updates

Signed-off-by: (Bit-Mage) <[email protected]>
rajp152k · Oct 13, 2024 · 7970c5e · 7970c5e
1 parent 0d4c65e
commit 7970c5e
Show file tree

Hide file tree

Showing 11 changed files with 111 additions and 2 deletions.
diff --git a/Content/20240215121050-kubernetes.org b/Content/20240215121050-kubernetes.org
@@ -10,7 +10,11 @@ see [[id:f822f8f6-89eb-4aa8-ac8f-fdcff3f06fb9][Orchestration]]
 * Stream
 ** 0x22E2
 - reading https://sookocheff.com/post/kubernetes/understanding-kubernetes-networking-model/
-- reading up on ConfigMaps
+- reading up on [[id:2244b835-3c8a-496e-b4bd-5ab0951c7d29][ConfigMap]]s
+- reading up on [[id:691a68cd-bef5-47c3-be5a-030cfffca5c5][Secret]]s
+- reading up on [[id:31fe99cb-2739-45cd-9a8b-755ffc018917][Resource Management]]
+- see https://github.com/OpenObservability/OpenMetrics.git
+- building up a [[id:68d08457-9ce7-4b48-8cef-c52134a99c40][Security]] node for K8s
 ** 0x22E1
  - the <git vc host>/kubernetes/hack/ is useful
  - charting the kubernetes source code

diff --git a/Content/20240728173614-helm.org b/Content/20240728173614-helm.org
@@ -2,4 +2,4 @@
 :ID:       28387722-d0ca-4c0b-8436-5c4c2ae4ba13
 :END:
 #+title: Helm
-#+filetags: :cloud-native:cncf:
+#+filetags: :k8s:cloud-native:cncf:
diff --git a/Content/20241013163139-configmap.org b/Content/20241013163139-configmap.org
@@ -0,0 +1,20 @@
+:PROPERTIES:
+:ID:       2244b835-3c8a-496e-b4bd-5ab0951c7d29
+:END:
+#+title: ConfigMap-K8S
+#+filetags: :k8s:
+
+* Definition:
+  - ConfigMap is an API object in Kubernetes used to store non-confidential data in key-value pairs.
+
+* Purpose:
+  - To decouple configuration artifacts from container images to make applications more secure and portable.
+
+* Limitations:
+  - They are not suited to store sensitive information such as passwords or keys; for that, [[id:691a68cd-bef5-47c3-be5a-030cfffca5c5][Kubernetes Secrets]] should be used.
+  - ConfigMaps are limited to 1MB each; exceeding this limit requires a different approach.
+
+
+* Resources
+- https://kubernetes.io/docs/concepts/configuration/configmap/
+- https://kubernetes.io/blog/2016/04/configuration-management-with-containers/
diff --git a/Content/20241013163342-secrets_k8s.org b/Content/20241013163342-secrets_k8s.org
@@ -0,0 +1,16 @@
+:PROPERTIES:
+:ID:       691a68cd-bef5-47c3-be5a-030cfffca5c5
+:END:
+#+title: Secrets-K8S
+#+filetags: :sec:k8s:
+
+* Basics
+  - Kubernetes secrets manage sensitive data, such as passwords, OAuth tokens, and SSH keys.
+  - Secrets are intended to decouple sensitive information from the application code, improving security.
+  - Deployments and pods can refer to secrets in Kubernetes, allowing controlled access.
+
+* Security Considerations
+  - Secrets, though more secure than embedding in application code, can still be exposed if someone gets access to the pod.
+  - Best practices include [[id:fc79b8ad-6f4c-4a0b-b75e-f6ffd1741b52][ACLs]], [[id:91e6eae5-ebc3-4bf2-8523-30a29c60354c][RBAC]] policies, and [[id:92342b8b-1c09-4e1f-9799-66d060678c31][encryption]] at rest using third-party solutions or Kubernetes features.
+* Resources
+- https://kubernetes.io/docs/concepts/configuration/secret/
diff --git a/Content/20241013165913-access_control_lists.org b/Content/20241013165913-access_control_lists.org
@@ -0,0 +1,5 @@
+:PROPERTIES:
+:ID:       fc79b8ad-6f4c-4a0b-b75e-f6ffd1741b52
+:END:
+#+title: Access Control Lists
+#+filetags: :cs:sec:
diff --git a/Content/20241013165926-role_based_access_control.org b/Content/20241013165926-role_based_access_control.org
@@ -0,0 +1,5 @@
+:PROPERTIES:
+:ID:       91e6eae5-ebc3-4bf2-8523-30a29c60354c
+:END:
+#+title: Role Based Access Control
+#+filetags: :cs:sec:
diff --git a/Content/20241013170359-resource_management_k8s.org b/Content/20241013170359-resource_management_k8s.org
@@ -0,0 +1,12 @@
+:PROPERTIES:
+:ID:       31fe99cb-2739-45cd-9a8b-755ffc018917
+:END:
+#+title: Resource Management-K8S
+#+filetags: :k8s:
+
+* Resources
+ - https://openmetrics.io/
+ - [[id:28387722-d0ca-4c0b-8436-5c4c2ae4ba13][Helm]]
+ - [[id:a204f9b7-a562-429b-8fb4-644a758f933b][Kustomize]]
+ - https://kubernetes.io/docs/concepts/workloads/management/
+ - https://kubectl.docs.kubernetes.io/guides/config_management/introduction/
diff --git a/Content/20241013171158-kustomize.org b/Content/20241013171158-kustomize.org
@@ -0,0 +1,9 @@
+:PROPERTIES:
+:ID:       a204f9b7-a562-429b-8fb4-644a758f933b
+:END:
+#+title: Kustomize
+#+filetags: :k8s:
+
+
+* Resources
+- https://kustomize.io/
diff --git a/Content/20241013174258-security_k8s.org b/Content/20241013174258-security_k8s.org
@@ -0,0 +1,22 @@
+:PROPERTIES:
+:ID:       68d08457-9ce7-4b48-8cef-c52134a99c40
+:END:
+#+title: Security-K8S
+#+filetags: :sec:k8s:
+
+* K8S Security Mechanisms
+** Control Plane Protection
+ - data in transit encryption ([[id:06fa9da7-4126-4b08-a367-3a751f31de51][TLS]]):
+   - https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
+ - encryption at rest :
+   - https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
+** [[id:691a68cd-bef5-47c3-be5a-030cfffca5c5][Secrets]]
+- maskable configs
+** Workload Protection
+- [[id:3556f180-8efb-4ece-9856-12c322d4bb3d][Network Policies-K8S]]
+- [[id:5bbc2e82-8c88-46cb-9f8c-40ed065d3c97][Runtime Classes-K8S]]
+
+** Auditing
+* Resources
+- https://kubernetes.io/docs/concepts/security/
+- https://kubernetes.io/docs/concepts/security/cloud-native-security/
diff --git a/Content/20241013175122-network_policies_k8s.org b/Content/20241013175122-network_policies_k8s.org
@@ -0,0 +1,8 @@
+:PROPERTIES:
+:ID:       3556f180-8efb-4ece-9856-12c322d4bb3d
+:END:
+#+title: Network Policies-K8S
+#+filetags: :sec:k8s:
+
+* Resources
+ - https://kubernetes.io/docs/concepts/services-networking/network-policies/
diff --git a/Content/20241013175852-runtime_classes_k8s.org b/Content/20241013175852-runtime_classes_k8s.org
@@ -0,0 +1,8 @@
+:PROPERTIES:
+:ID:       5bbc2e82-8c88-46cb-9f8c-40ed065d3c97
+:END:
+#+title: Runtime Classes-K8S
+#+filetags: :sec:k8s:
+
+* Resources
+ - https://kubernetes.io/docs/concepts/containers/runtime-class/