Proxies in Kubernetes
◾️https://kubernetes.io/docs/concepts/cluster-administration/proxies/
Cracking Kubernetes Node Proxy (aka kube-proxy)

◾️https://arthurchiao.art/blog/cracking-k8s-node-proxy/

Connection Tracking (conntrack)
◾️https://arthurchiao.art/blog/conntrack-design-and-implementation/
A Deep Dive into Iptables and Netfilter Architecture
◾️https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture
Awesome BPF Resources
◾️https://arthurchiao.art/blog/awesome-bpf/
#container #kubernetes #opensource #devops #devsecops #networking
〰️〰️〰️〰️〰️〰️
© @DevOpsEx

⚡️What is DevSecOps?⚡️
DevSecOps stands for development, security, and operations. It's an approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle.
DevSecOps means thinking about application and infrastructure security from the start. It also means automating some security gates to keep the DevOps workflow from slowing down. Selecting the right tools to continuously integrate security, like agreeing on an integrated development environment (IDE) with security features, can help meet these goals. However, effective DevOps security requires more than new tools—it builds on the cultural changes of DevOps to integrate the work of security teams sooner rather than later.
Refs:
◾️DevSecOps Redhat
◾️GitHub Repo Resources
◾️OWASP DevSecOps
◾️DevSecOps Culture
◾️DevSecOps GitHub
#DevOps #DevSecOps #Security #Development #Operation #IT #Lifecycle #ITLifecycle #Hardening
〰️〰️〰️〰️〰️
©️ @DevOpsEx

⚡️A Linux SysAdmin's Introduction To Cgroups⚡️
Control groups (cgroups) are a Linux kernel mechanism for fine-grained control of resources. Originally put forward by Google engineers in 2006, cgroups were eventually merged into the Linux kernel around 2007.
While there are currently two versions of cgroups, most distributions and mechanisms use version 1, as it has been in the kernel since 2.6.24. Like with most things added into the mainline kernel, there was not a huge adoption rate at first.
Version 2 continues this trend, having been around for almost half a decade but still not widely deployed.
Links:
◾️https://www.redhat.com/sysadmin/cgroups-part-one
◾️https://www.redhat.com/sysadmin/cgroups-part-two
◾️https://www.redhat.com/sysadmin/cgroups-part-three
◾️https://www.redhat.com/sysadmin/cgroups-part-four
Pic Source:

◻️https://twitter.com/b0rk

#DevOps #DevSecOps #Security #Development #Operation #IT #Linux #Kernel
〰️〰️〰️〰️〰️
©️ @DevOpsEx

خب بعد از چند وقت بریم سراغ ادامه تاپیک جذاب همیشگی یعنی Container Networking ولی اینبار یکمی دقیق‌تر راجب طرز پیاده‌سازیش تو Kubernetes و نگاهی به بخشی از بقولی Under The Hood مکانیزم‌های استفاده‌شده برای تحقق این موضوع، چیزهایی مثل طرز پیاده‌سازی سرویس Kube-Proxy تو دو مد iptables و IPVS و تفاوت‌هاشون به شکل دقیق و همینطور روش‌هایی که CNI هایی مثل Calico برای Advertise کردن CIDR پاد استفاده می‌کنن یعنی دو تکنولوژی BGP و BIRD و درنهایت پیاده‌سازی OverLay Network به کمک مفاهیمی چون VXLAN و IPinIP.
◽️این پست ادامه بحث این پسته.
◽️عمده ریسورس‌های معرفی‌شده در لینک‌های زیر توسط آقای Dustin Specker نوشته شده است یکی از بهترین‌های این حوزه!
⚡️Links⚡️
Container Networking Series:

...
iptables: How Kubernetes Services Direct Traffic to Pods
IPVS: How Kubernetes Services Direct Traffic to Pods
Kubernetes Networking from Scratch: Using BGP and BIRD to Advertise Pod Routes
...

◾️https://dustinspecker.com/series/container-networking/
Deep Dive Kube-Proxy With iptables Mode:
◾️https://serenafeng.github.io/2020/03/26/kube-proxy-in-iptables-mode/
Container Networking From Scratch - Kristen Jacobs:
◾️https://www.youtube.com/watch?v=6v_BDHIgOY8
#container #kubernetes #opensource #devops #devsecops #networking
〰️〰️〰️〰️〰️〰️
© @DevOpsEx