DEV Community: Abhishek Tiwari

Introducing JWT Debugger App

Abhishek Tiwari — Fri, 29 May 2020 16:58:12 +0000

JSON Web Token is a compact yet URL-safe token primarily used for OAuth 2 and OpenID based authentication and authorization. A JWT token represents a set of claims as a JSON object that is encoded in a JSON Web Signature (JWS) structure.

JWT Token

A JWT token is made of three URL-safe portions header, payload, and signature separated by period ('.') characters. Each component contains a base64url-encoded value. For instance, the following string represents a JWT token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1czNvcmphczc5bDAzOHBrMWJwNmoxZCIsIm5hbWUiOiJKb2huIERvZSIsImp0aSI6Ijc4ZjRnMWpkam5naTBpMzJveGtuZCIsImV4cCI6MTU5MDc2OTE1OH0.rP0Ykkr1jjzErb14OAeNTlCSSGpuKQaxRa2hO3-2Olc

Decoding a token

When you decode a JWT token you get a JSON header and JSON payload. The overall token decoding process is really straightforward. You take the first portion, Base64url decode it and remove any line breaks, whitespace, or other additional characters which gives you header. You take the second portion and Base64url decode it and remove any line breaks, whitespace, or other additional characters which gives you payload.

// Token Header decoded from eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
{
 "alg": "HS256",
 "typ": "JWT"
}
// Token Payload decoded from eyJzdWIiOiJ1czNvcmphczc5bDAzOHBrMWJwNmoxZCIsIm5hbWUiOiJKb2huIERvZSIsImp0aSI6Ijc4ZjRnMWpkam5naTBpMzJveGtuZCIsImV4cCI6MTU5MDc2OTE1OH0
{
  "sub":"us3orjas79l038pk1bp6j1d",
  "name":"John Doe",
  "jti":"78f4g1jdjngi0i32oxknd",
  "exp":1590769158
}

Token validation

Validation of the token requires signing key or secrete used to create the signature portion of the token. Signing algorithm is described by alg claim the token header.

If the signing algorithm belongs the family of asymmetrical algorithms i.e. Rivest–Shamir–Adleman (RSA) or Elliptic Curve Digital Signature Algorithm (ECDSA) then you will need the public version of the private key used for token signing. The public key can be in JSON Web Key (JWK) format or PEM format. If you are using an OpenID Connect compliant authorizations server then the public side of JWK keys are served by a JSON Web Key Set (JWKS) endpoint. A JWKS endpoint returns a set of keys which contains the one or more public keys.
If the signing algorithm belongs to the family of symmetrical algorithms HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) you will need the shared key or secret used to sign the token.

Here is an example of JWKS endpoint of Google OAuth 2 server. JWKS endpoint may return more than one public key so you identify relevant key matching the kid parameter of token header and JWK key.

{
{
   "keys":[
      {
         "e":"AQAB",
         "alg":"RS256",
         "use":"sig",
         "n":"qx9oubekMS3x-mmgPJOUeoPJH9aoYwlDfElkRk2XfQnRmsfbxVc8Gna6V8avfWpBcXuyTMkJ4_hmk4Ra3x4KMwpQ3XVZGtFvP2PwTHKbtf47if-gVsh5PZlHovKOS1ixTnagfidzBGpnwAGGSyrIDSVOxPC6GcOIxWtJ56AZ6kcHtI9zGO4AE8T8-TXEgIkUfby-AQCFxzlXDsA_zxWbjka0gscAqiYESB5JLjMrxNWwEPhlvIRO7LospdwYTjZteLAAC5OEWPMlxI6laSB9TzPWLHMsNNEe6_YOylp2sMSwslOb9FFsP5KVaVdBBLwHwFf7ncVaHExFqhwTHIoS8Q",
         "kty":"RSA",
         "kid":"960a7e8e8341ed752f12b186fa129731fe0b04c0"
      },
      {
         "n":"zK8PHf_6V3G5rU-viUOL1HvAYn7q--dxMoUkt7x1rSWX6fimla-lpoYAKhFTLUELkRKy_6UDzfybz0P9eItqS2UxVWYpKYmKTQ08HgUBUde4GtO_B0SkSk8iLtGh653UBBjgXmfzdfQEz_DsaWn7BMtuAhY9hpMtJye8LQlwaS8ibQrsC0j0GZM5KXRITHwfx06_T1qqC_MOZRA6iJs-J2HNlgeyFuoQVBTY6pRqGXa-qaVsSG3iU-vqNIciFquIq-xydwxLqZNksRRer5VAsSHf0eD3g2DX-cf6paSy1aM40svO9EfSvG_07MuHafEE44RFvSZZ4ubEN9U7ALSjdw",
         "kty":"RSA",
         "kid":"fb8ca5b7d8d9a5c6c6788071e866c6c40f3fc1f9",
         "e":"AQAB",
         "alg":"RS256",
         "use":"sig"
      }
   ]
}

Finally, the use of JWKS endpoint for token validation is recommended as it is safe and does not require sharing of the secret key between parties.

Use a JWT Debugger

If you are a developer working with JWT tokens then most likely you use a debugger tool to decode and validate your token. JWT.io is probably one of the most popular out there. JWT.io is an amazing tool but if you are working with sensitive tokens probably you want to avoid pasting them online which is why we created a cross-platform interactive JWT Debugger App.

With JWT Debugger App, use the web version as a progressive web app or install desktop apps for Mac, Window, and Linux. More importantly, [JWT Debugger App] supports token validation using both JWKS Endpoint and PEM/Secret Keys. JWT.io and many other JWT tools currently don't support JWKS Endpoint based token validation.

JWT Debugger App itself is open-source and if you find any issues or like to add a feature just open a Github ticket and we will love to help.

10 open-source Kubernetes tools for highly effective SRE and Ops Teams

Abhishek Tiwari — Sat, 06 Jan 2018 13:00:00 +0000

If you are running workloads in Kubernetes, your site reliability engineering (SRE) and operations (Ops) teams need right kind of tooling to ensure the high-reliability of the Kubernetes cluster and workloads running in it. Here we present a list of 10 open-source Kubernetes tools to make your SRE and Ops teams more effective to achieve their service level objectives.

Kube-ops-view

Kube-ops-view provides a common operational view for multiple Kubernetes clusters. It is a handy tool for SRE and Ops teams. Kube-ops-view provides read-only system dashboard. Some of the cool features offered by kube-ops-view,

Switch between multiple Kubernetes clusters
Render nodes and indicate their overall status ("Ready")
Show node capacity and resource usage (CPU, memory)
Indicate status of pods (green: ready/running, red: error etc)
Provide tooltip information for nodes and pods
Animate pod creation and termination
Project dashboards on TV screens using screen tokens

Cabin

Cabin is the native mobile dashboard app for Kubernetes. Cabin UI is built using React Native hence runs both iOS and Android devices. It is an on the move assistant which provides fine-grained actions to manipulate Kubernetes resources. Cabin app is touch optimised. So for instance, you can delete pods with a single left swipe. You can scale deployments with a finger scroll.

Some of the interesting features included in Cabin,

Seamless support for Google Kubernetes Engine (GKE). You can create GKE clusters directly from your mobile phone.
Early support for Help charts, you can view Charts repositories and launch charts with one click on the move.
Access pod logs, search resources by the label, trigger rolling-updates by changing the image of your deployments etc.

Kubectx

Kubectx is another must-have tool if you working with multiple Kubernetes clusters. Kubectx comes bundled with kubens and together they allow you switch between Kubernetes clusters and namespaces when using kubectl.

kubectx and kubens support tab completion on bash/zsh shells to help you with long context names. You don't have to remember full context names anymore.

Kube-shell

Kube-shell is an integrated shell for working with the Kubernetes CLI. It has some really nifty features such as

auto-completion of commands, auto-suggestions, in-line documentation
access to the history of commands executed by using up/down arrow keys
current context from kubeconfig, easy switch between the clusters/namespaces

Related tools

Kube-prompt is yet another interactive Kubernetes client featuring auto-complete. It accepts commands without kubectl prefix.

In addition, Kube-ps1 is a neat script that lets you add the current Kubernetes context and namespace configured on kubectl to your Bash/Zsh prompt strings.

Lastly, Kail is Kubernetes tail. As a Kubernetes log viewer, kail allows you to stream logs from matching pods using selectors.

You can match pods based on a standard label selector, by name, by service, by deployment, etc.

Telepresence

Telepresence is an open source tool that lets you debug a service locally while keeping the connection with its dependency services hosted in a remote Kubernetes cluster and remote cloud resources like a database.

Personally, I think Telepresence has a lot potential. Telepresence is already a powerful local development environment for services running in Kubernetes. Live debugging part is new but evolving quite rapidly.

Weave Scope

Weave Scope is troubleshooting & monitoring tool for Docker and Kubernetes. It automatically builds logical topologies of your application and infrastructure which enable your SRE and Ops team to intuitively understand, monitor and control your containerized, microservices based application.

Apart from Topology view, Weave Scope can provide a drill down views i.e everything between nodes and processes including deployments, services, replica sets, pods, and containers. In addition, you can apply filters based on CPU and Memory usage or use search to quickly find node types, containers, and processes by name, label or even path.

PowerfulSeal

PowerfulSeal is inspired by Chaos Monkey and developed by Bloomberg engineering team. It can add chaos to your Kubernetes clusters like killing targeted pods and nodes. It operates in two modes: interactive and autonomous.

Interactive mode is designed to allow you to discover your cluster's components, and manually break things to see what happens. It operates on nodes, pods, deployments, and namespaces.> Autonomous mode reads a policy file, which can contain any number of pod and node scenarios. Each scenario describes a list of matches, filters, and actions to execute on your cluster.

Policy files are written in YAML format and includes scenarios which will be executed by the autonomous agent.

Related tools

kube-monkey is an alternative implementation of Netflix's Chaos Monkey for Kubernetes clusters. It randomly deletes pods in the Kubernetes cluster encouraging and validating the development of failure-resilient services.

Marmot

Marmot is a workflow execution engine from Google for processing workflows targeting DevOps/SRE needs. It has been designed as a tool for handling infrastructure changes but it can be used with Kubernetes.

It is particularly suitable for any type of operation that must be performed in steps with certain pacing and may require state checks for health. So, for instance, you are rolling out a new service version on Kubernetes with a large number of instances then you perform an incremental but controlled rollout (canary release).

Ark

Ark is a tool for managing disaster recovery for your Kubernetes resources and volumes. Ark provides a simple and operationally robust way to back up and restore Kubernetes resources and Persistent Volumes from a series of checkpoints. The backup files are stored in an object storage service (e.g. Amazon S3).

Ark enables you to you to automate following scenarios in a more efficient way,

Disaster recovery with reduced TTR (time to respond)
Cross-cloud-provider migration of Kubernetes API objects
Dev and testing environment setup (+ CI), via replication of prod

Ark comes with an in-cluster service (Ark server) and CLI (Ark client). In-cluster service does the most of heavy lifting as it runs all of the Ark controllers. Ark server performs the actual backup, validates it and loads backup files in cloud object storage.

Sysdig

Sysdig is container troubleshooting tool which captures system calls and events from the Linux kernel. Simply put, Sysdig is strace + tcpdump + htop + iftop + lsof + wireshark for your entire cluster.

Sysdig instruments your physical and virtual machines at the OS level by installing into the Linux kernel and capturing system calls and other OS events. Sysdig also makes it possible to create trace files for system activity

Related tools

Sysdig Inspect is an interface to visualize the data collected by Sysdig. Sysdig Inspect enables SRE and Ops teams in container troubleshooting and security investigation.

Inspect's user interface is designed to intuitively navigate the data-dense Sysdig captures that contain granular system, network, and application activity of a Linux system. Sysdig Inspect helps you understand trends, correlate metrics and find the needle in the haystack. It comes packed with features designed to support both performance and security investigations, with deep container introspection.

Sysdig Falco is another tool built on top of granular data collected by Sysdig. Falco monitors behavioral activity and it is designed to detect anomalous activity in your application. For instance, using Falco you can detect activities such as,

a shell is run inside a container
a container is running in privileged mode
a container is mounting a sensitive from the host

Final thoughts

Kubernetes ecosystem is observing an explosive growth. There are a large number of open source and commercial tools which you can help you to be more effective and efficient when operating missing-critical Kubernetes cluster and services. As always, setting down on top 10 tools is not easy. Did we miss something? Tell us on Twitter if you are using something interesting to manage Kubernetes in production.