Pietro Terrizzi ptx96 South - Italy

clastix/kubectl 1

Kubernetes CLI running in a container. ARM supported.

ptx96/capsule 1

Kubernetes Operator for multi-tenancy

ptx96/capsule-proxy 0

Reverse proxy for Capsule Operator.

ptx96/ckd-capsule-app 0

YTT templates for the Capsule module

ptx96/docker-kubectl 0

Yet another kubectl repository

ptx96/kubectl 0

Kubernetes CLI running in a container. ARM supported.

ptx96/kubescape 0

kubescape is the first tool for testing if Kubernetes is deployed securely as defined in the Kubernetes Hardening Guidance by NSA and CISA (https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)

ptx96/oom 0

Mirror of https://gerrit.onap.org/r/#/admin/projects/oom

ptx96/prometheus 0

Kubernetes Setup for Prometheus and Grafana

ptx96/terraform-provider-ovirt 0

Terraform provider for oVirt 4.x

started xManager-v2/xManager-Spotify

started time in a day

started docker-slim/docker-slim

started time in 11 days

delete branch ptx96/ckd-capsule-app

delete branch : dev

delete time in 11 days

delete branch ptx96/ckd-capsule-app

delete branch : alegrey91

delete time in 11 days

PR closed ptx96/ckd-capsule-app

first draft of charts using ytt
+1811 -30

2 comments

18 changed files

alegrey91

pr closed time in 11 days

delete branch ptx96/ckd-capsule-app

delete branch : ptx

delete time in 11 days

push event ptx96/ckd-capsule-app

Pietro Terrizzi

commit sha 2a5cc3289b73e8331a113e90be88c5203de178b9

ytt templates refactoring and upgrading to v0.1.0 (#4)

  * feat(ytt): initial values
  * fix(chart): add function to imports
  * feat(ytt): added crds
  * fix(ytt): fixed loglevel "default" logic
  * fix(ytt): added "v" to image tag parser
  * feat(ytt): added monitoring sa
  * fix(ytt): modified webhook strategy
  * feat(ytt): sync with v0.1.0 1035afc

Co-authored-by: alegrey91 <ale_grey_91@hotmail.it>

push time in 11 days

PR merged ptx96/ckd-capsule-app

ytt templates refactoring and upgrading to v0.1.0 (label: enhancement)
+1389 -37

0 comment

19 changed files

ptx96

pr closed time in 11 days

PR opened ptx96/ckd-capsule-app

ytt templates refactoring and upgrading to v0.1.0 (label: enhancement)
+1389 -37

0 comment

19 changed files

pr created time in 11 days

member event

push event ptx96/ckd-capsule-app

Pietro Terrizzi

commit sha 2d5c27e56bbc2d186eee32c2c45b7c6c5d17f5e6

feat(ytt): sync with v0.1.0 1035afc

push time in 19 days

issue comment clastix/capsule

Evaluate needed security measures as defined in Kubernetes Hardening Guidance

Added more tests to the issue description.

@ptx96 can you run the test suite again excluding the Capsule Namespace and update the comment with the new results?

In this way, only cluster-wide resources have been retrieved (probably out of scope).

We can ignore the capsule-system Namespace since our Operator has to act as cluster admin.

I don't think we should ignore capsule-system namespace, because we'd lose focus on some interesting checks.

ptx96

comment created time in a month

issue opened clastix/capsule

Evaluate needed security measures as defined in Kubernetes Hardening Guidance

Background

The Kubernetes Hardening Guidance by NSA and CISA details recommendations to harden Kubernetes systems;

while some security measures depend on the target cluster and its architecture, others are closely related to containers and Pods, due to possible vulnerabilities, misconfiguration, and wrong privileges.

Proposal

To speed up the recognition and fix of possible breaches, we could test the armosec/kubescape utility against the namespace of a freshly installed capsule;

then, consider which actions to take and which to exclude as out of scope/unrepairable.

Output

$ kubescape scan framework nsa --exclude-namespaces kube-system,kube-public,[...]

ARMO security scanner starting
[progress] Downloading framework definitions
[success] Downloaded framework
[progress] Accessing Kubernetes objects
[success] Accessed successfully to Kubernetes objects, let’s start!!!
[progress] Scanning cluster
◑ [success] Done scanning cluster

[control: Applications credentials in configuration files] failed 😥
Description: Attackers who have access to configuration files can steal the stored secrets and use them. Checks if ConfigMaps or pods have sensitive information in configuration.
   Namespace capsule-system
      ConfigMap - kube-root-ca.crt

[control: Automatic mapping of service account] failed 😥
Description: Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.
   Namespace capsule-system
      ServiceAccount - capsule
      ServiceAccount - default

[control: Cluster-admin binding] failed 😥
Description: Attackers who have Cluster-admin permissions, or permissions to create bindings and cluster-bindings can take advantage of their high privileges for malicious intentions. Determines which subjects have cluster admin permissions.
      ClusterRole - capsule-namespace-provisioner
      ClusterRoleBinding - capsule-namespace-provisioner
      ClusterRole - cluster-admin
      ClusterRoleBinding - capsule-manager-rolebinding
      ClusterRoleBinding - cluster-admin

[control: Exec into container] failed 😥
Description: Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). Determines which subjects have permissions to exec into containers.
      ClusterRole - cluster-admin
      ClusterRoleBinding - capsule-manager-rolebinding
      ClusterRoleBinding - cluster-admin

[control: Immutable container filesystem] failed 😥
Description: Mutable container filesystem can be abused to gain malicious code and data injection into containers. Use immutable (read-only) filesystem to limit potential attacks.
   Namespace capsule-system
      Deployment - capsule-controller-manager

[control: Resource policies] failed 😥
Description: CPU and memory resources should have a limit set for every container to prevent resource exhaustion.
   Namespace capsule-system
      Deployment - capsule-controller-manager

Test parameters

  • Kubernetes version: kubeadm - v1.20.9
  • Capsule version: v0.1.0-rc6
  • Kubescape version: v0.0.38

created time in a month

pull request review event

fork ptx96/kubescape

kubescape is the first tool for testing if Kubernetes is deployed securely as defined in the Kubernetes Hardening Guidance by NSA and CISA (https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)

fork in a month

pull request comment clastix/capsule

Change webhook metric used in Grafana dashboard

I've uploaded this new dashboard and it seems to work flawlessly. Now we also list the convert webhook, but this one does not appear to be triggered by the current e2e tests.

image

@prometherion WDYT?

bsctl

comment created time in a month

started renovatebot/renovate

started time in a month

issue opened clastix/capsule

Grafana Webhook variable does not provide all possible values until triggered

Bug description

We currently fetch the "Webhook" variable's values from the controller_runtime_webhook_latency_seconds_sum metric. However, this solution does not provide all possible values until the related webhooks are triggered.

How to reproduce

Simply upload the capsule dashboard without executing any trigger/test.

Expected behavior

image

created time in a month

started armosec/kubescape

started time in a month

PR opened clastix/capsule

Monitoring documentation and Grafana dashboard screenshots (labels: documentation, v0.1.0)

Close #301

+189 -7

0 comment

12 changed files

pr created time in a month

push event ptx96/capsule

Pietro Terrizzi

commit sha 2229bf4da9033801029e3fe24cfeea66136bfdcb

docs(monitoring): added screenshots

Pietro Terrizzi

commit sha 0f7b39423618fc09ee6e28adc735c381efc24c94

docs(helm): added further servicemonitor values

Pietro Terrizzi

commit sha c2c2da2738b0f69e2508c87fa00a6c4d27858e35

docs(monitor): capsule dashboard install and steps

push time in a month

push event ptx96/capsule

Dario Tranchitella

commit sha c140ab076e94b3d0acd21e0f734776f3968a4ef3

ci(gh): adding git semantic commit message check

Adriano Pezzuto

commit sha 63935418187f5a2088441b111c5e496d06d22664

build(helm): update chart and app version (#395)

  * build(helm): update chart and app version
  * fix(docs): helm charts values descriptions

Co-authored-by: Dario Tranchitella <dario@tranchitella.eu>

bsctl

commit sha 23e55c685c2bb4cdc1ad05f71648a9b13b3ba453

docs: documenting the Conventional git Commit Messages

bsctl

commit sha 713867d9167edf09b8bc56357a2f35237d13c6c9

docs: documenting required new-line at the end of the file

bsctl

commit sha cb8e504832584f9f3f6454c6ecc5be7e07d0da16

docs: add general contribution guidelines for capsule-proxy

push time in a month

push event ptx96/capsule

Dario Tranchitella

commit sha c140ab076e94b3d0acd21e0f734776f3968a4ef3

ci(gh): adding git semantic commit message check

Adriano Pezzuto

commit sha 63935418187f5a2088441b111c5e496d06d22664

build(helm): update chart and app version (#395)

  * build(helm): update chart and app version
  * fix(docs): helm charts values descriptions

Co-authored-by: Dario Tranchitella <dario@tranchitella.eu>

Pietro Terrizzi

commit sha e8767f533901e914ac050b6ff2c3e6f6f43604e0

docs(monitoring): added screenshots

Pietro Terrizzi

commit sha 4cdfc9a63c6af55de92f6e5875858ceadf5fb50a

docs(helm): added further servicemonitor values

Pietro Terrizzi

commit sha 8cabb43a3e1dbc90bb0a68781c86e570e4d2426d

docs(monitor): capsule dashboard install and steps

push time in a month

push event ptx96/capsule

Pietro Terrizzi

commit sha b3d5b68f88e40007df97a503d4344b97c73c6881

docs(monitoring): added screenshots

Pietro Terrizzi

commit sha 023636ab5713fca79cb08eee68fd64384382924a

docs(helm): added further servicemonitor values

Pietro Terrizzi

commit sha 68053fd3eea442a00a6a65c0ec51eb3c38d5ebe8

docs(monitor): capsule dashboard install and steps

push time in a month

create branch ptx96/capsule

branch : issues/301

created branch time in a month

push event ptx96/capsule

Dario Tranchitella

commit sha c140ab076e94b3d0acd21e0f734776f3968a4ef3

ci(gh): adding git semantic commit message check

Adriano Pezzuto

commit sha 63935418187f5a2088441b111c5e496d06d22664

build(helm): update chart and app version (#395)

  * build(helm): update chart and app version
  * fix(docs): helm charts values descriptions

Co-authored-by: Dario Tranchitella <dario@tranchitella.eu>

push time in a month

started TehloWasTaken/HomeDashboard

started time in a month

fork ptx96/prometheus

Kubernetes Setup for Prometheus and Grafana

fork in a month