We are creating a new version of payment gateway processor and We want to use docker container with kubernetes but we are worried if Kubernetes and docker container follow the PCI DSS requirements.
We don't find anything clear in PCI DSS specifications.
Re-iterating Tim's comment above: As far as I know nobody has implemented a fully PCI-compliant kubernetes install yet (they might have done and not told us). I don't know of anything specific to Docker or Kubernetes that would prevent you from getting your deployment certified.
PCI-DSS can be achieved by 3rd party solutions.
(Disclaimer - I'm an employee of Twistlock, which has brought a PCI-DSS solution, if you're interested in it please check the following link - https://info.twistlock.com/guide-to-pci-compliance-for-containers)
I've implemented and got PCI-DSS Level 1 certified a K8S Cluster as Cardholder Data Environment for the company I work for.
Don't get intimidated by the requirements, there's always a way to make them "not applicable" or meet them with some elbow oil.
The basics you need to meet to make it compliant are:
use COS so you can skip all the Nodes hardening hassle.
use the --enable-master-authorized-networks flag (Beta) although I haven't had any problems with it yet.
manage the network CIDRs yourself as you need to provide classes that don't change for the docs and show how only
those are authorized to access the cluster.
you must implement a NAT gateway cluster and pass all the K8S traffic through it and setup on the systems a silly
outgoing IDS/IPS solution, I used Suricata. (it's silly, I know)
you need to whitelist all outgoing traffic IPs for any API you're eventually calling from your apps and deny everything else.
PS: I know it sounds like BS, but you gotta do it if you wanna pass compliance.
PPS: remember to harden the NAT gateways, I used ansible with the STIG playbook.
These were the trickiest parts, everything else was cumbersome but manageable. Glad to help.
see this article. While the author is referring to "public iaas" it seems that one could substitute "private kubernetes".
Related
I am working on a project where the requirement just came to create a pod for MTA/SMTP within Kubernetes cluster such that it can be accessed through discovery like other services.
Didn't find anything concrete that I could follow to set up this on a Kubernetes cluster. My question is if there's any way to do this then how? also, is it a good idea to set up it as pod?
Will appreciate any help.
Thanks
You sure can. It's more about opinion and really depends on how you divide your resources into containers or VMs or bare-metal machines.
Some might argue that running something like postfix is more efficient in Kubernetes because the CPU/Memory resources will mostly be used when postfix is actually sending/receiving (a more efficient way of processing the mail queues). There are a few resources that you may able to follow. For example:
https://www.tauceti.blog/post/run-postfix-in-kubernetes/
https://blog.mi.hdm-stuttgart.de/index.php/2019/08/26/creating-an-email-server-environment-on-kubernetes/
Postfix Helm chart: https://hub.helm.sh/charts/halkeye/postfix
It's actually relatively simple to deploy a Postfix MTA relay on Kubernetes (aka Postfix null client).
There's:
an image available on Docker hub,
a Chart on artifacthub and
source on GitHub.
(Disclaimer: I am the author of the chart and image. There are other alternatives, listed on the said GitHub page)
Service can then be simply accessed via smtp-server:587 or similar resolution. The biggest issue you're going to face is configuring the outside services (such as SPF, DNS, registering your block with Microsoft) properly to avoid having your email going into spam.
Most of it is explained nicely in the README.
Today I have a bit tricky question. Imagine a situation when someone has written a custom connector to the network (let's say there are a lot of security features hidden and so on). Now imagine that each application can connect to the network (even IoT Edge Runtime) only through this custom connector (let's say, this connector has implementation of both https and plain MQTT protocols).
Now the issue! According to the documentation here https://github.com/Azure/iotedge/blob/master/doc/networking.md the IoT Edge Runtime connects to the network through moby-engine modified by Microsoft. According to the Microsoft, we cannot get this moby-engine. Moreover, if we use original moby project the support from the Microsoft will be caught off, which is a bad thing. So, we cannot modify moby-engine and make it use this custom connector.
Now the question!
Is it possible (may be I missed something in documentation. Not the first time tbh) to use custom connector with IoT Edge Runtime (no proxy, we need plain MQTT protocol)? If yes, can you explain in details how? If no, what posible features inside Iot Edge Runtime/moby engine can help to use custom connector?
Please ask, if you need more information. I will provide it right away. A similar question was asked by me on Microsoft github. No response from there.
The proposal from #silent pointed me to the correct direction. While reading manuals, how to properly setup a gateway, I once again began to read manual about creating custom modules. This pointed me to have a look at preparing a build environment. This again directed me to the SDK bit.
Honestly speaking, by accident and mostly out of curiosity I clicked the link about porting the SDK to my custom platform. This was the solution in my case https://github.com/Azure/azure-c-shared-utility/blob/master/devdoc/porting_guide.md
I have to mention here two other solutions I walked through:
Proxy server that supports your custom connector/protocol (will
work for cases where you do not need MQTT. However, MQTT websockets
can be used here)
Gateway. This is definitely a good one. Again many thanks to #silent.
Which one will work in your particular case is only up to you to decide.
Iām just browsing through the docs+code and I have a quick question: do you see Wolkenkit, or any of its components, working in a serverless environment? either now or in the future
Short answer
Unfortunately no.
Long answer
Unfortunately no, if we are talking about now. wolkenkit is very strict in separating your domain code from the technical infrastructure code that is required to run your domain code. Right now this technical infrastructure code is focused on making use of Docker containers, as this allows you to work not only in the cloud, but also locally, or in a classic data-center, or ā¦ you name it š
Of course it would be technically feasible and reasonable, to have another type of runtime in the future, that does not make use of Docker containers, but instead would work with some kind of FaaS solution. As the native web (the company behind wolkenkit) is a small company, we need to decide what to focus on, and unfortunately, at least right now this is not on the roadmap for the close future. I do not say that this will never be done ā it just will take time. Maybe also someone else comes up with such a runtime and enhances the wolkenkit ecosystem.
So, to cut a long story short, if now, then the answer is no. If we're talking about the future, the answer is possible, but without an ETA.
PS: I am one of the developers of wolkenkit, so please take my answer with a grain of salt.
I am new to this, what is a best approach to implement microservices?
I found fw like seneca but it is little bit confusing...
Is there any tut how to create jwt auth, mongodb and other staff in microservices?
Take a look on Docker.
With docker-compose you can play with several services with an easy integration without worrying about the IP addresses to connect them.
Also if you add nginx to your stack, it's gonna be very easy to scale those services, there are several videos and tutorials that you can lookup to help you get started.
I've heard aboutseneca, but I haven't used, I think you shouldn't depend on a specific framework because one of the ideas behind of Microservices is the low coupling.
To make the jump into the real micro-services world is not trivial. It's not about plumbing some APIs, but a radical change in architecture thinking that, well, at the beginning will make you a bit uncomfortable (e.g. every service with its own database) :)
The best book I have read so far about micro-services is The Tao of Microservices, by Richard Rodger the author of Seneca himself. It exposes very well the shift from monolithic and object-oriented software towards micro-services.
I have personally struggled a bit with Seneca because of the average quality of documentation (inconsistencies, etc...). I would rather recommend Hemera, which took its inspiration from the message-pattern approach from Seneca, but is better documented and much more production-ready.
1) Build services and deploy it with Docker Containers
2) Let them communicate via gRPC coz it is really fast for inter services communication.
3) Use error reporter like Bugsnag or Rollbar. Error reporting is really important to catch error quickly.
4) Integrate tracing using opentracing or opencensus. Tracing is important too because it will be so hard to monitor all microservices with logs only.
I'm building an arsenal of different things to attack my site with, to see how I can protect it. I was curious if there were gems available for this.
If you want to simulate a DDos attack you may want to spin up a bunch of Amazon EC2 instances and run ApacheBench on them. That should do it :)
Disclaimer
I'm not sure if the Apache terms say anything about using EC2 in this way. Please make sure you don't get your account banned for DDOSing your own site!
you can use something like fail2ban to avoid too much request from IP