Implementing Azure Security Best Practices: Break Glass Accounts, MFA, and Legacy Auth

This week, I implemented several critical security measures in Azure Active Directory (now Microsoft Entra ID) that every organization should consider. Let's walk through the key implementations:

1. Break Glass Account Setup

Break glass accounts are emergency access accounts that help maintain access during identity system failures. Here's how to set one up:

- Create a dedicated emergency access account
- Store credentials securely (I used a password manager)
- Configure exemptions from Conditional Access policies
- Share access with minimal required administrators
- Document the process and access procedures

2. Conditional Access for Admin Roles

Implemented stronger MFA controls for administrative roles: ...

1 min · Me

Implementing Fastly WAF: Security Best Practices

WAF Configuration Fundamentals

Rule Set Implementation

    # Custom VCL for WAF integration
    sub vcl_recv {
      # Enable WAF for specific paths
      if (req.url.path ~ "^/api/") {
        set req.http.X-Fastly-WAF-Enabled = "true";
      }

      # Custom headers for WAF logging
      set req.http.X-Environment = "production";
      set req.http.X-Application = "api-gateway";
    }

Advanced Security Rules

Custom Rule Configuration

    {
      "rule_id": "custom-sqli-protection",
      "severity": "critical",
      "conditions": {
        "operator": "and",
        "conditions": [
          { "parameter": "REQUEST_URI",    "operator": "contains", "value": "sql" },
          { "parameter": "REQUEST_METHOD", "operator": "equals",   "value": "POST" }
        ]
      },
      "action": "block"
    }

Logging and Monitoring

Real-time Alert Configuration

The inner quotes and braces of the strftime call must be escaped so the document stays valid JSON and Fastly reads the braces literally:

    {
      "name": "waf-alerts",
      "endpoint_type": "https",
      "url": "https://alerts.example.com/webhook",
      "content_type": "application/json",
      "format": {
        "timestamp":  "%{strftime(\\{\"%Y-%m-%d %H:%M:%S\"\\}, time.start)}V",
        "client_ip":  "%{req.http.Fastly-Client-IP}V",
        "request_id": "%{req.http.Fastly-Request-ID}V",
        "rule_id":    "%{waf.rule_id}V",
        "severity":   "%{waf.severity}V",
        "action":     "%{waf.action}V",
        "message":    "%{waf.message}V"
      }
    }

Production Implementation

    # Terraform configuration for Fastly WAF
    # Note: check the block and attribute names against the Fastly provider
    # version in use; the provider's WAF rule block identifies rules by
    # modsec_rule_id rather than rule_id.
    resource "fastly_service_waf_configuration" "production" {
      name = "production-waf"

      rule_set {
        type    = "owasp"
        version = "latest"
      }

      rule {
        rule_id   = "1010020"
        status    = "log"
        threshold = 10
      }

      rule {
        rule_id   = "1010030"
        status    = "block"
        threshold = 5
      }

      logging {
        name = "waf-logs"
        # %%{ escapes the HCL template directive so Fastly receives a literal %{ ... }V;
        # \\{ and \" keep the strftime braces and quotes literal in the final format string.
        format = jsonencode({
          timestamp  = "%%{strftime(\\{\"%Y-%m-%d %H:%M:%S\"\\}, time.start)}V"
          client_ip  = "%%{req.http.Fastly-Client-IP}V"
          request_id = "%%{req.http.Fastly-Request-ID}V"
          rule_id    = "%%{waf.rule_id}V"
          severity   = "%%{waf.severity}V"
          action     = "%%{waf.action}V"
          message    = "%%{waf.message}V"
        })
      }
    }

1 min · Me

Implementing Pod Disruption Budgets: Ensuring Application Availability

Pod Disruption Budgets (PDBs) are crucial for maintaining application availability during voluntary disruptions like node drains or cluster upgrades.

Understanding PDB Basics

PDBs define the minimum number of pods that must remain available during voluntary disruptions.

Basic PDB Configuration

    apiVersion: policy/v1
    kind: PodDisruptionBudget
    metadata:
      name: app-pdb
    spec:
      minAvailable: 2
      selector:
        matchLabels:
          app: critical-service

Implementation Strategies

1. Absolute vs. Percentage Values

Choose between:

- minAvailable: 2 (absolute number)
- minAvailable: "50%" (percentage-based)

2. Using maxUnavailable

    apiVersion: policy/v1
    kind: PodDisruptionBudget
    metadata:
      name: app-pdb
    spec:
      maxUnavailable: 1
      selector:
        matchLabels:
          app: critical-service

Best Practices

PDB Calculation ...

1 min · Me

Kubernetes HPA Best Practices: A Comprehensive Guide

Horizontal Pod Autoscaling (HPA) is a crucial component for maintaining application performance and resource efficiency in Kubernetes clusters. This guide explores implementation best practices and common pitfalls to avoid.

Understanding HPA Fundamentals

HPA automatically scales the number of pods in a deployment based on observed metrics. While CPU and memory are common scaling triggers, custom metrics can provide more meaningful scaling decisions.

Key Metrics Selection

When choosing metrics for HPA, consider: ...

2 min · Me

Kubernetes Node Pool Management and Cloud-Specific Scaling Patterns

Node Pool Design Patterns

GKE Node Pool Configuration

    # GKE Node Pool
    resource "google_container_node_pool" "general_purpose" {
      name     = "general-purpose"
      cluster  = google_container_cluster.primary.name
      location = "us-central1"

      autoscaling {
        min_node_count  = 1
        max_node_count  = 10
        location_policy = "BALANCED"
      }

      node_config {
        machine_type = "n2-standard-4"
        disk_size_gb = 100
        disk_type    = "pd-ssd"

        labels = {
          role = "general"
          env  = "production"
        }

        taint {
          key    = "specialty"
          value  = "gpu"
          effect = "NO_SCHEDULE"
        }
      }

      management {
        auto_repair  = true
        auto_upgrade = true
      }
    }

EKS Node Group Configuration

    # EKS Node Group
    resource "aws_eks_node_group" "compute_optimized" {
      cluster_name    = aws_eks_cluster.main.name
      node_group_name = "compute-optimized"
      node_role_arn   = aws_iam_role.eks_node.arn
      subnet_ids      = aws_subnet.private[*].id

      scaling_config {
        desired_size = 2
        max_size     = 10
        min_size     = 1
      }

      instance_types = ["c5.2xlarge"]
      capacity_type  = "SPOT"

      labels = {
        workload = "compute"
        cost     = "spot"
      }

      taint {
        key    = "workload"
        value  = "compute"
        effect = "NO_SCHEDULE"
      }
    }

AKS Node Pool Configuration

    # AKS Node Pool
    resource "azurerm_kubernetes_cluster_node_pool" "memory_optimized" {
      name                  = "memopt"
      kubernetes_cluster_id = azurerm_kubernetes_cluster.main.id
      vm_size               = "Standard_E4s_v3"
      enable_auto_scaling   = true
      min_count             = 1
      max_count             = 5

      node_labels = {
        workload = "memory-intensive"
      }

      node_taints = ["workload=memory:NoSchedule"]
      zones       = ["1", "2", "3"]
    }

Cloud-Specific Features

GKE-Specific Capabilities

    # GKE-specific features
    # Assumes a variable "project_id" is declared elsewhere in the module.
    resource "google_container_cluster" "advanced" {
      # Autopilot mode
      enable_autopilot = true

      # Vertical Pod Autoscaling
      vertical_pod_autoscaling {
        enabled = true
      }

      # Binary Authorization
      enable_binary_authorization = true

      # Workload Identity
      workload_identity_config {
        workload_pool = "${var.project_id}.svc.id.goog"
      }
    }

EKS-Specific Features

    # EKS-specific features
    resource "aws_eks_cluster" "advanced" {
      # IPv6 Support
      kubernetes_network_config {
        ip_family = "ipv6"
      }

      # Secrets Encryption
      encryption_config {
        provider {
          key_arn = aws_kms_key.eks.arn
        }
        resources = ["secrets"]
      }
    }

    # Fargate Profiles are a separate resource, not a block of aws_eks_cluster.
    # Assumes an IAM role "fargate_pod_execution" and the private subnets exist.
    resource "aws_eks_fargate_profile" "serverless" {
      cluster_name           = aws_eks_cluster.advanced.name
      fargate_profile_name   = "serverless"
      pod_execution_role_arn = aws_iam_role.fargate_pod_execution.arn
      subnet_ids             = aws_subnet.private[*].id

      selector {
        namespace = "serverless"
      }
    }

AKS-Specific Features

    # AKS-specific features
    resource "azurerm_kubernetes_cluster" "advanced" {
      # Azure CNI Overlay
      network_profile {
        network_plugin      = "azure"
        network_policy      = "calico"
        network_plugin_mode = "overlay"
      }

      # Azure AD Integration
      azure_active_directory_role_based_access_control {
        managed            = true
        azure_rbac_enabled = true
      }

      # Azure Key Vault Integration
      key_vault_secrets_provider {
        secret_rotation_enabled = true
      }
    }

2 min · Me