
terraform-aws-kubespot's People

Contributors

aaahrens, abhiyerra, aleks-auguria, dependabot[bot], github-actions[bot], jana-opszero, janajs, janavenkat, leewang0, sideshowbandana, sohanyadav, thaunghtike-share


terraform-aws-kubespot's Issues

support for GCE

How about adding support not just to build AMIs for AWS but also for GCE?

Kops cluster topology?

Hey, not a lot of information online about other people running PCI compliant workloads on Kubernetes, so apologies for the question in advance!

I'm curious what kind of networking setup you're running on the PCI compliant kops clusters to fulfill the PCI requirement for a DMZ.

Do you satisfy inbound/outbound rules at the EC2 level w/ AWS network ACLs, or at the Kubernetes level w/ networking policies (calico)?
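The question above contrasts EC2-level network ACLs with Kubernetes-level network policies. As an added example (not the project's code and not an answer from its maintainers), here is what the Kubernetes layer looks like when written with the Terraform kubernetes provider: a default-deny posture for a namespace holding cardholder-data workloads, the DNS egress exception that a deny-all egress rule otherwise breaks, and a single allow rule from the ingress controller's namespace. Assumed names: a namespace "cardholder", an ingress controller in namespace "ingress-nginx", kube-dns pods labelled k8s-app=kube-dns, application pods labelled app=payment-api listening on 8080, and a cluster new enough (1.22+) to carry the automatic kubernetes.io/metadata.name namespace label.

```hcl
# Added example, not terraform-aws-kubespot code. Namespace, label and port
# names are assumptions for illustration.

# Everything in the namespace starts with no ingress and no egress allowed.
resource "kubernetes_network_policy" "default_deny" {
  metadata {
    name      = "default-deny"
    namespace = "cardholder"
  }
  spec {
    pod_selector {}                      # empty selector = every pod in the namespace
    policy_types = ["Ingress", "Egress"] # deny both directions unless another policy allows
  }
}

# Without this exception the deny-all egress rule above also blocks DNS,
# which shows up as every outbound call timing out rather than being refused.
resource "kubernetes_network_policy" "allow_dns_egress" {
  metadata {
    name      = "allow-dns-egress"
    namespace = "cardholder"
  }
  spec {
    pod_selector {}
    policy_types = ["Egress"]
    egress {
      to {
        # namespace_selector AND pod_selector in one "to" block: only kube-dns
        namespace_selector {
          match_labels = { "kubernetes.io/metadata.name" = "kube-system" }
        }
        pod_selector {
          match_labels = { "k8s-app" = "kube-dns" }
        }
      }
      ports {
        port     = "53"
        protocol = "UDP"
      }
      ports {
        port     = "53"
        protocol = "TCP"
      }
    }
  }
}

# Only the ingress controller's namespace may reach the API pods, on 8080 only.
# Pods in other namespaces, and other pods in this namespace, stay cut off.
resource "kubernetes_network_policy" "allow_from_ingress" {
  metadata {
    name      = "allow-payment-api-from-ingress"
    namespace = "cardholder"
  }
  spec {
    pod_selector {
      match_labels = { app = "payment-api" }
    }
    policy_types = ["Ingress"]
    ingress {
      from {
        namespace_selector {
          match_labels = { "kubernetes.io/metadata.name" = "ingress-nginx" }
        }
      }
      ports {
        port     = "8080"
        protocol = "TCP"
      }
    }
  }
}
```

NetworkPolicy objects are only enforced by a CNI that implements them (Calico does; the bare AWS VPC CNI does not), so verify enforcement with a pod in another namespace before relying on it for a DMZ boundary. These rules complement, rather than replace, security groups and network ACLs at the EC2 layer, which still govern what reaches the nodes at all.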

AWS / Security / Flow Logs

  • VPC
    • Flow Logs

Enable VPC flow logs. Publish to CloudWatch or S3 (be aware there are additional CloudWatch costs for VPC flow logs). Docs
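One way to enable the flow logs the issue asks for, as an added example that is not the project's own code: delivery to an S3 bucket (the cheaper destination of the two mentioned), with the bucket locked down and the bucket policy that the log-delivery service needs. It assumes an existing aws_vpc.main and variables var.account_id and var.region; all resource names are illustrative.

```hcl
# Added example, not terraform-aws-kubespot code. aws_vpc.main, var.account_id
# and var.region are assumed to exist.

resource "aws_s3_bucket" "flow_logs" {
  bucket = "kubespot-vpc-flow-logs-${var.account_id}"
}

# Flow logs reveal internal addressing and traffic patterns; never public.
resource "aws_s3_bucket_public_access_block" "flow_logs" {
  bucket                  = aws_s3_bucket.flow_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "flow_logs" {
  bucket = aws_s3_bucket.flow_logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Only the log-delivery service may write, and only under this account's prefix.
data "aws_iam_policy_document" "flow_logs_delivery" {
  statement {
    sid       = "AWSLogDeliveryWrite"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.flow_logs.arn}/AWSLogs/${var.account_id}/*"]
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
  statement {
    sid       = "AWSLogDeliveryAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.flow_logs.arn]
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
  }
}

resource "aws_s3_bucket_policy" "flow_logs" {
  bucket = aws_s3_bucket.flow_logs.id
  policy = data.aws_iam_policy_document.flow_logs_delivery.json
}

# ALL captures both accepted and rejected flows; rejected flows are what you
# want when reconstructing a scan or a blocked lateral move. The 60 s
# aggregation interval gives finer timestamps than the 600 s default.
resource "aws_flow_log" "vpc" {
  vpc_id                   = aws_vpc.main.id
  traffic_type             = "ALL"
  log_destination_type     = "s3"
  log_destination          = aws_s3_bucket.flow_logs.arn
  max_aggregation_interval = 60
  depends_on               = [aws_s3_bucket_policy.flow_logs]
}
```

For CloudWatch delivery instead, set log_destination_type = "cloud-watch-logs", point log_destination at a log group ARN and supply iam_role_arn for a role the vpc-flow-logs.amazonaws.com service can assume; that is where the extra CloudWatch ingestion cost the issue warns about comes from.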

Cron

Opshell/auditkube needs to have crons. Two tasks:

  • Weekly update the software
  • Update AWS Marketplace

AWS CloudWatch Monitoring Scripts

Observation

Add CloudWatch Monitoring so we can keep track of all the changes in

Expected Result

Have AWS tracking the nodes metrics so we can see them in the AWS dashboard.

Why

There is no insight at the moment with default kops.

Blog Post

  • Tell a story of the use case. Put yourself in the buyer's shoes
  • The dilemma that the team sought to solve for its prospects or customers
  • How are we solving it?
  • What does it look like?
  • How to use it?
  • Reiterate the value prop

Tasks

logrotate configuration

There was some turmoil about filling the disk with the default logrotate configuration
kubernetes/kops#2816

I think we need to make our base image more stable in this regard and configure logrotate to rotate at 10MB instead of the default 100MB, so that the logs fill at most 1GB of disk instead of 10GB.

GCP Setup

  • Cluster Module
  • VPC Access
  • Create GCP Cluster
  • Configure GCP Green
  • Configure GCP Blue
  • Helm
  • LogDNA
  • Foxpass Bastion
  • Foxpass VPN
  • ISTIO
  • Enable Stackdriver and other HIPAA compliance related things
  • GCP Create KMS Keys for each single tenant customer

Setup OpenSCAP

Observation

Need to set up OpenSCAP as it provides an interface for compliance.

Expected Result

Set up OpenSCAP as a default install on the image.

Why

OpenSCAP is a default for compliance related issues.

Blog Post

  • Tell a story of the use case. Put yourself in the buyer's shoes
  • The dilemma that the team sought to solve for its prospects or customers
  • How are we solving it?
  • What does it look like?
  • How to use it?
  • Reiterate the value prop

Tasks

  • Write Blog Post

  • Build It

  • Install OpenSCAP

  • Make sure that it exports to an appropriate location.

  • Test It

  • Release Blog

  • Release Notes (https://opszero.typeform.com/to/JMnLYH)

  • Update Website

  • Post on Product Hunt as New Features / Screenshots

AWS Inspector

I'm arduously going through PCI compliance right now with my current company. I was hoping to use AWS Inspector, but I'm sad to learn that it's not supported on Debian.

Do any of your clients use AWS Inspector to be notified of vulnerable CVEs on their systems, or is there an alternative agent that's popular that I'm not aware of? I know this really isn't an issue with auditkube, but would love your input!

From one DevOps to another ❤️.

Add AppCanary

Observation

Have Package Level Auditing

Expected Result

Have the nodes being checked by AppCanary as an addon.

Why

Add additional node level security.

Blog Post

  • Tell a story of the use case. Put yourself in the buyer's shoes
  • The dilemma that the team sought to solve for its prospects or customers
  • How are we solving it?
  • What does it look like?
  • How to use it?
  • Reiterate the value prop

Tasks

  • Write Blog Post

  • Build It

  • Add AppCanary API Key

  • Create file in node.

  • Test It

  • Release Blog

  • Release Notes (https://opszero.typeform.com/to/JMnLYH)

  • Update Weebly

  • Post on Product Hunt as New Features / Screenshots

  • Update Adwords

  • Send to Marketing Locations

Support RBAC Configuration

Observation

While we have support for cluster-level security, we need to also address the Kubernetes layer of security.

Expected Result

Have a tool that can generate secure RBAC configurations for HIPAA/PCI

Why

Currently, the default setup for Kubernetes is everything has access to everything and we want to change that.

Blog Post

  • Tell a story of the use case. Put yourself in the buyer's shoes
  • The dilemma that the team sought to solve for its prospects or customers
  • How are we solving it?
  • What does it look like?
  • How to use it?
  • Reiterate the value prop

Tasks
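As an added example of the kind of RBAC configuration this issue asks for (not the project's own tooling, and not a generator), here is a namespace-scoped, read-only Role bound to a group, written with the Terraform kubernetes provider so it can ship alongside the cluster module. The point for HIPAA/PCI review is what is left out: no access to secrets, no write verbs, no cluster-wide binding. Assumed names: a namespace "payments" and an identity-provider group "payments-developers".

```hcl
# Added example, not terraform-aws-kubespot code. Namespace and group names
# are assumptions for illustration.

# Least-privilege read access to one namespace. Secrets are deliberately
# absent: "get secrets" is the permission that turns read-only into
# credential theft.
resource "kubernetes_role" "payments_readonly" {
  metadata {
    name      = "payments-readonly"
    namespace = "payments"
  }
  rule {
    api_groups = [""]
    resources  = ["pods", "pods/log", "services", "configmaps", "endpoints"]
    verbs      = ["get", "list", "watch"]
  }
  rule {
    api_groups = ["apps"]
    resources  = ["deployments", "replicasets", "statefulsets"]
    verbs      = ["get", "list", "watch"]
  }
  # No pods/exec, no pods/portforward: both are remote code execution paths.
}

# RoleBinding (not ClusterRoleBinding) keeps the grant inside the namespace,
# and binding a group rather than individual users keeps membership in the
# identity provider where it can be audited.
resource "kubernetes_role_binding" "payments_readonly" {
  metadata {
    name      = "payments-readonly"
    namespace = "payments"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.payments_readonly.metadata[0].name
  }
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "payments-developers"
  }
}
```

Verify the negative space as well as the grant: `kubectl auth can-i get secrets -n payments --as=someone --as-group=payments-developers` should answer "no", and `kubectl get clusterrolebindings -o wide` should show no binding handing cluster-admin to that group or to system:authenticated.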

Helm3

  • Update ingress.sh to use helm3

Bastion Logging

  • Bastion should have logging for who accessed the machine.
  • This should be sent to LogDNA for logs

CloudWatch Metrics

  • Automatically give the Nodes IAM credentials to write to CloudWatch
  • Install the agent
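The two CloudWatch issues above (AWS CloudWatch Monitoring Scripts, and this one) both come down to giving the nodes a credential that can write metrics and logs. As an added example, not the project's code, this grants the node role only what the CloudWatch agent needs instead of the broad AWS-managed policy, so a compromised node cannot forge metrics into other namespaces or write into arbitrary log groups. It assumes var.node_role_name (the IAM role the nodes assume), var.region and var.account_id; the log-group prefix /kubespot/ and the policy name are illustrative. Installing the agent itself (a DaemonSet) is not shown.

```hcl
# Added example, not terraform-aws-kubespot code. var.node_role_name,
# var.region and var.account_id are assumed; names are illustrative.

data "aws_iam_policy_document" "node_cloudwatch" {
  # PutMetricData has no resource-level ARNs, so the namespace condition is
  # the only way to keep a node from writing into e.g. AWS/RDS metrics that
  # alarms may trust.
  statement {
    sid       = "PutAgentMetrics"
    actions   = ["cloudwatch:PutMetricData"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "cloudwatch:namespace"
      values   = ["CWAgent"]
    }
  }

  # Log writes only under this cluster's own prefix. The trailing wildcard
  # also matches the ":log-stream:*" suffix that PutLogEvents targets.
  statement {
    sid = "WriteAgentLogs"
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogStreams",
    ]
    resources = ["arn:aws:logs:${var.region}:${var.account_id}:log-group:/kubespot/*"]
  }

  # The agent reads instance tags to label metrics (AutoScalingGroupName etc.).
  statement {
    sid       = "DescribeForDimensions"
    actions   = ["ec2:DescribeTags"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "node_cloudwatch" {
  name   = "kubespot-node-cloudwatch"
  policy = data.aws_iam_policy_document.node_cloudwatch.json
}

resource "aws_iam_role_policy_attachment" "node_cloudwatch" {
  role       = var.node_role_name
  policy_arn = aws_iam_policy.node_cloudwatch.arn
}

# The AWS-managed alternative covers the same agent with broader scope
# (unrestricted namespaces and log groups, plus SSM parameter reads):
# resource "aws_iam_role_policy_attachment" "node_cloudwatch_managed" {
#   role       = var.node_role_name
#   policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
# }
```

On EKS the tighter option is to attach this policy to an IAM role for the agent's service account (IRSA) rather than to the node role, so that every other pod on the node does not inherit it through the instance metadata service.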

AWS / Encryption

  • Encryption
    • Aurora
    • Redis

ElastiCache for Redis - Enable encryption in transit and encryption at rest. Docs
ElastiCache for Redis - Enable Multi-AZ failover (for production) Docs

  • Write Docs on using Encrypted Redis

Setup logdna as daemonset

  • Install it using the Kubernetes Terraform provider if logdna_ingestion_key is set
  • Need to include the ossec dir as part of the ingestion as well

AWS / New Security Group for Aurora

Use different security groups for the Aurora DB (it looks like they're using the same group as the EKS nodes). The Aurora security group should only allow traffic from the EKS nodes (and other whitelisted services). @adam A
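The "AWS / Encryption" issue and this one touch the same resources, so one added example serves both (it is not the project's code): a dedicated Aurora security group whose only ingress rule references the EKS node security group rather than a CIDR, and Aurora plus ElastiCache Redis with encryption at rest under a customer-managed KMS key, encryption in transit, and Multi-AZ failover. Assumed inputs: var.vpc_id, var.eks_node_sg_id, var.private_subnet_ids, var.db_password and var.redis_auth_token; resource names, engine and instance sizes are illustrative.

```hcl
# Added example, not terraform-aws-kubespot code. All var.* inputs and names
# are assumptions for illustration.

resource "aws_kms_key" "data" {
  description         = "kubespot data-store encryption"
  enable_key_rotation = true
}

# Aurora gets its own group instead of sharing the node group's. A database
# that only answers connections needs no egress rule at all.
resource "aws_security_group" "aurora" {
  name   = "kubespot-aurora"
  vpc_id = var.vpc_id
}

resource "aws_security_group_rule" "aurora_from_nodes" {
  type                     = "ingress"
  security_group_id        = aws_security_group.aurora.id
  protocol                 = "tcp"
  from_port                = 5432
  to_port                  = 5432
  source_security_group_id = var.eks_node_sg_id # membership-based, not a CIDR
}

resource "aws_db_subnet_group" "aurora" {
  name       = "kubespot-aurora"
  subnet_ids = var.private_subnet_ids
}

resource "aws_rds_cluster" "aurora" {
  cluster_identifier        = "kubespot-aurora"
  engine                    = "aurora-postgresql"
  master_username           = "kubespot"
  master_password           = var.db_password
  db_subnet_group_name      = aws_db_subnet_group.aurora.name
  vpc_security_group_ids    = [aws_security_group.aurora.id]
  storage_encrypted         = true # fixed at creation; changing it later means snapshot + restore
  kms_key_id                = aws_kms_key.data.arn
  deletion_protection       = true
  final_snapshot_identifier = "kubespot-aurora-final"
}

resource "aws_security_group" "redis" {
  name   = "kubespot-redis"
  vpc_id = var.vpc_id
}

resource "aws_security_group_rule" "redis_from_nodes" {
  type                     = "ingress"
  security_group_id        = aws_security_group.redis.id
  protocol                 = "tcp"
  from_port                = 6379
  to_port                  = 6379
  source_security_group_id = var.eks_node_sg_id
}

resource "aws_elasticache_subnet_group" "redis" {
  name       = "kubespot-redis"
  subnet_ids = var.private_subnet_ids
}

resource "aws_elasticache_replication_group" "redis" {
  replication_group_id       = "kubespot-redis"
  description                = "kubespot redis"
  engine                     = "redis"
  node_type                  = "cache.t3.small"
  num_cache_clusters         = 2 # primary plus one replica in another AZ
  port                       = 6379
  subnet_group_name          = aws_elasticache_subnet_group.redis.name
  security_group_ids         = [aws_security_group.redis.id]
  at_rest_encryption_enabled = true
  kms_key_id                 = aws_kms_key.data.arn
  transit_encryption_enabled = true                # clients must connect with TLS
  auth_token                 = var.redis_auth_token # AUTH requires in-transit encryption
  multi_az_enabled           = true
  automatic_failover_enabled = true # required when multi_az_enabled is set
}
```

The "Write Docs on using Encrypted Redis" task in the encryption issue reduces to two client-side facts: with transit_encryption_enabled the client must use TLS (rediss:// URLs or the equivalent library flag), and with auth_token set it must send AUTH before any command. A quick check that the security-group change took effect is to attempt a connection to the Aurora endpoint from any instance outside the node group, which should time out rather than reach the database.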
