On-demand ECS Fargate as Jenkins worker node

  • Create a separate ECS Fargate task template for each kind of workload.
  • Tag the resources properly so that cost can be attributed per workload.

Docker with TLS:

##### server
dockerd \
    --tlsverify \
    --tlscacert=ca.pem \
    --tlscert=server-cert.pem \
    --tlskey=server-key.pem \
    -H=0.0.0.0:2376

##### client
docker --tlsverify \
    --tlscacert=ca.pem \
    --tlscert=cert.pem \
    --tlskey=key.pem \
    -H=$HOST:2376 version

##### secure by default
mkdir -pv ~/.docker
cp -v {ca,cert,key}.pem ~/.docker
export DOCKER_HOST=tcp://$HOST:2376 DOCKER_TLS_VERIFY=1


##### make sure the server cert is issued for the host/DNS name the client connects to (the $HOST in -H), otherwise --tlsverify rejects it

Reading Secret data from the etcd of Kubernetes

  • Find the etcd process id
ps -ef | grep etcd
  • Go to the fd directory of the etcd process (pid from the previous step)
cd /proc/2626577/fd
  • List the files and look for "/var/lib/etcd/member/snap/db"
ls -ltr | grep db
  • To read any secret currently created by a user in k8s:
#create secret

kubectl create secret generic secret1 --from-literal=secretname=helloworld

#read secret directly from etcd (the value is stored in plaintext unless encryption at rest is configured)

cat /var/lib/etcd/member/snap/db | strings | grep secret1 -C 10

Encrypting Secret Data at Rest https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
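An added audit helper, not part of these notes: given the JSON that `etcdctl get /registry/secrets/ --prefix -w json` prints, it reports which Secrets are still readable in plaintext (what the `strings | grep` above finds) and which carry the `k8s:enc:` prefix that the linked EncryptionConfiguration writes. The sample entries are constructed, not a real dump.

```python
# Audit whether Kubernetes Secrets in etcd are encrypted at rest, from the JSON
# that `etcdctl get /registry/secrets/ --prefix -w json` prints (key/value are
# base64). Plaintext objects start with the protobuf magic b"k8s\x00" (or "{"
# for JSON); encrypted values start with "k8s:enc:<provider>:v1:<keyname>:"
# (KMS v2: "k8s:enc:kms:v2:<name>:").
import base64
import json
import re

ENC_PREFIX = re.compile(rb"^k8s:enc:(?P<provider>[a-z0-9]+):v[0-9]+:(?P<key>[^:]*):")

def classify_value(value: bytes) -> str:
    """'encrypted:<provider>:<key>', 'plaintext:protobuf', 'plaintext:json' or 'unknown'."""
    m = ENC_PREFIX.match(value)
    if m:
        return f"encrypted:{m['provider'].decode()}:{m['key'].decode()}"
    if value.startswith(b"k8s\x00"):
        return "plaintext:protobuf"
    if value.lstrip().startswith(b"{"):
        return "plaintext:json"
    return "unknown"

def audit_etcdctl_json(doc: str) -> dict:
    """Map every /registry/secrets/<ns>/<name> key to its classification."""
    report = {}
    for kv in json.loads(doc).get("kvs", []):
        key = base64.b64decode(kv["key"]).decode()
        if key.startswith("/registry/secrets/"):  # other kinds are skipped
            report[key] = classify_value(base64.b64decode(kv["value"]))
    return report

def plaintext_secrets(report: dict) -> list:
    """Secrets that `strings` on the db file would expose, i.e. not encrypted."""
    return sorted(k for k, v in report.items() if v.startswith("plaintext"))

def _kv(key: str, value: bytes) -> dict:
    return {"key": base64.b64encode(key.encode()).decode(),
            "value": base64.b64encode(value).decode()}

# Constructed sample (not a real dump): secret1 was written before encryption
# was enabled, secret2 after it; the ConfigMap entry is there to be skipped.
SAMPLE_JSON = json.dumps({"kvs": [
    _kv("/registry/secrets/default/secret1",
        b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret\x12\x15secretname=helloworld"),
    _kv("/registry/secrets/default/secret2",
        b"k8s:enc:aescbc:v1:key1:" + bytes(range(32))),
    _kv("/registry/configmaps/default/cm1", b"k8s\x00\n\x0f\n\x02v1\x12\tConfigMap"),
]})
```

Run it on a real dump with `plaintext_secrets(audit_etcdctl_json(open("dump.json").read()))`; Secrets created before encryption was turned on stay plaintext until they are rewritten (`kubectl get secrets --all-namespaces -o json | kubectl replace -f -`, as the linked page describes).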

https://jonathan18186.medium.com/certified-kubernetes-security-specialist-cks-preparation-part-8-runtime-security-system-9f705872c17

CKS Practice questions 2023

  • Create a RuntimeClass named sandboxed with handler runsc and run a new pod using runtime sandboxed with image nginx.
  • Set the min TLS version to VersionTLS12 and the cipher to TLS_AES_128_GCM_SHA256 for the kubelet and kube-apiserver
  • etcd with --cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • Node authorization to minimize the cluster role; remove the clusterrole and anonymous access.
  • ImagePolicyWebhook with default deny; add the correct app endpoint URL in the kubeconfig file
  • auditing with maxage=10, rotate=5
  • falco runtime format %evt,%user.name,%user.id,%proc.name
  • network policy default deny, pod with name and namespace selector
  • create a service account, bind it with a role/clusterrole binding and create a pod; delete the unused sa
  • create a secret and mount it to a pod read-only
  • Create a service account with automount token off
  • create a pod with /root/profile using AppArmor. podname=xyz, image=nginx
  • analyse 2 issues in a Dockerfile and a Deployment file
  • scan an image with trivy and delete the pod with critical severity
  • fix the kube-bench report for kube-apiserver, kubelet, kube-controller
  • Upgrade a k8s cluster from 1.25.4 to 1.26.0

Docker socket remote access

Remote access to Docker (2375 is plain TCP with no authentication; 2376 is the TLS port set up in the "Docker with TLS" section above):

   ┌─────────┐               port ┌────────┐
   │         │                    │        │
   │         │               2375 │        │
   │         ├────────────────────┤        │
   │         │           2376(TLS)│        │
   └─────────┘                    └────────┘
      client                      Docker Host

    192.168.0.10                  192.168.0.11

On docker client:

export DOCKER_HOST="tcp://192.168.0.11:2375"

With socat:

On docker host (192.168.0.114):

socat TCP-LISTEN:6644,reuseaddr,fork UNIX-CONNECT:/var/run/docker.sock

On docker client:

socat UNIX-LISTEN:/var/run/docker.sock,fork,reuseaddr,unlink-early,user=root,group=docker,mode=770 TCP:192.168.0.114:6644

Docker client:

root@lp-arm-2:~# docker ps
CONTAINER ID   IMAGE         COMMAND                  CREATED          STATUS          PORTS           NAMES
18f7aff52a13   docker:dind   "dockerd-entrypoint.…"   32 minutes ago   Up 32 minutes   2375-2376/tcp   nostalgic_jang

https://unix.stackexchange.com/questions/683688/is-it-possible-to-access-a-unix-socket-over-the-network

https://serverfault.com/questions/127794/forward-local-port-or-socket-file-to-remote-socket-file