Commit 06cd545

update
1 parent 4130b05 commit 06cd545

File tree

3 files changed

+276
-8
lines changed

_posts/2016-01-23-numbers-to-remember.html

Lines changed: 6 additions & 6 deletions
@@ -18,12 +18,12 @@
1818
original_post_id: '33'
1919
_wp_old_slug: '33'
2020
switch_like_status: '1'
21-
author:
22-
login: shak1r
23-
24-
display_name: shakir
25-
first_name: ''
26-
last_name: ''
21+
#author:
22+
#login: shak1r
23+
24+
#display_name: shakir
25+
#first_name: ''
26+
#last_name: ''
2727
permalink: "/2016/01/23/numbers-to-remember/"
2828
---
2929
<p>89 - OSPF's IP Protocol number</p>
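Review bot: lines 21-26 comment out the `author:` block instead of deleting it, which leaves six lines of dead front matter in the post; if the intent is to drop the author metadata from the generated site, remove the block outright (or state in the commit message why it is kept), and give the commit a more descriptive message than "update", since it touches three unrelated posts.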
Lines changed: 164 additions & 0 deletions
@@ -0,0 +1,164 @@
1+
---
2+
#categories: aws
3+
#title: appwrite > install on aws eks
4+
---
5+
6+
Appwrite is an opensource self hosted backend server, that helps offloading tasks such as
7+
authentication, storage, database etc. So that developers can focus mainly on their frontend
8+
development. In this post we shall install Appwrite on AWS EKS(Elastic Kubernetes Service), as a
9+
deployment and expose it with a LoadBalancer service.
10+
11+
The minimum [resource requirements](https://appwrite.io/docs/installation#systemRequirements) for
12+
Appwrite are 1CPU, and 2GB RAM, these specs should help while we write the
13+
[CPU](https://networkandcode.github.io/2019/03/28/kubernetes-pods-containers-resources-cpu/) and
14+
[Memory](https://networkandcode.github.io/2019/03/28/kubernetes-pods-containers-resources-memory/)
15+
restrictions in the
16+
[YAML](https://yaml.org/spec/1.1/#:~:text=YAML%20uses%20three%20dashes%20(%E2%80%9C%20%2D%2D%2D,%E2%80%9D%20%2D%20%E2%80%9C%20%23%20%E2%80%9D).)
17+
manifest of our kubernetes deployment.
18+
19+
Let's launch an EKS cluster with
20+
[eksctl](https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html).
21+
```
22+
$ eksctl create cluster \
23+
--name hacktoberfest-2021 \
24+
--region us-west-2 \
25+
--fargate
26+
```
27+
28+
For more cluster customizations, you may visit the
29+
[EKS getting started guide](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html).
30+
Also install [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) and
31+
[AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) on your machine.
32+
33+
Let's check the list of clusters using
34+
[aws eks cli](https://docs.aws.amazon.com/cli/latest/reference/eks/index.html). We need to specify the
35+
region or configure the default region prior to listing. In my case its us-west-2.
36+
```
37+
$ aws eks list-clusters --region us-west-2
38+
{
39+
"clusters": [
40+
"hacktoberfest-2021"
41+
]
42+
}
43+
```
44+
45+
There is only one cluster as shown above. We shall update the kubeconfig, so that we can use kubectl
46+
to interact with our aks cluster.
47+
```
48+
$ aws eks update-kubeconfig --name hacktoberfest-2021 --region us-west-2
49+
Added new context arn:aws:eks:us-west-2:<account-id>:cluster/hacktoberfest-2021 to /home/networkandcode/.kube/config
50+
```
51+
52+
We can now start using kubectl, lets validate the context first.
53+
```
54+
$ kubectl config current-context
55+
arn:aws:eks:us-west-2:<account-id>:cluster/hacktoberfest-2021
56+
```
57+
58+
Let's create a separate namespace where we can deploy appwrite.
59+
```
60+
$ kubectl create ns appwrite
61+
namespace/appwrite created
62+
```
63+
64+
I am now going to write the manifest for the Appwrite
65+
[deployment](https://networkandcode.github.io/2019/04/02/kubernetes-deployment/) and
66+
[service](https://networkandcode.github.io/2019/09/04/kubernetes-expose-pods-using-services/). I would
67+
be using the image tag
68+
[0.10.4](https://hub.docker.com/layers/appwrite/appwrite/0.10.4/images/sha256-5eb01c3fb7da40a9ade0862e3669a8ccd23c88c780bfeb835720af0d4df3fbf6?context=explore).
69+
```
70+
$ cat appwrite.yaml
71+
apiVersion: apps/v1
72+
kind: Deployment
73+
metadata:
74+
name: appwrite
75+
spec:
76+
selector:
77+
matchLabels:
78+
name: appwrite
79+
template:
80+
metadata:
81+
labels:
82+
name: appwrite
83+
spec:
84+
containers:
85+
- name: appwrite
86+
image: appwrite/appwrite:0.10.4
87+
resources:
88+
requests:
89+
cpu: 1
90+
memory: 2Gi
91+
limits:
92+
cpu: 1.2
93+
memory: 2.4Gi
94+
---
95+
apiVersion: v1
96+
kind: Service
97+
metadata:
98+
name: appwrite
99+
spec:
100+
selector:
101+
name: appwrite
102+
ports:
103+
- name: http
104+
port: 80
105+
type: LoadBalancer
106+
```
107+
108+
It's time to create the kubernetes deployment and service for appwrite.
109+
```
110+
$ kubectl create -f appwrite.yaml
111+
deployment.apps/appwrite created
112+
service/appwrite created
113+
```
114+
115+
The pod should be up in some time.
116+
```
117+
$ kubectl get po
118+
NAME READY STATUS RESTARTS AGE
119+
appwrite-995bd5c85-b6t28 1/1 Running 0 119s
120+
```
121+
122+
Let's check its events.
123+
```
124+
$ kubectl describe po appwrite-995bd5c85-b6t28 | grep -A 15 Events:
125+
Events:
126+
Type Reason Age From Message
127+
---- ------ ---- ---- -------
128+
Warning LoggingDisabled 12m fargate-scheduler Disabled logging because aws-logging configmap was not found. configmap "aws-logging" not found
129+
Normal Scheduled 11m fargate-scheduler Successfully assigned default/appwrite-995bd5c85-b6t28 to fargate-ip-192-168-154-212.us-west-2.compute.internal
130+
Normal Pulling 11m kubelet Pulling image "appwrite/appwrite:0.10.4"
131+
Normal Pulled 11m kubelet Successfully pulled image "appwrite/appwrite:0.10.4" in 17.415206687s
132+
Normal Created 11m kubelet Created container appwrite
133+
Normal Started 11m kubelet Started container appwrite
134+
```
135+
136+
All seems good so far, let's now see if the endpoints are ok.
137+
```
138+
$ kubectl get ep appwrite
139+
NAME ENDPOINTS AGE
140+
appwrite 192.168.154.212:80 15m
141+
```
142+
143+
And this IP should be of our Appwrite pod.
144+
```
145+
$ kubectl get po -o wide | grep 192.168.154.212
146+
appwrite-995bd5c85-b6t28 1/1 Running 0 15m 192.168.154.212 fargate-ip-192-168-154-212.us-west-2.compute.internal <none> <none>
147+
```
148+
149+
Excellent, let's now get the external IP of our service
150+
```
151+
$ kubectl get svc appwrite
152+
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
153+
appwrite LoadBalancer 10.100.166.56 ab3d79aa8f6344be295e2a935af952d2-763666154.us-west-2.elb.amazonaws.com 80:30109/TCP 16m
154+
155+
$ kubectl get svc appwrite | awk '{print $4}'
156+
EXTERNAL-IP
157+
ab3d79aa8f6344be295e2a935af952d2-763666154.us-west-2.elb.amazonaws.com
158+
```
159+
160+
Use this IP(thats not an IP though, its an [FQDN](https://kb.iu.edu/d/aiuv)) to access the Appwrite UI
161+
over the browser.
162+
```
163+
164+
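Review bot: the `appwrite` namespace created at line 60 is never used: `kubectl create -f appwrite.yaml` at line 110 and the later `kubectl get po` calls run without `-n appwrite`, and the Scheduled event at line 129 confirms the pod landed in `default/`; either add `-n appwrite` to each kubectl command (or `namespace: appwrite` under `metadata:` in both manifests) or drop the namespace step. Smaller issues: the post ends with an opening code fence at line 162 and nothing after it, so the final block is unterminated; line 46 says "aks cluster" where EKS is meant; and lines 2-3 comment out `categories` and `title`, so a file under `_posts/` would build without a title. One sentence from the security side would also help: the `LoadBalancer` Service at lines 95-105 publishes the Appwrite console to the internet on plain HTTP port 80, and the Deployment sets no `securityContext`, so the same `trivy config` checks this commit documents in the juice-shop post (KSV001, KSV012, KSV014, KSV019 and related) would flag it; a short note on restricting access to the endpoint and hardening the pod spec would round the post off.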

_posts/owaspjuiceshop/2021-07-08-owasp-juice-shop-scan-container-with-trivy.md

Lines changed: 106 additions & 2 deletions
@@ -89,7 +89,111 @@ $ cat /tmp/audit.json | jq '.Metadata'
8989
9090
```
9191

92-
So, we have seen how to install Trivy and how to use it to scan the juice shop container image. Thank
93-
you for reading.
92+
We can also use Trivy check kubernetes configuration files and docker files for misconfiguration.
93+
```
94+
$ trivy config .
95+
2021-08-20T14:27:48.418+0530 INFO Need to update the built-in policies
96+
2021-08-20T14:27:48.418+0530 INFO Downloading the built-in policies...
97+
2021-08-20T14:29:31.874+0530 INFO Detected config files: 4
98+
99+
Dockerfile (dockerfile)
100+
=======================
101+
Tests: 23 (SUCCESSES: 23, FAILURES: 0, EXCEPTIONS: 0)
102+
Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
103+
104+
105+
juice-shop-deploy.yaml (kubernetes)
106+
===================================
107+
Tests: 28 (SUCCESSES: 17, FAILURES: 11, EXCEPTIONS: 0)
108+
Failures: 11 (UNKNOWN: 0, LOW: 6, MEDIUM: 5, HIGH: 0, CRITICAL: 0)
109+
110+
+---------------------------+------------+----------------------------------------+----------+--------------------------------------------+
111+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
112+
+---------------------------+------------+----------------------------------------+----------+--------------------------------------------+
113+
| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | Container 'juice-shop' of |
114+
| | | | | Deployment 'juice-shop' should set |
115+
| | | | | 'securityContext.allowPrivilegeEscalation' |
116+
| | | | | to false |
117+
| | | | | -->avd.aquasec.com/appshield/ksv001 |
118+
+ +------------+----------------------------------------+----------+--------------------------------------------+
119+
| | KSV003 | Default capabilities not dropped | LOW | Container 'juice-shop' of Deployment |
120+
| | | | | 'juice-shop' should add 'ALL' to |
121+
| | | | | 'securityContext.capabilities.drop' |
122+
| | | | | -->avd.aquasec.com/appshield/ksv003 |
123+
+ +------------+----------------------------------------+ +--------------------------------------------+
124+
| | KSV011 | CPU not limited | | Container 'juice-shop' of |
125+
| | | | | Deployment 'juice-shop' should |
126+
| | | | | set 'resources.limits.cpu' |
127+
| | | | | -->avd.aquasec.com/appshield/ksv011 |
128+
+ +------------+----------------------------------------+----------+--------------------------------------------+
129+
| | KSV012 | Runs as root user | MEDIUM | Container 'juice-shop' of |
130+
| | | | | Deployment 'juice-shop' should set |
131+
| | | | | 'securityContext.runAsNonRoot' to true |
132+
| | | | | -->avd.aquasec.com/appshield/ksv012 |
133+
+ +------------+----------------------------------------+----------+--------------------------------------------+
134+
| | KSV014 | Root file system is not read-only | LOW | Container 'juice-shop' of |
135+
| | | | | Deployment 'juice-shop' should set |
136+
| | | | | 'securityContext.readOnlyRootFilesystem' |
137+
| | | | | to true |
138+
| | | | | -->avd.aquasec.com/appshield/ksv014 |
139+
+ +------------+----------------------------------------+ +--------------------------------------------+
140+
| | KSV015 | CPU requests not specified | | Container 'juice-shop' of |
141+
| | | | | Deployment 'juice-shop' should |
142+
| | | | | set 'resources.requests.cpu' |
143+
| | | | | -->avd.aquasec.com/appshield/ksv015 |
144+
+ +------------+----------------------------------------+ +--------------------------------------------+
145+
| | KSV016 | Memory requests not specified | | Container 'juice-shop' of |
146+
| | | | | Deployment 'juice-shop' should |
147+
| | | | | set 'resources.requests.memory' |
148+
| | | | | -->avd.aquasec.com/appshield/ksv016 |
149+
+ +------------+----------------------------------------+ +--------------------------------------------+
150+
| | KSV018 | Memory not limited | | Container 'juice-shop' of |
151+
| | | | | Deployment 'juice-shop' should |
152+
| | | | | set 'resources.limits.memory' |
153+
| | | | | -->avd.aquasec.com/appshield/ksv018 |
154+
+ +------------+----------------------------------------+----------+--------------------------------------------+
155+
| | KSV019 | Seccomp policies disabled | MEDIUM | Container 'juice-shop' of |
156+
| | | | | Deployment 'juice-shop' should |
157+
| | | | | specify a seccomp profile |
158+
| | | | | -->avd.aquasec.com/appshield/ksv019 |
159+
+ +------------+----------------------------------------+ +--------------------------------------------+
160+
| | KSV020 | Runs with low user ID | | Container 'juice-shop' of |
161+
| | | | | Deployment 'juice-shop' should set |
162+
| | | | | 'securityContext.runAsUser' > 10000 |
163+
| | | | | -->avd.aquasec.com/appshield/ksv020 |
164+
+ +------------+----------------------------------------+ +--------------------------------------------+
165+
| | KSV021 | Runs with low group ID | | Container 'juice-shop' of |
166+
| | | | | Deployment 'juice-shop' should set |
167+
| | | | | 'securityContext.runAsGroup' > 10000 |
168+
| | | | | -->avd.aquasec.com/appshield/ksv021 |
169+
+---------------------------+------------+----------------------------------------+----------+--------------------------------------------+
170+
171+
juice-shop-svc.yaml (kubernetes)
172+
================================
173+
Tests: 28 (SUCCESSES: 28, FAILURES: 0, EXCEPTIONS: 0)
174+
Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
175+
176+
177+
test/smoke/Dockerfile (dockerfile)
178+
==================================
179+
Tests: 23 (SUCCESSES: 21, FAILURES: 2, EXCEPTIONS: 0)
180+
Failures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
181+
182+
+---------------------------+------------+--------------------+----------+------------------------------------------+
183+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
184+
+---------------------------+------------+--------------------+----------+------------------------------------------+
185+
| Dockerfile Security Check | DS001 | ':latest' tag used | MEDIUM | Specify a tag in the 'FROM' |
186+
| | | | | statement for image 'alpine' |
187+
| | | | | -->avd.aquasec.com/appshield/ds001 |
188+
+ +------------+--------------------+----------+------------------------------------------+
189+
| | DS002 | root user | HIGH | Specify at least 1 USER |
190+
| | | | | command in Dockerfile with |
191+
| | | | | non-root user as argument |
192+
| | | | | -->avd.aquasec.com/appshield/ds002 |
193+
+---------------------------+------------+--------------------+----------+------------------------------------------+
194+
```
195+
196+
So, we have seen how to install Trivy and how to use it to scan the juice shop container image and
197+
check misconfigurations in files. Thank you for reading.
94198

95199
--end-of-post--
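Review bot: the new section stops at the findings table without showing a fix; since the Trivy messages at lines 113-168 name the exact fields (`securityContext.allowPrivilegeEscalation: false`, `runAsNonRoot: true`, `readOnlyRootFilesystem: true`, `capabilities.drop: [ALL]`, a seccomp profile, CPU and memory requests and limits, `runAsUser` and `runAsGroup` above 10000), a hardened `juice-shop-deploy.yaml` followed by a re-run of `trivy config .` showing the failure count drop from 11 would make the post actionable. Also, line 92 is missing a word ("use Trivy to check"), and the DS002 `root user` HIGH finding at line 189 for `test/smoke/Dockerfile` deserves a sentence, since it is the only HIGH in the run.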
