Monday, June 20, 2022

[Cloud/GCP] gcpdiag

- 0 comments

Hello

A new tool called gcpdiag came out, so I tested it a bit.

To start with the conclusion… how should I put it… it feels like the aquasecurity/kube-bench tool?

And the downside that shows first… since it runs container-based…

it seems to need a Linux kernel? And… why did they open-source this…?

Its name suggests it's only going to be used on GCP anyway…

Anyway, if you use GCP and want to do an overall internal audit, it seems worth trying.

The run and its results are as follows.
[gcpdiag run]

[hj@cs-491314827780-default ~ (☸️ |hj-gke:default)]$ gcpdiag
Unable to find image 'us-docker.pkg.dev/gcpdiag-dist/release/gcpdiag:0.55' locally
0.55: Pulling from gcpdiag-dist/release/gcpdiag
1fe172e4850f: Pull complete
caf521ccaac6: Pull complete
3ead6fa29328: Pull complete
5c2a1cbceb83: Pull complete
a8d5f1318db7: Pull complete
358ca086baa3: Pull complete
30197a52639a: Pull complete
65545a04dace: Pull complete
80cf14a4e373: Pull complete
00f344331f1a: Pull complete
5fbfd71d5b4d: Pull complete
Digest: sha256:0b5fcc0fd3e2f1b822cec492b0128f7e1df5173c19990570ee072c80cf6164c4
Status: Downloaded newer image for us-docker.pkg.dev/gcpdiag-dist/release/gcpdiag:0.55
gcpdiag 🩺 - Diagnostics for Google Cloud Platform

Usage:
        gcpdiag COMMAND [OPTIONS]

Commands:
        help     Print this help text.
        lint     Run diagnostics on GCP projects.
        version  Print gcpdiag version.

See: gcpdiag COMMAND --help for command-specific usage.

Roughly looking over what failed in the run results…

  1. Failed because the serial port was not enabled… (👎️)
  2. Failed because the (up-to-date) ops agent is not installed…? (👎️)
  3. Failed because buckets are not using uniform access… (👍️)
  4. Failed because GKE is not regional… (👌)
  5. Failed because GKE uses the default service account (👍️)

Well, at this level… it seems fine to run it once in Cloud Shell.

[gcpdiag --project]

[hj@cs-491314827780-default ~ (☸️ |hj-gke:default)]$ gcpdiag lint --project=hj-int-20200908
gcpdiag

Starting lint inspection (project: hj-int-20200908)...

🔎  gce/BP/2021_001: Serial port logging is enabled.
   - hj-int-20200908/gke-gke-nodes-634bd260-gefn                          [ OK ]
   - hj-int-20200908/gui-pipe                                             [FAIL]
   - hj-int-20200908/windows                                              [FAIL]
   - hj-int-20200908/zipkin-vm                                            [FAIL]

   Serial port output can be often useful for troubleshooting, and enabling
   serial logging makes sure that you don't lose the information when the VM is
   restarted. Additionally, serial port logs are timestamped, which is useful to
   determine when a particular serial output line was printed.

   https://gcpdiag.dev/rules/gce/BP/2021_001

🔎  gce/BP/2021_002: GCE nodes have an up to date ops agent installed.
   - hj-int-20200908/gui-pipe                                             [FAIL] not installed
   - hj-int-20200908/windows                                              [FAIL] not installed
   - hj-int-20200908/zipkin-vm                                            [FAIL] not installed

   Verify that the ops agent is used by the GCE instances and that the agent is
   recent enough. If the monitoring agent is found it is recommended to upgrade
   to the ops agent.  see:
   https://cloud.google.com/stackdriver/docs/solutions/agents/ops-agent

   https://gcpdiag.dev/rules/gce/BP/2021_002

🔎  gce/ERR/2021_003: Google APIs service agent has the Editor role.
   - hj-int-20200908                                                      [ OK ]

🔎  gce/ERR/2021_004: Serial logs don't contain Secure Boot error messages
   - hj-int-20200908/gui-pipe                                             [ OK ]
   - hj-int-20200908/windows                                              [ OK ]
   - hj-int-20200908/zipkin-vm                                            [ OK ]

🔎  gce/ERR/2021_005: Serial logs don't contain mount error messages
   - hj-int-20200908/gke-gke-nodes-634bd260-gefn                          [ OK ]
   - hj-int-20200908/gui-pipe                                             [ OK ]
   - hj-int-20200908/windows                                              [ OK ]
   - hj-int-20200908/zipkin-vm                                            [ OK ]

🔎  gce/WARN/2021_001: GCE instance service account permissions for logging.
   - hj-int-20200908/gui-pipe                                             [ OK ]
   - hj-int-20200908/windows                                              [ OK ]
   - hj-int-20200908/zipkin-vm                                            [ OK ]

🔎  gce/WARN/2021_003: GCE instance service account permissions for monitoring.
   - hj-int-20200908/gui-pipe                                             [ OK ]
   - hj-int-20200908/windows                                              [ OK ]
   - hj-int-20200908/zipkin-vm                                            [ OK ]

🔎  gce/WARN/2021_004: Serial logs don't contain disk full messages
   - hj-int-20200908/gke-gke-nodes-634bd260-gefn                          [ OK ]
   - hj-int-20200908/gui-pipe                                             [ OK ]
   - hj-int-20200908/windows                                              [ OK ]
   - hj-int-20200908/zipkin-vm                                            [ OK ]

🔎  gce/WARN/2021_005: Serial logs don't contain out-of-memory messages
   - hj-int-20200908/gke-gke-nodes-634bd260-gefn                          [ OK ]
   - hj-int-20200908/gui-pipe                                             [ OK ]
   - hj-int-20200908/windows                                              [ OK ]
   - hj-int-20200908/zipkin-vm                                            [ OK ]

🔎  gce/WARN/2021_006: Serial logs don't contain "Kernel panic" messages
   - hj-int-20200908/gke-gke-nodes-634bd260-gefn                          [ OK ]
   - hj-int-20200908/gui-pipe                                             [ OK ]
   - hj-int-20200908/windows                                              [ OK ]
   - hj-int-20200908/zipkin-vm                                            [ OK ]

🔎  gce/WARN/2021_007: Serial logs don't contain "BSOD" messages
   - hj-int-20200908/gke-gke-nodes-634bd260-gefn                          [ OK ]
   - hj-int-20200908/gui-pipe                                             [ OK ]
   - hj-int-20200908/windows                                              [ OK ]
   - hj-int-20200908/zipkin-vm                                            [ OK ]

🔎  gce/WARN/2022_001: GCE connectivity: IAP service can connect to SSH/RDP port on instances.
   - hj-int-20200908/gke-gke-nodes-634bd260-gefn                          [ OK ]
   - hj-int-20200908/gui-pipe                                             [ OK ]
   - hj-int-20200908/windows                                              [ OK ]
   - hj-int-20200908/zipkin-vm                                            [ OK ]

🔎  gce/WARN/2022_002: Instance groups named ports are using unique names.
   - hj-int-20200908/gke-gke-nodes-634bd260-grp                           [ OK ]

🔎  gce/WARN/2022_003: GCE VM instances quota is not near the limit.
   - projects/hj-int-20200908/regions/asia-northeast3                     [ OK ]
   - projects/hj-int-20200908/regions/us-central1                         [ OK ]

🔎  gcs/BP/2022_001: Buckets are using uniform access
   - hj-int-20200908/artifacts.hj-int-20200908.appspot.com                [FAIL]
     it is recommend to use uniform access on your bucket
   - hj-int-20200908/hoon                                                 [FAIL]
     it is recommend to use uniform access on your bucket

   Google recommends using uniform access for a Cloud Storage bucket IAM policy
   https://cloud.google.com/storage/docs/access-
   control#choose_between_uniform_and_fine-grained_access

   https://gcpdiag.dev/rules/gcs/BP/2022_001

🔎  gke/BP/2021_001: GKE system logging and monitoring enabled.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/BP/2022_001: GKE clusters are regional.
   - hj-int-20200908/us-central1-c/gke                                    [FAIL]
      is not regional

   The availability of regional clusters (both control plane and nodes) is
   higher for regional clusters as they are replicated across zones in the
   region. It is recommended to use regional clusters for the production
   workload.

   https://gcpdiag.dev/rules/gke/BP/2022_001

🔎  gke/BP/2022_002: GKE clusters are using unique subnets.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/ERR/2021_001: GKE nodes service account permissions for logging.
   - hj-int-20200908/us-central1-c/gke/nodes                              [ OK ]

🔎  gke/ERR/2021_002: GKE nodes service account permissions for monitoring.
   - hj-int-20200908/us-central1-c/gke/nodes                              [ OK ]

🔎  gke/ERR/2021_004: GKE nodes aren't reporting connection issues to apiserver.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/ERR/2021_005: GKE nodes aren't reporting connection issues to storage.google.com.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/ERR/2021_006: GKE Autoscaler isn't reporting scaleup failures.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/ERR/2021_007: GKE service account permissions.
   - hj-int-20200908                                                      [ OK ]

🔎  gke/ERR/2021_008: Google APIs service agent has Editor role.
   - hj-int-20200908                                                      [ OK ]

🔎  gke/ERR/2021_009: Version skew between cluster and node pool.
   - hj-int-20200908/us-central1-c/gke/nodes                              [ OK ]

🔎  gke/ERR/2021_010: Check internal peering forwarding limits which affect GKE.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/ERR/2021_011: ip-masq-agent not reporting errors
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/ERR/2021_012: Node pool service account exists and not is disabled.
   - hj-int-20200908/us-central1-c/gke/nodes                              [ OK ]

🔎  gke/ERR/2021_013: GKE cluster firewall rules are configured.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/ERR/2021_015: GKE connectivity: node to pod communication.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/ERR/2022_001: GKE connectivity: pod to pod communication.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/ERR/2022_002: GKE nodes of private clusters can access Google APIs and services.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/SEC/2021_001: GKE nodes don't use the GCE default service account.
   - hj-int-20200908/us-central1-c/gke/nodes                              [FAIL]
     node pool uses the GCE default service account

   The GCE default service account has more permissions than are required to run
   your Kubernetes Engine cluster. You should either use GKE Workload Identity
   or create and use a minimally privileged service account.

   https://gcpdiag.dev/rules/gke/SEC/2021_001

🔎  gke/WARN/2021_003: GKE cluster size close to maximum allowed by pod range
   - hj-int-20200908/us-central1-c/gke                                    [ OK ] 1/1024 nodes used.

🔎  gke/WARN/2021_004: GKE system workloads are running stable.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/WARN/2021_005: GKE nodes have good disk performance.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/WARN/2021_006: GKE nodes aren't reporting conntrack issues.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/WARN/2021_007: GKE nodes have enough free space on the boot disk.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/WARN/2021_009: GKE nodes use a containerd image.
   - hj-int-20200908/us-central1-c/gke/nodes                              [ OK ]

🔎  gke/WARN/2022_001: GKE clusters with workload identity are regional.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/WARN/2022_002: GKE metadata concealment is not in use
   - hj-int-20200908/us-central1-c/gke/nodes                              [ OK ]

🔎  gke/WARN/2022_003: GKE service account permissions to manage project VPC firewall rules.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/WARN/2022_004: Cloud Logging API enabled when GKE logging is enabled
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  iam/SEC/2021_001: No service accounts have the Owner role
   - hj-int-20200908                                                      [ OK ]

Rules summary: 24 skipped, 40 ok, 5 failed
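To triage a report like the one above (for example to gate a CI job on any failing SEC rule), here is an added example that is not part of gcpdiag: it parses the text layout shown (rule header, indented resource lines with [ OK ]/[FAIL], optional short message, doc URL, trailer) and lists failing rules with the most security-relevant class first. The SEVERITY ordering is an assumption and SAMPLE_REPORT is a constructed excerpt, not real project output.

```python
"""Triage helper for the text report printed by `gcpdiag lint`.

Added example, not part of gcpdiag. Parses the report layout (rule header,
resource lines with [ OK ]/[FAIL], optional message, doc URL, trailer) and
lists failing rules, most security-relevant rule class first.
"""
import re
from dataclasses import dataclass, field

# "🔎  gke/SEC/2021_001: GKE nodes don't use the GCE default service account."
RULE_RE = re.compile(r"^\S+\s+(?P<id>[a-z]+/[A-Z]+/\d{4}_\d{3}):\s*(?P<title>.+)$")
# "   - project/resource        [FAIL] optional inline message"
RESULT_RE = re.compile(r"^\s+-\s+(?P<res>\S+)\s+\[(?P<status>[A-Z ]+)\](?:\s+(?P<msg>.*))?$")
SUMMARY_RE = re.compile(r"^Rules summary:\s*(\d+) skipped, (\d+) ok, (\d+) failed", re.M)

# Assumed triage order: security findings first, best-practice hints last.
SEVERITY = {"SEC": 0, "ERR": 1, "WARN": 2, "BP": 3}


@dataclass
class Finding:
    resource: str
    status: str          # "OK", "FAIL", ...
    message: str = ""    # inline or continuation-line message, if any


@dataclass
class Rule:
    rule_id: str         # e.g. "gke/SEC/2021_001"
    title: str
    doc_url: str = ""
    findings: list = field(default_factory=list)

    @property
    def rule_class(self) -> str:
        return self.rule_id.split("/")[1]

    @property
    def failed(self) -> list:
        return [f for f in self.findings if f.status == "FAIL"]


def parse_report(text: str) -> list:
    """Turn the lint report into Rule objects; lines outside rule blocks are ignored."""
    rules, current, last = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = RULE_RE.match(line)
        if m:
            current = Rule(m["id"], m["title"])
            rules.append(current)
            last = None
            continue
        if current is None:
            continue
        m = RESULT_RE.match(line)
        if m:
            last = Finding(m["res"], m["status"].strip(), (m["msg"] or "").strip())
            current.findings.append(last)
            continue
        if line.strip().startswith("https://gcpdiag.dev/rules/"):
            current.doc_url = line.strip()
        elif last is not None and line.startswith("     ") and line.strip():
            # Deeper-indented line directly under a result: the short failure message.
            last.message = (last.message + " " + line.strip()).strip()
        elif not line.strip():
            last = None  # blank line ends the result list; description text follows
    return rules


def failing_rules(rules: list) -> list:
    """Rules with at least one FAIL, ordered by SEVERITY then rule id."""
    return sorted((r for r in rules if r.failed),
                  key=lambda r: (SEVERITY.get(r.rule_class, 9), r.rule_id))


def summarize(text: str) -> list:
    """[(rule_id, [failing resources...]), ...] in triage order."""
    return [(r.rule_id, [f.resource for f in r.failed])
            for r in failing_rules(parse_report(text))]


def check_summary(text: str):
    """Cross-check the trailer: its 'failed' count is rules with a FAIL, not resources."""
    m = SUMMARY_RE.search(text)
    if m is None:
        return None
    return int(m.group(3)), sum(1 for r in parse_report(text) if r.failed)


# Constructed excerpt in the report format; not real output from a project.
SAMPLE_REPORT = """\
Starting lint inspection (project: example-project)...

🔎  gce/BP/2021_001: Serial port logging is enabled.
   - example-project/gke-node-1                                           [ OK ]
   - example-project/legacy-vm                                            [FAIL]

   Serial port output can be often useful for troubleshooting.

   https://gcpdiag.dev/rules/gce/BP/2021_001

🔎  gcs/BP/2022_001: Buckets are using uniform access
   - example-project/artifacts-bucket                                     [FAIL]
     it is recommend to use uniform access on your bucket

   https://gcpdiag.dev/rules/gcs/BP/2022_001

🔎  gke/SEC/2021_001: GKE nodes don't use the GCE default service account.
   - example-project/us-central1-c/gke/nodes                              [FAIL]
     node pool uses the GCE default service account

   https://gcpdiag.dev/rules/gke/SEC/2021_001

🔎  gke/WARN/2021_003: GKE cluster size close to maximum allowed by pod range
   - example-project/us-central1-c/gke                                    [ OK ] 1/1024 nodes used.

Rules summary: 24 skipped, 1 ok, 3 failed
"""

if __name__ == "__main__":
    import sys
    report = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    for rule_id, resources in summarize(report):
        print(f"{rule_id}: {', '.join(resources)}")
```

In Cloud Shell the script can be fed the live report with `gcpdiag lint --project=<your-project> | python3 triage.py`; without stdin it runs on the constructed sample.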
   - hj-int-20200908/us-central1-c/gke/nodes                              [ OK ]

🔎  gke/ERR/2021_004: GKE nodes aren't reporting connection issues to apiserver.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/ERR/2021_005: GKE nodes aren't reporting connection issues to storage.google.com.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/ERR/2021_006: GKE Autoscaler isn't reporting scaleup failures.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/ERR/2021_007: GKE service account permissions.
   - hj-int-20200908                                                      [ OK ]

🔎  gke/ERR/2021_008: Google APIs service agent has Editor role.
   - hj-int-20200908                                                      [ OK ]

🔎  gke/ERR/2021_009: Version skew between cluster and node pool.
   - hj-int-20200908/us-central1-c/gke/nodes                              [ OK ]

🔎  gke/ERR/2021_010: Check internal peering forwarding limits which affect GKE.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/ERR/2021_011: ip-masq-agent not reporting errors
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/ERR/2021_012: Node pool service account exists and not is disabled.
   - hj-int-20200908/us-central1-c/gke/nodes                              [ OK ]

🔎  gke/ERR/2021_013: GKE cluster firewall rules are configured.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/ERR/2021_015: GKE connectivity: node to pod communication.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/ERR/2022_001: GKE connectivity: pod to pod communication.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/ERR/2022_002: GKE nodes of private clusters can access Google APIs and services.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/SEC/2021_001: GKE nodes don't use the GCE default service account.
   - hj-int-20200908/us-central1-c/gke/nodes                              [FAIL]
     node pool uses the GCE default service account

   The GCE default service account has more permissions than are required to run
   your Kubernetes Engine cluster. You should either use GKE Workload Identity
   or create and use a minimally privileged service account.

   https://gcpdiag.dev/rules/gke/SEC/2021_001

🔎  gke/WARN/2021_003: GKE cluster size close to maximum allowed by pod range
   - hj-int-20200908/us-central1-c/gke                                    [ OK ] 1/1024 nodes used.

🔎  gke/WARN/2021_004: GKE system workloads are running stable.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/WARN/2021_005: GKE nodes have good disk performance.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/WARN/2021_006: GKE nodes aren't reporting conntrack issues.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/WARN/2021_007: GKE nodes have enough free space on the boot disk.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/WARN/2021_009: GKE nodes use a containerd image.
   - hj-int-20200908/us-central1-c/gke/nodes                              [ OK ]

🔎  gke/WARN/2022_001: GKE clusters with workload identity are regional.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/WARN/2022_002: GKE metadata concealment is not in use
   - hj-int-20200908/us-central1-c/gke/nodes                              [ OK ]

🔎  gke/WARN/2022_003: GKE service account permissions to manage project VPC firewall rules.
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  gke/WARN/2022_004: Cloud Logging API enabled when GKE logging is enabled
   - hj-int-20200908/us-central1-c/gke                                    [ OK ]

🔎  iam/SEC/2021_001: No service accounts have the Owner role
   - hj-int-20200908                                                      [ OK ]

Rules summary: 24 skipped, 40 ok, 5 failed
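A small triage helper for lint output of the shape shown above, added here as an example (it is not part of gcpdiag or of the original post). It parses the rule headers and the per-resource `[ OK ]`/`[FAIL]` lines, orders failures so that SEC findings such as the default-service-account one come first, and returns a non-zero status when SEC or ERR rules fail, so a scheduled audit run can gate a pipeline. The sample text is a trimmed copy of the output above; the severity ordering and the `gate` function are assumptions of this example, not gcpdiag behaviour.

```python
"""Triage helper for gcpdiag lint text (added example, not gcpdiag code)."""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the gcpdiag lint output shown above.
SAMPLE_OUTPUT = """\
🔎  gcs/BP/2022_001: Buckets are using uniform access
   - hj-int-20200908/hoon                                                 [FAIL]
     it is recommend to use uniform access on your bucket

   Google recommends using uniform access for a Cloud Storage bucket IAM policy

   https://gcpdiag.dev/rules/gcs/BP/2022_001

🔎  gke/BP/2022_001: GKE clusters are regional.
   - hj-int-20200908/us-central1-c/gke                                    [FAIL]
      is not regional

🔎  gke/SEC/2021_001: GKE nodes don't use the GCE default service account.
   - hj-int-20200908/us-central1-c/gke/nodes                              [FAIL]
     node pool uses the GCE default service account

🔎  gke/WARN/2021_003: GKE cluster size close to maximum allowed by pod range
   - hj-int-20200908/us-central1-c/gke                                    [ OK ] 1/1024 nodes used.

🔎  iam/SEC/2021_001: No service accounts have the Owner role
   - hj-int-20200908                                                      [ OK ]

Rules summary: 24 skipped, 40 ok, 5 failed
"""

# Rule header: optional leading emoji/whitespace, then "<product>/<class>/<id>: <title>".
RULE_RE = re.compile(
    r"^[^a-z]*?(?P<rule>[a-z]+/(?P<cls>BP|WARN|ERR|SEC)/\d{4}_\d{3}):\s*(?P<title>.*)$")
# Per-resource result line: "   - <resource>   [ OK ]" or "[FAIL]", optionally followed by a note.
RESULT_RE = re.compile(r"^\s+-\s+(?P<resource>\S+)\s+\[(?P<status>[ A-Z]+)\](?P<extra>.*)$")
SUMMARY_RE = re.compile(r"^Rules summary:\s*(\d+) skipped,\s*(\d+) ok,\s*(\d+) failed", re.M)

# Assumed triage order: security findings first, then errors, warnings, best practices.
SEVERITY = {"SEC": 0, "ERR": 1, "WARN": 2, "BP": 3}


@dataclass
class Finding:
    rule: str       # e.g. "gke/SEC/2021_001"
    cls: str        # "BP", "WARN", "ERR" or "SEC"
    title: str
    resource: str
    status: str     # "OK", "FAIL", ...
    detail: str = ""  # gcpdiag's short note for this resource, if any


def parse_lint_output(text: str) -> list[Finding]:
    """Turn gcpdiag lint text into one Finding per (rule, resource) pair."""
    findings: list[Finding] = []
    current = None          # (rule id, class, title) of the rule being read
    attach_detail = False   # True while reading the note lines under the last result
    for line in text.splitlines():
        if not line.strip():
            attach_detail = False   # a blank line ends the per-resource note
            continue
        m = RULE_RE.match(line)
        if m:
            current = (m["rule"], m["cls"], m["title"].strip())
            attach_detail = False
            continue
        m = RESULT_RE.match(line)
        if m and current:
            findings.append(Finding(*current, m["resource"], m["status"].strip(), m["extra"].strip()))
            attach_detail = True
            continue
        if attach_detail and findings:
            last = findings[-1]
            last.detail = (last.detail + " " + line.strip()).strip()
    return findings


def failed_findings(findings: list[Finding]) -> list[Finding]:
    """Failed checks, most security-relevant class first."""
    return sorted((f for f in findings if f.status == "FAIL"),
                  key=lambda f: (SEVERITY[f.cls], f.rule, f.resource))


def parse_summary(text: str):
    """The counts gcpdiag prints in its own 'Rules summary' line, or None."""
    m = SUMMARY_RE.search(text)
    return {"skipped": int(m[1]), "ok": int(m[2]), "failed": int(m[3])} if m else None


def gate(findings: list[Finding], fail_on=("SEC", "ERR")) -> int:
    """Exit status for a pipeline: 1 if any FAIL belongs to the given rule classes, else 0."""
    return 1 if any(f.cls in fail_on for f in failed_findings(findings)) else 0


if __name__ == "__main__":
    import sys
    # Pipe `gcpdiag lint --project=... | python3 triage.py`; falls back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    findings = parse_lint_output(text)
    for f in failed_findings(findings):
        print(f"[{f.cls}] {f.rule} {f.resource}: {f.detail or f.title}")
    print("summary:", parse_summary(text))
    sys.exit(gate(findings))
```

Run against the sample, the three failures come out with the SEC rule first, and the gate returns 1 because of it; with `fail_on=("ERR",)` the same run passes, which is the knob to tune for a project that only wants hard errors to block.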

Wednesday, December 29, 2021

CKS exam information portal ver0.5

- 3 comments

Hello

With the Certified Kubernetes Security Specialist (CKS), I have completed the full set of three CK certifications. I want to briefly summarize some of what I learned this time. I will probably also record some videos about it.

First, CKS looks quite different from CKAD and CKA, but in reality, like the existing Kubernetes certifications, it is built mostly around very practical, hands-on content.
And in my personal view the difficulty is

CKAD > CKS > CKA

roughly at that level.
As for why AD is hard,

you can see it in this post.

Previously there were many sites and resources worth referencing, and there are many this time too...
but I decided not to compile that part separately. That is because the handbook provided by the Linux Foundation is excellent, and the killer.sh labs and explanations provided when you register for the exam are useful enough. For everything else, it is better to google the information, since it changes constantly.


On reflection that seemed too cold, so I included a few sites!

CKS introduction:


Getting a feel for the sample question style:


CKS Korean review / sample problem walkthrough

Finally, I'll summarize CKS in exactly three points!

Three-line summary for CKS

 - It takes a different angle from CKA, but time is not very tight. Solve it at ease.

 - Get to know the three external tools (video) and the other Kubernetes third-party tools in advance
    (these are also among the allowed links)

 - The high-scoring questions are surprisingly not hard, so solve the high-value ones first.


CKS is a really fun exam :) It was interesting to look into various things, and in particular, since the exam itself provides killer.sh twice, I don't think you need to buy the Udemy course from the Indian instructor just to get the labs. (I'll cover this again in a video! It will probably go up on YouTube here.)


I hope everyone enjoys the Kubernetes certifications and, through them, an even more enjoyable Kubernetes life!

Hoon's last message of 2021!



Friday, September 24, 2021

[Book writing] Three ways to get an offer to write a book

- 0 comments

Hello


Somehow or other, I ended up publishing three books. :)



So, how can I write a book? How do you get offered a book deal?

I get these questions fairly often. I thought that laying this out at a reasonable level might help many people, so here is a summary!!!


Generally, there seem to be about three ways people start writing.


1. You propose it yourself.

To write a book, you make a proposal through various channels.

You can think of it as roughly similar to applying to a company (submitting a résumé, as we say).

To be a bit more precise, you propose according to a kind of plan, like a startup pitch deck.

Each publisher has more or less its own template for this, so you can simply submit a proposal to the publisher you want.


2. The topic is already decided and the publisher contacts you.

When a publisher wants to produce a book on a certain topic, it looks for a suitable author and gets in touch: "We have such-and-such content in mind, how about a book?" (In this case the publisher is trying to publish in a category it does not yet cover; there is no need to produce overlapping books internally.)

Usually this happens more often through a referral from an acquaintance. Publishers have limits on how many potential authors they know, and as you will know if you have worked at a company, a referred person comes somewhat pre-vetted and tends to feel a greater sense of responsibility.

Book projects sometimes collapse midway, and if the author lacks a sense of responsibility, that causes all sorts of big problems. This is why authors often keep on fairly friendly terms with each other. :)

I also know Chanho (찬호), Coffee Whale (커피고래), and Arisu (아리수) ;) We are all Kube authors! (Of course, with Arisu it is only at the level of online friends; I may just be acting closer than I am, sob.)


3. A publisher sees your blog, lectures, or seminar talks and contacts you.

A publisher's purpose may include advancing IT, but it has to produce books that sell commercially.

For that, the more the content is proven, the better. So if you are already a (somewhat) famous person, you can secure a baseline number of sales for the book. And if such a person is a guru or master in a particular field, even better. That is why the more popular your external seminars, meetups, blog, and so on are, the more likely you are to receive a book offer.

In fact, once you gain a certain amount of fame, you will definitely get one. From the publisher's point of view, a domestic author offers more freedom over content, allows revisions, and requires no licensing fees, so the margin is likely to be better.


Finally, financially speaking, a book itself is very unlikely to contribute much to the household budget, but it helps a great deal career-wise. (Though it does feel like you write the book at the expense of your health...) It also has the advantage that you can turn it into various other kinds of content. :)

[Example: 그림으로 배우는 쿠버네티스 (Learning Kubernetes with Pictures), turned into a lecture]


I hope many people will create books (or lectures) together, share knowledge, and grow together.

I hope today is another day of growth.

Sincerely, Hoon Cho (조훈).


