cloud-custodian
kube-bench
Our great sponsors
cloud-custodian | kube-bench | |
---|---|---|
32 | 23 | |
5,201 | 6,635 | |
1.0% | 1.6% | |
9.5 | 8.4 | |
5 days ago | 7 days ago | |
Python | Go | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
cloud-custodian
-
Cutting down AWS cost by $150k per year simply by shutting things off
> The best optimization is simply shutting things off
This is the way.
A similar idea has been bouncing around in my mind for a while now. An ideal, turnkey system would do the following:
- Execute via Lambda (serverless).
- Support automated startup and shutdown of various AWS resources on a schedule influenced by specially formatted tags.
- Enable resources to be brought back up out of schedule when demand dictates.
- Operate as a TCP/HTTP proxy that can delay clients so that a given service can be started when it is dormant or, even better, the service isn't serverless but you want it to be. This can't work for everything, but perhaps enough things such that the need to run always on services is reduced.
Cloud Custodian [1] can purportedly do some of this, but I've been reluctant to learn yet another YAML-based DSL to use it.
So this is my "make things designed to be always-on serverless instead" project and the work AWS has done to make Java apps function on Lambda keeps me thinking about the potential to take things that 1) have a relatively long startup time and 2) are designed to be long running service loops, and find a way to force them into the serverless execution model.
[1] https://cloudcustodian.io/
-
When have you screwed up, bad?
Goal was to clear up anything old and set us up to rotate keys in use. Why did I do it in the end of December? It was a quarterly goal and I learned to push those across the line if I wanted a good review. Great incentive, that one. I used Cloud Custodian for this. It has a terrible bug where the code says you'll be acting on days since the key was used but actually is reading days since it was created.
-
Open-Source tools for monitoring ML/AI usage- Recommendations?
What is wrong with https://github.com/cloud-custodian/cloud-custodian?
-
Automate deletion of aws ebs snapshots older than year
You can start reading about it here.
-
Optimizing cost on an app which is not used 24/7
Use a tool like this https://cloudcustodian.io/ to manage instance on/off hours or go fargate.
-
Going for the CCP with a Compliance background. Any insight on what direction to pursue in AWS?
Certs aside, there are some great compliance tools out there that you might want to become familiar with. Here is one that comes to mind (is open-source): https://cloudcustodian.io/
- What are some of the community's best recommendations and use cases for Cost Optimization and FinOps
-
EC2 start and stop via Lambda
I'd use a combination of Cloudcustodian for start/stop scheduling and Apprise for notifications.
-
Tag Enforcement
Cloud custodian is a good utility if config rules doesn’t satisfy your needs. It’s also cross platform.
-
26 AWS Security Best Practices to Adopt in Production
AWS Security with open source – Cloud Custodian is a Cloud Security Posture Management (CSPM) tool. CSPM tools evaluate your cloud configuration and identify common configuration mistakes. They also monitor cloud logs to detect threats and configuration changes.
kube-bench
-
Evaluating and securing your Kubernetes infrastructure with kube-bench
However, no matter how well our applications are secured, the security of our entire IT environment ultimately depends on the security of our infrastructure. Therefore, in the lab to follow, we will shift our focus away from Kubernetes workloads and instead explore how we can evaluate and improve upon the security of our Kubernetes clusters with kube-bench, the industry-leading Kubernetes benchmarking solution developed by Aqua.
-
Kube-bench and Popeye: A Power Duo for AKS Security Compliance
The official repository can be found here with detailed installation instructions.
-
Quickstart - Aqua Security Kube-Bench
curl -L [https://github.com/aquasecurity/kube-bench/releases/download/v0.6.10/kube-bench_0.6.10_linux_amd64.deb](https://github.com/aquasecurity/kube-bench/releases/download/v0.6.2/kube-bench_0.6.2_linux_amd64.deb) -o kube-bench_0.6.10_linux_amd64.deb
- Looking for Tips on Open Sourcing a kubernetes security tool
-
Kubernetes Security: 10 Best Practices from the Industry and Community
I haven't used Kubernetes for a while, but shouldn't kube-bench (1) be enough? Do you have to check anything manually?
(1) https://github.com/aquasecurity/kube-bench
-
Implement DevSecOps to Secure your CI/CD pipeline
kube-bench checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. We can deploy kube-bench as a Job that runs daily and consume its report in CI/CD to pass or fail the pipeline based on the level of severity.
-
Securing Kubernetes Cluster using Kubescape and kube-bench
kube-bench can be executed as a simple command on the host, as a container on the host using Docker command, or as a job inside Kubernetes Cluster. In case it is run inside a container/pod, it will need access to the PID namespace of the host system. The methods to run kube-bench in AKS, EKS, GKE, On-prem cluster, Openshift and ACK (Alibaba Cloud Container Service For Kubernetes) are different but well documented.
-
What are some fundamental security practices for the self hosted k8s cluster?
Check this out: kube-bench - CIS Benchmark
-
Top 6 Kubernetes Security Tools
Kube-bench, written as a Go application, is deployable as a container. Ready-made job.yaml files make it easy to run Kube-bench inside a Kubernetes cluster or on a managed Kubernetes service, such as Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), or OpenShift. Here's a link to Kube-Bench on Github
-
Introduction to Kubernetes Pentesting
kube-bench - Checks whether Kubernetes is deployed securely by running CIS Kubernetes Benchmark
What are some alternatives?
terraform - Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
ScoutSuite - Multi-Cloud Security Auditing Tool
kubesec - Security risk analysis for Kubernetes resources
steampipe - Zero-ETL, infinite possibilities. Live query APIs, code & more with SQL. No DB required.
kubeaudit - kubeaudit helps you audit your Kubernetes clusters against common security controls
gatekeeper - 🐊 Gatekeeper - Policy Controller for Kubernetes
kube-hunter - Hunt for security weaknesses in Kubernetes clusters
fixinventory - Fix Inventory consolidates user, resource, and configuration data from your cloud environments into a unified, graph-based asset inventory.
falco - Cloud Native Runtime Security
cloudquery - The open source high performance ELT framework powered by Apache Arrow
docker-bench-security - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.