opszero / terraform-aws-kubespot
Home Page: https://opszero.com
License: Other
How about adding support not just for building AMIs for AWS but also for GCE?
Have scripts for regular use.
Hey, not a lot of information online about other people running PCI compliant workloads on Kubernetes, so apologies for the question in advance!
I'm curious what kind of networking setup you're running on the PCI compliant kops clusters to fulfill the PCI requirement for a DMZ.
Do you satisfy inbound/outbound rules at the EC2 level w/ AWS network ACLs, or at the Kubernetes level w/ networking policies (calico)?
Enable VPC flow logs. Publish to CloudWatch or S3 (be aware that there are additional CloudWatch costs for VPC flow logs). Docs
Two tasks
Opshell/auditkube
Update AWS Marketplace
Add CloudWatch Monitoring so we can keep track of all the changes in
Have AWS track the node metrics so we can see them in the AWS dashboard.
There is no insight at the moment with default kops.
Write Blog Post
Build It
Add CloudWatch scripts http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/mon-scripts.html
Need to have a way of tracking those changes.
Test It
Release Blog
Release Notes (https://opszero.typeform.com/to/JMnLYH)
Update Weebly
Post on Product Hunt as New Features / Screenshots
Send to Marketing Locations
There was some turmoil about filling the disk with the default logrotate configuration:
kubernetes/kops#2816
I think we need to make our base image more stable in this regard and configure logrotate to rotate at 10MB instead of the default 100MB, so that at most 1GB of disk is used instead of 10GB.
Need to set up OpenSCAP as it provides an interface for compliance
Set up OpenSCAP as a default install on the image
OpenSCAP is a default for compliance related issues.
Write Blog Post
Build It
Install OpenSCAP
Make sure that it exports to an appropriate location.
Test It
Release Blog
Release Notes (https://opszero.typeform.com/to/JMnLYH)
Update Website
Post on Product Hunt as New Features / Screenshots
Set up Kubernetes autoscaling
[ ] Install it using the Kubernetes Terraform Helm plugin https://github.com/helm/charts/tree/master/stable/cluster-autoscaler
I'm arduously going through PCI compliance right now with my current company. I was hoping to use AWS Inspector, but I'm sad to learn that it's not supported on Debian.
Do any of your clients use AWS Inspector to be notified of vulnerable CVEs on their systems, or is there an alternative agent that's popular that I'm not aware of? I know this really isn't an issue with auditkube, but would love your input!
From one DevOps to another ❤️.
Have Package Level Auditing
Have the nodes checked by AppCanary as an add-on.
Add additional node level security.
Write Blog Post
Build It
Add AppCanary API Key
Create file in node.
Test It
Release Blog
Release Notes (https://opszero.typeform.com/to/JMnLYH)
Update Weebly
Post on Product Hunt as New Features / Screenshots
Update Adwords
Send to Marketing Locations
While we have support for cluster-level security, we also need to address the Kubernetes layer of security.
Have a tool that can generate secure RBAC configurations for HIPAA/PCI
Currently, the default setup for Kubernetes is everything has access to everything and we want to change that.
Write Blog Post
Build It
Generate configurations for HIPAA/PCI that limit access, so that people can't do everything but instead have a more limited set of things they are allowed to do.
Test It
Release Blog
Release Notes (https://opszero.typeform.com/to/JMnLYH)
Update Weebly
Post on Product Hunt as New Features / Screenshots
Update Adwords
Send to Marketing Locations
ElastiCache for Redis - Enable encryption in transit and encryption at rest. Docs
ElastiCache for Redis - Enable Multi-AZ failover (for production) Docs
Use different security groups for the Aurora DB (it looks like they're using the same group as the EKS nodes); the Aurora security group should only allow traffic from the EKS nodes (and other whitelisted services). @adam A
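The three checklist items above, written out in Terraform as an added example (not kubespot's own code): the resource names, the PostgreSQL port, the node type and the variables are assumed placeholders.

```hcl
# Added example, not kubespot's own code; names, ports and variables are assumed.
variable "vpc_id" {}
variable "eks_node_sg_id" {} # SG attached to the EKS worker nodes
variable "db_username" {}
variable "db_password" { sensitive = true }
variable "redis_auth_token" { sensitive = true }

# Weak shape the checklist flags: Aurora reused the node SG, so every ingress
# rule written for the nodes also reached the database:
#   vpc_security_group_ids = [var.eks_node_sg_id]

# Corrected: a dedicated group that admits only the DB port from the node SG.
resource "aws_security_group" "aurora" {
  name   = "aurora-db"
  vpc_id = var.vpc_id
}

resource "aws_security_group_rule" "aurora_from_nodes" {
  type                     = "ingress"
  security_group_id        = aws_security_group.aurora.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = var.eks_node_sg_id
}

resource "aws_rds_cluster" "aurora" {
  cluster_identifier     = "kubespot-aurora"
  engine                 = "aurora-postgresql"
  master_username        = var.db_username
  master_password        = var.db_password
  storage_encrypted      = true
  vpc_security_group_ids = [aws_security_group.aurora.id]
}

# ElastiCache for Redis: encrypted at rest and in transit (the AUTH token is
# only accepted when transit encryption is on), with Multi-AZ automatic failover.
resource "aws_elasticache_replication_group" "redis" {
  replication_group_id       = "kubespot-redis"
  description                = "kubespot redis"
  engine                     = "redis"
  node_type                  = "cache.t3.small"
  num_cache_clusters         = 2
  automatic_failover_enabled = true
  multi_az_enabled           = true
  at_rest_encryption_enabled = true
  transit_encryption_enabled = true
  auth_token                 = var.redis_auth_token
}
```

Give the Redis replication group its own security group with a single ingress rule from the node SG on the Redis port, mirroring the Aurora pattern, rather than sharing either of the groups above.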