
Posts

Get NodeAuthorization working in Kubernetes with acs-engine

Node Authorization in k8s

I'm starting to get into the container world and I'm loving it. Recently we helped a client build out and deploy a micro-services application in Kubernetes. We created the cluster in Azure using the open source project acs-engine. After we got the cluster set up, our client asked for some updates to the cluster for security reasons. One of those updates was to enable Node Authorization.

What is Node Authorization?

Node Authorization locks down each Node in the cluster to only be able to do actions on itself. If this is not turned on, it's possible for a malicious pod to take actions on any other node, including reading secrets, deleting pods, etc. There is an excellent post by Antoine Cotten that explains this very well (as well as RBAC, which is a different subject altogether).

How do I set it up?

Based on the current documentation, it looks like setting up Node Authorization should be easy. Basically follow these steps: Turn on TLS

Recent posts

Executing .ps1 files in a DockerFile

This week I was trying to containerize an existing Java application. Part of "installing" the application on the container required executing a PowerShell script in the container during the image build. Based on the documentation here I thought I could add the following command to my Dockerfile and it would work: RUN install.ps1 However, when I went to build the image, it just hung on that step. I tried several other variations of the run command including: RUN ["Powershell", ".\install.ps1"] which resulted in the following error: '["Powershell"' is not recognized as an internal or external command,operable program or batch file. RUN ["Powershell.exe", ".\install.ps1"] which returned the same error as above. I was about to give up and move the PowerShell commands from the .ps1 file directly into the Dockerfile itself as described here, but I had an "A HA!" moment and decided to give a simpler a

IOT security made easy with Azure IOT Suite

There has been quite a lot of talk about security concerns as it relates to IOT devices and security. Businesses want to make sure that they are not opening themselves up to a ton of risk as they expand their data streams and increase productivity. Thankfully Azure IOT suite makes securely connecting your IOT devices to the cloud quick and easy. Before we get too far, it's important to explain exactly what IOT security means:

IOT Security

In its simplest form, IOT security is broken down into zones and trust boundaries. Typically the zones are defined as follows:

Devices – IOT devices that capture and send data
Field Gateway – Devices that can aggregate data to and from devices
Cloud Gateways – Endpoint that receives / sends data and commands to Field Gateways or directly to devices
Services – The services that “do work” on the data that is received from the IOT devices (via the gateways)

Trust boundaries are where data moves between zones. During this movement ac

Adding a user to a SQL Azure Database

This week I had to create a few new users for a SQL Azure database. I have to do this often, but I can never remember the exact steps that need to be run. If you've connected to a SQL Azure instance, you'll quickly see that some of the useful UI options don't exist or work differently. For example, if you want to add a new user, you get a SQL script that just creates the user, but doesn't give them any access to the database: SQL:

In order to actually give the user access to a database, you need to switch your connection to the database you want the user to access and run the following command:

CREATE USER [UserName] FOR LOGIN [UserName] WITH DEFAULT_SCHEMA = dbo
GO
-- Add user to the database owner role
EXEC sp_addrolemember N'db_owner', N'UserName'
GO

You can switch out the default schema and role to whatever fits your needs. After all of that, the user should work, but if you try to connect from SQL Mg

Restart-AzureWebsite: Your Azure credentials have not been set up

I recently ran into an issue when trying to restart an Azure App Service from PowerShell. The command to do it is Restart-AzureWebsite, but when I attempted to run it, I got the following error: “Restart-AzureWebsite : Your Azure credentials have not been set up or have expired, please run Add-AzureAccount to set up your Azure credentials” I ran the Add-AzureAccount command but I continued to get the same error. After some digging I realized that I had more than 1 Azure subscription and the command was using the wrong one when attempting to restart the website. I ran the following command to retrieve the subscriptions that are cached on my PC: Get-AzureSubscription That returns all of the subscriptions for all of the accounts that you’ve added from Azure. I found the subscription that was correct for the website I was attempting to restart and then ran this command: Select-AzureSubscription -SubscriptionName "MySubscription" That set the sub

Quick and easy table Audit with code first EF6 and Migrations

For one of my current projects, we had a requirement to track changes made to two tables in the database for auditing purposes. Initially I thought we could just use the built-in SQL change tracking features (here), however we were deploying this application to Azure and as of now, that feature is not available in SQL Azure. I did some investigating into this and there were a few options:

Option 1: Create my own triggers on these tables and write data to the audit tables when the rows were updated. This was somewhat straightforward, but I’m not a fan of triggers and I wanted to keep all of my code in C#/Entity Framework for ease of code management down the road. Also, I didn’t want to have to update the triggers when the table was altered.

Option 2: Implement this workaround leveraging a local data cache. While this seems like an easier approach, I wouldn’t be fully in control of what was happening during updates. Also, this approach only tells you what rows have cha

Sitefinity Blank Login Screen

On one of my current projects, we’re leveraging the Sitefinity CMS for our front end. Initially the setup went really smoothly and I was off to the races. There is a ton to learn and a lot of the functionality is fairly intuitive. I was super excited about it until I tried to deploy some code updates to our Development/Integration Server. We had already created a site on the development server directly and I didn’t need any of the content that I had created locally, so I figured it would be as easy as moving my code out to the DEV server. When I did this and went to fire up the site, I got a blank Login screen: We went back and reviewed the Windows roles/features that need to be turned on and everything seemed to look fine. I recopied the code over and over with no success. Finally we did a folder compare between the initially deployed site on the DEV server and the code that I had moved. The only thing noticeable was that the GUIDs in some of the configuration files were dif