After the big license change, now someone is talking about a big sale at HashiCorp 😦 https://archive.is/iPekU
Bash
To generate a strong random #password you don’t need suspicious online services, just plain old bash (or WSL). This function reads from the kernel’s /dev/urandom device, whose output is cryptographically secure; we then keep only the acceptable characters in a list and finally cut a 16-character string.
Maybe keep it handy as a function in your .bashrc 🙂
function getNewPsw(){
    # tr -dc deletes every byte that is NOT in the set, so only the listed
    # printable ASCII characters survive: letters, digits and punctuation.
    # The single quote is spliced into the set with '\'' and ',-.' is a range
    # covering , - and . (consecutive in ASCII).
    # head -c 16 keeps the first 16 characters; echo ends the line.
    tr -dc 'A-Za-z0-9!"#$%&'\''()*+,-./:;<=>?@[\]^_`{|}~' </dev/urandom | head -c 16; echo
}
Here we’re going to see together how to fix a buggy Kubernetes setup, thanks to a nice KodeKloud challenge, where:
The persistent volume claim can’t be bound to the persistent volume
Load the ‘AppArmor’ profile called ‘custom-nginx’ and ensure it is enforced.
The deployment alpha-xyz uses an insecure image and needs to mount the ‘data volume’.
‘alpha-svc’ should be exposed on ‘port: 80’ and ‘targetPort: 80’ as ClusterIP
Create a NetworkPolicy called ‘restrict-inbound’ in the ‘alpha’ namespace. Policy Type = ‘Ingress’. Inbound access only allowed from the pod called ‘middleware’ with label ‘app=middleware’. Inbound access only allowed to TCP port 80 on pods matching the policy
‘external’ pod should NOT be able to connect to ‘alpha-svc’ on port 80
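The ‘restrict-inbound’ policy from the task list, written out as an added example (not the author’s manifest or the KodeKloud solution); the pod label app=alpha-xyz on the alpha-xyz deployment is an assumption, substitute the real pod label:

```yaml
# Added example (not the author's manifest): the 'restrict-inbound' policy
# described in the task list. Assumption: the alpha-xyz pods carry the label
# app=alpha-xyz; substitute the deployment's real pod label.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-inbound
  namespace: alpha
spec:
  # Pods the policy applies to (assumed label, see above). Once a pod is
  # selected, every inbound connection not matched below is denied.
  podSelector:
    matchLabels:
      app: alpha-xyz
  policyTypes:
    - Ingress          # egress is deliberately left untouched
  ingress:
    - from:
        # No namespaceSelector here, so this only matches pods in 'alpha'.
        - podSelector:
            matchLabels:
              app: middleware
      ports:
        - protocol: TCP
          port: 80     # the pod port (targetPort), which here equals the Service port
```

The ‘external’ pod carries no app=middleware label, so its connections to alpha-svc on port 80 are dropped, which is exactly the last requirement. A NetworkPolicy is only enforced when the cluster’s CNI plugin supports it; on a CNI without policy support the object is accepted but has no effect.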
1 Persistent Volume Claim
So first of all we notice the PVC is there but pending, so let’s look into it.
One of the first differences we notice is the access mode, which is ReadWriteOnce on the PVC while ReadWriteMany on the PV.
Also we want to check if that storage class exists on the cluster.
Let’s fix that by creating a local-storage resource:
Get the PVC YAML, delete the extra lines and modify the access mode:
For this exercise the permitted images are: ‘nginx:alpine’, ‘bitnami/nginx’, ‘nginx:1.13’, ‘nginx:1.17’, ‘nginx:1.16’ and ‘nginx:1.14’. We use ‘trivy’ to find the image with the fewest ‘CRITICAL’ vulnerabilities.