Posts

Showing posts from December, 2020

Helm

0. Overview - package manager
1. Helm Provenance and Integrity - https://github.com/technosophos/k8s-helm/blob/master/docs/provenance.md
   - Helm has provenance tools which help chart users verify the integrity and origin of a package. Using industry-standard tools based on PKI, GnuPG, and well-respected package managers, Helm can generate and verify signature files.
   a) Overview
      - Integrity is established by comparing a chart to a provenance record. Provenance records are stored in provenance files, which are stored alongside a packaged chart. For example, if a chart is named myapp-1.2.3.tgz, its provenance file will be myapp-1.2.3.tgz.prov.
      - Provenance files are generated at packaging time (helm package --sign ...), and can be checked by multiple commands, notably helm install --verify.
   b) The workflow
      This section describes a potential workflow for using provenance data effectively. Prerequisites: A valid PGP keyp...

Sysdig

1) Kubernetes Monitoring
   a) Enabling Service-Oriented Intelligence - Sysdig ServiceVision
      - ServiceVision provides data enrichment with service-oriented metadata that exponentially increases the value of your information.
   e) New support for kube-state-metrics with Sysdig Monitor - https://github.com/kubernetes/kube-state-metrics
      - state + health
      - state
         * Pod status
         * Number of deployments
         * Number of replicas paused vs running vs desired per deployment
         * Node allocatable capacity
         * Pods available per DaemonSet
         * etc.
      - health
         * CPU for pod
         * Memory for deployment
         * JVM usage per deployment
         * Container count per namespace
         * etc.

Kubernetes news

1.) Kubernetes drops Docker support
   - Docker support in kubelet is now deprecated and will be removed in a future release. The kubelet uses a module called "dockershim" which implements CRI support for Docker and it has seen maintenance issues in the Kubernetes community. We encourage you to evaluate moving to a container runtime that is a full-fledged implementation of CRI (v1alpha1 or v1 compliant) as they become available.
   a) What does that mean?
      - Docker is just one of those container runtimes, but it is the most popular one and it made containers popular
      - build of Docker: Docker Engine
         - CLI
         - API
         - Server
            * Container Runtime
            * Volumes
            * Network
            * build images
      - Kubernetes needs only one component from Docker -> Container Runtime
      - dockershim
         * how Kubernetes is communicating with Docker
         * implements CRI support for Docker
         * part supported by Kubernetes
         * this part wi...

Amazon EKS - Kubernetes cluster on AWS

1.) What is EKS?
   - It is a Managed Kubernetes Service
   - What AWS provides through EKS:
      * AWS manages Master Nodes
      * Necessary apps pre-installed
         ** Container Runtime
         ** Master Processes
      * Scaling and Backups
   - You can focus on deploying your application
   - You are creating only worker nodes
2.) How to use EKS?
   a) basic configuration
      - Create AWS account (free tier)
      - Create a VPC
      - Create an IAM role with Security Group (Create AWS user with list of permissions)
      - Create Cluster Control Plane with IAM role
         * choose cluster name, k8s version
         * choose region and VPC for your cluster
         * set security for your cluster
      - Create Worker Nodes and connect to cluster (EC2)
         * Create as a Node Group (group of Nodes)
         * Choose cluster it will attach to
         * Define Security Group, select instan...

Terraform state locking

1) Terraform locking state in S3
   - Terraform, as of v0.9, offers locking remote state management. To get it up and running in AWS, create a Terraform S3 backend, an S3 bucket and a DynamoDB table.
   - https://medium.com/@jessgreb01/how-to-terraform-locking-state-in-s3-2dc9a5665cb6

Terraform AWS Cloudtrail Automatic Re-enable

1.) Terraform AWS CloudTrail Automatic Re-enable
   - Automatic re-enable of CloudTrail in case of malicious or accidental disabling.
   - This is a security enforcement module for CloudTrail.
2.) Why you need this
   - If somebody hacks your AWS account, the first action would be to disable or delete CloudTrail to cover their tracks. Receiving an alert in this case can save your business from huge and expensive disasters.
3.) Purpose
   - The project catches 2 events: one is StopLogging, the other is DeleteTrail.
      * StopLogging causes CloudTrail to be enabled again and sends an email to the SNS topic.
      * DeleteTrail sends an email to the SNS topic.
4) Schema
   - The Terraform module creates the components in the red square.
5) Prerequisites: These 2 elements should be created.
   - CloudTrail
   - SNS with Email confirmation
6) Creation
   Use the code in the Terraform project:
   module "cloudtrail-automatic-re-enable" {
       source = "giuseppeborgese/cloudtrail-autmatic-re-enabled/aws"...

YAML

1. Basic YAML Syntax
   - YAML is composed of key-value pairs, lists, and dictionaries
   - Files open with three hyphens on the first line and close with three periods
   - List items are designated with a single hyphen and space
   - Each list item should have the same indentation
   - Dictionaries are designated with a colon and a space followed by indented key-value pairs
2. Multiline Values
   - It is frequently useful when working on Ansible playbooks to format input with line breaks
   - YAML has a means of letting us do this
   - The pipe and right angle bracket (| and >) may be used to allow for line breaks within YAML
   - Pipe will take each line break as part of the input in the data that follows it
   - The right-angle bracket will ignore line breaks in the data that follows it
   - A typical use case is breaking up parameters for readability
   Example
   - name: wri...

Ansible exam

1. Performance based
2. Preparing for the test
   - quizzes
   - flash cards
   - study guide
   - learning activities
   - interactive diagram
3. Ansible 2.7 Exam Update
   - These update lessons cover the extra items listed under the objectives for the exam
   - The new exam uses Ansible 2.7 and Red Hat 7.5
   - The old exam used Ansible 2.3 and Red Hat 7.3
   - The Red Hat versions are not that different in relation to the exam
   - This objective is made up of the following:
      * Install required packages
      * Create a static host inventory file
      * Create a configuration file
4.

Ansible

Ansible Tower / AWX

- Ansible Tower provides a web server interface to Ansible.
- System requirements are somewhat heavy.
- Tower is only free for minimal use. Working with more than a few systems requires a paid license.
- The two key benefits of Ansible Tower are user permissioning and the audit trail (only provided with a license).
- Only touched on in EX4077
- How is Ansible Tower installed on your system? Ansible Tower is provided in a tarball containing binaries, config files, and an installation script that must be run.
- To populate an Ansible Tower project with source files, the following can be used:
   * file system of the Ansible Tower server
   * git
   * subversion
- features:
   * an interface for running Ansible plays and playbooks against target hosts.
   * Separate user accounts permissioned for selective access to Tower-managed ...