Personal blog by hajowieland

wieland.tech

Istio OIDC authn + authz with oauth2-proxy


Securing the workloads running in your Kubernetes cluster is a crucial task when defining an authorization strategy for your setup. One might say it’s Best Practice™ to restrict access both on the network level and with some form of authn + authz logic. On the networking side you can use a VPN solution (WireGuard, OpenVPN) or restrict access via IP whitelisting (Load Balancer / K8s Service / Ingress / NetworkPolicy). The authorization side can be handled by Istio with a custom external authorization system using OIDC: in this guide we use oauth2-proxy for that.…

Argo CD with Auth0 SSO Login


ArgoCD + Auth0 => Great Team. Argo CD is a great tool for GitOps-style Continuous Deployment on Kubernetes. It’s fast, simple and has all the essential features your DevOps team might need. You can connect Argo with all major OpenID Connect Identity Providers out there (Auth0, AzureAD, Okta, OneLogin). The official documentation for setting up Auth0 + ArgoCD is quite good, but it misses some Auth0-specific points that have to be set up correctly for a secure configuration.…

Jitsi on AWS (with Terraform)


Even before COVID-19, most of us were in need of some kind of conferencing solution. Some use proprietary ones like Google Hangouts, Zoom or one of the other popular offerings out there. But if you are in a tightly regulated industry, or just want full control over your data and like to use open source, then chances are high you have already stumbled upon Jitsi Meet. In this post I describe the process of setting up a fully functional Jitsi Meet instance on AWS (+ Terraform code!…

Kubernetes The (real) Hard Way on AWS


Works with Kubernetes 1.16! INFRASTRUCTURE. In preparation for the Cloud Native Computing Foundation Certified Kubernetes Administrator exam (CNCF CKA for short), it is important to learn the ins and outs of creating Kubernetes clusters by hand. This includes generating all the certificates, systemd unit files and K8s configs, and installing the components. You should already have some basic knowledge about Kubernetes in general. Most of you may have already seen Kelsey Hightower’s fantastic “Kubernetes The Hard Way” tutorial on GitHub.…

Terraform Kubernetes Multi-Cloud (ACK, AKS, DOK, EKS, GKE, OKE)


To be clear: I ❤️ Kubernetes! This is why I’m spending most of my free learning time reading about Kubernetes, watching conference talks about Kubernetes (KubeCon EU 2019!) and getting my hands on as many of the tools and services that exist in the ever-growing K8s ecosystem. At work I’m mostly using the AWS cloud (=> EKS), so I thought it would be interesting to see how all the other major public cloud vendors implement managed Kubernetes services.…

AWS S3 Bucket Magecart Attacks and How to Prevent Them


Automated attacks against AWS S3 buckets with publicly writable objects are currently being carried out by so-called Magecart groups. These are hacking groups who specialize in attacking systems and software to steal credit card information. Their attacks are often widespread mass attacks that mostly fail, but when even a few succeed, it is still very profitable. The current campaign, which started in early April 2019 and was discovered and documented by RiskIQ, scans for misconfigured S3 buckets that allow public write access (everyone with an AWS account can edit the files).…

Terraform & Packer to create a Kali Linux AWS EC2 Instance


Recently I needed an up-to-date Kali Linux on an AWS EC2 instance to do some security testing and found that the official Kali Linux AMI is based on 2018.3a (from August 2018). The notorious apt-get update && apt-get dist-upgrade -y took some time because it needed to download and update ~2000 packages. Additionally, I thought it would be nice to create a fully-fledged Kali Linux EC2 instance using Terraform, so I could spin a security machine up and down as needed.…

Hello World


Just a simple Hello World 👨‍💻…