https://marktaguiad.dev/tags/security/ Recent content in Security on marktaguiad.dev Hugo en-us marktaguiad@marktaguiad.dev (Mark Taguiad) marktaguiad@marktaguiad.dev (Mark Taguiad) marktaguiad.dev Sun, 19 Apr 2026 00:00:00 +0000 https://marktaguiad.dev/post/k8s-sealed-secrets/ Sun, 19 Apr 2026 00:00:00 +0000marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/k8s-sealed-secrets/ <p><img class="theme-image" src="https://marktaguiad.dev/images/devops/k8s-notes/k8s-sealed-secrets.png" data-light="/images/devops/k8s-notes/k8s-sealed-secrets.png" data-dark="/images/devops/k8s-notes/k8s-sealed-secrets-dark.png" alt="Secret" > k8s-sealed-secrets.png Managing secrets in Kubernetes is a bit tricky. Native <code>Secret</code> objects are only <code>base64-encoded</code>—not encrypted—making them unsafe for Git-based workflows. If you&rsquo;re doing GitOps (e.g., with Argo CD), committing raw secrets is not an option.</p> <p>This is where <a href="https://github.com/bitnami-labs/sealed-secrets">Sealed Secrets</a> comes in.</p> <h1 id="table-of-contents">Table of Contents</h1> <nav id="TableOfContents"> <ol> <li><a href="#why-sealed-secret">Why Sealed Secret?</a></li> <li><a href="#install">Install</a> <ol> <li><a href="#cluster">Cluster</a></li> <li><a href="#client">Client</a></li> <li><a href="#certificate">Certificate</a></li> </ol> </li> <li><a href="#key">Key</a></li> <li><a href="#example">Example</a> <ol> <li><a href="#default-k8s-secrets">Default K8S Secrets</a></li> <li><a href="#sealed-secret">Sealed Secret</a></li> <li><a href="#git">Git</a></li> </ol> </li> </ol> </nav> <h3 id="why-sealed-secret">Why Sealed Secret?</h3> <p>Sealed Secrets uses asymmetric encryption to solve one problem:</p> https://marktaguiad.dev/post/k8s-rbac/ Tue, 07 Apr 2026 00:00:00 +0000marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/k8s-rbac/ <img class="theme-image" src="https://marktaguiad.dev/images/devops/k8s-notes/k8s-rbac-001.png" data-light="/images/devops/k8s-notes/k8s-rbac-001.png" data-dark="/images/devops/k8s-notes/k8s-rbac-dark-001.png" alt="Architecture Diagram" > <p>Role‑Based Access Control (RBAC) is a core part of Kubernetes security — it lets you grant precise permissions to users, groups, or service accounts so they can do only what they’re allowed. In this hands‑on guide, we’ll go step‑by‑step through:</p> <ul> <li>creating a Kubernetes user</li> <li>assigning permissions using RBAC</li> <li>testing permissions</li> </ul> <p>Read more on this topic <a href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/">here</a>.</p> <h1 id="table-of-contents">Table of Contents</h1> <nav id="TableOfContents"> <ol> <li><a href="#create-kubernetes-user">Create Kubernetes User</a> <ol> <li><a href="#script">Script</a></li> <li><a href="#create-user">Create User</a></li> <li><a href="#verify">Verify</a></li> <li><a href="#test">Test</a></li> <li><a href="#delete-user">Delete User</a></li> </ol> </li> <li><a href="#roles--rolebindings">Roles &amp; RoleBindings</a></li> <li><a href="#cluster-roles--cluster-role-bindings">Cluster Roles &amp; Cluster Role Bindings</a></li> </ol> </nav> <h3 id="create-kubernetes-user">Create Kubernetes User</h3> <p>Let&rsquo;s automate this process-in the perspective of an admin. Use the script to create user.</p> https://marktaguiad.dev/post/k8s-istio-tres/ Sat, 28 Mar 2026 00:00:00 +0000marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/k8s-istio-tres/ <p>Continuation of Kubernetes Istio.</p> <h1 id="table-of-contents">Table of Contents</h1> <nav id="TableOfContents"> <ol> <li><a href="#ingress-gateway">Ingress Gateway</a></li> <li><a href="#gateway">Gateway</a></li> <li><a href="#fault-injection">Fault Injection</a> <ol> <li><a href="#verify">Verify</a></li> </ol> </li> <li><a href="#retries">Retries</a></li> <li><a href="#circuit-breaker">Circuit Breaker</a></li> </ol> </nav> <p>I&rsquo;ve mentioned in this <a href="https://marktaguiad.dev/post/k8s-istio-uno.md">post</a> that will sticking with <code>HTTPRoute</code>, but feature discussed here only support (for now) Istio API.</p> <h3 id="ingress-gateway">Ingress Gateway</h3> <p>Istio deploys a default resource for this, and for this example we are using the default ingress gateway <code>ingressgateway</code>.</p> <p>If you want to create a custom ingress gateway.</p> <p><em>istio-gateway.yaml</em></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">install.istio.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">IstioOperator</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">istio-control-plane</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">istio-system</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">components</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">ingressGateways</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">istio-ingressgateway-prod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">istio-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">label</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">istio</span><span class="p">:</span><span class="w"> </span><span class="l">ingressgateway-prod</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">istio-ingressgateway-dev</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">istio-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">label</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">istio</span><span class="p">:</span><span class="w"> </span><span class="l">ingressgateway-dev</span><span class="w"> </span></span></span></code></pre></div><p>This will create two ingress gateway.</p> https://marktaguiad.dev/post/k8s-istio-dos/ Tue, 24 Mar 2026 00:00:00 +0000marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/k8s-istio-dos/ <p>Continuation of Kubernetes Istio, this time we&rsquo;ll focus on Security.</p> <h1 id="table-of-contents">Table of Contents</h1> <nav id="TableOfContents"> <ol> <li><a href="#security">Security</a> <ol> <li><a href="#mtls-mutual-tls">mTLS (Mutual TLS)</a></li> <li><a href="#authorizationpolicy-rbac">AuthorizationPolicy (RBAC)</a></li> </ol> </li> </ol> </nav> <h3 id="security">Security</h3> <h4 id="mtls-mutual-tls">mTLS (Mutual TLS)</h4> <p>This will ensure that service-to-service traffic is encrypted and authenticated.</p> <p>Istio allows you to configure three main modes per namespace, workload, or globally:</p> <table> <thead> <tr> <th>Mode</th> <th>Behavior</th> <th>When to Use</th> </tr> </thead> <tbody> <tr> <td><strong>STRICT</strong></td> <td>Only allows <strong>mTLS-encrypted traffic</strong>. Plain HTTP connections are rejected.</td> <td>Best for production when you want <strong>full security</strong> between services.</td> </tr> <tr> <td><strong>PERMISSIVE</strong></td> <td>Accepts both mTLS-encrypted and plain HTTP traffic.</td> <td>Useful during <strong>gradual migration</strong> to mTLS. Old workloads can still communicate without encryption.</td> </tr> <tr> <td><strong>DISABLE</strong></td> <td>Does not use mTLS at all.</td> <td>For testing, legacy workloads, or non-critical traffic.</td> </tr> </tbody> </table> <p>You might get confused with the HTTPS traffic, it just mean that all traffic are converted by istio envoy to mTLS. So as long as the request is going through first the sidecar then it is valid.</p> https://marktaguiad.dev/post/linux-security-hardening/ Sat, 26 Jul 2025 00:00:00 +0000marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/linux-security-hardening/ <div class="alert alert-info"> <div class="alert-title">Info</div> <div class="alert-content"> Content here are automated using ansible, check <a href="https://marktaguiad.dev/post/linux-hardening-playbook">here</a> if you are interested. </div> </div> <h1 id="table-of-contents">Table of Contents</h1> <nav id="TableOfContents"> <ol> <li><a href="#ssh-hardening">SSH hardening</a> <ol> <li><a href="#core-configuration">Core Configuration</a></li> <li><a href="#enforce-password-complexity">Enforce password complexity</a></li> <li><a href="#debian-base">Debian base</a></li> <li><a href="#redhat-base">Redhat base</a></li> <li><a href="#monitoring">Monitoring</a></li> <li><a href="#optional-enhancement">Optional Enhancement</a></li> </ol> </li> <li><a href="#fail2ban">Fail2ban</a> <ol> <li><a href="#installation">Installation</a></li> <li><a href="#configuration">Configuration</a></li> <li><a href="#status">Status</a></li> <li><a href="#unbanning-ip">Unbanning IP</a></li> <li><a href="#custom-configregex">Custom Config/Regex</a></li> </ol> </li> <li><a href="#selinux">SELinux</a> <ol> <li><a href="#mode-definitions">Mode Definitions</a></li> <li><a href="#labels-and-policy">Labels and Policy</a></li> <li><a href="#type-enforcement">Type Enforcement</a></li> <li><a href="#mcs-enforement">MCS Enforement</a></li> <li><a href="#mls-enforcement">MLS Enforcement</a></li> <li><a href="#selinux-enforcement-comparison">SELinux Enforcement Comparison</a></li> <li><a href="#configuration-1">Configuration</a></li> </ol> </li> </ol> <ol> <li><a href="#firewall">Firewall</a></li> <li><a href="#automatic-security-upgrade">Automatic Security Upgrade</a> <ol> <li><a href="#debian-base-1">Debian base</a></li> <li><a href="#redhat-base-1">Redhat base</a></li> </ol> </li> <li><a href="#audit">Audit</a></li> <li><a href="#advanced-intrusion-detection-environment">Advanced Intrusion Detection Environment</a></li> </ol> </nav> <h3 id="ssh-hardening">SSH hardening</h3> <p>SSH is one of the most targeted services on any server exposed to a network. Hardening SSH reduces the attack surface, limits brute-force attempts, and enforces stronger authentication and cryptography.</p>