1
00:00:00.000 --> 00:00:01.199
Myles Brown: Kubernetes security.
2
00:00:03.270 --> 00:00:08.069
Myles Brown: His topic is going to be Kubernetes security, what you need to know. He's been an instructor.
3
00:00:09.929 --> 00:00:17.160
Myles Brown: For many, many years across many different technologies. I've worked with him, you know, here at ExitCertified for a long time. We.
4
00:00:17.400 --> 00:00:18.870
Michael Stapleton: Even work together, yes.
5
00:00:19.140 --> 00:00:38.370
Myles Brown: Yeah, we were together for many years. The session is being recorded, you may have just heard that mentioned, and you should get a recording within a day or two. We usually send it out to everybody who registered, so you'll have access to that recording and.
6
00:00:39.930 --> 00:00:52.140
Myles Brown: You'll probably also get an email follow-up. I'll talk about it a little bit at the very end of the presentation. We currently have a summer promo which gets you a pretty good deal on training courses.
7
00:00:52.560 --> 00:01:11.280
Myles Brown: And so I'll talk a little bit about some of the courses that apply to this topic, and a little bit about that promotion, at the very end. And like I said, Mike Stapleton, he's a Kubernetes expert, he's been working in IT for.
8
00:01:12.480 --> 00:01:14.190
Myles Brown: 25 plus years, I think.
9
00:01:14.190 --> 00:01:15.690
Myles Brown: 33 or 30.
10
00:01:15.930 --> 00:01:16.620
Myles Brown: Wow, that's.
11
00:01:16.830 --> 00:01:19.680
Myles Brown: Yeah, okay, a little more salt and pepper there, yeah.
12
00:01:21.420 --> 00:01:22.170
Michael Stapleton: Darkening, yeah.
13
00:01:22.200 --> 00:01:27.120
Myles Brown: Yeah, alright, well, I'll let you take it away, Mike, and like I said, I'll be manning the chat.
14
00:01:27.660 --> 00:01:36.420
Michael Stapleton: Okay, well, thank you very much, Myles. Yeah, my name is Mike Stapleton and, as he said, I, we do not have time to talk about me, so.
15
00:01:36.810 --> 00:01:43.860
Michael Stapleton: We're here to talk about Kubernetes security and what you need to know. Alright, so this is an overview.
16
00:01:44.520 --> 00:01:51.540
Michael Stapleton: In 45 minutes we don't really have time to go into all the details. There's a lot to talk about here, so it's going to come pretty quick.
17
00:01:52.530 --> 00:02:01.860
Michael Stapleton: We'll hopefully have time at the end to answer questions and stuff like that. If not, hey, I'll probably put up my email address at the end and you can send me emails, so.
18
00:02:02.400 --> 00:02:08.160
Michael Stapleton: So yeah, so let's dig right into the agenda. So we're going to start off with a refresher.
19
00:02:08.790 --> 00:02:18.810
Michael Stapleton: Hopefully you're not totally new to Kubernetes, you'll get a little more out of this, but we do got to make sure that we're kind of all in the same place, so we'll start off with a refresher.
20
00:02:19.320 --> 00:02:27.480
Michael Stapleton: And we'll talk about the four C's of cloud native security, see what that is when we get to it. The API server, so Kubernetes has an.
21
00:02:27.960 --> 00:02:32.820
Michael Stapleton: API that everything goes through. We need to deal with authentication, authorization and.
22
00:02:33.690 --> 00:02:40.890
Michael Stapleton: Well, how does that all work? Networking security, both from the cluster level and within our actual services running in our pods.
23
00:02:41.490 --> 00:02:53.220
Michael Stapleton: Containers, how containerized are things, right, in Kubernetes, and what are the issues related to that. Secrets management, so your credentials for your applications, where are they and how do you manage that.
24
00:02:53.760 --> 00:03:03.090
Michael Stapleton: Content trust, your images, the actual executable, right. I've seen a lot of articles recently talking about Kubernetes security problems and.
25
00:03:03.330 --> 00:03:12.900
Michael Stapleton: Actually, most of them were just people running applications on Kubernetes that had security problems. So how do you protect yourself from that, right? You don't want to be running images that.
26
00:03:13.560 --> 00:03:17.190
Michael Stapleton: Will have known vulnerabilities and things like that, so I'm going to talk about content trust.
27
00:03:17.670 --> 00:03:28.140
Michael Stapleton: And then, by the time we get to that, you'll see there's a lot of things that you need to do right to have an as-secured-as-possible Kubernetes cluster.
28
00:03:28.710 --> 00:03:35.460
Michael Stapleton: So wouldn't it be nice if there were some tools you could run that help you discover anything you missed, right? So we'll talk about compliance validation.
29
00:03:35.700 --> 00:03:46.980
Michael Stapleton: And finally, Myles will talk a little more about some of our training and certification offerings, and seriously, Kubernetes is complex, there's a lot of things, so training, yeah.
30
00:03:48.870 --> 00:04:01.710
Michael Stapleton: Alright, so the architecture. So just a big view here, we're showing a Kubernetes cluster, we have some nodes in here, we have worker nodes, master nodes, we got some separate machines running the etcd databases.
31
00:04:02.940 --> 00:04:12.960
Michael Stapleton: This is kind of our cluster, you can see there's a firewall around it. Kubernetes by default, and when I say default, I mean built-in default.
32
00:04:13.650 --> 00:04:21.030
Michael Stapleton: Because it depends on your particular Kubernetes, how it's running and configured and how they set it up, but the built-in default really relies on border security.
33
00:04:21.450 --> 00:04:31.800
Michael Stapleton: So make sure that these machines are not hanging on an Internet, that would be bad, not good for that. So we have a cluster of machines, the.
34
00:04:32.730 --> 00:04:42.270
Michael Stapleton: What we call the control plane, our group of machines and processes that are running Kubernetes itself, so all the processes for monitoring and launching your pods and all that.
35
00:04:43.320 --> 00:04:53.190
Michael Stapleton: We have the workers, that's our data plane. Typically we have more workers than masters, but there's kind of a minimum viable HA cluster.
36
00:04:53.730 --> 00:05:01.470
Michael Stapleton: Got three of everything. The reason for three is mostly because of the etcd database, for high availability issues, and that's a security issue.
37
00:05:02.100 --> 00:05:09.690
Michael Stapleton: It uses a majority consensus algorithm, which means you need three to be able to stay up in the event of a failure, so we.
38
00:05:10.200 --> 00:05:19.440
Michael Stapleton: Typically end up with three of everything, at least, and then more. Now the API server runs on these masters.
39
00:05:20.040 --> 00:05:25.590
Michael Stapleton: So we usually have, well, you're going to have a load balancer in front of the API server, so we can see we got a load balancer in here.
40
00:05:26.430 --> 00:05:32.880
Michael Stapleton: And we're firewalled off from the whole world. Our etcd database should be talking to nobody except the.
41
00:05:33.690 --> 00:05:40.440
Michael Stapleton: API server, and for management purposes, yeah, you should be using some kind of a bastion host or a jump host.
42
00:05:40.800 --> 00:05:48.960
Michael Stapleton: And so you connect there, and then from there you use your tools, for example kubectl, right, it talks to the API server and you can configure, monitor and do.
43
00:05:49.470 --> 00:05:59.760
Michael Stapleton: What you need to do there. In addition, for your applications to be exposed on the Internet, you're going to want to use an ingress controller of some sort, we'll see that later on quickly.
44
00:06:00.930 --> 00:06:11.280
Michael Stapleton: Yeah, that's basically a reverse proxy that you configure to expose things, and that's just, like, just a quick look at least one view of the architecture.
45
00:06:12.750 --> 00:06:18.090
Michael Stapleton: I'd like to take this opportunity to talk about the controller pattern in Kubernetes.
46
00:06:19.320 --> 00:06:30.570
Michael Stapleton: If you're familiar with it at all, or you looked at it a bit, you'll hear about controllers. Controllers do everything. A controller is a piece of software running somewhere that registers with the API server.
47
00:06:31.140 --> 00:06:38.310
Michael Stapleton: For events. If something happens, it goes off and does something, right, it's an asynchronous event-driven programming model.
48
00:06:38.760 --> 00:06:50.400
Michael Stapleton: What happens is something makes a change through the API server. The API server goes through its processes to mutate, validate, and authentication, authorization, all that, and if they make it through all those.
49
00:06:50.970 --> 00:06:57.360
Michael Stapleton: All those steps, then it gets written to the etcd database, and that's a change, that's an event that something happens.
50
00:06:57.660 --> 00:07:06.720
Michael Stapleton: And then the API server will notify all of the controllers that care about that event, and then they can go off and do something. This is a fundamental architecture.
51
00:07:07.260 --> 00:07:15.870
Michael Stapleton: Inside Kubernetes. It's also why, if you do something wrong on the command line, as long as your specification, your templates, are valid.
52
00:07:16.740 --> 00:07:22.500
Michael Stapleton: You won't get an error, but then you come back and, you know, things aren't running because the controller had a problem.
53
00:07:23.370 --> 00:07:36.300
Michael Stapleton: Right, so it, well, makes troubleshooting a little interesting, but it's an important pattern. You can make your own custom controllers to react to events, and they could be security events, that could be all kinds of things.
54
00:07:37.740 --> 00:07:49.050
Michael Stapleton: A typical example is an ingress controller. So I mentioned, to expose our applications we typically use a reverse proxy, but how do you manage the configuration of the reverse proxy? An ingress controller.
55
00:07:49.560 --> 00:07:55.770
Michael Stapleton: Kubernetes does not come with an ingress controller, you need to select one and install it, so your mileage will vary.
56
00:07:56.280 --> 00:08:08.520
Michael Stapleton: And security issues and how you tune things, how you configure things, it depends on your particular ingress controller that you install, but the basic idea of an ingress controller is it actually configures some kind of reverse proxy.
57
00:08:09.540 --> 00:08:18.540
Michael Stapleton: So an example of this pattern is an ingress controller. It watches for changes to objects of kind Ingress. If you make an Ingress object.
58
00:08:18.990 --> 00:08:34.110
Michael Stapleton: Template through the API server, it will see that event, and the specification in that Ingress object is the proxy configuration rules, so it'll see those configuration rules and it'll use it to configure the reverse proxy.
59
00:08:34.980 --> 00:08:46.410
Michael Stapleton: It also will monitor other objects like Services so that it can keep track of the changes to your back-end pods and stuff like that, and the reverse proxy is sending traffic to your pods, right.
60
00:08:46.650 --> 00:08:51.270
Myles Brown: So Mike, would you say that the ingress controller is part of the control plane?
61
00:08:54.120 --> 00:08:56.910
Myles Brown: It's kind of hard to say, that question, it.
62
00:08:56.940 --> 00:08:58.440
Myles Brown: Yeah, proxy.
63
00:08:59.550 --> 00:09:05.310
Michael Stapleton: It, it, yeah, I guess, it would, I would, I hadn't really thought of that, but yeah, I would consider it part of the control plane.
64
00:09:05.400 --> 00:09:07.680
Myles Brown: Okay, I thought it was an interesting question, I was like, I know it.
65
00:09:07.680 --> 00:09:08.760
Michael Stapleton: Is interesting, yeah.
66
00:09:09.180 --> 00:09:26.130
Michael Stapleton: Yeah, absolutely. So yeah, an ingress controller effectively is just a reverse proxy that uses a controller pattern to manage its configuration, very convenient. And again, important point here, it depends on your particular ingress controller that you install, so watch out about that.
67
00:09:27.630 --> 00:09:40.230
Michael Stapleton: All right, another little look at the network architecture, just kind of like processes and who talks to whom. So we have our API server, everything goes through the API server, so that's really significant, the command line, the controllers, everything.
68
00:09:41.160 --> 00:09:49.710
Michael Stapleton: We make changes, or controllers or something makes changes, through the API server, and that gets persisted again in the etcd database, that's an event, the controllers can be notified.
69
00:09:49.980 --> 00:10:03.720
Michael Stapleton: So there's something called a controller manager, it has all the built-in default controllers and, as I said, you can run your own, and they could be running as pods on the cluster or off the cluster, as long as they have access to the API server.
70
00:10:05.280 --> 00:10:20.520
Michael Stapleton: Scheduler, scheduling on the workers. Yeah, kubelet, so kubelet is a big guy for security here. It has an API that the API server communicates with, and by default it's not secured, it does not do authentication and authorization.
71
00:10:22.560 --> 00:10:29.880
Michael Stapleton: So the network in between your master processes and your workers needs to be secured.
72
00:10:30.660 --> 00:10:38.010
Michael Stapleton: We'll see some ways of doing that in a bit, but that comes back to what we were seeing there earlier, border security.
73
00:10:38.820 --> 00:10:52.620
Michael Stapleton: If you are doing some kind of a cluster where you have some nodes on the cloud and maybe some on-prem, that whole network connection, you know, someone can launch anything on there, well, they might be able to talk to the.
74
00:10:53.880 --> 00:10:59.610
Michael Stapleton: Kubelet, that's a problem, and, for example, you can exec things into your containers, right.
75
00:11:00.570 --> 00:11:07.500
Michael Stapleton: Pods, well, that's your applications and your containers, they talk whatever protocols they want, so sure, they can do HTTP and.
76
00:11:08.010 --> 00:11:11.640
Michael Stapleton: A little bit of inter-process communications on the nodes themselves, so yeah, you got also.
77
00:11:12.240 --> 00:11:23.580
Michael Stapleton: Also, I'm, you know, we're talking about Kubernetes security here, of course these are just operating systems, typically running Linux, could be running Windows, they got to be secured. I'm not going to get into OS.
78
00:11:24.210 --> 00:11:29.580
Michael Stapleton: Security right there, but absolutely, if someone gets root access on one of your worker nodes.
79
00:11:32.490 --> 00:11:43.380
Michael Stapleton: No, don't let that happen, right. The four C's of cloud native security, what the heck is that? Well, sure, so, if you look at running some containerized application.
80
00:11:44.370 --> 00:11:55.500
Michael Stapleton: Well, you have the actual executable code that comes from the images, so that needs to be vetted and scanned, monitored, make sure you're running the right code, latest, updated, patched, again.
81
00:11:56.160 --> 00:12:08.670
Michael Stapleton: It is containerized, which simply means you have processes executing your code and Linux kernel features have been applied to it to contain it, to restrict it, to isolate it.
82
00:12:09.480 --> 00:12:18.030
Michael Stapleton: That needs to be configured appropriately. That is configurable in Kubernetes when you create a pod specification, say hey, run this pod.
83
00:12:18.450 --> 00:12:33.360
Michael Stapleton: You can make it more contained, you can apply greater security, greater containerization, more kernel features to it, or less. If someone can create a pod and you don't do something to control the specification of it.
84
00:12:33.990 --> 00:12:39.390
Michael Stapleton: Yeah, they can basically launch some processes on the nodes that they're running on that have root access.
85
00:12:39.900 --> 00:12:56.100
Michael Stapleton: They can access the whole node, so you absolutely have to control, you know, who do you trust, what do you trust to create pods, and have some way of enforcing configuration of those pods. More on that in a second.
86
00:12:57.120 --> 00:13:06.450
Michael Stapleton: And then, of course, those containerized applications are running on a node, cluster nodes, so we have to worry about the networking in between the nodes and everything, and then that's running on.
87
00:13:07.050 --> 00:13:15.720
Michael Stapleton: Some kind of a network, right, so maybe it's a cloud, so the cloud APIs and everything have to protect it, anyone who can delete your cluster.
88
00:13:16.200 --> 00:13:26.880
Michael Stapleton: Right, if you're using a managed Kubernetes service. And so you're only as secure as your weakest link, and this just gives you kind of an overview of all the different places you need to consider.
89
00:13:27.540 --> 00:13:34.200
Michael Stapleton: Of course, we're just kind of looking at the Kubernetes part in the middle here, but you need to think outside of the box too.
90
00:13:35.850 --> 00:13:41.940
Michael Stapleton: While we're talking about security, just as a general reminder, right, we want confidentiality.
91
00:13:43.050 --> 00:13:54.360
Michael Stapleton: Not, hide, hide your data so people can't see the data being sent back and forth. Integrity, sometimes a little less obvious, you can't just encrypt data, you also got to protect it so it can't be changed.
92
00:13:55.200 --> 00:14:07.320
Michael Stapleton: Because that's a vulnerability. And availability is a security issue, think of denial of service attacks, right, so if your services go down, either on purpose or by accident, everything needs to be, you know, fault tolerant and scalable.
93
00:14:07.980 --> 00:14:16.500
Michael Stapleton: So you got to consider all of that at every level. Some of the principles to think about is like the least privilege principle, which just means.
94
00:14:16.920 --> 00:14:25.140
Michael Stapleton: Anything should only have the privileges and access to do what it needs to do when it needs to do it, so you don't have root access if you don't need root access.
95
00:14:26.100 --> 00:14:37.470
Michael Stapleton: Reducing attack surface, hiding, so hiding and removing things, so don't run things you don't need to be running, don't have tools that you're not using.
96
00:14:38.580 --> 00:14:49.950
Michael Stapleton: Minimize everything possible, and then of the things that you do have, they should be hidden from, you know, firewalls basically, right, meaning, and you got to do it everywhere, as I said.
97
00:14:51.090 --> 00:15:08.940
Michael Stapleton: Oh, you get that, that's just basic, right. Okay, as I said, the details depend on your deployment. Kubernetes is a framework, you plug in how you want to do networking, how you want to do monitoring, how you, so your mileage will vary, let's say.
98
00:15:10.560 --> 00:15:20.910
Michael Stapleton: So yeah, like if you install Kubernetes using kubeadm yourself, it's going to be very different, what you have, as opposed to, you know, Google Kubernetes Engine or.
99
00:15:21.600 --> 00:15:37.080
Michael Stapleton: Amazon EKS or something, right. So everything I'm talking about here, check your details, it depends, right, that's kind of an annoying thing. So, for example, the networking, how networking works, if you've looked at that in Kubernetes.
100
00:15:38.100 --> 00:15:47.790
Michael Stapleton: It's hard to figure out, and the reason is because there is no built-in default way the networking works. If you use kubeadm to set up your cluster, maybe you install a networking plugin, Calico.
101
00:15:48.060 --> 00:15:55.680
Michael Stapleton: Well, how networking actually works and what security features are available and how you tune things will be very different if you use Calico compared to, let's say.
102
00:15:56.340 --> 00:16:11.250
Michael Stapleton: Amazon Web Services has a VPC CNI, they call it, a different network plugin, it works significantly differently, so you got to check the documentation, so you got to know your cluster, they're not all the same, depends on who set it up and what they plugged into it.
103
00:16:12.330 --> 00:16:21.030
Michael Stapleton: The authentication for the API server, authentication is typically, if you're using a managed cluster, it's integrated with the cloud provider.
104
00:16:22.440 --> 00:16:32.910
Michael Stapleton: Okay, check with their documentation if you're using a managed service, absolutely check and figure out. If you're doing your own kubeadm on-prem or something, well, there's a lot of options there.
105
00:16:34.260 --> 00:16:39.960
Michael Stapleton: As I said, no default logging or monitoring, you're going to need those things, and there's no default UI.
106
00:16:41.850 --> 00:16:50.340
Michael Stapleton: Which, personally, is not always a bad thing. Again, we want to minimize, right, so reduce the attack surface, watch out about your tools.
107
00:16:50.610 --> 00:16:58.020
Michael Stapleton: And the tools, you got to protect those as well. That's often how they end up with security problems, people get access to the tools and then they get access to the cluster.
108
00:16:59.460 --> 00:17:00.810
Michael Stapleton: Yeah, check documentation.
109
00:17:01.830 --> 00:17:12.390
Michael Stapleton: Kubernetes is not secure by default, gotta say that, right. If you really need to isolate things, you really want to look at having more, smaller clusters.
110
00:17:12.870 --> 00:17:24.150
Michael Stapleton: Envisioning having one big Kubernetes cluster and just running everything on it is going to be problematic, you have to go out of your way to isolate things and secure stuff from inside the cluster.
111
00:17:26.040 --> 00:17:38.340
Michael Stapleton: For example, all pods can communicate with all other pods and any processes running on the nodes by default, so there's that border security, inside everything can talk to everything, right.
112
00:17:39.240 --> 00:17:49.620
Michael Stapleton: As I mentioned, the actual data plane to control plane communications isn't fully secured by default, and check with your deployment.
113
00:17:50.460 --> 00:18:09.450
Michael Stapleton: Containers, as I mentioned earlier, also containers are just processes that have Linux kernel features applied. Which ones, right? By default, basic, very little, right, compared to what you could do, and the pod spec decides, so anyone that can create a pod can reduce it.
114
00:18:10.470 --> 00:18:25.500
Michael Stapleton: Containers can use all the resources on the node, yeah, by default there's no limits, it's not a VM, right, so there's no limits on the amount of CPU, memory, so any one process in any one container on a node can take out the whole machine.
115
00:18:28.830 --> 00:18:39.360
Michael Stapleton: Right, so yeah, denial of service attack, on purpose or not, there. So if you really need to isolate things, yeah, you run them on separate nodes, scheduling can help with that.
116
00:18:39.960 --> 00:18:48.210
Michael Stapleton: The etcd database, very significant, it stores all of our configuration for everything and, significantly, it also stores our.
117
00:18:48.720 --> 00:18:57.480
Michael Stapleton: Secrets, which is used for credentials for applications. It's not encrypted by default and it's not backed up by default, there isn't a backup tool.
118
00:18:57.780 --> 00:19:09.330
Michael Stapleton: In Kubernetes if you just install it raw yourself, so you need to take care of that database and protect the data. And, last but not least, it'll run anything you tell it to run.
119
00:19:11.310 --> 00:19:22.590
Michael Stapleton: Absolutely, all of these things can be addressed, and that's what we're going to look at, how you address them, but these are just like, these are problems that you need to look at and be aware of, right. So I'm saying it's kind of an overview, but.
120
00:19:23.070 --> 00:19:31.050
Michael Stapleton: I'm gonna dig into these. So starting off with the API server, right, so the API server.
121
00:19:31.650 --> 00:19:39.990
Michael Stapleton: It has another type of controller that's really, really, really, really significant here, they're called admission controllers. There's two types of them.
122
00:19:40.350 --> 00:19:49.260
Michael Stapleton: There's mutating admission controllers and validating admission controllers. Anytime anything, excuse me, anything is making a change.
123
00:19:50.040 --> 00:19:56.130
Michael Stapleton: Through the API server, the API server will do authentication, authorization, so you have to be.
124
00:19:56.640 --> 00:19:59.880
Michael Stapleton: Figure out who you are, and then based on who you are, you're allowed to do what you're doing.
125
00:20:00.300 --> 00:20:08.760
Michael Stapleton: And then it goes through the mutating admission controllers. These things can change your template. If you've ever created something in Kubernetes.
126
00:20:09.000 --> 00:20:20.130
Michael Stapleton: You'll notice that if you create it, you have your template, so you have what you configured. If you then retrieve that configuration, you do a kubectl get, there's going to be a lot of stuff in there that you didn't set.
127
00:20:20.610 --> 00:20:28.200
Michael Stapleton: Mutating admission controllers can change the template. This is a key way that we enforce security.
128
00:20:28.680 --> 00:20:39.000
Michael Stapleton: As earlier we talked about pods, and I said in the specification we can reduce security by basically running privileged containers and giving them full access to nodes.
129
00:20:39.300 --> 00:20:53.430
Michael Stapleton: Well, not if we have a mutating admission controller that's adding, or validating, those security settings. So mutating can change it, validating just can say yes or no, so they can deny that, no, not going to do that.
130
00:20:54.780 --> 00:21:03.300
Michael Stapleton: And then, finally, if you make it through that, then it gets persisted to the etcd database, and then the other controllers, the more common ones, then they actually.
131
00:21:03.960 --> 00:21:16.950
Michael Stapleton: Get, they go off and do, you know, create the pod or whatever it is, the template that you created there. So yeah, mutating admission control is really important. There's a bunch of built-in ones we're going to see and, again, you can create your own.
132
00:21:18.660 --> 00:21:27.510
Michael Stapleton: Mm hmm, alright, so step number one, the API server authentication. There's no users in Kubernetes.
133
00:21:28.350 --> 00:21:40.080
Michael Stapleton: Basically, an authentication module, which is pluggable, there's a whole bunch of built-in ones, and it does support webhooks, so you can integrate with some external identity and access management system.
134
00:21:41.790 --> 00:21:48.150
Michael Stapleton: It resolves to a subject. A subject is either a user with groups or a service account.
135
00:21:49.230 --> 00:22:02.490
Michael Stapleton: It's just a name, right. So if we go back here, we got the authentication and authorization. The authentication part just says, yeah, this is John and he belongs to the groups test and dev.
136
00:22:03.300 --> 00:22:08.370
Michael Stapleton: Then the authorization step uses that information to decide if they're allowed to do what they're doing.
137
00:22:09.420 --> 00:22:12.270
Michael Stapleton: So there's no users that are pre-created here.
138
00:22:13.590 --> 00:22:24.660
Michael Stapleton: Another little security issue in here, yeah, anonymous access by default, again depending on your deployment, but the built-in default is anonymous access is enabled.
139
00:22:25.290 --> 00:22:34.470
Michael Stapleton: So if you don't provide some kind of authentication information when the request is coming in, and you can see we support a lot of stuff built in.
140
00:22:35.370 --> 00:22:42.750
Michael Stapleton: Bearer tokens, OpenID Connect, you can have a proxy server in front that adds the credentials as HTTP headers, it can do basic auth.
141
00:22:43.200 --> 00:22:51.540
Michael Stapleton: If none of those authenticate the user, then they will automatically be a user called system:anonymous who belongs to a group system:unauthenticated.
142
00:22:52.020 --> 00:23:01.470
Michael Stapleton: Which by default doesn't have permission to do anything, so it's not that bad, but that can be turned off, and for security purposes, I would.
143
00:23:03.180 --> 00:23:13.020
Michael Stapleton: The other subject type is a service account. A service account is something you create, it's in Kubernetes, so you get an object type that gets persisted in the etcd database.
144
00:23:13.380 --> 00:23:19.560
Michael Stapleton: When you create a service account, it creates a secret, and that secret has an OpenID Connect token in it.
145
00:23:20.310 --> 00:23:28.290
Michael Stapleton: So, if someone uses that OpenID Connect token to authenticate to the API server, then they will be.
146
00:23:29.010 --> 00:23:40.290
Michael Stapleton: Their subject type will be a service account of that name, and then under authorization we can say, well, if it's this service account it's allowed to do X, Y and Z. That's the idea of service accounts.
147
00:23:42.090 --> 00:23:51.990
Michael Stapleton: Authorization. So once we, you're either a name, and also the UID in there as well, and/or an array of groups that you belong to, again just strings.
148
00:23:52.590 --> 00:23:56.220
Michael Stapleton: Or a service account, then we have to decide, are you allowed to do what you're trying to do.
149
00:23:56.520 --> 00:24:01.560
Michael Stapleton: Webhooks are supported, again, for integrating with your own identity and access management systems.
150
00:24:01.800 --> 00:24:17.370
Michael Stapleton: The API server can basically do an HTTP POST to your external service saying, hey, this is John, belongs to these groups and he's trying to do, you know, creating pods, are they allowed to do that, and your server can say whatever you want to do, so that's convenient.
151
00:24:18.960 --> 00:24:30.660
Michael Stapleton: But you'd have to create those. The built-in way of doing authorization is role-based access control. With role-based access control, we create roles, roles list privileges.
152
00:24:31.050 --> 00:24:35.040
Michael Stapleton: And so a role is a list of what you're allowed to do, it's only allows.
153
00:24:35.580 --> 00:24:49.080
Michael Stapleton: And then we need to associate a role with a subject. This is through what we call binding, we bind a role, which is a list of privileges, to a subject, so if someone authenticates as that subject or service account.
154
00:24:49.890 --> 00:24:59.160
Michael Stapleton: Type subject, right, then they will have the privileges of that role, and many roles can be bound to the same subjects.
155
00:24:59.850 --> 00:25:08.280
Michael Stapleton: Really important key thing here is the binding part. We have what's called a cluster role binding and a role binding. Cluster means it's cluster-wide.
156
00:25:08.910 --> 00:25:19.890
Michael Stapleton: So for binding, if you use a cluster role binding to bind a subject to a cluster role, you are giving them whatever those privileges are in any namespace.
157
00:25:20.520 --> 00:25:22.590
Michael Stapleton: Across the, and so anything within the cluster.
158
00:25:23.400 --> 00:25:36.600
Michael Stapleton: If you use a role binding, something that doesn't have the cluster name in there, then that's created in a namespace, and you are only giving them whatever privileges in that role or cluster role that they're bound to, just within that namespace.
159
00:25:37.050 --> 00:25:43.290
Michael Stapleton: And so a role binding grants permissions within the namespace, whereas a cluster role binding grants that cluster-wide.
160
00:25:44.580 --> 00:25:52.800
Michael Stapleton: So yeah, we can restrict who can do what within a namespace, that helps isolate, and so that comes along with the least privilege idea.
161
00:25:54.660 --> 00:26:05.370
Michael Stapleton: Here's an example, just a quick one, of RBAC configuration. So this is again kubectl, it's in the etcd database. We have a Role; it can be a ClusterRole, that would work as well.
162
00:26:06.060 --> 00:26:19.440
Michael Stapleton: And since it's a Role it's in a namespace; ClusterRoles just aren't. Other than that, they have rules which specify what you're allowed to do. So in this example the things you're allowed to do: you can do get, create and list for pods.
163
00:26:20.670 --> 00:26:30.660
Michael Stapleton: Cool, so you create that, then we need to associate it with a subject, and that's through a binding. Now we're using a RoleBinding, so that's in a namespace; we're just going to give some subjects
164
00:26:30.960 --> 00:26:49.950
Michael Stapleton: access to whatever they're allowed to do in the Role, just within that namespace. So the namespace is development, the subject is a user that resolved to the string pquigley, so pquigley will be allowed to do pod get, create and list within the development namespace.
165
00:26:51.600 --> 00:27:00.690
Michael Stapleton: And that's because of the role reference. So we've, you know, bound pquigley with the Role called pod create; that's the binding right there. You can see it's an array, there could be a bunch of them.
166
00:27:02.010 --> 00:27:12.210
Michael Stapleton: Now, if this is the only Role bound to them, then yeah, they'll only be able to do that in that namespace; there could be other bindings that give more access.
167
00:27:13.410 --> 00:27:17.010
Michael Stapleton: That's kind of an example of the built-in role-based access control.
168
00:27:19.080 --> 00:27:30.930
Michael Stapleton: Yeah, API server, another important thing is auditing. You want to make sure you know who's doing what, when, where. That is configurable; you need to create an audit policy file
169
00:27:31.890 --> 00:27:40.110
Michael Stapleton: on the API server. So wherever your API server is running you create a policy file, and then there's an argument to the API server that specifies the name of the file.
170
00:27:40.530 --> 00:27:52.380
Michael Stapleton: Inside that policy file you control the level and what is audited, so you can increase auditing, you can audit only certain types of events; that's all configurable.
171
00:27:53.190 --> 00:28:05.790
Michael Stapleton: You also tell it where to log to. There are kind of two built-in options: a file on the API server, or you can have the API server do HTTP POSTs of the audit events to an external server.
172
00:28:06.450 --> 00:28:15.000
Michael Stapleton: That's a good idea if you can do it. Bottom line is, make sure you are doing auditing and that it's off the machines
173
00:28:15.510 --> 00:28:21.300
Michael Stapleton: somehow. So if you're doing it to a log file you're going to want to mount a volume or something there, so that the data is off the machines.
174
00:28:22.200 --> 00:28:31.980
Michael Stapleton: Again, if you're using a managed Kubernetes service, check with their documentation; they might already have it, you know, integrated with, like, CloudTrail or something if you're on Amazon.
175
00:28:35.130 --> 00:28:52.260
Michael Stapleton: Alright, networking security. Yeah, pod networking, so again all pods can communicate with each other, not good for least privilege, so we can configure what are called network policies, basically a firewall, so you set up firewall rules that allow only certain pods to talk to other pods.
176
00:28:53.430 --> 00:29:02.670
Michael Stapleton: Your mileage will vary, again depending on your network plugin, so check with the documentation for your particular network plugin and your Kubernetes cluster to see
177
00:29:03.210 --> 00:29:10.590
Michael Stapleton: whether they support it or not. So just creating a network policy doesn't mean it's actually firewalling anything, so test, test, test.
178
00:29:11.820 --> 00:29:19.920
Michael Stapleton: Host networking: when I create a pod I can just say, you know, hostNetwork true in part of its specification,
179
00:29:20.400 --> 00:29:32.190
Michael Stapleton: which means it's now just a process sitting on the TCP/IP stack of the node. It's hanging out on the network; it can use localhost to talk to any other processes on that machine.
180
00:29:33.210 --> 00:29:40.440
Michael Stapleton: Um, so again you're going to want to control that, so when pods are being created, don't do that unless you really, really, really need to.
181
00:29:41.400 --> 00:29:48.150
Michael Stapleton: Right, now to help with security there's some other things that you can add in here. The ingress controller, absolutely.
182
00:29:48.750 --> 00:29:57.840
Michael Stapleton: You don't really just want to use port forwarding, another option with services in Kubernetes to expose things; ingress is much more flexible for sure.
183
00:29:58.380 --> 00:30:06.210
Michael Stapleton: Another idea is a service mesh. So there's service meshes that support Kubernetes, like probably all of them now.
184
00:30:06.840 --> 00:30:12.900
Michael Stapleton: Examples would be like Istio or Linkerd. A service mesh, the basic idea is that, instead of your
185
00:30:13.350 --> 00:30:24.450
Michael Stapleton: components, your processes running in our containers and our pods, instead of them talking directly to each other, they send everything to the service mesh, so it centralizes the configuration and management of
186
00:30:25.470 --> 00:30:35.280
Michael Stapleton: your network traffic. Right, now the actual architecture, the traffic won't be, it's not a bottleneck or anything, so take a look at your particular service
187
00:30:36.390 --> 00:30:46.200
Michael Stapleton: mesh on how it actually works, but from a management standpoint it gives you centralized configuration and control of everything, so that's really powerful.
188
00:30:48.090 --> 00:31:00.060
Michael Stapleton: So using the service mesh is probably a really good idea; it's much more flexible than just doing network policies, because it can do things like logging and monitoring metrics. Yeah, they're pretty, pretty darn cool; take a look if you haven't.
189
00:31:01.260 --> 00:31:14.730
Michael Stapleton: Example: Amazon, Amazon, Google Kubernetes Engine, GKE, one of the options is just a single checkbox: hey Google, create me a Kubernetes cluster and, by the way, I want Istio, and it's installed, so
190
00:31:15.810 --> 00:31:19.140
Michael Stapleton: yeah, check your documentation, definitely something to take a look at.
191
00:31:20.490 --> 00:31:28.200
Michael Stapleton: The cluster itself, the nodes: as I mentioned earlier, not all communication is secured between the data plane and the control plane.
192
00:31:29.610 --> 00:31:39.540
Michael Stapleton: If you have an unsecured network in between the nodes, then originally what you could use, you can set up what's called SSH tunneling; it's supported by Kubernetes. Check
193
00:31:39.990 --> 00:31:52.740
Michael Stapleton: the Kubernetes documentation. They have a new service called the Konnectivity service, and effectively it does the same thing, except instead of just using SSH daemons for tunneling the traffic
194
00:31:53.280 --> 00:32:01.620
Michael Stapleton: it uses dedicated processes to do that; basically it acts like a proxy. The data plane is your worker nodes,
195
00:32:02.640 --> 00:32:08.700
Michael Stapleton: right, so where your worker processes are, and the control plane is all the processes for Kubernetes itself.
196
00:32:11.400 --> 00:32:18.510
Michael Stapleton: So yeah, Istio as a service mesh, you know, check, check out this article.
197
00:32:19.830 --> 00:32:23.400
Michael Stapleton: Yeah, Konnectivity service, yeah, documentation in Kubernetes.
198
00:32:24.900 --> 00:32:35.970
Michael Stapleton: For sure, for sure. Also another little detail: the API server listens on localhost, and any traffic coming from localhost, so from the same machine,
199
00:32:36.360 --> 00:32:46.860
Michael Stapleton: well, same TCP/IP stack there, and you know, um, yeah, it'll just accept whatever; there's no authentication, authentication and authorization is bypassed by default.
200
00:32:47.190 --> 00:32:55.290
Michael Stapleton: So this is a good reason not to let your API server just, you know, run other things on it, like pods.
201
00:32:55.950 --> 00:33:10.530
Michael Stapleton: So, if someone runs a pod on the same machine that's running your API server and they use host networking, well, they can just talk directly to the API server and bypass your authentication and authorization. Um.
202
00:33:14.190 --> 00:33:25.890
Michael Stapleton: A worker node is just the name for a computer that runs our, right, and we talked about data plane, we're just talking at a higher level, all, you know, where we run our processes and everything.
203
00:33:26.430 --> 00:33:31.770
Myles Brown: People are having fun with your typos on control plane vs pain.
204
00:33:32.640 --> 00:33:35.460
Michael Stapleton: Okay, yeah, just noticed that, it looks like.
205
00:33:35.520 --> 00:33:37.530
Myles Brown: And then plein de la vie en.
206
00:33:37.710 --> 00:33:39.480
Myles Brown: yeah any.
207
00:33:41.850 --> 00:33:43.920
Myles Brown: lips propane is actually an interesting one.
208
00:33:44.220 --> 00:33:45.660
Michael Stapleton: I think, yeah, I think I should leave that in.
209
00:33:46.620 --> 00:33:47.040
whoops.
210
00:33:49.170 --> 00:33:58.560
Michael Stapleton: Yeah, sorry, um, yeah, cluster networking, other little issues here. Like I mentioned, the kubelet is not secure by default.
211
00:33:59.070 --> 00:34:09.300
Michael Stapleton: So, if someone can talk to the kubelet port, it's listening on, I forget, 10,000-something off the top of my head there, yeah, they can do things like exec into your containers.
212
00:34:10.020 --> 00:34:24.660
Michael Stapleton: So you've got to hide that. There's command line arguments to kubelet; the defaults are the anonymous-auth flag true, so there's just a command line argument anonymous-auth, it's set to true, and authorization-mode is set to AlwaysAllow; those are the defaults.
213
00:34:25.830 --> 00:34:26.130
Michael Stapleton: yeah.
214
00:34:27.420 --> 00:34:34.050
Michael Stapleton: If you change those you also have to reconfigure the API server, because now it has to authenticate, so you've got to change these things at the same time.
215
00:34:34.860 --> 00:34:45.750
Michael Stapleton: Yeah, make sure people can't talk to the API server directly, they can't talk to the kubelet directly. Watch out about any tools you're using, make sure you secure those as well, right, firewalls everywhere.
216
00:34:48.540 --> 00:35:04.020
Michael Stapleton: And then the containerization level. So yeah, you know, if you can create a pod you can do the specification, nothing's stopping you, you can run processes like that, that's the bottom line, right. The
217
00:35:04.650 --> 00:35:21.780
Michael Stapleton: how-containerized settings within the pod specification is something called a security context. It can set defaults at the pod level or more details at the container level; either way, security contexts are used to increase or decrease how containerized something is.
218
00:35:22.980 --> 00:35:26.250
Michael Stapleton: By the way, they don't work on Windows, just saying.
219
00:35:27.690 --> 00:35:38.190
Michael Stapleton: Pod security policies can be enabled and used to enforce constraints and defaults on your security contexts.
220
00:35:38.610 --> 00:35:48.750
Michael Stapleton: And so you can say no, we don't support host networking, nope, you can't do privileged containers, nope, no, by the way, you have to have these default security settings.
221
00:35:49.230 --> 00:36:06.480
Michael Stapleton: That's all in something called pod security policy. As soon as you enable that you have to create security policies and apply them using RBAC to controllers and users that want to actually create pods. As soon as you enable this feature, no one can create pods, nothing can create pods.
222
00:36:07.770 --> 00:36:20.370
Michael Stapleton: It is, well, deprecated, so it's been deprecated and they plan to remove it in 1.25. So its more feature-full replacement is basically using something called OPA Gatekeeper.
223
00:36:20.760 --> 00:36:33.690
Michael Stapleton: OPA Gatekeeper is a mutating admission controller, among other things, and you can use it to validate and mutate the security context, along with all kinds of other things.
224
00:36:34.410 --> 00:36:47.400
Michael Stapleton: So that's looking forward, or presently, to something to take a look at. Currently it's still beta, but it's being used by a lot of people; much more features, whereas security policies were just for pods.
225
00:36:47.940 --> 00:36:56.220
Michael Stapleton: I guess the only thing I really liked about pod security policies: as soon as you enabled it, you were secure by default, at least as far as the security context configuration.
226
00:37:01.980 --> 00:37:10.200
Michael Stapleton: And that is pretty cool too. I'm not mentioning everything that's out there, like, guys, this is an overview, to give you a good idea of what's, these are some of the more common things, I guess.
227
00:37:11.520 --> 00:37:19.890
Michael Stapleton: Yeah, resource controls. I mentioned, you know, denial of service, so processes that execute, running in our containers, can take out
228
00:37:20.520 --> 00:37:27.810
Michael Stapleton: the whole node it's running on. So if you need to protect things from each other, you, in the end, need to apply
229
00:37:28.800 --> 00:37:43.620
Michael Stapleton: resource controls, but even if you do resource controls, like the basic resource controls for CPU and memory, there's more kernel resources than that. So if you really, really need to isolate things, then they really should be running on separate nodes.
230
00:37:44.700 --> 00:37:48.420
Michael Stapleton: This is scheduling, so part of your configuration
231
00:37:49.020 --> 00:37:58.590
Michael Stapleton: is telling the scheduler, by the way, I want these things on separate nodes. The ways we can do that: in your pod spec you can create what's called a pod
232
00:37:58.860 --> 00:38:03.180
Michael Stapleton: topology spread; its configuration are hints to the scheduler
233
00:38:03.480 --> 00:38:15.150
Michael Stapleton: or commands, configurable, saying hey, run these over here. It's related to nodes; it could be related to just run them in separate availability zones on a cloud, because I don't want to have all my pods
234
00:38:15.330 --> 00:38:21.990
Michael Stapleton: running on nodes in the same availability zone, so if I have a failure of my cloud, you know, I lose all my processes.
235
00:38:22.860 --> 00:38:34.470
Michael Stapleton: That's, that's one way. The other way, a little kind of, newer, more original way, was pod affinity and anti-affinity rules; again this is in your pod specifications.
236
00:38:35.130 --> 00:38:46.650
Michael Stapleton: They again can be used to say run these things together, or run them apart, or run them on certain nodes. Using your pod topology spread or affinity rules
237
00:38:47.580 --> 00:38:50.730
Michael Stapleton: you can use that to run things together or separate.
238
00:38:51.420 --> 00:38:59.640
Michael Stapleton: Definitely take a look at those. Scheduling is complex; there's lots of different ways of accomplishing the same things. We also have what are called taints and tolerations.
239
00:39:00.090 --> 00:39:08.610
Michael Stapleton: Basically we can poison certain nodes so they will not run certain pods. For a pod to run on that node it has to have certain tolerations.
240
00:39:09.060 --> 00:39:13.290
Michael Stapleton: So saying don't run these on those machines: taints and tolerations.
241
00:39:14.040 --> 00:39:31.230
Michael Stapleton: Pod topology spread, one of its benefits is you can actually set defaults for it; it doesn't have to be configured into each and every pod specification, whereas affinity rules do. Again, you can use a mutating admission controller or something to enforce those
242
00:39:32.310 --> 00:39:33.870
Michael Stapleton: if you needed to, or to validate it.
243
00:39:35.520 --> 00:39:43.530
Michael Stapleton: Another issue, resource controls, is your ephemeral storage. So by default, you create a container, they have a read-write layer.
244
00:39:44.700 --> 00:39:47.040
Michael Stapleton: If your processes are writing just
245
00:39:47.610 --> 00:40:01.500
Michael Stapleton: to a local directory, it's using up space on the node. So a process that maybe is creating incredible amounts of logs for some reason could fill up the root file systems on your nodes if you don't have that data, you know, on separate
246
00:40:02.010 --> 00:40:04.920
Michael Stapleton: volumes or things, which typically nowadays we don't
247
00:40:05.730 --> 00:40:14.100
Michael Stapleton: want. So yeah, that's another way they can take out the machine. One way to address that is a setting that you can do, a read-only file system.
248
00:40:14.430 --> 00:40:22.380
Michael Stapleton: So we can set a read-only file system on it and now it won't be able to, actually, it'll be denied, so that helps.
249
00:40:23.340 --> 00:40:27.450
Michael Stapleton: Then some mutating controllers you're going to want to look at: LimitRanger.
250
00:40:28.110 --> 00:40:35.790
Michael Stapleton: You create configuration objects for the LimitRanger mutating controller and it'll set defaults and enforce max and min
251
00:40:36.210 --> 00:40:42.090
Michael Stapleton: resource controls, so you know, max memory, max CPU, those kinds of things. Definitely going to want to set that up.
252
00:40:42.870 --> 00:40:50.580
Michael Stapleton: Quotas, another mutating controller: whenever you go to create things through the API server we can validate you don't have too many of something.
253
00:40:51.060 --> 00:40:58.530
Michael Stapleton: Quotas can be used for total amount of memory. So LimitRanger is cool because you can enforce certain
254
00:40:59.430 --> 00:41:06.150
Michael Stapleton: CPU and memory limits and constraints on our pod specifications, but then you can create as many pods as you want.
255
00:41:06.780 --> 00:41:17.820
Michael Stapleton: So then, you know, if you want to control the total amount of memory or CPU across all the pods someone can create within, you can use quotas to do that, or just a total number of pods, or the total number of something.
256
00:41:18.990 --> 00:41:24.510
Michael Stapleton: These guys work also at the namespace level, so you can have different configurations in different namespaces.
257
00:41:25.590 --> 00:41:39.720
Michael Stapleton: And there's a new feature coming out, they're working on, not sure if it's out of beta or anything, but anyway, ephemeral storage limits can be configured as well, so anything that's creating data that is being written on your nodes.
258
00:41:43.770 --> 00:41:51.810
Michael Stapleton: Just ephemeral, just data written to some directory on your nodes, and when the pod goes away it gets, what, that's what we mean by ephemeral.
259
00:41:53.100 --> 00:42:05.640
Michael Stapleton: The etcd database: where are your credentials kept? And it's not encrypted, it's not backed up. Check with kubernetes.io for how to set up encryption, and lots of
260
00:42:06.120 --> 00:42:14.580
Michael Stapleton: training as well to help you do that, but by default you just, too bad, there's no encryption at rest and it's not being backed up, so make sure about that.
261
00:42:15.030 --> 00:42:25.770
Michael Stapleton: Now, a very useful idea for your credentials, at least, is to integrate it with some external secret management solution. Kubernetes secrets, just
262
00:42:26.280 --> 00:42:34.050
Michael Stapleton: you put the credentials in it and you're done, you know; if you need to update credentials or something you have to do that all yourself.
263
00:42:34.650 --> 00:42:44.070
Michael Stapleton: So, for example, like HashiCorp Vault, it's a secret management system, it'll help rotate your secrets and secure them and,
264
00:42:44.460 --> 00:42:53.610
Michael Stapleton: you know, help you manage them. The big one is the rotating of the secrets and everything for you. Another example for Amazon, if you want to integrate with AWS Secrets Manager,
265
00:42:54.210 --> 00:43:13.230
Michael Stapleton: they have a Secrets Store CSI driver. It's not crime scene investigation there, it's a container storage interface, and basically a plugin for volume management; it can be used to integrate, you know, credential management with AWS secrets, and there are others out there, you want to look at that.
266
00:43:14.490 --> 00:43:24.120
Michael Stapleton: Hey, content trust, yes, so integrity of your images. Don't use the latest images for everything.
267
00:43:25.920 --> 00:43:32.880
Michael Stapleton: You know, that's a whole other issue to get into, but you're going to want to make sure that your images are up to date.
268
00:43:34.230 --> 00:43:35.940
Michael Stapleton: You know, vulnerabilities are discovered.
269
00:43:36.480 --> 00:43:55.980
Michael Stapleton: Some ways to do that: it can be done maybe by the registry, so, for example, Mirantis Secure Registry, it can scan your images every time you're uploading them or reading them and notify you of any known vulnerabilities. Another example is Amazon's Elastic Container Registry.
270
00:43:57.210 --> 00:43:59.130
Michael Stapleton: It supports scanning as well.
271
00:44:01.260 --> 00:44:11.520
Michael Stapleton: Another thing is, if you don't have that, well, Trivy. Trivy is a command line tool that you can use to scan images if your repository doesn't.
272
00:44:12.300 --> 00:44:18.600
Michael Stapleton: So you might want to take a look at that. Either way, you want to look for vulnerabilities in your images and keep them up to date.
273
00:44:19.440 --> 00:44:27.390
Michael Stapleton: Now signing, yeah. Another issue is you would prefer not to just run any image, right.
274
00:44:28.170 --> 00:44:45.180
Michael Stapleton: That can be a problem, so we would like to validate what's in your images, maybe have security sign off on it, and then somehow configure your cluster so it only runs images that have been digitally signed by your security personnel.
275
00:44:46.530 --> 00:45:03.240
Michael Stapleton: So we're not just running anything. One way you can enforce that, again with an admission controller: there's an admission controller called Connaisseur, and yeah, it'll validate the pod spec whenever it tries to run something, that it's running a digitally signed image based on your specifications.
276
00:45:04.440 --> 00:45:20.490
Michael Stapleton: And again, OPA Gatekeeper, well yeah, it can help, it can configure configuration, so image configuration as well, it can help validate that as well. So yeah, you're going to see more and more about OPA Gatekeeper for sure.
277
00:45:21.570 --> 00:45:31.680
Michael Stapleton: There's an awful lot of moving pieces in here, you know, so yeah, how do you know you didn't miss anything? Compliance validation, we're almost there.
278
00:45:32.670 --> 00:45:40.080
Michael Stapleton: Yeah, you're going to want to have some tools that you can execute that will look for known security vulnerabilities; you're going to want to run this on a regular basis.
279
00:45:41.130 --> 00:45:50.730
Michael Stapleton: So for more details, yeah, check with the Center for Internet Security; they have a whole lot of documentation and benchmarks, some of it you've got to pay for, some of it's free.
280
00:45:51.360 --> 00:45:56.760
Michael Stapleton: A free tool that you can run that actually runs these security benchmarks is kube-bench.
281
00:45:57.450 --> 00:46:08.550
Michael Stapleton: Open source, free tool you can run; it'll run these benchmarks. The benchmarks are in compliance and validation. When I hear benchmark I'm thinking, what, give me performance statistics, but rather
282
00:46:08.940 --> 00:46:15.840
Michael Stapleton: it's going to look for misconfiguration, so let's put it that way, right. So you're going to want to run something like that on a regular basis.
283
00:46:18.600 --> 00:46:19.050
Michael Stapleton: and
284
00:46:20.250 --> 00:46:20.610
Michael Stapleton: yeah I.
285
00:46:21.120 --> 00:46:22.080
Myles Brown: Can't believe you did it.
286
00:46:23.790 --> 00:46:30.000
Myles Brown: So, so I was talking to Mike before the session, I thought wow, you've got a lot of ground to cover.
287
00:46:31.530 --> 00:46:45.870
Myles Brown: It is an overview level, right, and so if you want more information on Kubernetes security, obviously going in and taking a course is probably the right way to do it. Let me switch and I will, I will start driving
288
00:46:47.070 --> 00:46:53.940
Myles Brown: from my slides, and so let's talk a little bit about some of the certifications that are out there, especially around Kubernetes security.
289
00:46:54.300 --> 00:47:01.320
Myles Brown: And then we'll get into some of the training that's available, and you know Mike, Mike can comment on these things as we're going, but
290
00:47:02.250 --> 00:47:08.940
Myles Brown: if you're looking for Kubernetes certification it's the CNCF, the Cloud Native Computing Foundation, they
291
00:47:09.450 --> 00:47:18.570
Myles Brown: they've got three different certifications. The newest one is the Kubernetes Security Specialist, what they're calling the CKS; it's definitely the newest cert.
292
00:47:19.230 --> 00:47:35.640
Myles Brown: To do that one there's an exam that you have to go in and do, but you first have to have the CKA; that's by far the most popular of these certifications, the Certified Kubernetes Administrator. So the CNCF is, you know,
293
00:47:37.020 --> 00:47:45.450
Myles Brown: a large, you know, body that certifies a bunch of different things; there's many companies that are part of that foundation, including Mirantis.
294
00:47:46.080 --> 00:47:56.730
Myles Brown: And these are the three vendor-agnostic Kubernetes certifications that they have: they have one for application developers, they have the main one for administrators, and then this newest one, the CKS.
295
00:47:57.360 --> 00:47:58.710
Michael Stapleton: Their certifications.
296
00:47:59.010 --> 00:48:04.140
Myles Brown: Yes, yeah, they're very tough, and the CKA is, what is it, performance-based, right?
297
00:48:04.380 --> 00:48:05.670
Michael Stapleton: Like, yeah, they all are, yeah.
298
00:48:05.910 --> 00:48:06.330
Myles Brown: yeah.
299
00:48:06.390 --> 00:48:07.710
And that's what no.
300
00:48:09.240 --> 00:48:11.460
Myles Brown: It's not just a multiple choice kind of question.
301
00:48:11.460 --> 00:48:11.700
Michael Stapleton: you're.
302
00:48:11.730 --> 00:48:26.400
Myles Brown: Not assigned to Ashton, you have to have some muscle memory in, you know, creating these things, provisioning them, you know, there's some troubleshooting even on the CKA. I haven't done the CKA, so, you know, I'll ask you Mike, so these are very difficult.
303
00:48:27.450 --> 00:48:37.350
Myles Brown: And they're not for, it's not like you take a three-day class and say okay, I'm ready to go and do the, you know, certification exam. It's not those kinds of certifications.
304
00:48:38.310 --> 00:48:48.840
Myles Brown: But certainly training will help you in getting ready for it, and I mentioned earlier that when it comes to Kubernetes, ExitCertified partnered with a company called Mirantis.
305
00:48:50.100 --> 00:48:51.540
Myles Brown: They're a cloud native company
306
00:48:51.540 --> 00:48:54.870
Myles Brown: dedicated to helping developers build and ship code faster.
307
00:48:55.080 --> 00:49:08.400
Myles Brown: Right, ExitCertified is partnered with many vendors, but that's the one that we prefer for Kubernetes training, so Docker, Kubernetes, OpenStack. I've created this Mirantis learning path document
308
00:49:09.510 --> 00:49:17.430
Myles Brown: which sort of outlines, you know, some of the different offerings, but most of the, you know, the Kubernetes for operations people or for developers,
309
00:49:17.670 --> 00:49:23.910
Myles Brown: you know, they kind of start the same: there's a one-day Docker containerization essentials, and then from there you can go into
310
00:49:24.450 --> 00:49:32.610
Myles Brown: like a two-day Kubernetes essentials, and then it starts to diverge if you're going to be in operations or administration versus development.
311
00:49:33.420 --> 00:49:43.170
Myles Brown: And we have some five-day bundles where you save a little bit of money if you sign up for the five-day class rather than the three individual classes.
312
00:49:43.680 --> 00:49:54.030
Myles Brown: And that's sort of, you know, what we would expect you to know before you go and maybe take the CN 322 to get ready for this CKA, CKA certification, right.
313
00:49:55.110 --> 00:50:00.000
Myles Brown: Once you have your CKA certification, there's the, their newest class is the
314
00:50:00.630 --> 00:50:13.620
Myles Brown: Advanced Kubernetes Security, so a lot of the topics that Mike talked about today are covered in that two-day class. Of course, in two days he can go in much deeper than in 45 minutes, right, so
315
00:50:14.280 --> 00:50:20.580
Myles Brown: you know, he was going at a furious pace and not going too deep, but that's exactly what we do in that class.
316
00:50:21.150 --> 00:50:31.800
Myles Brown: And, of course, that will help you prepare for the CKS. As I mentioned, there's other training that Mirantis has; they have their own cloud native platform,
317
00:50:32.280 --> 00:50:44.790
Myles Brown: and so, you know, you mentioned the Mirantis Secure Registry, you know, so if you're a Mirantis customer then we have some other classes that might be more specific for you, and then they also,
318
00:50:46.350 --> 00:51:04.140
Myles Brown: you know, do a really great job of OpenStack training, so we have those available too. So this actually, let me throw this link in the chat just so you can take a look at it right away, unless somebody already did that. Did somebody do that? No? Okay, so let me just throw that in there.
319
00:51:06.210 --> 00:51:06.480
Myles Brown: yeah.
320
00:51:07.590 --> 00:51:16.200
Myles Brown: And I'm sure we'll send this, you know, in a follow-up email as well, but if you get a hold of this PDF, these are all,
321
00:51:16.800 --> 00:51:22.890
Myles Brown: you know, hyperlinked. So if you click on the CN 330 it'll take you to our website where we talk about,
322
00:51:23.370 --> 00:51:29.970
Myles Brown: you know, this class, and you know, here's the upcoming dates, September 30. This class is, you know,
323
00:51:30.570 --> 00:51:39.870
Myles Brown: the most common ones are the initial classes, so, so this is a class that might only run once a quarter, you know, on our schedule, so
324
00:51:40.770 --> 00:51:58.830
Myles Brown: the Kubernetes security, like I said, it's a brand new class, and it is, you know, not everybody's going to be taking the security class, so it's kind of a more rare one, but if you go back and look at, say, you know, the CN 100 or something like that,
325
00:52:01.410 --> 00:52:09.630
Myles Brown: you know, if I view the schedule on that, you know, we have these classes running, you know, September 20, October 4, November, you know, so it runs much more often.
326
00:52:11.100 --> 00:52:19.800
Myles Brown: So that's some of the training that's available. I mentioned that we have a summer promo on right now; it runs until August 27.
327
00:52:20.400 --> 00:52:37.470
Myles Brown: And the promo code is SUMMER500, and basically the idea there is you can save $100 on a one-day course, $200 on a two-day course, up to $500 on a five-day course. We also will give you, you know, if you've got a group that you want to send,
328
00:52:37.950 --> 00:52:49.950
Myles Brown: so we have public classes where, you know, if you're just going to send one or two people from your company you would do that, but if you've got a group of people we also do private training, right, and you know, generally it's virtual,
329
00:52:50.670 --> 00:52:57.900
Myles Brown: But you know as things start to open up more we can send an instructor to you, you know sort of we'll see what happens with that, but.
330
00:52:58.740 --> 00:53:07.650
Myles Brown: The nice thing about the private training is you know we have a little more leeway to say Okay, well, we want to focus on this area, and not so much on that area.
331
00:53:08.490 --> 00:53:13.950
Myles Brown: You can maybe tweak the times, you know normally our classes run sort of you know, nine to five kind of.
332
00:53:14.820 --> 00:53:26.460
Myles Brown: But we've done really crazy things with the private classes, where we do a half day class over two weeks, instead of you know so there's a lot of options there in the private training.
333
00:53:27.870 --> 00:53:34.770
Myles Brown: One thing about the summer promo you have to register by August 27 and take the course by the end of September.
334
00:53:35.850 --> 00:53:45.000
Myles Brown: So that's sort of our current promotion, right now, and like I said, you know if you have any questions about.
335
00:53:46.050 --> 00:53:52.140
Myles Brown: about training, you can send those to me, let me just put my email address into the.
336
00:53:54.390 --> 00:54:02.730
Myles Brown: And I'll probably put you in touch with one of our salespeople but if it's just a question about what's the right course kind of thing you can send that to me and.
337
00:54:04.080 --> 00:54:09.150
Myles Brown: You know, like I said, we can build like a cross-vendor you know kind of path if we need to.
338
00:54:09.600 --> 00:54:20.790
Myles Brown: And really figure out well hey you know our people all know Docker but they don't know Kubernetes well, then we can skip that first class and start in the second class, so you know I can work with you and figure that out.
339
00:54:21.720 --> 00:54:26.820
Myles Brown: We have a couple minutes left I think Mike you're not in a rush here we don't have to run out right.
340
00:54:26.820 --> 00:54:38.340
Myles Brown: away so if you have any further questions you can throw them in the chat and we'll take a couple minutes here to answer I think we've answered most of the questions along the way.
341
00:54:41.160 --> 00:54:56.550
Myles Brown: Yeah I don't think we had any outstanding. What is ingress? Oh well, ingress I mean in terms of Kubernetes, and we talked about the ingress controller and it controls requests coming in.
342
00:54:57.930 --> 00:55:05.460
Michael Stapleton: An ingress is a, so an ingress, it is confusing, an ingress is a type of object that you can create in Kubernetes.
343
00:55:05.850 --> 00:55:18.540
Michael Stapleton: You have a template and its kind is Ingress and it represents configuration for a reverse proxy, an ingress controller reacts to that specification in an ingress and configures a reverse.
344
00:55:18.960 --> 00:55:27.690
Michael Stapleton: proxy. Generally when we just say ingress or ingress controller they're just saying that you have some kind of reverse proxy.
345
00:55:28.260 --> 00:55:37.530
Michael Stapleton: You have some kind of a controller that's configuring it through Kubernetes objects of some sort and it's used to expose your pods to you know outside the cluster.
346
00:55:40.140 --> 00:55:40.380
and
347
00:55:43.890 --> 00:55:45.030
Michael Stapleton: inbound traffic.
348
00:55:46.290 --> 00:55:46.650
Michael Stapleton: mm hmm.
349
00:55:48.990 --> 00:55:57.240
Michael Stapleton: can explain Istio? Yes, service meshes in general, they've been around for a while now, they help solve the problem.
350
00:55:57.870 --> 00:56:05.490
Michael Stapleton: Of the fact that, when we do networking we configure how things communicate to each other and how they authenticate and everything all over the place.
351
00:56:05.790 --> 00:56:14.430
Michael Stapleton: If you've ever done any troubleshooting with highly networked things you know you've got to go from node to node to node to figure out who's talking to who and what's going on.
352
00:56:14.940 --> 00:56:22.110
Michael Stapleton: it's you know everything's just blasted across your space everything's all over the place, when it comes to configuration networking.
353
00:56:22.410 --> 00:56:32.880
Michael Stapleton: So any changes you need to do, you need to figure out where you've got to run around and do it. The general idea of a service mesh is it centralizes the management and configuration of your networking in one place, so you can.
354
00:56:34.140 --> 00:56:47.160
Michael Stapleton: The traffic now everyone's configured the same way, where do you send your traffic to the service mesh and then the service mesh will worry about getting the traffic to go to the right place and it can then do things like monitoring and metrics and.
355
00:56:47.700 --> 00:56:58.080
Michael Stapleton: authentication, authorization, it can do all kinds of things, they're just very, very, very, very, it's a cool thing and Istio is one example of that yeah.
356
00:56:58.260 --> 00:57:15.210
Myles Brown: And you would say that these are important because of the architecture that we use with microservices where there's a lot of inter-process communication and the explosion of that communication really said hey we need.
357
00:57:15.420 --> 00:57:24.450
Michael Stapleton: We need help, you've got tons of small interconnected processes running on different machines and how do you manage the networking for that yeah yeah so special.
358
00:57:24.510 --> 00:57:28.980
Myles Brown: about this question, how can we get tcpdump from a Kubernetes cluster.
359
00:57:30.030 --> 00:57:30.990
Michael Stapleton: In the OS.
360
00:57:32.190 --> 00:57:37.650
Michael Stapleton: So you log into your nodes and you do tcpdump, remember in the end it's just processes running in.
361
00:57:37.650 --> 00:57:42.630
Michael Stapleton: Linux, your Linux host, so you still have all your normal tools and everything, they're not VMs.
362
00:57:44.880 --> 00:57:46.380
Michael Stapleton: Oh yeah just regular tcpdump.
363
00:57:48.000 --> 00:57:53.280
Myles Brown: But this last question, do we have the MITRE ATT&CK framework supported for Kubernetes.
364
00:57:55.290 --> 00:57:55.890
Michael Stapleton: Never heard of it.
365
00:57:56.970 --> 00:57:58.740
Myles Brown: Earlier with that one yeah.
366
00:58:00.000 --> 00:58:03.930
Michael Stapleton: yeah doesn't matter how long you've been doing something there's always something new.
367
00:58:05.550 --> 00:58:06.690
Michael Stapleton: The new term for me.
368
00:58:07.950 --> 00:58:08.340
Michael Stapleton: and see.
369
00:58:12.240 --> 00:58:13.470
MITRE ATT&CK.
370
00:58:21.300 --> 00:58:25.020
Michael Stapleton: yeah I don't know that's I guess that's the right answer I have no idea.
371
00:58:25.320 --> 00:58:26.400
Michael Stapleton: yeah looking it up now.
372
00:58:27.870 --> 00:58:34.170
Myles Brown: How about this one, if a pod is deleted, how will we take logs for the deleted pod.
373
00:58:35.190 --> 00:58:50.430
Myles Brown: OK, not sure exactly what they're asking here, but I mean one of the things you mentioned was that you know, we want to redirect any kinds of logs to sort of an external place so that.
374
00:58:50.610 --> 00:58:50.970
Michael Stapleton: Like.
375
00:58:51.000 --> 00:58:53.040
Myles Brown: You know those individual nodes if they get.
376
00:58:53.640 --> 00:58:58.500
Myles Brown: destroyed in some way, we still have the logs elsewhere right yeah.
377
00:59:01.680 --> 00:59:15.780
Michael Stapleton: And then, and of course, like with the audit logs, you'd preferably like to be proactively monitoring the logs by some kind of intelligent software to notify you, yeah, but that's totally outside of Kubernetes.
378
00:59:19.440 --> 00:59:23.220
Myles Brown: yeah certainly don't think you want to log anything to the ephemeral volumes.
379
00:59:25.020 --> 00:59:28.860
Myles Brown: That's the exact opposite of what we want with logs.
380
00:59:36.900 --> 00:59:49.530
Myles Brown: Alright, well, it looks like things are slowing down Mike. Miles, thank you very much. Yeah Mike thanks for your time that was great and like I said we're going to be sending the.
381
00:59:52.020 --> 01:00:05.370
Myles Brown: The recording of the presentation, we may also send a PDF of the slides because there were some links in there that you might be looking for, might have to clean up those spelling mistakes first but we'll get that all to you.
382
01:00:06.060 --> 01:00:11.760
Myles Brown: In the next few days, I'm not sure how long the recording takes, probably a couple days.
383
01:00:12.000 --> 01:00:13.680
Michael Stapleton: wasn't me someone hacked my slides.
384
01:00:13.770 --> 01:00:14.460
Myles Brown: Yes, that's right.
385
01:00:16.020 --> 01:00:27.240
Myles Brown: Well, thank you for your time and yeah and keep your eyes open, we've got lots of webinars on lots of different topics, we probably run you know, two to three webinars a month.
386
01:00:27.990 --> 01:00:43.470
Myles Brown: At ExitCertified across different vendors and different technologies but we're always looking for you know ideas of you know what to do webinars on, a lot of times it's an important topic, you know.
387
01:00:44.100 --> 01:00:53.640
Myles Brown: Very often it's like this one, where you know there's a lot of detail and so it's tip of the iceberg, and if you're interested, then you know hey.
388
01:00:54.060 --> 01:01:03.930
Myles Brown: I want to take this security class with that guy Mike Stapleton and so that's kind of why we do it, is to let you know you know, this is what you can expect.
389
01:01:04.290 --> 01:01:13.260
Myles Brown: But in a more intimate setting where you can ask a lot more questions easier and so that's ultimately you know I think what we do really well.
390
01:01:14.460 --> 01:01:20.550
Myles Brown: So thank you for your time today, and I'm not sure about the chat. Oh, I think, if you want the chat.
391
01:01:20.790 --> 01:01:21.780
Michael Stapleton: You can actually save it.
392
01:01:22.050 --> 01:01:27.600
Myles Brown: yeah if you click on the dot dot dot there's a save chat and so you can save that.
393
01:01:31.260 --> 01:01:36.660
Myles Brown: Somebody at the very beginning mentioned they had a link to the NSA.
394
01:01:37.530 --> 01:01:48.450
Myles Brown: Report on Kubernetes security, I was flipping through it as Mike was going through, and you know it was a lot of the same. Oh you don't have the dot dot dot option.
395
01:01:49.260 --> 01:02:03.840
Myles Brown: I guess the save chat in webinar style, we don't have the save chat, hmm, well, it may appear in the recordings, I'm not sure how that works, but like I said you've got the links, they'll be in the slides so we'll get those to you.
396
01:02:08.430 --> 01:02:11.730
Myles Brown: You have any plan for Kubernetes on Azure.
397
01:02:13.320 --> 01:02:21.060
Myles Brown: Yeah well Azure actually has a managed service called AKS, and that is covered in some of the Azure classes that we offer.
398
01:02:22.740 --> 01:02:27.660
Myles Brown: Right click, select all and copy. The Teams got a great solution, yes.
399
01:02:30.480 --> 01:02:36.720
Myles Brown: Oh there Mike shared a file, I don't know if you can save that file or not, but that's the save chat.
400
01:02:37.860 --> 01:02:38.790
Myles Brown: it's probably got.
401
01:02:41.730 --> 01:02:41.970
Myles Brown: My.
402
01:02:42.330 --> 01:02:44.100
Myles Brown: Only my stuff yeah.
403
01:02:45.060 --> 01:02:45.750
Michael Stapleton: that's no good.
404
01:02:46.200 --> 01:02:47.250
Myles Brown: yeah that's not good.
405
01:02:47.850 --> 01:02:51.810
Michael Stapleton: Oh, and you know what hey sent their own file to anyway so okay so let's.
406
01:02:55.020 --> 01:02:55.800
Myles Brown: proceed is.
407
01:02:56.220 --> 01:02:56.610
Myles Brown: It called.
408
01:02:56.640 --> 01:02:57.930
Michael Stapleton: Amazon training.
409
01:02:58.590 --> 01:03:01.230
Myles Brown: whoops it's downloadable it's not right.
410
01:03:01.440 --> 01:03:02.430
Michael Stapleton: it's not the right yeah.
411
01:03:04.170 --> 01:03:07.650
Michael Stapleton: One of those days I tell you, so my last.
412
01:03:09.390 --> 01:03:12.540
Myles Brown: Alright well i'm going to stop the share and.
413
01:03:17.280 --> 01:03:17.550
Myles Brown: Show.