Table of contents
2 post(s) for January 2026
| Git - Duplicating a repository | 2026/01/19 10:22 | Jean-Baptiste |
| Simple Nagios configuration example | 2026/01/14 10:07 | Jean-Baptiste |
Kubernetes (k8s) notes - security
See:
- Kube-bench
Containers!
Ensure Containers Do Not Run As Root
Source : https://www.fairwinds.com/blog/kubernetes-basics-tutorial-ensure-containers-do-not-run-as-root
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  containers:
  - name: busybox
    image: busybox
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      # allowPrivilegeEscalation: false
      # privileged: false
```
If there are no non-root users in the Docker image, you may also need to create one in the Dockerfile, with:
```dockerfile
RUN useradd nonroot -u 1000 --user-group
# useradd is a low level utility for adding users. On Debian, administrators should usually use adduser(8) instead.
```
Forbid the host namespaces
How? Reject pod specs that set these fields (shown here with the values to refuse):
```yaml
spec:
  hostPID: true
  hostIPC: true
  hostNetwork: true
  volumes:
  - name: host-filesystem
    hostPath:
      path: /
```
Other settings
- runAsNonRoot: true: ensures that the container does not run as root. If the image's default user is root, Kubernetes will refuse to start the pod.
- runAsUser: 1000 and runAsGroup: 3000: force the container to use a specific non-root user (UID 1000) and group (GID 3000).
- fsGroup: 2000: ensures that files created in shared volumes have the correct group ownership.
- Container security settings: setting privileged: false, allowPrivilegeEscalation: false, and dropping all capabilities dramatically limits what processes within the container can do.

Settings to refuse (the opposite of the above):
```yaml
securityContext:
  runAsUser: 0
  allowPrivilegeEscalation: true
```
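The host-namespace and securityContext checks above, turned into a small manifest linter. This is an added example, not code from the original notes or from any of the tools they mention; it takes a pod manifest already loaded into a plain dict (as `yaml.safe_load` would give) and the two manifests at the bottom are constructed samples.

```python
def pod_findings(pod):
    """Return (location, finding) pairs for the settings the notes flag."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    # Host namespaces: the notes say to forbid all three.
    for field in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(field):
            findings.append(("spec", f"{field} is true"))
    # A hostPath volume that exposes the node's whole filesystem.
    for vol in spec.get("volumes", []):
        if vol.get("hostPath", {}).get("path") == "/":
            findings.append((f"volumes/{vol.get('name')}", "hostPath mounts /"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        loc = f"containers/{c.get('name')}"
        # Container-level securityContext overrides the pod-level one.
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("runAsUser") == 0:
            findings.append((loc, "runAsUser is 0"))
        if sc.get("runAsNonRoot") is not True:
            findings.append((loc, "runAsNonRoot is not true"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((loc, "allowPrivilegeEscalation is not false"))
        if sc.get("privileged"):
            findings.append((loc, "privileged is true"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append((loc, "capabilities.drop does not include ALL"))
    return findings

# Constructed sample manifests, not taken from a real cluster.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "host-filesystem", "hostPath": {"path": "/"}}],
        "containers": [{"name": "busybox", "image": "busybox",
                        "securityContext": {"runAsUser": 0,
                                            "allowPrivilegeEscalation": True}}],
    },
}
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "good"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                            "runAsGroup": 3000, "fsGroup": 2000},
        "containers": [{"name": "busybox", "image": "busybox",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "privileged": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}
```

The same rules are what a Kyverno or OPA/Gatekeeper policy would enforce at admission time; this script only reviews manifests before they are applied.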
Use:
- ServiceAccount
- RBAC
- mTLS between services
- the EncryptionConfiguration resource for secrets (HashiCorp Vault)
- Secure etcd
- Don't allow pods that run containers as root
- SecurityPolicy (Open Policy Agent / Kyverno)
Use:
- NetworkPolicy (by default every node can communicate with every other node) or a ServiceMesh (sidecar)
Security analysis tools
See:
- m9sweeper
Kube-bench
Step 1: Download the official job manifest
Clone the kube-bench repo or grab job.yaml from the GitHub releases page.
```shell
git clone https://github.com/aquasecurity/kube-bench.git
cd kube-bench
# or
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
```
Step 2: Apply the job to your cluster
```shell
kubectl apply -f job.yaml
```
Step 3: Watch the pod until it shows as Completed
```shell
kubectl get pods -w
```
Step 4: Review the results
```shell
# kubectl logs -l job-name=kube-bench
kubectl logs pod/kube-bench-6zgst
```
Alternatively, run kube-bench from a container on the node itself with podman:
```shell
podman run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t docker.io/aquasec/kube-bench:latest run
```
kubescape
See:
Install
```shell
kubectl krew update
kubectl krew install kubescape
```
Scan
```shell
kubectl kubescape scan
kubescape scan --format html --output results.html
```
See Trivy: vulnerability scanning for container images
Notes - git bundle
Transferring a Git repository to another machine when the two machines have no direct connection (air gap, offline environment).
See
We'll discuss two cases:
- Taking a full backup of a repository
- Transferring the history of a repository to another machine when the two machines have no direct connection
Example of creating a Git bundle
```shell
git bundle create mybundle v1.0.0..master
git bundle create mybundle --since=10.days master
git bundle create mybundle --all
```
Note that --all would not include remote-tracking branches… just like ordinary clone wouldn't either. First clone the repository, and include the --mirror option.
```shell
git clone --mirror git@example.org:path/repo.git
```
Then run
```shell
cd /opt/plop
git bundle create repo.bundle --all
git tag -f lastAGbundle master
```
Later runs bundle only the commits added since the lastAGbundle tag, and on the air-gapped side the bundle is cloned:
```shell
$ cd /opt/plop
$ git bundle create ~/toAG/RepoName.bundle lastAGbundle..master --all
$ git tag -f lastAGbundle master
$ cd /path/to/AG/clone/location
$ git clone /path/to/AG/bundles/RepoName.bundle -b master
$ cd RepoName
$ git gc # Clears some errors
$ # Optionally, push to other remotes
```
Check a bundle before importing it:
```shell
git bundle verify mybundle
```
Example of importing a bundle
```ini
[remote "origin"]
    url = /home/me/tmp/file.bundle
    fetch = refs/heads/*:refs/remotes/origin/*
```
```shell
machineB$ cd R2
machineB$ git pull
```
Other
```shell
$ git bundle list-heads ../commits.bundle
71b84daaf49abed142a373b6e5c59a22dc6560dc refs/heads/master
$ git fetch ../commits.bundle master:other-master
From ../commits.bundle
 * [new branch]      master     -> other-master
```
```shell
git clone --bundle-uri=https://[cdn]/bundle/gitlab-base.bundle
git clone --bundle-uri=https://[cdn]/bundle/gitlab-base.bundle https://gitlab.com/gitlab-org/gitlab-foss.git g2
```
Notes - nerdctl
Alternative to the commands:
- docker
- docker-compose
- podman
- crictl
- ctr
See:
Old:
```shell
export NERDCTL_EXPERIMENTAL=0
```
```
$ nerdctl info
WARNING: AppArmor profile "nerdctl-default" is not loaded.
Use 'sudo nerdctl apparmor load' if you prefer to use AppArmor with rootless mode.
This warning is negligible if you do not intend to use AppArmor.
```
```shell
# nerdctl / kind needs to know the iptables path
export PATH=$PATH:/usr/sbin/
sudo nerdctl apparmor load
nerdctl compose up
```
Debug a Dockerfile
```shell
nerdctl builder debug .
```
List namespaces
```shell
nerdctl namespace ls
```
Connect a container to multiple networks at once:
```shell
nerdctl run --net foo --net bar
```
Talk to the k3s containerd socket and its k8s.io namespace:
```shell
nerdctl --address /run/k3s/containerd/containerd.sock --namespace k8s.io ps
# or CONTAINERD_ADDRESS=/run/k3s/containerd/containerd.sock
```
