I have to admit, I did this procedure manually way too many times, until this one time when I forgot a command along the way, and troubleshooting it was just time (and motivation) consuming.
Eventually, inevitably, an (obvious) solution will appear, so I sat myself down and wrote a “little” Ansible Playbook that just does everything for that operation to work, from start to finish, and the only regret that I have is that I did not do it sooner.
Full Disclosure — I wrote it for personal use, and as such — it is written as a “PoC” —…
Recently, as part of my work at Red Hat, a customer reached out to me and asked for my help in editing monitoring-related configurations.
The customer wanted to do pretty simple things like generating new alerting rules that are related to the infrastructure, fetching infrastructure-related metrics, renaming/relabeling some of them, etc.
OpenShift 4.x comes with a built-in monitoring stack (Prometheus, Grafana & Alertmanager). The main Prometheus instance that is responsible for scraping infrastructure-related metrics is located in the openshift-monitoring namespace and is managed by the cluster-monitoring-operator.
Here comes the catch: this main Prometheus instance is almost uneditable…
How did I even get to this topic?
During my work as a Senior Red Hat consultant, I ran into a very problematic issue that involved kernel bugs in RHCOS.
We experienced freezes on our nodes, without much information in the logs. We noticed multiple soft CPU lockup error messages in the dmesg of the relevant nodes, but we could not associate the issue with a specific process that might be causing it.
As part of our troubleshooting process, we were introduced to a Tech Preview feature called “Kdump”, and in this Medium article, I…
Welcome, we meet once again.
Anyone who wants to deploy 3scale is probably familiar with the following, most common deployment option:
But there is another, less intuitive case:
So recently someone asked me “Is it secure to expose all my backends via the same two main APIcasts (Staging & Production) that come built-in with 3scale?”
First, I got goosebumps.
You need to understand — it is quite rare that someone gets a security-oriented epiphany out of the blue, and on top of that — it is a great question in general that many won’t even think about unless they have deployed multiple 3scale instances in multiple environments.
So, following that goosebumps moment, I ran to my drawing board to explain to him what his options are in that…
So I’ve been wanting to do this series for a long time now. OpenShift is the leading platform orchestration solution for Kubernetes environments, and it has a great adoption rate and a proactive community that keeps enriching it constantly.
This entire series is going to revolve around the OpenShift 4.x versions. I see many customers who repeatedly ask about the changes from OpenShift 3.x to 4.x, the security concerns, and the new security features that they should take into consideration; they are obviously right, and there are many relevant changes, so I figured “Why not” and just started writing.
In this series of…
This article is a little bonus for those who read my previous entries:
In both, I tried to convey reasonable arguments for why we even need to know about these features and some best practices for each of them, including examples of course.
But I’ve never displayed how they integrate with one another.
So it’s time to tackle that oversight:
$ oc get scc restricted -o yaml > /tmp/my-less-restricted-scc-with-net-bind-capability.yaml
I’m kidding obviously, but not as much as you might hope;
Last time I explained what RBAC is on Kubernetes & OCP, and why it is a super important concept to grasp correctly before you give people within your organization access to work on your cluster; everything looked pretty bright back then.
SCC is a complicated topic: it lives in the twilight zone between the platform and the infrastructure itself, and it touches some crucial aspects of our cluster. But first, we need to understand how it works behind the scenes.
Before we begin I promise that I’ll do my best…
So far in my articles, I mostly presented “add-on” products that provide additional security capabilities to our cloud-driven applications, such as API Management (3scale), Service Mesh, and OpenID Connect (RH-SSO) — but none of them actually secures the day-to-day operations on the OpenShift platform itself.
Note: you can definitely deploy each of the other products I mentioned to secure OCP — I just haven't written an article on that yet; e.g. securing access to Kubernetes/OCP APIs using 3scale, securing authentication to OCP using OIDC with RH-SSO, etc.
So let’s jump right into it.
There’s a difficulty when it comes to…
In order to implement a decent end-to-end “security cover” for your apps, it is very important to understand the threats that a malicious entity would wish to exploit in order to get a solid foothold within the organization.
When it comes to exposed APIs, security gets tricky. APIs are by design meant to be exposed to external/internal clients/partners, etc. …