As a reminder to myself. When looking for a good site security scanner to use owasp zap.
As a reminder to myself. When looking for a good site security scanner to use owasp zap.
Set kubectl path
# Set the path to kubectl
# Example path if using microk8s "/snap/bin/microk8s kubectl"
k="/usr/bin/kubectl"
Set the rolling update strategy to have a maxUnavailable to avoid outages.
echo "https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"
NAMESPACE="PLACEHOLDER"
DEPLOYMENT_NAME="PLACEHOLDER"
$k -n $NAMESPACE patch deployment $DEPLOYMENT_NAME -p "{\"spec\":{\"strategy\":{\"rollingUpdate\":{\"maxSurge\": 0, \"maxUnavailable\": \"25%\"}, \"type\": \"RollingUpdate\"}}}"
Health checks are important to managing a cluster. They are used to determine if pods are online and healthy or offline and needs disposal and new pods spun up.
Has the pod started?
echo "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/"
NAMESPACE="PLACEHOLDER"
DEPLOYMENT_NAME="PLACEHOLDER"
STARTUPPROBE="/healthz"
PORT="443"
SCHEME="HTTPS"
$k -n $NAMESPACE patch deployment $DEPLOYMENT_NAME -p "{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"$DEPLOYMENT_NAME\",\"startupProbe\":{\"httpGet\": {\"path\":\"$STARTUPPROBE\", \"port\": $PORT, \"scheme\": \"$SCHEME\"}, \"failureThreshold\": 30, \"periodSeconds\": 10}}]}}}}"
Is the pod alive.
echo "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/"
NAMESPACE="PLACEHOLDER"
DEPLOYMENT_NAME="PLACEHOLDER"
LIVEPROBE="/healthz/live"
PORT="443"
SCHEME="HTTPS"
$k -n $NAMESPACE patch deployment $DEPLOYMENT_NAME -p "{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"$DEPLOYMENT_NAME\",\"livenessProbe\":{\"httpGet\": {\"path\":\"$LIVEPROBE\", \"port\": $PORT, \"scheme\": \"$SCHEME\"}, \"initialDelaySeconds\": 30, \"failureThreshold\": 3, \"timeoutSeconds\": 5}}]}}}}"
Is the pod alive and ready to serve traffic.
echo "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/"
NAMESPACE="PLACEHOLDER"
DEPLOYMENT_NAME="PLACEHOLDER"
READYPROBE="/healthz/ready"
PORT="443"
SCHEME="HTTPS"
$k -n $NAMESPACE patch deployment $DEPLOYMENT_NAME -p "{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"$DEPLOYMENT_NAME\",\"readinessProbe\":{\"httpGet\": {\"path\":\"$READYPROBE\", \"port\": $PORT, \"scheme\": \"$SCHEME\"}, \"initialDelaySeconds\": 30, \"failureThreshold\": 30, \"timeoutSeconds\": 15}}]}}}}"
Upgrade or downgrade images.
echo "https://kubernetes.io/docs/reference/kubectl/cheatsheet/"
NAMESPACE="PLACEHOLDER"
DEPLOYMENT_NAME="PLACEHOLDER"
IMAGE_NAME="PLACEHOLDER"
$k -n $NAMESPACE patch deployment $DEPLOYMENT_NAME -p "{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"$DEPLOYMENT_NAME\",\"image\":\"$IMAGE_NAME\"}]}}}}"
Request a set reservation of memory and cpu. This helps kubernetes properly schedule pods across clusters.
echo "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
NAMESPACE="PLACEHOLDER"
DEPLOYMENT_NAME="PLACEHOLDER"
RAM="128Mi"
CPU="500m"
$k -n $NAMESPACE patch deployment $DEPLOYMENT_NAME -p "{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"$DEPLOYMENT_NAME\",\"resources\":{\"requests\": {\"memory\":\"$RAM\", \"cpu\": \"$CPU\"}}}]}}}}"
Set a limit on memory and cpu.
echo "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
NAMESPACE="PLACEHOLDER"
DEPLOYMENT_NAME="PLACEHOLDER"
RAM="2048Mi"
CPU="2500m"
$k -n $NAMESPACE patch deployment $DEPLOYMENT_NAME -p "{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"$DEPLOYMENT_NAME\",\"resources\":{\"limits\": {\"memory\":\"$RAM\", \"cpu\": \"$CPU\"}}}]}}}}"
As of June 2023 code signing requires that hardware tokens must be used. The following documentation is an opinionated way to to make this work using digicert. This document does not cover initial setup and purchase of ev code signing cert. This document will only cover using an ev hardware token with SafeNet.
DigiCert’s SafeNet instructions.
The hardware token must be attached to the computer. The SafeNet Authentication client tool must be running in the user session and logged in.
WILL NOT WORK IN RDP/SSH SESSION.
Example command syntax as of March 25, 2023.
.\signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /n "Certs Subject Name Goes Here" "C:\path\to\fileToSign.exe"
The above example will prompt you with for the hardwares signing token and it must be manually entered for each file signed.
How to Enable Single Logon for a SafeNet Token
Navigate to Start > Program Files > Safenet > Safenet Authentication Client Tools.
With the above done SafeNet will only prompt once per session for the hardware signing token password.
Export the certificate. See Automate Extended Validation (EV) code signing. The examples below is taken from that stackoverflow post. It has screenshots. Read it.
Ensure that the ** characters remain just replace the characters **THE_PASSWORD.
& "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /n "Certs Subject Name Goes Here" /f "C:\the\path\to\exported\cert.cer" /csp "eToken Base Cryptographic Provider" /kc "[THE_READER{{THE_TOKEN_PASSWORD}}]=THE_CONTAINER_NAME" "C:\path\to\fileToSign.exe"
For /kc the value should be in the format below:
[reader{{password}}]=name
Where:
See the newer 2024-10-19 post dotnet crystal reports on linux via crystalcmd post.
old stuff
WARNING. Do not use. This is one big experiment.
crystalcmd is a:
Java and c# program to load json files into crystal reports and produce PDFs.
IIS
curl https://c.majorsilence.com/status
curl -F "reportdata=@test.json" -F "reporttemplate=@report.rpt" https:///export --output testout.pdf
# test localhost
curl -F "reportdata=@test.json" -F "reporttemplate=@report.rpt" https:///export --output testout.pdf
Add the package Majorsilence.CrystalCmd.Client to your project.
dotnet add package Majorsilence.CrystalCmd.Client
cs code
DataTable dt = new DataTable();
// init reprt data
var reportData = new Majorsilence.CrystalCmd.Client.Data()
{
DataTables = new Dictionary<string, string>(),
MoveObjectPosition = new List<Majorsilence.CrystalCmd.Client.MoveObjects>(),
Parameters = new Dictionary<string, object>(),
SubReportDataTables = new List<Majorsilence.CrystalCmd.Client.SubReports>()
};
// add as many data tables as needed. The client library will do the necessary conversions to json/csv.
reportData.AddData("report name goes here", "table name goes here", dt);
// export to pdf
var crystalReport = System.IO.File.ReadAllBytes("The rpt template file path goes here");
using (var instream = new MemoryStream(crystalReport))
using (var outstream = new MemoryStream())
{
var rpt = new Majorsilence.CrystalCmd.Client.Report(serverUrl, username: "The server username goes here", password: "The server password goes here");
using (var stream = await rpt.GenerateAsync(reportData, instream, _httpClient))
{
stream.CopyTo(outstream);
return outstream.ToArray();
}
}
By default, kubectl looks for a file named config in the $HOME/.kube directory. You can specify other kubeconfig files by setting the KUBECONFIG environment variable or by setting the –kubeconfig flag.
To set an alternative kubectl config path set the KUBECONFIG environment variable or set the –kubeconfig flag.
export KUBECONFIG=~/path/to/kubeconfig.yaml
kubectl get nodes
kubectl get nodes --kubeconfig ~/path/to/kubeconfig.yaml