Security
Setup the cluster's Audit Log
· ☕ 6 min read
References: https://docs.kublr.com/logging/logging-api-audit/ ; Logging in Kubernetes with Elasticsearch, Kibana, and Fluentd ; Auditing | Kubernetes. Note: Even if this part is not required, you should not ignore it in a dev environment, and you should really, really, REALLY not skip it in production. The audit log contains useful debug information and security traces that show what is going on in your Kubernetes cluster, and even on your whole server(s).

Setup cluster's authentication
· ☕ 9 min read
Here is a diagram of the RBAC setup we are going to implement. 1. Set up Keycloak. We'll use Keycloak to proxy our authentication for all monitors, using a single realm. You may use several realms in real-life situations. This is probably the tough part, and you may have to tweak the following guide heavily. Moreover, I may have forgotten to write some instructions, or some are heavily tied to your very own setup.

Administrate the cluster with authentication
· ☕ 7 min read
Create the realm and the client. References: engineering-notes/kubernetes-keycloak-integration.md at master · zufardhiyaulhaq/engineering-notes · GitHub

    REALM_URL="https://keycloak.{{cluster.baseHostName}}/auth/realms/{{apiServer.realmName}}"
    # Log in
    TOKEN_RESPONSE="$(curl \
      -d "grant_type=password" \
      -d "client_id={{apiServer.clientId}}" \
      -d "client_secret={{apiServer.clientSecret}}" \
      -d "username=admin-user" \
      -d "password=admin-user" \
      $REALM_URL/protocol/openid-connect/token)"
    # Extract the access token
    ACCESS_TOKEN="$(echo "$TOKEN_RESPONSE" | jq '.

Protect monitoring with authentication
· ☕ 2 min read
Now that we have our authentication service up and running, we can protect the dashboards installed in step 06 - Monitoring: See what is going on, using our Keycloak OpenID Connect provider. Here is a diagram of how authorization will be managed: Traefik dashboard: TODO. Kibana: TODO. Kube dashboard. References: Protect Kubernetes Dashboard with OpenID Connect | by Hidetake Iwata | ITNEXT. Again, we are going to set up a new instance of louketo-proxy.

CentOS8 Firewalld Tips
· ☕ 1 min read
Tracking down requests denied by firewalld is a big help in being both strict and precise about what to allow. This small copy-pasta might help you.