PyCon ID 2023 - Ridwan Fadjar Septian.pdf

•

1 j'aime•189 vues

I build security scanner prototype for Kubernetes with Python3 standard library only. I presented this slide at PyCon Indonesia 2023.

Technologie

BUILD A SECURITY SCANNER FOR
KUBERNETES BASED ON CIS BENCHMARK
WITH PYTHON3 STANDARD LIBRARY
Ridwan Fadjar Septian

TABLE OF
CONTENT
01.
02.
CIS BENCHMARK FOR K8S
BUILDING THE PROTOTYPE
How CIS Benchmark works for K8s
03. DEVELOPMENT TOOLS
04. PRE-COMMIT
Architecture and source code
Tools for building the prototype
Ensuring quality at before create pull request
05. GITHUB ACTION
Ensuring quality before merge
to master

HELLO!
I’m Ridwan Fadjar. Currently, I’m working as Cloud
Infrastructure Engineer at Dkatalis Digital Lab. I love to
create something with Python, Ansible or Terraform

CIS BENCHMARK
FOR K8S
01.
How CIS benchmark for Kubernetes

FREE TO USE
RATIONALE
CIS Benchmarks are freely
available in PDF format for
non-commercial use
https://www.cisecurity.org/b
enchmark/kubernetes
The reason why the control
should be remediate

REMEDIATION
AUDIT
Practical steps to remediate
any violation to CIS controls
for K8s
Best practice to check the
evidence againts controls
with straight forward
instructions

REFERENCES
IMPACT
Useful reference from
credible source that define
the audit control
possible risk that might surface if we
don’t remediate the control

BUILDING
Arhictecture and source code
02.

SUMMARY
argparse, for parsing command line
arguments from user
subprocess, for building utilities which
used by the scanner
typing, ensure data type that used as
parameters and return value are meet
expectation and secure
Python Standard Library which I used for
building this security scanner are only those
three below:

SCANNING WORKER NODE
SCANNING MASTER NODE
python3 kubus/kubus.py --dist minikube --target
worker
$ python3 kubus/kubus.py --dist minikube --target master

DEVELOPMET
TOOLS
Tools for building the prototype
03.

DEVELOPMENT TOOLS
Python3, latest edition of Python programming language (e.g. support
typing value)
Black, the uncompromising Python code formatter created by PSF
Ruff, an extremely fast Python linter and code formatter, written in Rust
created by Astral-sh (but I use the linter only)
Bandit, tool designed to find common security issues in Python code
created by PyCQA
Pre-commit, tools for performing multiple tasks as hook before you
commit your changes
Github Action, automation for software development workflows
I use several tools when building this security scanner:

PRE-COMMIT
Ensuring quality at before create pull request
04.

AT A GLANCE
Ensure that your project is Git initialized
Write pre-commit hooks file inside the project
Install pre-commit -> pip install pre-commit
Install dependencies -> pre-commit install
Run pre-commit manually -> pre-commit run --all-files

GITHUB ACTION
Ensuring quality before merge to master
05.

Q & A
Is there anyone who want to raise question?

THANK YOU
Github Repo:
https://github.com/ridwanbejo/kubus

Contenu connexe

Similaire à PyCon ID 2023 - Ridwan Fadjar Septian.pdf

✭✭ NOTE: a revised version of this lab is available at https://www.slideshare.net/williamyeh/rd-kubernetes-gdg-cloud-kh-201908-version ✭✭ 90-Minute Workshop held at Taiwan Cloud Edge Summit 2019 (台灣雲端大會). * 課程簡介 Kubernetes 是目前雲端環境的顯學。可是，傳統的程式，並不是原封不動搬上去，就能夠自動享受 Kubernetes 所宣稱的種種好處。新的環境，不僅需要新的 Ops 思維，也需要新的 Dev 思維。我們將以一個半小時的時間，從軟體研發者的角度，探討軟體的設計該做哪些最起碼的改變，從實作中體驗 Kubernetes 引進的新觀念及新效益。 * 課程目標從實例中體驗，傳統 web 應用程式在搬上 Kubernetes 時，可能會經歷哪些架構面的調整，才能享受新架構的效益： - 容器化 - 微服務 - 組態管理 - 多重環境管理：本機端與雲端（以 GKE 為例）

給 RD 的 Kubernetes 初體驗

William Yeh

Continuous Integration with Cloud Foundry Concourse and Docker on OpenPOWER

Indrajit Poddar

Slides of a session that I have given/will give at various developer conferences in H1 2018. Niklas Heidloff http://twitter.com/nheidloff http://heidloff.net Summary Article http://heidloff.net/article/when-to-use-serverless-kubernetes OpenWhisk https://openwhisk.apache.org https://github.com/ibm-functions/composer https://github.com/nheidloff/openwhisk-debug-nodejs Kubernetes https://kubernetes.io https://istio.io IBM Cloud http://ibm.biz/nheidloff Abstract There is a lot of debate whether to use Serverless or Kubernetes to build cloud-native apps. Both have their advantages and unique capabilities which developers should take into consideration when planning new projects. We will throw some light on the topics ease of use, maturity, types of scenarios, developer productivity and debugging, supported languages, DevOps and monitoring, performance, community and pricing. Cloud-native architectures shift the complexity from within an application to orchestrations of Microservices. Both Kubernetes and Serverless have their strengths which we will discuss. Besides the core development topics, developers should also understand operational aspects how complicated it is to maintain your own systems versus using managed platforms.

When to use Serverless? When to use Kubernetes?

Niklas Heidloff

Continuous Integration using Jenkins with Python

Inexture Solutions

Ian huston getting started with cloud foundry

Jessica Willis

Ian Huston - "Deploying your data driven web app on Cloud Foundry"

Sheamus McGovern

devops ppt for hjs jsdjhjd hsdbusinees.pptx

Deepakgupta273447

See how Ian Whitestone (Data Scientist at Shopify) created Domi – #Toronto Apartment Finder app, using #Serverless Framework #Zappa for #Python on #AWS, #PostGIS, #Slack, and some #Regression Techniques: https://www.youtube.com/watch?v=JE_zEqe7M_8 http://ServerlessToronto.org thanks https://www.linkedin.com/company/trend-micro for catering, https://www.linkedin.com/company/myplanethq for hosting, and https://www.linkedin.com/company/manning-publications-co for book giveaways!

Using Data Science & Serverless Python to find apartment in Toronto

Daniel Zivkovic

Cncf checkov and bridgecrew

LibbySchulze

Princeton RSE Peer network first meeting

Henry Schreiner

Deploying Kubernetes without scaring off your security team - KubeCon 2017

Major Hayden

Software Quality Assurance Tooling - Wintersession 2024

Henry Schreiner

CloudLand, Juni/Juli 2022, Mario-Leander Reimer (@LeanderReimer, Principal Software Architect bei QAware). == Dokument bitte herunterladen, falls unscharf! Please download slides if blurred! == Kubernetes is the de-facto standard when it comes to container orchestration. But why is there is no established, standard and uniform way to spin-up and manage a single or even a whole farm of Kubernetes clusters yet? Instead, a whole bunch of different and mostly incompatible ways towards Kubernetes exist today. Each with its own pros and cons in regards to ease of use, flexibility and many other requirements. In this session we will have a closer look at the different available options to create, manage and operate Kubernetes clusters at scale.

Cluster-as-code. The Many Ways towards Kubernetes

QAware GmbH

Container Technologien erfreuen sich grosser Beliebtheit und sind mittlerweile auch im Microsoft Entwicklerumfeld angekommen. Visual Studio als Entwicklungswerkzeug bietet neu eine direkte Docker Unterstützung und mit Asp.NET Core respektive .NET Core ist auch die Kompatibilität mit Linux-basierten Docker Containern gegeben. Erfahren Sie in diesem Vortrag, wie sie mit Visual Studio und TFS eine Docker-basierte Build und Release Automatisierung implementieren und betreiben. Mit Azure Container Services haben wir einen skalierbare und ausfallsicheren Cluster zur Verfügung, welcher sich optimal in unsere Release-Pipeline integriert.

Experts Live Switzerland 2017 - Automatisierte Docker Release Pipeline mit VS...

Marc Müller

Moderne Serverless-Computing-Plattformen sind in aller Munde und stellen ein Programmiermodell zur Verfügung, wo sich der Nutzer keine Gedanken mehr über die Administration der Server, Storage, Netzwerk, virtuelle Maschinen, Hochverfügbarkeit und Skalierbarkeit machen brauch, sondern sich auf das Schreiben von eigenen Code konzentriert. Der Code bildet die Geschäftsanforderungen modular in Form von kleinen Funktionspaketen (Functions) ab. Functions sind das Herzstück der Serverless-Computing-Plattform. Sie lesen von der (oft Standard-)Eingabe, tätigen ihre Berechnungen und erzeugen eine Ausgabe. Die zu speichernden Ergebnisse von Funktionen werden in einem permanenten Datastore abgelegt, wie z.B. der Autonomous Database gespeichert. Die Autonomous Database besitzt folgende drei Eigenschaften self-driving, self-repairing und self-securing, die für einen modernen Anwendungsentwicklungsansatz benötigt werden.

"Wie passen Serverless & Autonomous zusammen?"

Volker Linz

Today’s cutting edge companies have software release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous integration and delivery, which automates building, testing, and deploying all code changes. This automation helps you catch bugs sooner and accelerates developer productivity. In this session, we’ll share the processes followed by Amazon engineers and discuss how you can bring them to your company by using a set of application lifecycle management tools from AWS: the newly announced AWS CodeBuild service, AWS CodePipeline, and AWS CodeDeploy.

AWS Code Services

Amazon Web Services

Continuous Integration using Cruise Control

elliando dias

API Documentation plays an important role in improving the customer’s experience with APIs, which is always a struggle for most of the company. The way to accomplish this is to transition API development culture from “Code First” to “Design First”, here in SAS we call it “API First”. For better API designing and documentation, we have built an API First CI/CD workflow which brings many open-sourced API tools together and involves developers, product managers, documentation writers, and testers to synchronously work together to develop APIs in a “Design First” approach, the industry standard. In the talk, we will discuss how the API-first Workflow could enable better collaboration between teams which could help in many aspects especially writing the openAPI documentation, keeping it up to date and sync with your code. We will take a deep look at one example, the Linting tool from API First workflow, which helps to make sure the API documentation follows the company standard from the start. With openSource linting tools like Spectral, it’s easy for teams to define their own linting rules which includes company standards. When your API specifications go through the linter in the CI/CD pipeline, the linter will throw errors and warnings as you write your spec. This will help ensure your specification is following proper guidelines and that’s all automatic.

API First Workflow: How could we have better API Docs through DevOps pipeline

Pronovix

A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024

Cloud Native NoVA

@ 2020/04/20 SDN x Cloud Native Meetup #27 隨著CNCF將Falco納入incubator project，eBPF這藏於Linux核心內的技術也開始受到矚目。 eBPF，一個從1992年就出現的技術，一路走來經過了甚麼樣的變化? 對於你我目前，或未來的工作又會有甚麼影響呢? 本次分享將會介紹eBPF的前世今生，帶各位了解何謂eBPF。並透過實際範例演示eBPF工具的特殊用法。

Introduction of eBPF - 時下最夯的Linux Technology

Jace Liang

Similaire à PyCon ID 2023 - Ridwan Fadjar Septian.pdf (20)

給 RD 的 Kubernetes 初體驗

Continuous Integration with Cloud Foundry Concourse and Docker on OpenPOWER

When to use Serverless? When to use Kubernetes?

Continuous Integration using Jenkins with Python

Ian huston getting started with cloud foundry

Ian Huston - "Deploying your data driven web app on Cloud Foundry"

devops ppt for hjs jsdjhjd hsdbusinees.pptx

Using Data Science & Serverless Python to find apartment in Toronto

Cncf checkov and bridgecrew

Princeton RSE Peer network first meeting

Deploying Kubernetes without scaring off your security team - KubeCon 2017

Software Quality Assurance Tooling - Wintersession 2024

Cluster-as-code. The Many Ways towards Kubernetes

Experts Live Switzerland 2017 - Automatisierte Docker Release Pipeline mit VS...

"Wie passen Serverless & Autonomous zusammen?"

AWS Code Services

Continuous Integration using Cruise Control

API First Workflow: How could we have better API Docs through DevOps pipeline

A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024

Introduction of eBPF - 時下最夯的Linux Technology

Plus de Ridwan Fadjar

My Hashitalk Indonesia April 2024 Presentation

Ridwan Fadjar

Cloud Infrastructure automation with Python-3.pdf

Ridwan Fadjar

GraphQL- Presentation

Ridwan Fadjar

Bugs and Where to Find Them (Study Case_ Backend).pdf

Ridwan Fadjar

Introduction to Elixir and Phoenix.pdf

Ridwan Fadjar

Ridwan Fadjar Septian PyCon ID 2021 Regular Talk - django application monitor...

Ridwan Fadjar

CS meetup 2020 - Introduction to DevOps

Ridwan Fadjar

Why Serverless?

Ridwan Fadjar

SenseHealth Indonesia Sharing Session - Do we really need growth mindset (1)

Ridwan Fadjar

Risk Analysis of Dutch Healthcare Company Information System using ISO 27001:...

Ridwan Fadjar

A Study Review of Common Big Data Architecture for Small-Medium Enterprise

Ridwan Fadjar

Mongodb intro-2-asbasdat-2018-v2

Ridwan Fadjar

Mongodb intro-2-asbasdat-2018

Ridwan Fadjar

Mongodb intro-1-asbasdat-2018

Ridwan Fadjar

Resftul API Web Development with Django Rest Framework & Celery

Ridwan Fadjar

Memulai Data Processing dengan Spark dan Python

Ridwan Fadjar

Kisah Dua Sejoli: Arduino & Python

Ridwan Fadjar

Mengenal Si Ular Berbisa - Kopi Darat Python Bandung Desember 2014

Ridwan Fadjar

Modul pelatihan-django-dasar-possupi-v1

Ridwan Fadjar

Membuat game-shooting-dengan-pygame

Ridwan Fadjar

Plus de Ridwan Fadjar (20)

My Hashitalk Indonesia April 2024 Presentation

Cloud Infrastructure automation with Python-3.pdf

GraphQL- Presentation

Bugs and Where to Find Them (Study Case_ Backend).pdf

Introduction to Elixir and Phoenix.pdf

Ridwan Fadjar Septian PyCon ID 2021 Regular Talk - django application monitor...

CS meetup 2020 - Introduction to DevOps

Why Serverless?

SenseHealth Indonesia Sharing Session - Do we really need growth mindset (1)

Risk Analysis of Dutch Healthcare Company Information System using ISO 27001:...

A Study Review of Common Big Data Architecture for Small-Medium Enterprise

Mongodb intro-2-asbasdat-2018-v2

Mongodb intro-2-asbasdat-2018

Mongodb intro-1-asbasdat-2018

Resftul API Web Development with Django Rest Framework & Celery

Memulai Data Processing dengan Spark dan Python

Kisah Dua Sejoli: Arduino & Python

Mengenal Si Ular Berbisa - Kopi Darat Python Bandung Desember 2014

Modul pelatihan-django-dasar-possupi-v1

Membuat game-shooting-dengan-pygame

Dernier

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

BooK Now Call us at +918448380779 to hire a gorgeous and seductive call girl for sex. Take a Delhi Escort Service. The help of our escort agency is mostly meant for men who want sexual Indian Escorts In Delhi NCR. It should be noted that any impersonator will get 100 attention from our Young Girls Escorts in Delhi. They will assume the position of reliable allies. VIP Call Girl With Original Photos Book Tonight +918448380779 Our Cheap Price 1 Hour not available 2 Hours 5000 Full Night 8000 TAG: Call Girls in Delhi, Noida, Gurgaon, Ghaziabad, Connaught Place, Greater Kailash Delhi, Lajpat Nagar Delhi, Mayur Vihar Delhi, Chanakyapuri Delhi, New Friends Colony Delhi, Majnu Ka Tilla, Karol Bagh, Malviya Nagar, Saket, Khan Market, Noida Sector 18, Noida Sector 76, Noida Sector 51, Gurgaon Mg Road, Iffco Chowk Gurgaon, Rajiv Chowk Gurgaon All Delhi Ncr Free Home Deliver

08448380779 Call Girls In Civil Lines Women Seeking Men

Delhi Call girls

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Scaling API-first – The story of a global engineering organization

Radu Cotescu

Histor y of HAM Radio presentation slide

vu2urc

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Enterprise Knowledge’s Urmi Majumder, Principal Data Architecture Consultant, and Fernando Aguilar Islas, Senior Data Science Consultant, presented "Driving Behavioral Change for Information Management through Data-Driven Green Strategy" on March 27, 2024 at Enterprise Data World (EDW) in Orlando, Florida. In this presentation, Urmi and Fernando discussed a case study describing how the information management division in a large supply chain organization drove user behavior change through awareness of the carbon footprint of their duplicated and near-duplicated content, identified via advanced data analytics. Check out their presentation to gain valuable perspectives on utilizing data-driven strategies to influence positive behavioral shifts and support sustainability initiatives within your organization. In this session, participants gained answers to the following questions: - What is a Green Information Management (IM) Strategy, and why should you have one? - How can Artificial Intelligence (AI) and Machine Learning (ML) support your Green IM Strategy through content deduplication? - How can an organization use insights into their data to influence employee behavior for IM? - How can you reap additional benefits from content reduction that go beyond Green IM?

Driving Behavioral Change for Information Management through Data-Driven Gree...

Enterprise Knowledge

GenCyber Cyber Security Day Presentation

Michael W. Hawkins

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

Sara Mae O’Brien Scott and Tatiana Baquero Cakici, Senior Consultants at Enterprise Knowledge (EK), presented “AI Fast Track to Search-Focused AI Solutions” at the Information Architecture Conference (IAC24) that took place on April 11, 2024 in Seattle, WA. In their presentation, O’Brien-Scott and Cakici focused on what Enterprise AI is, why it is important, and what it takes to empower organizations to get started on a search-based AI journey and stay on track. The presentation explored the complexities of enterprise search challenges and how IA principles can be leveraged to provide AI solutions through the use of a semantic layer. O’Brien-Scott and Cakici showcased a case study where a taxonomy, an ontology, and a knowledge graph were used to structure content at a healthcare workforce solutions organization, providing personalized content recommendations and increasing content findability. In this session, participants gained insights about the following: Most common types of AI categories and use cases; Recommended steps to design and implement taxonomies and ontologies, ensuring they evolve effectively and support the organization’s search objectives; Taxonomy and ontology design considerations and best practices; Real-world AI applications that illustrated the value of taxonomies, ontologies, and knowledge graphs; and Tools, roles, and skills to design and implement AI-powered search solutions.

IAC 2024 - IA Fast Track to Search Focused AI Solutions

Enterprise Knowledge

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Heather Hedden, Senior Consultant at Enterprise Knowledge, presented “The Role of Taxonomy and Ontology in Semantic Layers” at a webinar hosted by Progress Semaphore on April 16, 2024. Taxonomies at their core enable effective tagging and retrieval of content, and combined with ontologies they extend to the management and understanding of related data. There are even greater benefits of taxonomies and ontologies to enhance your enterprise information architecture when applying them to a semantic layer. A survey by DBP-Institute found that enterprises using a semantic layer see their business outcomes improve by four times, while reducing their data and analytics costs. Extending taxonomies to a semantic layer can be a game-changing solution, allowing you to connect information silos, alleviate knowledge gaps, and derive new insights. Hedden, who specializes in taxonomy design and implementation, presented how the value of taxonomies shouldn’t reside in silos but be integrated with ontologies into a semantic layer. Learn about: - The essence and purpose of taxonomies and ontologies in information and knowledge management; - Advantages of semantic layers leveraging organizational taxonomies; and - Components and approaches to creating a semantic layer, including the integration of taxonomies and ontologies

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

Enterprise Knowledge

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Presentation on how to chat with PDF using ChatGPT code interpreter

naman860154

Dernier (20)

Axa Assurance Maroc - Insurer Innovation Award 2024

08448380779 Call Girls In Civil Lines Women Seeking Men

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Boost Fertility New Invention Ups Success Rates.pdf

Powerful Google developer tools for immediate impact! (2023-24 C)

Scaling API-first – The story of a global engineering organization

Histor y of HAM Radio presentation slide

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Driving Behavioral Change for Information Management through Data-Driven Gree...

GenCyber Cyber Security Day Presentation

The 7 Things I Know About Cyber Security After 25 Years | April 2024

IAC 2024 - IA Fast Track to Search Focused AI Solutions

Data Cloud, More than a CDP by Matt Robison

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

How to Troubleshoot Apps for the Modern Connected Worker

presentation ICT roal in 21st century education

Presentation on how to chat with PDF using ChatGPT code interpreter

PyCon ID 2023 - Ridwan Fadjar Septian.pdf

1. BUILD A SECURITY SCANNER FOR KUBERNETES BASED ON CIS BENCHMARK WITH PYTHON3 STANDARD LIBRARY Ridwan Fadjar Septian

2. TABLE OF CONTENT 01. 02. CIS BENCHMARK FOR K8S BUILDING THE PROTOTYPE How CIS Benchmark works for K8s 03. DEVELOPMENT TOOLS 04. PRE-COMMIT Architecture and source code Tools for building the prototype Ensuring quality at before create pull request 05. GITHUB ACTION Ensuring quality before merge to master

3. HELLO! I’m Ridwan Fadjar. Currently, I’m working as Cloud Infrastructure Engineer at Dkatalis Digital Lab. I love to create something with Python, Ansible or Terraform

4. CIS BENCHMARK FOR K8S 01. How CIS benchmark for Kubernetes

5. FREE TO USE RATIONALE CIS Benchmarks are freely available in PDF format for non-commercial use https://www.cisecurity.org/b enchmark/kubernetes The reason why the control should be remediate

6. REMEDIATION AUDIT Practical steps to remediate any violation to CIS controls for K8s Best practice to check the evidence againts controls with straight forward instructions

7. REFERENCES IMPACT Useful reference from credible source that define the audit control possible risk that might surface if we don’t remediate the control

8. BUILDING Arhictecture and source code 02.

9. ARCHITECTURE

10. SOURCE CODE - MAIN

11. SOURCE CODE - UTILS

12. SOURCE CODE - SCANNER

13. SOURCE CODE - BENCMARKER

14. SOURCE CODE - CONTROLS

15. SUMMARY argparse, for parsing command line arguments from user subprocess, for building utilities which used by the scanner typing, ensure data type that used as parameters and return value are meet expectation and secure Python Standard Library which I used for building this security scanner are only those three below:

16. HOW TO RUN IT?

17. SCANNING WORKER NODE SCANNING MASTER NODE python3 kubus/kubus.py --dist minikube --target worker $ python3 kubus/kubus.py --dist minikube --target master

18. SCANNING MASTER NODE

19. DEVELOPMET TOOLS Tools for building the prototype 03.

20. DEVELOPMENT TOOLS Python3, latest edition of Python programming language (e.g. support typing value) Black, the uncompromising Python code formatter created by PSF Ruff, an extremely fast Python linter and code formatter, written in Rust created by Astral-sh (but I use the linter only) Bandit, tool designed to find common security issues in Python code created by PyCQA Pre-commit, tools for performing multiple tasks as hook before you commit your changes Github Action, automation for software development workflows I use several tools when building this security scanner:

21. BLACK - EXAMPLE (BEFORE)

22. BLACK - EXAMPLE (AFTER)

23. RUFF - EXAMPLE

24. RUFF - EXAMPLE

25. BANDIT - EXAMPLE

26. BANDIT - EXAMPLE

27. PRE-COMMIT Ensuring quality at before create pull request 04.

28. AT A GLANCE Ensure that your project is Git initialized Write pre-commit hooks file inside the project Install pre-commit -> pip install pre-commit Install dependencies -> pre-commit install Run pre-commit manually -> pre-commit run --all-files

29. PRE-COMMIT HOOKS - EXAMPLE

30. PRE-COMMIT HOOKS - EXAMPLE ( 1)

31. PRE-COMMIT HOOKS - EXAMPLE ( 1)

32. PRE-COMMIT HOOKS - EXAMPLE ( 1)

33. PRE-COMMIT HOOKS - EXAMPLE ( 2)

34. PRE-COMMIT HOOKS - EXAMPLE ( 2)

35. GITHUB ACTION Ensuring quality before merge to master 05.

36. GITHUB ACTION PIPELINE - EXAMPLE

37. GITHUB ACTION PIPELINE - EXAMPLE

38. GITHUB ACTION PIPELINE - EXAMPLE

39. GITHUB ACTION PIPELINE - EXAMPLE

40. GITHUB ACTION PIPELINE - EXAMPLE