer to the secrets management options offered by your cloud provider or a third-party secrets management solution.
Follow the Kubernetes documentation and setup image provenance.
Follow the documentation and create namespaces for objects in your deployment as you need them.
Use security context to enable the docker/default seccomp profile in your pod definitions. An example is as below:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
Follow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker Containers.
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.

== Summary policies ==
… checks PASS
… checks FAIL
… checks WARN
… checks INFO

== Summary total ==
… checks PASS
… checks FAIL
… checks WARN
… checks INFO
```

This can also be run inside the AKS cluster by following the instructions here. As a reminder, kube-bench cannot be run on AKS master nodes; it can only be run on worker nodes. This is not a limitation of kube-bench but of AKS, as mentioned before.

The report breakdown

From the report above you can see that kube-bench benchmarks the following sections of your configuration: Control Plane Components, Etcd, Control Plane Configuration, Worker Nodes, and Policies.

Each section starts by describing which section it targets (the lines with the INFO tag). For example:

```
[INFO] Kubernetes Policies
[INFO] RBAC and Service Accounts
```

Then it lists the checks that are performed for that section. Each check gets a PASS, FAIL or WARN status. For example:

```
[WARN] Ensure that the cluster-admin role is only used where required (Manual)
```

And after the tests run it also suggests remediations for the checks that got a WARN or FAIL status. For example:

```
== Remediations policies ==
Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges. Where possible, first bind users to a lower privileged role and then remove the clusterrolebinding to the cluster-admin role: kubectl delete clusterrolebinding [name]
```

And at the end you can find a summary of the section:

```
== Summary policies ==
… checks PASS
… checks FAIL
… checks WARN
… checks INFO
```

Potential use cases

By running it as a CronJob in your cluster, kube-bench can help you identify potential security issues in your cluster. It is a great tool to have in your toolbox, and it is very easy to use. You can configure it to run on a schedule, like every week or month, and get a report on the security of your cluster, while also taking into account the specific CIS benchmark for your cloud provider. For example, you can set up and run the job-aks.yaml file to run the tests on an AKS cluster.

Popeye: A Kubernetes Cluster Sanitizer

The repository for the tool can be found here. This is a read-only utility that scans live Kubernetes clusters and reports potential issues with deployed resources and configurations. What I liked about this tool is that it is very easy to install and use, and it achieves what it promises: it reduces the cognitive overload one faces when operating a Kubernetes cluster in the wild.

Setting it up

Popeye can be used standalone using the command line, using a spinach.yml file, or running directly in the cluster as a CronJob. In this post I will be using the command line option on a Mac. So to install it I just ran:

```
# Install popeye
$ brew install derailed/popeye/popeye

# Check popeye version
$ popeye version
Version:  …
Commit:   …
Date:     …
Logs:     /var/folders/…/T/popeye.log

# Connected to my AKS cluster. Check the context I am using
$ kubectl config current-context

# Run popeye
$ popeye
```

The report breakdown

The report will be printed to the console and it will look something like the snippet below. I have removed some of the output for brevity, and to give you an idea of the output format, the types of checks that are performed, and the results. The report is nicely split into sections, and each section has a summary of the checks performed and the results. It ends by giving a grade to the cluster. The color coding is also very helpful to quickly identify the issues:

Level | Icon | Jurassic | Color     | Description
Ok    |      | OK       | Green     | Happy!
Info  |      | I        | BlueGreen | FYI
Warn  |      | W        | Yellow    | Potential … |
IssueErrorERedAction required gt popeye K V s gt a Biffs em and Buffs em GENERAL AKS STAGING ┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·Connectivity ·MetricServer CLUSTER SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·Version POP Ks version OK CLUSTERROLES SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·azure policy webhook cluster role ·dapr operator admin ·dashboard reader ·gatekeeper manager role ·grafana agent ·keda operator ·keda operator external metrics reader ·kong kong ·omsagent reader ·policy agent ·system coredns autoscaler ·system metrics server ·system prometheus CLUSTERROLEBINDINGS SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·azure policy webhook cluster rolebinding ·dapr operator ·dapr role tokenreview binding POP References a ClusterRole system auth delegator which does not exist ·dashboard reader global ·gatekeeper manager rolebinding ·grafana agent ·keda operator ·keda operator hpa controller external metrics ·keda operator system auth delegator POP References a ClusterRole system auth delegator which does not exist ·kong kong ·kubelet api admin POP References a ClusterRole system kubelet api admin which does not exist ·metrics server system auth delegator POP References a ClusterRole system auth delegator which does not exist ·omsagentclusterrolebinding ·policy agent ·replicaset controller POP References a ClusterRole system controller replicaset controller which does not exist ·system coredns autoscaler ·system discovery POP References a ClusterRole system discovery which does not exist ·system metrics server ·system prometheus CONFIGMAPS SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·dapr system kube root ca crt POP Used Unable 
to locate resource reference ·dapr system operator dapr io POP Used Unable to locate resource reference ·dapr system webhooks dapr io POP Used Unable to locate resource reference ·default kube root ca crt POP Used Unable to locate resource reference DAEMONSETS SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·kube system azure ip masq agent ·kube system cloud node manager ·kube system cloud node manager windows ·kube system csi azuredisk node ·kube system csi azuredisk node win ·kube system csi azurefile node ·kube system csi azurefile node win ·kube system kube proxy kube proxy POP No resource limits defined kube proxy bootstrap POP No resource limits defined ·prometheus agent grafana agent agent POP No resources requests limits defined DEPLOYMENTS SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·dapr system dapr dashboard dapr dashboard POP Unnamed port ·dapr system dapr operator dapr operator POP Unnamed port ·dapr system dapr sentry dapr sentry POP Unnamed port ·dapr system dapr sidecar injector ·gatekeeper system gatekeeper audit ·gatekeeper system gatekeeper controller ·keda system keda operator ·keda system keda operator metrics apiserver ·kong kong kong ingress controller POP No resources requests limits defined proxy POP No resources requests limits defined ·kube system azure policy ·kube system azure policy webhook ·kube system coredns ·kube system coredns autoscaler ·kube system konnectivity agent ·kube system metrics server HORIZONTALPODAUTOSCALERS SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·HPA POP If ALL HPAs triggered m will match exceed cluster CPU m capacity by m POP If ALL HPAs triggered Mi will match exceed cluster memory Mi capacity by Mi ·my service keda hpa my service ·my service keda hpa my service POP Replicas at burst will match exceed cluster CPU m 
capacity by m POP Replicas at burst will match exceed cluster memory Mi capacity by Mi INGRESSES SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·my service my service ·kong kong dapr NAMESPACES SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·dapr system ·default POP Used Unable to locate resource reference ·gatekeeper system ·keda system ·kong ·kube node lease POP Used Unable to locate resource reference ·kube public POP Used Unable to locate resource reference ·kube system ·logstash ·prometheus agent NETWORKPOLICIES SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·kube system konnectivity agent ·kube system tunnelfront NODES SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·aks default vmss POP Memory threshold reached ·aks default vmss POP Memory threshold reached ·aks default vmssa PERSISTENTVOLUMES SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·pvc ·pvc ·pvc PERSISTENTVOLUMECLAIMS SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·dapr system raft log dapr placement server ·dapr system raft log dapr placement server ·dapr system raft log dapr placement server PODS SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·dapr system dapr dashboard lq POP Connects to API Server ServiceAccount token is mounted dapr dashboard POP No probes defined POP Unnamed port ·dapr system dapr operator chmmq POP Connects to API Server ServiceAccount token is mounted dapr operator POP Pod was restarted times POP Liveness probe uses a port prefer a named port POP Readiness probe uses a port prefer a named port POP Unnamed port ·dapr system dapr 
placement server POP Connects to API Server ServiceAccount token is mounted POP Pod could be running as root user Check SecurityContext Image dapr placement server POP Liveness probe uses a port prefer a named port POP Readiness probe uses a port prefer a named port POP Container could be running as root user Check SecurityContext Image PODDISRUPTIONBUDGETS SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·dapr system dapr dashboard disruption budget ·dapr system dapr operator disruption budget ·dapr system dapr placement server disruption budget ·dapr system dapr sentry budget ·dapr system dapr sidecar injector disruption budget ·kube system coredns pdb POP Deprecated PodDisruptionBudget API group policy vbeta Use policy v instead ·kube system konnectivity agent POP Deprecated PodDisruptionBudget API group policy vbeta Use policy v instead ·logstash logstash logstash pdb PODSECURITYPOLICIES SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·Nothing to report REPLICASETS SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·dapr system dapr dashboard ·dapr system dapr operator ·dapr system dapr sentry ·dapr system dapr sidecar injector ·keda system keda operator ·keda system keda operator metrics apiserver ROLES SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·default secret reader ·gatekeeper system gatekeeper manager role ·kong kong kong ·kube system azure policy webhook role ·kube system policy pod agent ROLEBINDINGS SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·default dapr secret reader ·gatekeeper system gatekeeper manager rolebinding ·kong kong kong ·kube system azure policy webhook rolebinding ·kube system keda operator auth reader POP References a Role 
kube system extension apiserver authentication reader which does not exist ·kube system metrics server auth reader POP References a Role kube system extension apiserver authentication reader which does not exist ·kube system policy pod agent SECRETS SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·dapr system dapr operator token tdnb POP Used Unable to locate resource reference ·dapr system dapr sidecar injector cert ·dapr system dapr trust bundle SERVICES SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·dapr system dapr api POP Use of target port for service port TCP Prefer named port ·dapr system dapr dashboard POP Use of target port for service port TCP Prefer named port POP Only one Pod associated with this endpoint ·dapr system dapr placement server POP Use of target port for service port TCP api Prefer named port POP Use of target port for service port TCP raft node Prefer named port ·dapr system dapr sentry POP Use of target port for service port TCP Prefer named port ·dapr system dapr sidecar injector ·dapr system dapr webhook POP No target ports match service port TCP ·default dapr eventgrid func dapr POP No pods match service selector POP No associated endpoints ·default kubernetes SERVICEACCOUNTS SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·dapr system dapr operator ·dapr system dashboard reader ·dapr system default POP Used Unable to locate resource reference ·default default POP Used Unable to locate resource reference ·domain event emitter default ·domain start default ·gatekeeper system default POP Used Unable to locate resource reference ·gatekeeper system gatekeeper admin STATEFULSETS SCANNED ٪┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ ·dapr system dapr placement server ·logstash logstash logstash 
SUMMARY┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅Your cluster score B o o B o gt a Popeye has a bit of a different scope than Kube bench in the sense that it scans your cluster for best practices and potential issues It is not a security scanner like Kube bench but it can be used to find potential security issues and for your cluster management It targets the following nodesnamespacespodsservicesIts main scope is to find misconfigurations like port mismatches dead or unused resources etc You can find the full list of available sanitizers here Potential use casesShould you choose it to run in a pipeline or as a job you can build on it and make action items to fix based on the errors reported in the report Or this could just be a little helpful tool to run on your cluster to get a quick overview of the state of your cluster And you can extract any action items for yourself In this case you can save the report using the save flag and attach it to your JIRA Ticket or PR This will save the report in your current working directory gt popeye save var folders vp ldlqgnxfvkshmzlmgn T popeye sanitizer aks staging txt SummaryI quite enjoyed using both Popeye and Kube bench They are both very useful in different ways Popeye is more of a cluster management tool while Kube bench is more of a security scanner But they can both be used to improve the security of your cluster In the next posts from this series we will take a deeper look at the reports in more detail focusing on the errors and seeing what we can do to improve our cluster score Until then thank you for reading and I hope you found this useful Let me know what other tools you use |
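The "Remediations policies" list that Kube-bench prints above is a set of manual checks. The script below is an added example (not from the original post and not part of Kube-bench) that applies the same checks offline to the JSON produced by `kubectl get clusterrolebindings,clusterroles,roles,pods -A -o json`: bindings to cluster-admin, wildcard rules, read access to secrets, create on pods, impersonate/bind/escalate verbs, pods on the default service account or with the token auto-mounted, host namespaces, a missing RuntimeDefault seccomp profile, privileged containers, allowPrivilegeEscalation, capabilities not dropped, and secrets injected as environment variables. The SAMPLE bundle, its object names and the hardened "batch" pod are constructed for the demo.

```python
"""Offline audit of exported Kubernetes RBAC and Pod objects against the CIS
'Policies' items kube-bench flagged. Added example, not part of the original
post or of kube-bench. Input shape: the List returned by
  kubectl get clusterrolebindings,clusterroles,roles,pods -A -o json
"""
import json
import sys

# Constructed sample (hypothetical names), shaped like the kubectl List above.
SAMPLE = {
    "kind": "List",
    "items": [
        {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "User", "name": "alice@example.com"},
                      {"kind": "Group", "name": "ops-team"}]},
        {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
         "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "too-broad"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
                   {"apiGroups": ["rbac.authorization.k8s.io"],
                    "resources": ["clusterroles"], "verbs": ["bind", "escalate"]}]},
        {"kind": "Pod", "metadata": {"name": "web", "namespace": "default"},
         "spec": {"hostNetwork": True,
                  "containers": [{"name": "app", "image": "web:1",
                                  "env": [{"name": "DB_PASS", "valueFrom": {
                                      "secretKeyRef": {"name": "db", "key": "pass"}}}],
                                  "securityContext": {"privileged": True}}]}},
        {"kind": "Pod", "metadata": {"name": "batch", "namespace": "jobs"},  # hardened pod
         "spec": {"serviceAccountName": "batch-sa", "automountServiceAccountToken": False,
                  "securityContext": {"runAsNonRoot": True,
                                      "seccompProfile": {"type": "RuntimeDefault"}},
                  "containers": [{"name": "job", "image": "job:1",
                                  "securityContext": {"allowPrivilegeEscalation": False,
                                                      "capabilities": {"drop": ["ALL"]}}}]}},
    ],
}


def audit_rbac(items):
    """(object name, finding) pairs for Role/ClusterRole(Binding) objects."""
    findings = []
    for obj in items:
        name = obj["metadata"]["name"]
        if obj["kind"].endswith("Binding"):
            if obj["roleRef"]["name"] == "cluster-admin":  # every subject is cluster-admin
                for s in obj.get("subjects", []):
                    findings.append((name, f"binds {s['kind']} {s['name']} to cluster-admin"))
            continue
        for rule in obj.get("rules", []):
            verbs = set(rule.get("verbs", []))
            resources = set(rule.get("resources", []))
            if "*" in verbs | resources | set(rule.get("apiGroups", [])):
                findings.append((name, "wildcard in rule"))
            if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
                findings.append((name, "read access to secrets"))
            if "pods" in resources and verbs & {"create", "*"}:
                findings.append((name, "create access to pods"))
            if verbs & {"impersonate", "bind", "escalate"}:  # RBAC privilege-escalation verbs
                findings.append((name, "impersonate/bind/escalate verbs"))
    return findings


def audit_pod(pod):
    """('ns/name', [findings]) for one Pod; container checks fall back to pod-level context."""
    spec, meta = pod["spec"], pod["metadata"]
    problems = []
    if spec.get("serviceAccountName", "default") == "default":
        problems.append("uses the default service account")
    # The pod spec alone cannot see the ServiceAccount's setting, so treat 'unset' as mounted.
    if spec.get("automountServiceAccountToken", True):
        problems.append("service account token is auto-mounted")
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            problems.append(f"{flag} enabled")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp != "RuntimeDefault":
            problems.append(f"{c['name']}: seccomp profile is not RuntimeDefault")
        if sc.get("privileged"):
            problems.append(f"{c['name']}: privileged")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            problems.append(f"{c['name']}: allowPrivilegeEscalation not false")
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            problems.append(f"{c['name']}: runAsNonRoot not set")
        if not set(sc.get("capabilities", {}).get("drop", [])) & {"ALL", "NET_RAW"}:
            problems.append(f"{c['name']}: does not drop NET_RAW or ALL")
        if any("secretKeyRef" in e.get("valueFrom", {}) for e in c.get("env", [])):
            problems.append(f"{c['name']}: secret injected as environment variable")
    return f"{meta['namespace']}/{meta['name']}", problems


def audit(bundle):
    """Return (rbac findings, {pod ref: findings}) for a kubectl List bundle."""
    items = bundle["items"]
    rbac = audit_rbac([o for o in items if "Role" in o["kind"]])
    pods = {}
    for o in items:
        if o["kind"] == "Pod":
            ref, problems = audit_pod(o)
            if problems:
                pods[ref] = problems
    return rbac, pods


if __name__ == "__main__":
    bundle = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    rbac, pods = audit(bundle)
    for name, finding in rbac:
        print(f"RBAC  {name}: {finding}")
    for ref, problems in pods.items():
        print(f"POD   {ref}: " + "; ".join(problems))
```

Run it against a real export with `kubectl get clusterrolebindings,clusterroles,roles,pods -A -o json > objects.json` followed by `python audit.py objects.json`. The hardened "batch" pod produces no findings, which is the shape to aim for when working through the remediation list; note that the token-mount check is conservative on purpose, since a pod spec that leaves automountServiceAccountToken unset inherits whatever its ServiceAccount says.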
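For the Popeye "Potential use cases" passage above, the script below is an added example (not from the original post and not part of Popeye) that turns a Popeye JSON report into grouped action items and a pipeline exit code. It assumes the layout of `popeye -o json` output (sanitizers, each with issues keyed by resource, each issue carrying a numeric level and a "[POP-nnn] ..." message) and the encoding 0=OK, 1=Info, 2=Warn, 3=Error matching the level table above; the embedded report and its POP codes are constructed for the demo.

```python
"""Group Popeye findings into action items and gate a pipeline on them.

Added example, not from the original post and not part of Popeye. Assumed
`popeye -o json` shape: {"popeye": {"grade", "score", "sanitizers": [
  {"sanitizer": ..., "issues": {"ns/name": [{"group", "level", "message"}]}}]}}
with levels 0=OK, 1=Info, 2=Warn, 3=Error (assumption).
"""
import json
import re
import sys
from collections import defaultdict

LEVELS = {0: "OK", 1: "INFO", 2: "WARN", 3: "ERROR"}  # assumed numeric encoding
POP_RE = re.compile(r"^\[(POP-\d+)\]\s*(.*)$")

# Constructed sample report; the POP code numbers are illustrative only.
SAMPLE_REPORT = json.dumps({"popeye": {"score": 82, "grade": "B", "sanitizers": [
    {"sanitizer": "pods", "issues": {
        "dapr-system/dapr-placement-server-0": [
            {"group": "__root__", "level": 2,
             "message": "[POP-301] Connects to API Server? ServiceAccount token is mounted"},
            {"group": "__root__", "level": 2,
             "message": "[POP-302] Pod could be running as root user. Check SecurityContext/Image"},
            {"group": "dapr-placement-server", "level": 1,
             "message": "[POP-105] Liveness probe uses a port#, prefer a named port"}],
        "kube-system/coredns-0": [
            {"group": "__root__", "level": 0, "message": "[POP-000] OK"}]}},
    {"sanitizer": "services", "issues": {
        "default/dapr-eventgrid-func-dapr": [
            {"group": "__root__", "level": 3, "message": "[POP-1102] No pods match service selector"},
            {"group": "__root__", "level": 3, "message": "[POP-1105] No associated endpoints"}]}}]}})


def summarize(report_json, min_level=2):
    """Group issues at or above min_level by POP code; also record the worst level seen."""
    data = json.loads(report_json)["popeye"]
    items = defaultdict(lambda: {"level": 0, "text": "", "resources": []})
    worst = 0
    for san in data.get("sanitizers", []):
        for resource, issues in san.get("issues", {}).items():
            for issue in issues:
                level = issue["level"]
                worst = max(worst, level)
                if level < min_level:
                    continue
                m = POP_RE.match(issue["message"])
                code, text = (m.group(1), m.group(2)) if m else ("POP-?", issue["message"])
                where = f"{san['sanitizer']}/{resource}"
                if issue.get("group", "__root__") != "__root__":  # container-level finding
                    where += f" ({issue['group']})"
                entry = items[code]
                entry["level"] = max(entry["level"], level)
                entry["text"] = text
                entry["resources"].append(where)
    return {"grade": data.get("grade"), "score": data.get("score"),
            "worst": worst, "items": dict(items)}


def exit_code(summary, fail_on=3):
    """1 when any finding reaches fail_on (default: Error), so a job step can fail on it."""
    return 1 if summary["worst"] >= fail_on else 0


def render(summary):
    """One action item per POP code, worst level first, with the affected resources."""
    lines = [f"Popeye grade {summary['grade']} (score {summary['score']})"]
    for code, entry in sorted(summary["items"].items(), key=lambda kv: -kv[1]["level"]):
        lines.append(f"[{LEVELS[entry['level']]}] {code} {entry['text']}")
        lines.extend(f"    - {r}" for r in entry["resources"])
    return "\n".join(lines)


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    summary = summarize(raw)
    print(render(summary))
    sys.exit(exit_code(summary))
```

In a pipeline, `popeye -o json > report.json` followed by `python popeye_gate.py report.json` fails the step on any Error-level finding while still listing Warn-level items such as the mounted ServiceAccount token; raise `min_level` to 3 if you only want the blocking items in the ticket text.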
2023-01-23 18:22:01 |
Overseas TECH |
DEV Community |
7 Soft Skills Every Software Engineer Should Have in 2023⚡🧑💻 |
https://dev.to/iamdevmarcos/7-soft-skills-every-software-engineer-should-have-in-2023-38ni
|
7 Soft Skills Every Software Engineer Should Have in 2023

What are Soft Skills?
First, hard skills are basically skills that can be measured or quantified in some way. They are job-specific and can be learned in institutions or through apprenticeship courses. Soft skills are less defined and more universal, as they cut across all careers that exist today.

Effective and assertive communication
You must communicate clearly, which means you must always put yourself in your listener's shoes, whether they are a user, a product manager or a teammate. Show genuine appreciation for people and their work; people can always feel it when you do. These tips lead to a better work environment where everyone feels seen, heard and valued.

Self-awareness
This is a very important skill to hone. It involves understanding yourself at all times. Working as a developer, it is important in your day-to-day life to be very confident to express what you know and very capable of expressing or communicating what you don't yet know. It is a sign of strength to respond with "I still have no idea how this works." Show honesty and willingness to learn.

Time management
Time management skills are super important in every developer's life, as almost every project you will be working on has a deadline. One tip is to create a schedule for yourself and stick to it. Also, creating healthy breaks and having boundaries can be very helpful. You have to make time to eat, exercise, rest and work.

Empathy
This simply means putting yourself in other people's shoes; this would mostly involve your daily interactions at work. Do you remember to make sure the codebase is as readable as possible for the next person accessing it? Practice being understanding when teammates underperform; try to find out if they are dealing with anything in their personal lives.

Responsibility
Taking ownership of your decisions, choices and actions at every point of your journey is also another very important skill to have. Realizing that everyone makes mistakes and failure isn't necessarily a bad thing will help a lot. Some of the mistakes you will make as a developer can be less impactful for the company or team, while others can have a huge negative impact.

Bonus: Open Mind
Developers by nature are often strongly opinionated, and this applies to everything in your everyday life. Having an open mind can be a great skill to have. You can be very stubborn, but you are still open to new things, new ideas and a new framework to achieve your goals better and more effectively. |
2023-01-23 18:15:12 |
Apple |
AppleInsider - Frontpage News |
Apple hit new record high for lobbying in 2022, but still behind peers |
https://appleinsider.com/articles/23/01/23/apple-hit-new-record-high-for-lobbying-in-2022-but-still-behind-peers?utm_medium=rss
|
Apple hit new record high for lobbying in 2022, but still behind peers
Apple significantly increased its spending on lobbying in 2022, increasing by … compared to the previous year, but the company is still spending less than its peers. A report from July revealed that Apple spent a record $… million in the first half of 2022, which was $… million higher than in 2021. The company's number of in-house and outside lobbyists has increased by more than … since …, but its total pool of lobbyists is smaller than its competitors'. Read more |
2023-01-23 18:43:46 |
Apple |
AppleInsider - Frontpage News |
Apple's iPadOS 16.3 is out with support for security keys |
https://appleinsider.com/articles/23/01/23/apples-ipados-163-is-out-with-support-for-security-keys?utm_medium=rss
|
Apple's iPadOS 16.3 is out with support for security keys
Apple has released iPadOS 16.3 to the public, with support for physical security keys that can add another layer of protection for Apple ID. iPadOS 16.3 is out now. The iPadOS 16.3 update is available to download by the public. It is a relatively minor release compared to previous iPadOS releases, with its most significant feature being support for security keys. Read more |
2023-01-23 18:25:03 |
Apple |
AppleInsider - Frontpage News |
Apple issues watchOS 9.3 update for Apple Watch |
https://appleinsider.com/articles/23/01/23/apple-issues-watchos-93-update-for-apple-watch?utm_medium=rss
|
Apple issues watchOS 9.3 update for Apple Watch
The public release of watchOS 9.3 includes bug fixes and under-the-hood improvements for the Apple Watch, and it is now available to everybody. Apple Watch users can update watchOS by opening the iOS Watch app, selecting General, then Software Update, and following the on-screen prompts. Read more |
2023-01-23 18:20:56 |
Apple |
AppleInsider - Frontpage News |
Apple releases macOS Ventura 13.2 with security key support |
https://appleinsider.com/articles/23/01/23/apple-releases-macos-ventura-132-with-security-key-support?utm_medium=rss
|
Apple releases macOS Ventura 13.2 with security key support
The new macOS Ventura 13.2 is now rolling out to users with improved security features, including rapid response updates. Following the usual multiple beta test releases, macOS 13.2 is now available and will come pre-installed on all new Macs. This release is chiefly concerned with beginning the implementation of new security features that Apple has announced it will continue introducing over the next few months. Read more |
2023-01-23 18:12:41 |
Apple |
AppleInsider - Frontpage News |
iOS 16.3 now available with support for new HomePod, security keys |
https://appleinsider.com/articles/23/01/23/ios-163-now-available-with-support-for-new-homepod-security-keys?utm_medium=rss
|
iOS 16.3 now available with support for new HomePod, security keys
Apple has released iOS 16.3, bringing support for the newly announced HomePod and physical security keys used for two-factor authentication. iOS 16.3 is now available. Following a beta period that started in December, the update for iOS 16.3 is now downloadable to iPhone. It doesn't appear to have many user-facing updates, though it ensures compatibility with the new HomePod and its features. Read more |
2023-01-23 18:12:19 |
Apple |
AppleInsider - Frontpage News |
Save up to $500 on MacBooks, iPads, Apple TV 4K at Amazon this week |
https://appleinsider.com/articles/23/01/23/save-up-to-500-on-macbooks-ipads-apple-tv-4k-at-amazon-this-week?utm_medium=rss
|
Save up to $500 on MacBooks, iPads, Apple TV 4K at Amazon this week
This week's best Amazon deals are all about MacBooks, with discounts knocking up to $… off retail prices on M2 Pro and M2 Max MacBook Pros. MacBooks and iPhones are on sale this week at Amazon. With Apple introducing the M2 MacBook Pro lineup last week, that means deals on M2 Pro and M2 Max …-inch models, up to $… off this week. Also take $… off M2 Pro …-inch models, $… off the M… MacBook Air, or $… off the M… MacBook Pro …-inch. Read more |
2023-01-23 18:09:54 |
News |
BBC News - Home |
Key questions about ex-chancellor's tax affairs |
https://www.bbc.co.uk/news/uk-politics-64372528?at_medium=RSS&at_campaign=KARANGA
|
settlement |
2023-01-23 18:22:39 |
News |
BBC News - Home |
Firefighter critically injured in Jenners blaze in Edinburgh |
https://www.bbc.co.uk/news/uk-scotland-64379840?at_medium=RSS&at_campaign=KARANGA
|
edinburgh |
2023-01-23 18:01:46 |
News |
BBC News - Home |
Richard Sharp: Watchdog review begins into BBC chairman's hiring |
https://www.bbc.co.uk/news/uk-64377685?at_medium=RSS&at_campaign=KARANGA
|
public |
2023-01-23 18:34:38 |
News |
BBC News - Home |
Murder arrest after mobility scooter robbery victim dies |
https://www.bbc.co.uk/news/uk-england-gloucestershire-64377516?at_medium=RSS&at_campaign=KARANGA
|
stroud |
2023-01-23 18:22:41 |
Business |
Diamond Online - New Articles |
Latest Status of Popular Schools for Tokyo and Kanagawa "Junior High School Entrance Exams" [2023 Male Examinees Edition] - The Road to Junior High School Entrance Exams |
https://diamond.jp/articles/-/316459
|
junior high school entrance exams |
2023-01-24 03:50:00 |
Business |
Diamond Online - New Articles |
Microsoft Faces the Highest Hurdle Among IT Giants - WSJ PickUp |
https://diamond.jp/articles/-/316541
|
wsjpickup |
2023-01-24 03:45:00 |
Business |
Diamond Online - New Articles |
Winter Fighting May Put the Russian Military at a Disadvantage - WSJ PickUp |
https://diamond.jp/articles/-/316540
|
wsjpickup |
2023-01-24 03:40:00 |
Business |
Diamond Online - New Articles |
Pessimistic Mood Among Consumers: Four Economic Indicators That Signal Anxiety - WSJ PickUp |
https://diamond.jp/articles/-/316539
|
wsjpickup |
2023-01-24 03:35:00 |
Business |
Diamond Online - New Articles |
[A 91-Year-Old Doctor Reveals] A Common but "Surprising Truth" That Raises the Risk of Dementia - The Lifelong Anti-Senility Habits of a 91-Year-Old Practicing Doctor |
https://diamond.jp/articles/-/314000
|
[A 91-Year-Old Doctor Reveals] A Common but "Surprising Truth" That Raises the Risk of Dementia - The Lifelong Anti-Senility Habits of a 91-Year-Old Practicing Doctor. "Wait, what was I about to do just now?" "You know, that person, what was their name again?" "What did I have for dinner last night?" ... It never bothered you when you were young, but at some point your forgetfulness has become severe. |
2023-01-24 03:30:00 |
Business |
Diamond Online - New Articles |
[A Scientist Explains] How Do Trees Recognize "Others" and Send Signals? - Finding the Mother Tree |
https://diamond.jp/articles/-/315808
|
[A Scientist Explains] How Do Trees Recognize "Others" and Send Signals? - Finding the Mother Tree. The forest is an "internet", and a "giant brain" built by fungi. |
2023-01-24 03:25:00 |
Business |
Diamond Online - New Articles |
[A Money Expert Teaches] If You Want to Save Money, First Take a Day Off on a Weekday - The Complete Guide to Money for Living Happily on Your Own |
https://diamond.jp/articles/-/316403
|
[A Money Expert Teaches] If You Want to Save Money, First Take a Day Off on a Weekday - The Complete Guide to Money for Living Happily on Your Own. Old age for people living alone has pitfalls that are hard to see during one's working years, so money and retirement planning that takes this into account is essential. With one in … men and one in … women never marrying, the number of single people is rising sharply, yet systems such as taxation and social insurance are designed around married people with children, and single people who are unaware of this may lose out. |
2023-01-24 03:23:00 |
Business |
Diamond Online - New Articles |
[A Doctor Explains] Is "White Sugar Is Poison to the Body" True? The Right Answer on "The Sugar Children Should Eat" - A Doctor's 50 Basics of Children's Meals |
https://diamond.jp/articles/-/316516
|
meals |
2023-01-24 03:20:00 |
Business |
Diamond Online - New Articles |
How Do People Who Say Little but Communicate Well Raise the "Quality of Conversation"? - The Power to Come Up with an Answer in One Second: 48 Techniques Comedians Learn to Become Pros at "Comebacks" |
https://diamond.jp/articles/-/316534
|
|
2023-01-24 03:15:00 |
Business |
Diamond Online - New Articles |
Why More Startups in Southeast Asia Say "We Don't Want to Meet Japanese People" - Agile Work Techniques |
https://diamond.jp/articles/-/316515
|
|
2023-01-24 03:13:00 |
Business |
Diamond Online - New Articles |
[Talked About on "Sekai Ichi Uketai Jugyo"] Charismatic Childcare Worker Tei-sensei Answers! How to Get a Child Who Hates the Car Seat to Ride in It Willingly - Charismatic Childcare Worker Tei-sensei Is Helping with Everyone's Parenting Worries! |
https://diamond.jp/articles/-/316241
|
[Talked About on "Sekai Ichi Uketai Jugyo"] Charismatic Childcare Worker Tei-sensei Answers! How to Get a Child Who Hates the Car Seat to Ride in It Willingly - Charismatic Childcare Worker Tei-sensei Is Helping with Everyone's Parenting Worries! [… followers on YouTube, … on Twitter, … on Instagram] A new installment of the parenting advice books by charismatic childcare worker Tei-sensei, overwhelmingly supported by today's moms and dads, "The Complete Guide to Amazing Techniques That Get Through to Kids Better: Charismatic Childcare Worker Tei-sensei Is Helping with Everyone's Parenting Worries", is out. Hugely popular on TV and social media, practicing childcare worker Tei-sensei is overwhelmingly supported by today's moms and dads. |
2023-01-24 03:10:00 |
Business |
Diamond Online - New Articles |
[A Psychiatrist Explains] When Good Intentions Backfire... How to Cope When You Feel Down - Psychiatrist Tomy Teaches How to Let Go of Mental Attachments |
https://diamond.jp/articles/-/315524
|
[A Psychiatrist Explains] When Good Intentions Backfire... How to Cope When You Feel Down - Psychiatrist Tomy Teaches How to Let Go of Mental Attachments. Everyone has endless worries and anxieties. |
2023-01-24 03:05:00 |
Business |
Diamond Online - New Articles |
Why Parents of Only Children Are More Prone to Parenting Burnout - How to Develop an Only Child's Academic Ability |
https://diamond.jp/articles/-/316518
|
parenting burnout |
2023-01-24 03:03:00 |