Network Automation: Accelerating Adoption Through Compliance
Network automation is the key to providing consistent performance across a company’s infrastructure. But establishing a compliant baseline will provide the foundation for effective utilization across the cloud.Sponsored Post: Pinecone, Kinsta, Bridgecrew, IP2Location, StackHawk, InterviewCamp.io, Educative, Stream, Fauna, Triplebyte
Who's Hiring?
- DevOps Engineer: At Kinsta, we set out to create the best managed hosting platform in the world. If you are an experienced DevOps Engineer who is constantly looking for ways to innovate and improve, we might just be the place for you! As Kinsta’s DevOps Engineer, you will be instrumental in making sure that our infrastructure is always on the bleeding edge of technology, remaining stable and high-performing at all times. If you love working with Linux, have a background in PHP, and have worked with cutting-edge technologies, such as Ansible and LXC, check us out and apply here.
- SysOps Engineer: As Kinsta’s SysOps Engineer, you’ll play a key role in caring for the health of our servers, preventing issues, and responding immediately to mitigate any problems in our infrastructure. If you have experience in hosting and with the WordPress stack, have worked with Ubuntu or Debian-based systems, and cutting-edge technologies, such Ansible and LXC, you should definitely check us out and apply here!
- JavaScript Developer: Kinsta’s Development Team aims to create truly effective solutions for our customers and our internal teams. We believe the only way to maintain and scale Continue reading
Encryption: A Building Block of a Trustworthy Internet
At the Internet Society, we’re committed to building a bigger and stronger Internet. To make sure it remains open, globally connected, secure, and trustworthy, we connect the right people to discuss different aspects of key legislative proposals. It’s a healthy way to create debate, setting up the right conditions for different parties to find common […]
The post Encryption: A Building Block of a Trustworthy Internet appeared first on Internet Society.
Kubernetes security policy design: 10 critical best practices
In this blog post, I will be looking at 10 best practices for Kubernetes security policy design. Application modernization is a strategic initiative that changes the way enterprises are doing business. The journey requires a significant investment in people, processes, and technology in order to achieve the desired business outcomes of accelerating the pace of innovation, optimizing cost, and improving an enterprise’s overall security posture. It is crucial to establish the right foundation from the beginning, to avoid the high cost of re-architecture. Developing a standard and scalable security design for your Kubernetes environment helps establish the framework for implementing the necessary checks, enforcement, and visibility to enable your strategic business objectives.
High-level design
Building a scalable Kubernetes security policy design requires that you adopt a fully cloud-native mindset that takes into account how your streamlined CI/CD process should enable security policy provisioning. A sound design would enable your enforcement and policy provisioning requirements in Day-N, while accommodating Day-1 requirements. The following list summarizes the fundamental requirements that a cloud-native security policy design should include:
- Segmentation of the control, management, and data planes
- Segmentation of deployment environments
- Multi-tenancy controls
- Application microsegmentation
- Cluster hardening
- Ingress access control
- Egress access control
- Continue reading
IPv6 Buzz 080: Working With IPv6 In The Management Plane
On today's IPv6 Buzz, Ed and Scott talk about IPv6 in the management plane with network engineers Nick Buraglio and Chris Cummings, including management challenges, dual-stack vs. IPv6 only, IPv6 prefix space for lab deployments, and more.IPv6 Buzz 080: Working With IPv6 In The Management Plane
On today's IPv6 Buzz, Ed and Scott talk about IPv6 in the management plane with network engineers Nick Buraglio and Chris Cummings, including management challenges, dual-stack vs. IPv6 only, IPv6 prefix space for lab deployments, and more.
The post IPv6 Buzz 080: Working With IPv6 In The Management Plane appeared first on Packet Pushers.
Heavy Strategy 008: Five Core Issues for IT Architects in 2021
I’ve just published the latest episode of Heavy Strategy with Johna Til-Johnson. In this episode we discuss five issues that we think IT Architects should be considered for 2021. The discussion on why and why not should be helpful for your own thinking and prepare you for discussions in your own organisations. You can find […]
Microsoft Misplaced Security Priorites
Pays bug bounty pittance, spends big on speculative product
How AI is Changing the Role of Network Managers and Teams
AI tools are set to transform network management and operations. The technology is also poised to bring major changes to the way network leaders and staff work.HS 008: Five Core Issues for IT Architects in 2021
What five issues would be top of mind for IT architects ? Security, Backup.Recovery, Cloud, Skills Development and Distributed/Hybrid Work. Listen in on why and how these issues are our choices. If you have feedback or want us to followup then head over to our Follow Up page and send us your anonymous (or not) feedback.
Heavy Strategy 008: Five Core Issues for IT Architects in 2021
What five issues would be top of mind for IT architects ? Security, Backup.Recovery, Cloud, Skills Development and Distributed/Hybrid Work. Listen in on why and how these issues are our choices. If you have feedback or want us to followup then head over to our Follow Up page and send us your anonymous (or not) feedback.
The post Heavy Strategy 008: Five Core Issues for IT Architects in 2021 appeared first on Packet Pushers.
Automatic Remediation of Kubernetes Nodes
We use Kubernetes to run many of the diverse services that help us control Cloudflare’s edge. We have five geographically diverse clusters, with hundreds of nodes in our largest cluster. These clusters are self-managed on bare-metal machines which gives us a good amount of power and flexibility in the software and integrations with Kubernetes. However, it also means we don’t have a cloud provider to rely on for virtualizing or managing the nodes. This distinction becomes even more prominent when considering all the different reasons that nodes degrade. With self-managed bare-metal machines, the list of reasons that cause a node to become unhealthy include:
- Hardware failures
- Kernel-level software failures
- Kubernetes cluster-level software failures
- Degraded network communication
- Software updates are required
- Resource exhaustion1
Unhappy Nodes
We have plenty of examples of failures in the aforementioned categories, but one example has been particularly tedious to deal with. It starts with the following log line from the kernel:
unregister_netdevice: waiting for lo to become free. Usage count = 1
The issue is further observed with the number of network interfaces on the node owned by the Container Network Interface (CNI) plugin getting out of proportion with the number of running pods:
$ Continue readingRansomware: Quis custodiet ipsos custodes
Many claim that "ransomware" is due to cybersecurity failures. It's not really true. We are adequately protecting users and computers. The failure is in the inability of cybersecurity guardians to protect themselves. Ransomware doesn't make the news when it only accesses the files normal users have access to. The big ransomware news events happened because ransomware elevated itself to that of an "administrator" over the network, giving it access to all files, including online backups.
Generic improvements in cybersecurity will help only a little, because they don't specifically address this problem. Likewise, blaming ransomware on how it breached perimeter defenses (phishing, patches, password reuse) will only produce marginal improvements. Ransomware solutions need to instead focus on looking at the typical human-operated ransomware killchain, identify how they typically achieve "administrator" credentials, and fix those problems. In particular, large organizations need to redesign how they handle Windows "domains" and "segment" networks.
I read a lot of lazy op-eds on ransomware. Most of them claim that the problem is due to some sort of moral weakness (laziness, stupidity, greed, slovenliness, lust). They suggest things like "taking cybersecurity more seriously" or "do better at basic cyber hygiene". These are "unfalsifiable" -- things that nobody Continue reading
Hedge 91: Leslie Daigle and IP Addresses Acting Badly
What if you could connect a lot of devices to the Internet—without any kind of firewall or other protection—and observe attackers trying to find their way “in?” What might you learn from such an exercise? One thing you might learn is a lot of attacks seem to originate from within a relatively small group of IP addresses—IP addresses acing badly. Listen in as Leslie Daigle of Thinking Cat and the Techsequences podcast, Tom Ammon, and Russ White discuss just such an experiment and its results.
Automation Savings Planner
Pre-plan your automation savings with Red Hat Insights for Red Hat Ansible Automation Platform
Enterprise organizations understand that to be leaders in their industries, they must change the way they deliver applications, improve their relationships with customers and gain competitive advantages.
Positioning those advantages to have a positive return on investment often starts with proper planning and automation.
But what does proper planning of your automation even look like?
For some enterprises, proper planning includes reducing automation costs. For others, it’s reducing time spent to open new opportunities.
With this in mind, Red Hat is excited to introduce Automation Savings Planner, a new enhancement that puts automation planning in the forefront within the hosted services on console.redhat.com.
The Automation Savings Planner is designed to provide a one stop shop to plan, track and analyze potential efficiency improvements and cost savings of your automation initiatives.
How does it work?
Users can create an automation savings plan within Red Hat Insights for Red Hat Ansible Automation Platform by defining how long and often the work is done manually, as well as a list of tasks needed to successfully automate this job.
Once defined, you can integrate your newly Continue reading
Day Two Cloud 106: Towards A More Open Cloud
On today's Day Two Cloud we discuss the notion of open cloud. The premise is about reducing or minimizing costs of migrating from a public cloud. In theory, open cloud lets organizations keep their options open to make changes and reduces lock-in. But is open cloud even feasible? Our guest is Chris Psaltis, co-founder and CEO of Mist.io, a startup building an open-source, multi-cloud management platform.Day Two Cloud 106: Towards A More Open Cloud
On today's Day Two Cloud we discuss the notion of open cloud. The premise is about reducing or minimizing costs of migrating from a public cloud. In theory, open cloud lets organizations keep their options open to make changes and reduces lock-in. But is open cloud even feasible? Our guest is Chris Psaltis, co-founder and CEO of Mist.io, a startup building an open-source, multi-cloud management platform.
The post Day Two Cloud 106: Towards A More Open Cloud appeared first on Packet Pushers.