A
Hi folks, welcome to our presentation about air gap. We want to give you in the following minutes a short overview of air gap, what is meant and why it isn't so complicated as many think.
A
So let's talk about the agenda first: a short intro who we are, then we will discuss a standard Kubernetes environment. After that we come along to the question: what is air gap? And we will show you some important topics about that. Then Winston will give us a short demonstration, and we come to the end with a conclusion.
A
So let's move to who we are. We are from KubeOps, a company that has been working with microservices and Kubernetes for several years.
A
I want to start with this funny quote of a user. He said: "I barely understand my own feelings. How am I supposed to understand Kubernetes?" Kubernetes is not a flash in the pan; it is here to stay, and its prevalence [...]. In the next minutes I want to give you a short overview about some topics on the Kubernetes and air gap environment.
A
That's one of the most important rules for a base image: make sure that only that software is included which is actually needed, and, as a consequence of this, make sure that you really know which software is included and how it is working. For checking the images you can use, for example, the quay.io security scanner, part of the Quay container image registry. And most potentially harmful container images are coin miners, with over 44% of the containers.
A
RBAC is usually enabled by default, but when you use RBAC or when you enable RBAC, you must also disable the legacy attribute-based access control, called ABAC. Second, use a third-party authentication for the API server. It is highly recommended to integrate Kubernetes with a third-party authentication provider, for example GitHub.
A
So the next one is process whitelisting. Process whitelisting is an effective way to identify unexpected running processes. First observe the application over a period of time to identify all processes running during normal application behavior, then use this list as your whitelist for future application behavior.
A
The next one is also important. That means keep the Kubernetes version up to date. You should always run the latest version of Kubernetes, so always plan to upgrade your Kubernetes version to the latest. Upgrading Kubernetes can be a complex process because you get three or four times per year some new upgrades from Kubernetes.
A
Okay, the kubeconfig, the kubelet config and the kubeadm config contain important information about the cluster. Besides information gathering, modifying these configs can [inaudible] the cluster by default. The following directories contain important information. These directories are only relevant for troubleshooting.
A
Kubernetes offers many levels for securing the cluster or cluster operations, and most of the security settings are not focused on maximum security, but are designed for fast deployment and use. So the rule of thumb here is: an insecure container can be intercepted by a secure cluster. But, however, the reverse does not apply.
B
The term air gap means the complete isolation of a device or system from the internet. Air gap networks and computers are used when the highest level of security must be provided for the system or the data stored within it. The air gap protects the system from malware, key loggers, ransomware or other unwanted access. In a Kubernetes air gap environment, internet connectivity is severely limited by a firewall.
B
A common solution is to whitelist access to software repositories or registries with an outbound proxy and keep all the other connections closed. In this way, the cluster is cut off from the outside world. In an air gap Kubernetes cluster, you cannot reach control plane endpoints over the internet, and in a security environment [...]
B
In order to downgrade to an older version, specific yum commands are required, which must be first enabled to install a specific iptables version. Another example: there is a request needed to access the registry through the outgoing proxy so that we can retrieve all the images needed for the cluster and application. One last practical example: you want to migrate your storage solution from NFS to Longhorn, so the disks need to be mounted and integrated into Longhorn. This requires many sudo commands, but they have to be enabled first, yeah.
B
Let's move on to the pros and cons of an air gap and security environment. In an air gap and security environment, the advantages in terms of security most likely go hand in hand with the disadvantages in terms of productivity. While the limited internet connectivity may protect you from downloading malicious data or certain third-party attacks, on the other hand you may lose productivity in some aspects, and the effort and cost of deploying and maintaining your cluster may increase.
B
Not only does offline installation enhance complexity during installation, but also cluster management operations such as machine maintenance, disaster recovery, upgrading to newer versions, applying security patches and more. Ultimately, you will never be 100% secure with an air gap only environment; for example, threats from within are still possible.
B
The third step is the deployment of Elasticsearch. You add the Helm repo, call the values.yaml file and install the Helm chart. This approach can be risky if you are working in a security-oriented production environment. Many Helm charts include images and containers that aren't always necessary, or worse: you really don't know which images are even installed or how many critical vulnerabilities they have. Especially in a Kubernetes cluster, you should make your containers as secure as possible to minimize the chance of outside attacks or privilege escalations from the containers.
B
Let's continue with our example. Here we call the Helm installation script from GitHub in an environment with internet connection, and as you can see it works fine. Then we run the script and install Helm in an air gap environment. We already failed because the firewall blocks the URL and we can't access GitHub.
C
Thanks Ralph and Toby. I will show you how to set up an air gap cluster with a simple proxy server. So first things first, I show you my setup. This is the admin machine; it's not a direct part of the cluster itself, but it manages it. The cluster contains two nodes: one master node and one worker node. All three nodes have very limited access to the outside world.
C
I already prepared the port 32454 as well, which I will use for the Docker registry, and the address is available on the Kubernative hub, which is the package manager, the place where all packages are stored, as well as all the machines in the cluster, but that's it. I am ready and my cluster is ready as well for a deployment.
C
Next, the template plugin gets called so that we can change the values for the installation of the Helm chart afterwards. After both is done, finally we can install the Helm chart. To do so, we call helm install, we define which Helm chart should get installed (this is the docker registry 132), and the values which can change the deployment are passed in the result.yaml.
C
Okay, after this we should have a deployed and up-and-running registry, but we can't connect to it since it's got no certificate and we don't have a way to connect to it via HTTPS, so we have to edit the insecure registries file. To do so, we have to edit a file, so we call the edit-file plugin; the operation we want to do with that file is: we want to override it.
C
The service type is ClusterIP, which is not ideal, since we want to reach it instantly. To do so, we have to change the type to NodePort and define a node port. We could do this directly here in the values.yaml of the Helm chart, but there is a better way to do so: there is the sina way. Again, we take a look at the template.yaml.
C
And that's it. Now we take a short look at package.yaml, just to make sure the name is kubecon-registry. The version is 271. Okay, so the last action is to share it with the world and everyone: we say "sina push". Now, if you have packages you can't share with everyone but want to use sina, don't worry: we also got the opportunity for a private hub for you to use.
C
If you want it, feel free to contact us after this presentation. And that's it: our package is installed. We go back to our cluster now. What we do first is delete our old deployment by typing delete and the deployment name so that our cluster is clean again. Also, we remove all images just to prove that we took the images from the sina package.
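Editor's added example (not part of the talk, and not KubeOps or sina code): the speakers point out that with a Helm chart "you really don't know which images are even installed", and that in an air gap the images have to come from a local registry such as the one exposed on NodePort 32454 in the demo. The script below shows the check a practitioner would run before `helm install` on the air-gapped side: inventory every image a rendered chart would pull, canonicalize short names (`busybox` is really `docker.io/library/busybox:latest`), rewrite them to the in-cluster registry while keeping tags and digests, and assert that nothing still points outside. The manifest is a constructed sample, the registry address `localhost:32454` is an assumption taken from the demo's port, and image lines are found with a regex over rendered YAML rather than a full YAML parser.

```python
"""Inventory and rewrite the images of a rendered Helm chart for an air-gapped
cluster.  Added example; standard library only."""
import re
from typing import Iterable, List, Tuple

# Image reference on a rendered manifest line such as
#   image: busybox
#   - image: "quay.io/org/app@sha256:..."
# [ \t]* (not \s*) so a match can never run onto the next line.
IMAGE_LINE = re.compile(
    r'^[ \t]*-?[ \t]*image:[ \t]*["\']?([^"\'\s#]+)["\']?[ \t]*(?:#.*)?$',
    re.MULTILINE,
)

# Constructed sample of what `helm template` might render (not a real chart).
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
spec:
  template:
    spec:
      initContainers:
        - name: init
          image: busybox          # short name, implicit docker.io/library
      containers:
        - name: app
          image: "quay.io/example/app:1.4.2"
        - name: sidecar
          image: docker.io/library/nginx:1.25
        - name: pinned
          image: registry.k8s.io/pause@sha256:7031c1b283388d2c2e09b57badb803c05ee0b48db7d46def59c5da0e23e0a9f5
"""


def normalize(ref: str) -> str:
    """Canonical form registry/repository[:tag|@digest].
    'busybox' -> 'docker.io/library/busybox:latest', 'org/app:1' -> 'docker.io/org/app:1';
    a reference that already names a registry host only gains ':latest' when it
    carries neither a tag nor a digest."""
    first, _, _ = ref.partition("/")
    has_registry = "." in first or ":" in first or first == "localhost"
    if not has_registry:
        ref = "docker.io/" + (ref if "/" in ref else "library/" + ref)
    last = ref.rsplit("/", 1)[-1]          # last path segment holds tag/digest
    if "@" not in last and ":" not in last:
        ref += ":latest"
    return ref


def extract_images(manifest: str) -> List[str]:
    """Every distinct image the manifest would pull, canonical, in first-seen order."""
    images: List[str] = []
    for match in IMAGE_LINE.finditer(manifest):
        image = normalize(match.group(1))
        if image not in images:
            images.append(image)
    return images


def registry_of(image: str) -> str:
    return normalize(image).partition("/")[0]


def rewrite_to_local(image: str, local_registry: str) -> str:
    """Point the image at the in-cluster registry, keeping repository path and
    tag or digest so the pull spec stays unambiguous (a digest pins content)."""
    _, _, path = normalize(image).partition("/")
    return f"{local_registry}/{path}"


def mirror_plan(manifest: str, local_registry: str) -> List[Tuple[str, str]]:
    """(source, target) pairs to copy into the air gap before `helm install`."""
    return [(img, rewrite_to_local(img, local_registry)) for img in extract_images(manifest)]


def rewrite_manifest(manifest: str, local_registry: str) -> str:
    """The manifest with every image line pointed at local_registry."""
    def repl(m: "re.Match[str]") -> str:
        return m.group(0).replace(m.group(1), rewrite_to_local(m.group(1), local_registry), 1)
    return IMAGE_LINE.sub(repl, manifest)


def foreign_images(manifest: str, allowed_registries: Iterable[str]) -> List[str]:
    """Images whose registry is not on the allow list, i.e. pulls that would
    have to leave the air gap.  Run on the rewritten manifest this must be empty."""
    allowed = set(allowed_registries)
    return [img for img in extract_images(manifest) if registry_of(img) not in allowed]


if __name__ == "__main__":
    local = "localhost:32454"            # assumed address of the NodePort registry
    for src, dst in mirror_plan(SAMPLE_MANIFEST, local):
        print(f"{src} -> {dst}")
    print("still external:", foreign_images(rewrite_manifest(SAMPLE_MANIFEST, local), {local}))
```

The mirror plan is the list you feed to `docker pull`/`docker tag`/`docker push` (or `skopeo copy`) on the connected side; `foreign_images` on the rewritten manifest is the gate to run before install, and any non-empty result means the firewall will block a pull at deploy time.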