DEVOPS WEEKLY ISSUE #556 - 22nd August 2021
Identify and access management, data operations, root cause analysis, SLOs and a few interesting Kubernetes security posts and tools this week.
StackHawk sponsors Devops Weekly
Trying to automate application and API security testing? See how StackHawk and Burp Suite Enterprise stack up:
https://sthwk.com/burp
News
Access and Identify is a deep topic, no more so when it comes to AWS. This post does a good job of explaining the current situation and related problems, and discusses potential improvements.
https://ben11kehoe.medium.com/aws-doesnt-know-who-i-am-here-s-why-that-s-a-problem-4aeca591b0a6
Gatekeeper (the Kubernetes policy enforcement tool) now has an alpha capability to mutate resources. This post is a good introduction, including an example of automatically fixing pod security admission issues.
https://medium.com/@LachlanEvenson/mutating-kubernetes-resources-with-gatekeeper-3e5585d49ead
Everyone likes the idea of a single root cause when a problem occurs. This post compares that to how we think about successes, to make the point about the fragility of looking for a singular root cause.
https://surfingcomplexity.blog/2021/08/13/root-cause-of-failure-root-cause-of-success
A detailed post on how best to audit and secure an AWS account.
https://acloudguru.com/blog/engineering/how-to-audit-and-secure-an-aws-account
A good post on service level objectives. It starts out with a good introduction, but it’s nice to see concrete examples and discussion of how to implement this in code, in this case with Ruby and Java.
https://www.betterment.com/resources/service-level-objectives-slo
If you’ve read much about SRE, you’ll probably have heard of the four golden signs of monitoring. This post provides a quick introduction and suggests some improvements and gaps.
https://rootly.io/blog/how-to-improve-upon-google-s-four-golden-signals-of-monitoring
The infrastructure for storage and usage of internal data is an ever-growing part of lots of operations teams responsibilities. This post provides a useful high level view of such a modern data platform.
https://towardsdatascience.com/the-anatomy-of-an-active-metadata-platform-13473091ad0d
Tools
Secrets and Kubernetes can be a challenge. This webhook provides one option, injecting secrets into Kubernetes resources from various secrets managers including Vault, AWS, GCP and Azure secrets managers.
https://github.com/OT-CONTAINER-KIT/k8s-vault-webhook
Kubescape is a new security scanning tool for checking the setup of a Kubernetes cluster, based on the recently published NSA and CISA guidance.
https://github.com/armosec/kubescape