Put your Nginx inside a bunker! nginx Docker image secure by default.
Avoid the hassle of following security best practices each time you need a web server or reverse proxy. Bunkerized-nginx provides generic security configs, settings and tools so you don't need to do it yourself.
Non-exhaustive list of features :
- HTTPS support with transparent Let's Encrypt automation
- State-of-the-art web security : HTTP security headers, php.ini hardening, prevent leaks, ...
- Integrated ModSecurity WAF with the OWASP Core Rule Set
- Automatic ban of strange behaviors with fail2ban
- Antibot challenge through cookie, javascript, captcha or recaptcha v3
- Block TOR, proxies, bad user-agents, countries, ...
- Perform automatic DNSBL checks to block known bad IP
- Prevent bruteforce attacks with rate limiting
- Detect bad files with ClamAV
- Easy to configure with environment variables
https://github.com/bunkerity/bunkerized-nginx
#devops #docker
Avoid the hassle of following security best practices each time you need a web server or reverse proxy. Bunkerized-nginx provides generic security configs, settings and tools so you don't need to do it yourself.
Non-exhaustive list of features :
- HTTPS support with transparent Let's Encrypt automation
- State-of-the-art web security : HTTP security headers, php.ini hardening, prevent leaks, ...
- Integrated ModSecurity WAF with the OWASP Core Rule Set
- Automatic ban of strange behaviors with fail2ban
- Antibot challenge through cookie, javascript, captcha or recaptcha v3
- Block TOR, proxies, bad user-agents, countries, ...
- Perform automatic DNSBL checks to block known bad IP
- Prevent bruteforce attacks with rate limiting
- Detect bad files with ClamAV
- Easy to configure with environment variables
https://github.com/bunkerity/bunkerized-nginx
#devops #docker
GitHub
GitHub - bunkerity/bunkerweb: 🛡️ Open-source and next-generation Web Application Firewall (WAF)
🛡️ Open-source and next-generation Web Application Firewall (WAF) - bunkerity/bunkerweb
Validate, define, and use dynamic and text-based data.
CUE is an open source language, with a rich set of APIs and tooling, for defining, generating, and validating all kinds of data: configuration, APIs, database schemas, code, … you name it.
Features:
- Data Validation. Validate text-based data files or programmatic data such as incoming RPCs or database documents.
- Configuration. Just add validation to existing data (CUE, YAML, JSON), reduce boilerplate in large-scale configurations, or both.
- Schema Definition. Define schema to communicate an API or standard and validate backwards compatibility.
- Generate Code and Schema. Keep validation code in sync across code bases, Protobuf definitions, and OpenAPI definitions.
- Scripting. Automate the use of your data without writing yet another tool.
- Querying. Find the locations of instances of CUE types and values in data. Coming soon.
https://cuelang.org/
#devops #go #noyaml
CUE is an open source language, with a rich set of APIs and tooling, for defining, generating, and validating all kinds of data: configuration, APIs, database schemas, code, … you name it.
Features:
- Data Validation. Validate text-based data files or programmatic data such as incoming RPCs or database documents.
- Configuration. Just add validation to existing data (CUE, YAML, JSON), reduce boilerplate in large-scale configurations, or both.
- Schema Definition. Define schema to communicate an API or standard and validate backwards compatibility.
- Generate Code and Schema. Keep validation code in sync across code bases, Protobuf definitions, and OpenAPI definitions.
- Scripting. Automate the use of your data without writing yet another tool.
- Querying. Find the locations of instances of CUE types and values in data. Coming soon.
https://cuelang.org/
#devops #go #noyaml
Gitkube is a tool for building and deploying Docker images on Kubernetes using
After a simple initial setup, users can simply keep git push-ing their repos to build and deploy to Kubernetes automatically.
Features:
- No dependencies except native tooling (git, kubectl)
- Plug and play installation
- Simple public key based authentication
- RBAC ready - Control access to git remotes using RBAC
- Support for namespace based multi-tenancy - Remotes can only deploy to their own namespace
- No assumptions about repository structure
https://github.com/hasura/gitkube
#go #devops #k8s
git push.After a simple initial setup, users can simply keep git push-ing their repos to build and deploy to Kubernetes automatically.
Features:
- No dependencies except native tooling (git, kubectl)
- Plug and play installation
- Simple public key based authentication
- RBAC ready - Control access to git remotes using RBAC
- Support for namespace based multi-tenancy - Remotes can only deploy to their own namespace
- No assumptions about repository structure
https://github.com/hasura/gitkube
#go #devops #k8s
Keel is a tool for automating Kubernetes deployment updates.
kubectl is the new SSH. If you are using it to update production workloads, you are doing it wrong. See examples on how to automate application updates.
Keel runs as a single container, scanning Kubernetes and Helm releases for outdated images. Policies and trigger types are specified in your application deployment files or Helm charts. Single command, no dependencies. No lock-in, no custom configuration files.
Comes with a web interface.
https://github.com/keel-hq/keel
#go #vue #devops #k8s
kubectl is the new SSH. If you are using it to update production workloads, you are doing it wrong. See examples on how to automate application updates.
Keel runs as a single container, scanning Kubernetes and Helm releases for outdated images. Policies and trigger types are specified in your application deployment files or Helm charts. Single command, no dependencies. No lock-in, no custom configuration files.
Comes with a web interface.
https://github.com/keel-hq/keel
#go #vue #devops #k8s
The smallest, fastest Kubernetes.
MicroK8s is a small, fast, single-package Kubernetes for developers, IoT and edge.
Single-package fully conformant lightweight Kubernetes that works on 42 flavours of Linux. Perfect for:
- Developer workstations
- IoT
- Edge
- CI/CD
Why MicroK8s?
- Small. Developers want the smallest K8s for laptop and workstation development. MicroK8s provides a standalone K8s compatible with Azure AKS, Amazon EKS, Google GKE when you run it on Ubuntu.
- Simple. Minimize administration and operations with a single-package install that has no moving parts for simplicity and certainty. All dependencies and batteries included.
- Secure. Updates are available for all security issues and can be applied immediately or scheduled to suit your maintenance cycle.
- Current. MicroK8s tracks upstream and releases beta, RC and final bits the same day as upstream K8s. You can track latest K8s or stick to any release version from 1.10 onwards.
- Comprehensive. MicroK8s includes a curated collection of manifests for common K8s capabilities and services.
https://github.com/ubuntu/microk8s
#python #devops #k8s
MicroK8s is a small, fast, single-package Kubernetes for developers, IoT and edge.
Single-package fully conformant lightweight Kubernetes that works on 42 flavours of Linux. Perfect for:
- Developer workstations
- IoT
- Edge
- CI/CD
Why MicroK8s?
- Small. Developers want the smallest K8s for laptop and workstation development. MicroK8s provides a standalone K8s compatible with Azure AKS, Amazon EKS, Google GKE when you run it on Ubuntu.
- Simple. Minimize administration and operations with a single-package install that has no moving parts for simplicity and certainty. All dependencies and batteries included.
- Secure. Updates are available for all security issues and can be applied immediately or scheduled to suit your maintenance cycle.
- Current. MicroK8s tracks upstream and releases beta, RC and final bits the same day as upstream K8s. You can track latest K8s or stick to any release version from 1.10 onwards.
- Comprehensive. MicroK8s includes a curated collection of manifests for common K8s capabilities and services.
https://github.com/ubuntu/microk8s
#python #devops #k8s
GitHub
GitHub - canonical/microk8s: MicroK8s is a small, fast, single-package Kubernetes for datacenters and the edge.
MicroK8s is a small, fast, single-package Kubernetes for datacenters and the edge. - canonical/microk8s
Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov (Чехов).
Checkov is a static code analysis tool for infrastructure-as-code.
It scans cloud infrastructure provisioned using Terraform, Cloudformation, Kubernetes, Serverless or ARM Templates and detects security and compliance misconfigurations.
Features:
- Over 400 built-in policies cover security and compliance best practices for AWS, Azure and Google Cloud.
- Scans Terraform, CloudFormation and Kubernetes, Serverless framework and ARM template files.
- Detects AWS credentials in EC2 Userdata, Lambda environment variables and Terraform providers.
- Evaluates Terraform Provider settings to regulate the creation, management, and updates of IaaS, PaaS or SaaS managed through Terraform.
- Policies support evaluation of variables to their optional default value.
- Supports in-line suppression of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.
- Output currently available as CLI, JSON, JUnit XML and github markdown and link to remediation guides.
https://github.com/bridgecrewio/checkov
#python #devops #k8s
Checkov is a static code analysis tool for infrastructure-as-code.
It scans cloud infrastructure provisioned using Terraform, Cloudformation, Kubernetes, Serverless or ARM Templates and detects security and compliance misconfigurations.
Features:
- Over 400 built-in policies cover security and compliance best practices for AWS, Azure and Google Cloud.
- Scans Terraform, CloudFormation and Kubernetes, Serverless framework and ARM template files.
- Detects AWS credentials in EC2 Userdata, Lambda environment variables and Terraform providers.
- Evaluates Terraform Provider settings to regulate the creation, management, and updates of IaaS, PaaS or SaaS managed through Terraform.
- Policies support evaluation of variables to their optional default value.
- Supports in-line suppression of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.
- Output currently available as CLI, JSON, JUnit XML and github markdown and link to remediation guides.
https://github.com/bridgecrewio/checkov
#python #devops #k8s
k0s - Zero Friction Kubernetes
k0s is an all-inclusive Kubernetes distribution with all the required bells and whistles preconfigured to make building a Kubernetes clusters a matter of just copying an executable to every host and running it.
Key Features:
- Packaged as a single static binary
- Self-hosted, isolated control plane
- Variety of storage backends: etcd, SQLite, MySQL (or any compatible), PostgreSQL
- Elastic control-plane
- Vanilla upstream Kubernetes
- Supports custom container runtimes (containerd is the default)
- Supports custom Container Network Interface (CNI) plugins (calico is the default)
- Supports x86-64 and arm64
Quickstart:
https://github.com/k0sproject/k0s
#k8s #devops #go
k0s is an all-inclusive Kubernetes distribution with all the required bells and whistles preconfigured to make building a Kubernetes clusters a matter of just copying an executable to every host and running it.
Key Features:
- Packaged as a single static binary
- Self-hosted, isolated control plane
- Variety of storage backends: etcd, SQLite, MySQL (or any compatible), PostgreSQL
- Elastic control-plane
- Vanilla upstream Kubernetes
- Supports custom container runtimes (containerd is the default)
- Supports custom Container Network Interface (CNI) plugins (calico is the default)
- Supports x86-64 and arm64
Quickstart:
curl -sSLf get.k0s.sh | sh
k0s server --enable-worker
https://github.com/k0sproject/k0s
#k8s #devops #go
Prevent Kubernetes misconfigurations from reaching production (again 😤 )! Datree is a CLI tool to ensure K8s manifests and Helm charts follow best practices as well as your organization’s policies.
It’s far more effective than manual processes, such as sending an email to a slew of developers, begging them to set various limits, which likely falls on deaf ears because developers are already overwhelmed.
The CLI integration provides a policy enforcement solution for Kubernetes to run automatic checks on every code change for rule violations and misconfigurations. When rule violations are found, Datree produces an alert which guides the developer to fix the issue inside the CI process — or even earlier as a pre-commit hook — while explaining the reason behind the rule.
Right now, there are 30 battle-tested rules for you to choose from.
https://github.com/datreeio/datree
#k8s #devops #go
It’s far more effective than manual processes, such as sending an email to a slew of developers, begging them to set various limits, which likely falls on deaf ears because developers are already overwhelmed.
The CLI integration provides a policy enforcement solution for Kubernetes to run automatic checks on every code change for rule violations and misconfigurations. When rule violations are found, Datree produces an alert which guides the developer to fix the issue inside the CI process — or even earlier as a pre-commit hook — while explaining the reason behind the rule.
Right now, there are 30 battle-tested rules for you to choose from.
https://github.com/datreeio/datree
#k8s #devops #go
Kubegres is a #k8s operator allowing to deploy one or many clusters of postgresql instances and manage databases replication, failover and backup.
Features:
- It can manage one or many clusters of Postgres instances. Each cluster of Postgres instances is created using a YAML of "kind: Kubegres". Each cluster is self-contained and is identified by its unique name and namespace.
- It creates a cluster of PostgreSql servers with Streaming Replication enabled: it creates a Primary PostgreSql pod and a number of Replica PostgreSql pods and replicates primary's database in real-time to Replica pods.
- It manages fail-over: if a Primary PostgreSql crashes, it automatically promotes a Replica PostgreSql as a Primary.
- It has a data backup option allowing to dump PostgreSql data regularly in a given volume.
- It provides a very simple YAML with properties specialised for PostgreSql.
https://github.com/reactive-tech/kubegres
#go #devops
Features:
- It can manage one or many clusters of Postgres instances. Each cluster of Postgres instances is created using a YAML of "kind: Kubegres". Each cluster is self-contained and is identified by its unique name and namespace.
- It creates a cluster of PostgreSql servers with Streaming Replication enabled: it creates a Primary PostgreSql pod and a number of Replica PostgreSql pods and replicates primary's database in real-time to Replica pods.
- It manages fail-over: if a Primary PostgreSql crashes, it automatically promotes a Replica PostgreSql as a Primary.
- It has a data backup option allowing to dump PostgreSql data regularly in a given volume.
- It provides a very simple YAML with properties specialised for PostgreSql.
https://github.com/reactive-tech/kubegres
#go #devops
KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
KubeLinter runs sensible default checks, designed to give you useful information about your Kubernetes YAML files and Helm charts. This is to help teams check early and often for security misconfigurations and DevOps best practices. Some common examples of these include running containers as a non-root user, enforcing least privilege, and storing sensitive information only in secrets.
KubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization.
When a lint check fails, KubeLinter reports recommendations for how to resolve any potential issues and returns a non-zero exit code.
https://github.com/stackrox/kube-linter
#go #k8s #devops
KubeLinter runs sensible default checks, designed to give you useful information about your Kubernetes YAML files and Helm charts. This is to help teams check early and often for security misconfigurations and DevOps best practices. Some common examples of these include running containers as a non-root user, enforcing least privilege, and storing sensitive information only in secrets.
KubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization.
When a lint check fails, KubeLinter reports recommendations for how to resolve any potential issues and returns a non-zero exit code.
https://github.com/stackrox/kube-linter
#go #k8s #devops
👍1