Commit 7554e84 (1 parent: 7ed0f0a)

Showing 18 changed files with 221 additions and 1 deletion.
Binary file added (+32.9 KB): source/_static/kubernetes/administer/policy/apiserver_request_handler_chain.webp
Binary file added (+48 KB): source/_static/machine_learning/deep_learning/convolutional_neural_network.png
Binary file added (+26.4 KB): source/_static/machine_learning/deep_learning/recurrent_neural_network.png
Binary file added (+52.3 KB): source/_static/machine_learning/deep_learning/standard_neural_network.png
@@ -0,0 +1,10 @@ | ||
.. _checkov: | ||
|
||
============================ | ||
checkov静态代码分析工具 | ||
============================ | ||
|
||
.. toctree:: | ||
:maxdepth: 1 | ||
|
||
intro_checkov.rst |
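Review bot: this checkov index omits the `.. only:: subproject and html` / `Indices` block (`* :ref:`genindex``) that the bridgecrew index added in the same commit carries. If that block is the convention for subproject index pages, add it here as well so a standalone sub-build of this section still gets its general index; otherwise the two new indexes are inconsistent for no stated reason.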
@@ -0,0 +1,26 @@ | ||
.. _intro_checkov: | ||
|
||
=================== | ||
checkov简介 | ||
=================== | ||
|
||
checkov 是一个静态代码分析工具,用于扫描 ``基础架构即代码`` (infrastructure as code, IaC) 文件是否存在导致安全或合规性问题的错误配置。checkov内置了750多个预定义策略来检查常见的错误配置问题,还支持自定义策略的创建和贡献。 | ||
|
||
支持的IaC类型: | ||
|
||
- Terraform (for AWS, GCP, Azure and OCI) | ||
- CloudFormation (including AWS SAM) | ||
- Azure Resource Manager (ARM) | ||
- Serverless framework | ||
- Helm charts | ||
- Kubernetes | ||
- Docker | ||
|
||
.. note:: | ||
|
||
目前我还没具体实践,但是我认为这是一个值得切入的细分技术领域,后续有合适的机会再验证实践 | ||
|
||
参考 | ||
====== | ||
|
||
- `What is Checkov? <https://www.checkov.io/1.Welcome/What%20is%20Checkov.html>`_ |
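Review bot: the intro never shows how to run the tool, so the page is not actionable after the IaC-type list; one invocation would fix that and would connect it to the apiserver policy page added in the same commit. Suggest adding after the list something like `pip install checkov`, `checkov -d ./terraform --framework terraform` and `checkov -f /etc/kubernetes/manifests/kube-apiserver.yaml --framework kubernetes` (checkov's Kubernetes checks include ones that inspect kube-apiserver flags such as the request timeout; verify the check ID against the installed version). Also tie the "750多个预定义策略" figure to a checkov version or the date of the cited page, since that count changes with every release and will read as wrong soon.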
@@ -17,6 +17,7 @@ DevOps Atlas | |
ansible/index | ||
jsonnet/index | ||
airflow/index | ||
checkov/index | ||
utils/index | ||
docs/index | ||
|
||
|
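Review bot: this toctree hunk adds `checkov/index` but no visible hunk adds `bridgecrew/index`, even though `bridgecrew/index.rst` (label `_bridgecrew`) is created in this commit and itself links `intro_bridgecrew.rst`. If no other changed file in this commit lists it, Sphinx will warn that the document is not included in any toctree and the Bridgecrew pages will be reachable only through the `:ref:` links in intro_bridgecrew.rst; add `bridgecrew/index` next to `checkov/index` here (or wherever the security tooling is grouped) and confirm the build is warning-free.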
@@ -0,0 +1,25 @@ | ||
.. _protobuf: | ||
|
||
============================ | ||
Protocol Buffers (Protobuf) | ||
============================ | ||
|
||
Protocol Buffers (Protobuf) 是免费开源的跨平台数据格式,用于结构化数据的序列化和反序列化: | ||
|
||
- Protocol Buffer的设计目标强调简单性和性能,特别设计成比XML更小、更快。Protocol Buffers 在 Google 被广泛用于存储和交换各种结构化信息。 该方法是自定义远程过程调用 (RPC) 系统的基础,几乎用于 Google 的所有机器间通信。 | ||
- Protocol Buffer 与 Apache Thrift、Ion 和 Microsoft Bond 协议类似。 提供一个具体的 RPC 协议栈以用于称为 gRPC 的定义服务。 | ||
- 数据结构模式(称为消息)和服务在 proto 定义文件 (.proto) 中描述并使用 protoc 进行编译。 此编译生成可由这些数据结构的发送者或接收者调用的代码。 | ||
- Protobuf 没有单一的规范。该格式最适合不超过几兆字节的小数据块,并且可以立即加载/发送到内存中,因此不是可流格式(streamable format)。 | ||
- Protobuf不仅是一种消息格式,还是一组定义和交换这些消息的规则和工具。Google开源了该协议,并提供了最为常用的编程语言生成代码的工具。例如,JavaScript、Java、PHP、C#、Ruby、Objective C、Python、C++ 和 Go。 | ||
- Protobuf比JSON拥有更多的数据类型,例如枚举和方法,并且也大量用于RPC(远程过程调用) | ||
|
||
.. note:: | ||
|
||
:ref:`kubernetes` 的apiserver提供了支持Protobuf通讯的模式,可以大幅度提高客户端和apiserver的效率,所以在大型Kuernetes集群常会看到这样的支持配置 | ||
|
||
|
||
参考 | ||
======== | ||
|
||
- `wikipedia: Protocol Buffers <https://en.wikipedia.org/wiki/Protocol_Buffers>`_ | ||
- `Beating JSON performance with Protobuf <https://auth0.com/blog/beating-json-performance-with-protobuf/>`_ |
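Review bot: the bullet "比JSON拥有更多的数据类型,例如枚举和方法" conflates data types with service definitions: `enum` is a type, but `rpc` methods are declared inside a `service` block and are not a data type. Reword to something like "枚举、嵌套消息和有类型的标量字段", and mention `service`/`rpc` separately as the part gRPC builds on. Two more points on the `.. note::`: "Kuernetes" is missing the "b"; and it would help to say how a client actually opts in, e.g. kubelet and kube-controller-manager accept `--kube-api-content-type=application/vnd.kubernetes.protobuf`, with the caveat that the protobuf content type is a performance choice only and changes nothing about TLS, authentication or authorization of the request.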
source/kubernetes/administer/policy/apiserver_request-timeout.rst (32 additions, 0 deletions)
@@ -0,0 +1,32 @@ | ||
.. _apiserver_request-timeout: | ||
|
||
================================== | ||
Kubernetes apiserver 请求超时设置 | ||
================================== | ||
|
||
.. figure:: ../../../_static/kubernetes/administer/policy/apiserver_request_handler_chain.webp | ||
|
||
API Server请求处理链路 | ||
|
||
``--request-timeout`` 参数设置Kubernetes apiserver的全局连接超时时间。这个设置调整可以允许API服务器的请求超时限制延长到适合用户连接速度的持续时间。默认设置是 ``60秒`` ,在比较慢的连接上可能会出现问题: 也就是一旦请求的数据量超过60秒内可以传输的数据量,就会导致集群资源无法访问。但是,如果将这个超时设置调整太大,可能会耗尽API服务器的资源,从而容易遭受拒绝服务攻击(Denial-of-Service attack)。所以,这个参数应该合理设置,并且仅在需要时才更改 ``60秒`` 默认设置。 | ||
|
||
如果请求超时,客户端将收到错误,则客户端可能会重试请求或相应处理失败。注意,如果客户端因为超时不断重试,反而会加重API服务器的负载,所以设计好的客户端需要有一个自动机制避免不断重复请求。此外,正确配置这个超时参数,能够恰好满足客户端数据下载,同时不至于过分增加API服务器的负担,这对确保Kubernetes集群及其组件的稳定运行非常重要。 | ||
|
||
调整案例: | ||
|
||
.. literalinclude:: apiserver_request-timeout/kube-apiserver_request-timeout.yaml | ||
:language: yaml | ||
:caption: 调整 ``kube-apiserver`` 默认运行参数 ``--request-timeout`` | ||
:emphasize-lines: 14 | ||
|
||
修订apiserver的运行pod配置文件是 ``/etc/kubernetes/manifests/kube-apiserver.yaml`` | ||
|
||
.. note:: | ||
|
||
在大规模的Kubernetes集群,大量的数据传输,上述 ``--request-timeout`` 可能需要调整为 ``5m0`` 或者 ``10m0`` | ||
|
||
参考 | ||
====== | ||
|
||
- `Ensure the --request-timeout argument is set appropriately <https://docs.bridgecrew.io/docs/ensure-that-the-request-timeout-argument-is-set-as-appropriate>`_ | ||
- `DevOps in K8s — API-Server Request Handler Chain, Request Timeout <https://blog.devgenius.io/devops-in-k8s-api-server-request-handler-chain-request-timeout-b0cf597ddcb2>`_ |
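Review bot: two corrections in this file. First, `5m0` and `10m0` in the note are not valid Go durations (every component needs a unit), so `--request-timeout=5m0` would make kube-apiserver fail to start with a flag-parse error; write `5m0s`/`5m` and `10m`. Second, the first paragraph calls `--request-timeout` a "全局连接超时时间": it is the default handler timeout for a single non-long-running request, not a connection timeout, and watch, exec, port-forward and log streaming are governed by `--min-request-timeout` and are unaffected. That matters for the security argument the paragraph makes: raising it to several minutes only lengthens how long one slow list/get can pin a handler, which is the resource-exhaustion surface being warned about, so the page should state what the flag does and does not cover. The retry remark in the second paragraph would also be stronger if it named the actual guardrails: exponential backoff in the client, and `--max-requests-inflight`/`--max-mutating-requests-inflight` plus API Priority and Fairness on the server.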
...ubernetes/administer/policy/apiserver_request-timeout/kube-apiserver_request-timeout.yaml (16 additions, 0 deletions)
@@ -0,0 +1,16 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
creationTimestamp: null | ||
labels: | ||
component: kube-apiserver | ||
tier: control-plane | ||
name: kube-apiserver | ||
namespace: kube-system | ||
spec: | ||
containers: | ||
- command: | ||
- kube-apiserver | ||
- --request-timeout=2m3s | ||
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 | ||
... |
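Review bot: the `image:` line pins `gcr.io/google_containers/kube-apiserver-amd64:v1.6.0`, a 2017 tag on a registry that has since moved to `registry.k8s.io`; because the rst tells readers to edit `/etc/kubernetes/manifests/kube-apiserver.yaml`, pasting this snippet as-is would replace the control plane's apiserver image. Either drop the `image:` line from the excerpt or pin it to the cluster's actual version, and add a caption remark that the trailing `...` elides the remaining flags (`--etcd-servers`, `--client-ca-file`, ...) so nobody reads the three-item `command` as a complete invocation. The `:emphasize-lines: 14` in the rst does line up with `- --request-timeout=2m3s` here, which is fine.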
@@ -0,0 +1,12 @@ | ||
.. _k8s_policy: | ||
|
||
====================== | ||
Kubernetes策略配置 | ||
====================== | ||
|
||
`Bridgecrew <https://docs.bridgecrew.io/docs/what-is-bridgecrew>`_ 是Prisma Cloud的自动安全工程师,专注于发现和修复代码、云计算架构。在 `Bridgecrew docs <https://docs.bridgecrew.io/>`_ 提供了大量安全索引(也就是该公司 ``Bridgecrew`` 产品的后端依据),可以作为学习和参考 | ||
|
||
.. toctree:: | ||
:maxdepth: 1 | ||
|
||
apiserver_request-timeout.rst |
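Review bot: terminology drifts between the two new descriptions of the product: "自动安全工程师" here versus "自动化安全引擎" in intro_bridgecrew.rst in the same commit; pick one rendering and use it in both places. The clause "专注于发现和修复代码、云计算架构" is also missing its object; "专注于发现和修复代码与云架构中的安全问题" reads as intended.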
@@ -0,0 +1,17 @@ | ||
.. _bridgecrew: | ||
|
||
================================= | ||
Bridgecrew | ||
================================= | ||
|
||
.. toctree:: | ||
:maxdepth: 1 | ||
|
||
intro_bridgecrew.rst | ||
|
||
.. only:: subproject and html | ||
|
||
Indices | ||
======= | ||
|
||
* :ref:`genindex` |
@@ -0,0 +1,41 @@ | ||
.. _intro_bridgecrew: | ||
|
||
================== | ||
Bridgecrew简介 | ||
================== | ||
|
||
`Bridgecrew by Prisma Cloud <https://docs.bridgecrew.io/>`_ 是 `Prisma Cloud <https://www.paloaltonetworks.com/prisma/cloud>`_ 的自动化安全引擎,专注于代码和云架构的漏洞发现和修复。 | ||
|
||
特性: | ||
|
||
- 云和代码安全: 查找 IaC、Secrets、Images、SCA 等中的错误配置和漏洞,使用简化的策略管理来管理应用程序和基础设施开发 | ||
- 补救措施(remediation): 自动生成的代码修复程序可以修复和修补易受攻击的代码 (有点类似GitHub的Dependabot/Code scanning/Secret scanning) | ||
- 多生态集成: 提供30多个生态集成以及功能齐全的CLI、API和Terraform provider,开发者可以选择和自定义自己的工具链应用程序 | ||
- 资产追踪: 使用可追溯性标签,用户可以定位基于特定 IaC 资源创建的云资源、检测 IaC 模板的偏差并跟踪云和代码之间的差异 | ||
- 供应链安全: 应用程序依赖关系的全面清单和可视化 | ||
|
||
.. note:: | ||
|
||
`Prisma Cloud <https://www.paloaltonetworks.com/prisma/cloud>`_ 是 `Palo Alto Networks <https://www.paloaltonetworks.com/>`_ 旗下的解决方案之一。 `Palo Alto Networks中文官网 <https://www.paloaltonetworks.cn/>`_ 有关于该公司解决方案的介绍: | ||
|
||
- 全球网路安全领导者,专注于云计算(内部、云交付、云原生、边缘云、运营)的全面解决方案 | ||
|
||
这是一个非常有特色的安全技术领域,从 `Bridgecrew by Prisma Cloud <https://docs.bridgecrew.io/>`_ | ||
文档中可以看到,这个产品是集成到软件仓库、云计算、持续集成、IDE开发环境以及Kubernetes和私有仓库的安全工具。当平台给予Bridgecrew管理员级别权限,该自动化引擎会扫描系统,给出漏洞、风险评估以及对应的解决方案。虽然Bridgecrew不是开源软件(实际是SaaS),但是它的架构理念、后端策略(例如 :ref:`k8s_policy` )、以及集成的开源组件是非常值得研究借鉴的: | ||
|
||
- :ref:`checkov` : infrastructure as code(IaC)的静态代码分析工具 | ||
|
||
在 `Bridgecrew by Prisma Cloud <https://docs.bridgecrew.io/>`_ 文档网站可以参考云计算配置的建议,了解设置的优缺点,不断改进自己的部署: | ||
|
||
- 我在 :ref:`k8s_policy` 中借鉴和实践 | ||
|
||
.. note:: | ||
|
||
Bridgecrew服务是一个SaaS(Software as a service) Security,其构建架构在大型软件、互联网公司有很强的市场。 | ||
|
||
我想在后续找机会学习实践... | ||
|
||
参考 | ||
======= | ||
|
||
- `What is Bridgecrew? <https://docs.bridgecrew.io/docs/what-is-bridgecrew>`_ |
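Review bot: "当平台给予Bridgecrew管理员级别权限" both overstates what scanning needs and glosses over the trust decision. A SaaS scanner that reads repositories and cloud accounts needs read access for the discovery and policy checks the page lists, while the remediation and drift-fixing features (auto-generated fix PRs) need write scope; say which permission set each feature requires and recommend scoping the integration to the minimum, because the scanner's credentials become a high-value target precisely in proportion to the access they hold. Minor: "全球网路安全领导者" should use "网络" in simplified text.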