DEVOPS WEEKLY ISSUE #590 - 17th April 2022
Several security themed posts this week, from OpenID Connect enabled CD pipelines to security architecture and vulnerability disclosure to WAF. Plus good systems admin posts on networking and incidents.
StackHawk sponsors Devops Weekly
Breathe Life deals with sensitive (and highly regulated) data every day— that’s why they rely on StackHawk and Snyk to notify developers about security issues in proprietary code and open source dependencies. Learn how:
https://sthwk.com/breathe-life
News
A walkthrough of a Terraform pipeline setup. Most interesting for the use of OpenID Connect to remove the need for persistent credentials for AWS.
https://blog.symops.com/2022/04/14/terraform-pipeline-with-github-actions-and-github-oidc-for-aws/
Well written incident reports are always interesting. This one wanders through Kubernetes, gRPC, AWS networking and (of course) DNS.
https://www.datadoghq.com/blog/engineering/grpc-dns-and-load-balancing-incident/
A look at scaling interconnectivity between a cloud environment and a local data centre. Lots of good diagrams.
https://postmarkapp.com/blog/increasing-postmarks-capacity-a-parable-of-pipes
Proactively maintaining Prometheus, especially the underlying time series database, is critical to performance at scale. This post covers how to drop and delete unneeded metrics.
https://tanmay-bhat.medium.com/how-to-drop-and-delete-metrics-in-prometheus-7f5e6911fb33
A detailed walkthrough of a recently disclosed (and fixed) vulnerability in AWS RDS. The general point here, about extensions and the trade off between surface area and security is interesting more generally too.
https://blog.lightspin.io/aws-rds-critical-security-vulnerability
A post on scaling test infrastructure for a growing end-to-end test suite.
https://lumigo.io/blog/build-cypress-tests-infrastructure-serverless-applications/
Tools
Organization Formation is an infrastructure as code tool for AWS Organizations, providing an abstraction and easier starting point than the low level AWS APIs.
https://bahr.dev/2022/02/07/org-formation/
https://github.com/org-formation/org-formation-cli
Curiefense is a web traffic security tool for Kubernetes. Providing a web application security layer, integrated with Envoy and Nginx.
https://www.curiefense.io/
https://github.com/curiefense/curiefense