DEV Community: Sangam Biradar

Golang for Beginners

Sangam Biradar — Tue, 22 Dec 2020 10:56:55 +0000

-- TABLE OF CONTENTS --
Lets Start With First Hello world Program
Numeral Systems - Decimal
Numeral systems - binary
Numeral systems - hexadecimal
Numeral Systems Loop
Numeral Systems - UTF-8
Short variable declarations
variable with zero value
deep drive on variables
deep drive on Constants
Loop - Init, Condition, Post
Loop - Nested Loops
Loop - For Statement
Loop - Break & Continue
Generate Random number with math/crypto/rand in Go
Loop - Printing ASCII
Conditional - If Statement
Conditional - If, Else if, Else
Loop, Conditional, Modulus
Conditional - Switch Statement
Conditional - Switch Statement Documentation
Conditional Logic Operators
String Type
Bool Type
Structs
struct literal
Struct fields can be accessed through a struct pointer.
Conversion, Not Casting
Creating Your Own Type
Defer
Stacking defers
Pointers
Prefix Suffix
Conversion between array and slice
Methods
variadic function
init Function
Command Line Arguments and File I/O
interface

Support this repo by gitstart

Nitty-Gritty of AWS IAM

Sangam Biradar — Tue, 22 Dec 2020 10:48:41 +0000

Identity and Access Management (IAM)

● The key features of IAM:

Shared Access to your Account
Granular Permissions
Secure Access to AWS Resources
Identity Federation
Identity Information for Assurance
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance
Password Policy
Multi Factor Authentication (MFA)

● Shared access to your AWS account

Grant permission to users to access and use resources in your AWS account without sharing your password.

● Granular Permissions

Granular permissions allow different permissions to various users to manage their access to AWS, such as:

• User access to specific services

• Specific permissions for actions

• Specific access to resources

Secure Access

Securely allocate credentials that applications on EC2 instances require to access other AWS resources.

Identity Federation

● Allows users with external accounts to get temporary access to AWS resources

Identity Information

● Log, monitor, and track what users are doing with your AWS resources.

PCI DSS Compliance

● Payment Card Industry (PCI) and Data Security Standard (DSS) compliant

Multi-Factor Authentication

● Two-Factor Authorization for users and resources to ensure absolute security using MFA devices

Password Policy

● IAM allows you to define password strength and rotation policies.

IAM Policies

● A document that defines one or more permissions

● Attached to users, groups, and roles

● Written in JavaScript Object Notation (JSON)

● Selected from a pre-defined AWS list of policies, or you can create your own policy

## AWS Policies
● AWS has many predefined policies which allow you to define granular access to AWS resources.

● There are around 200 predefined policies available for you to choose from.

AdministratorAccess Policy

● AdministratorAccess policy provides full access to AWS services and resources.

AmazonEC2FullAccess Policy

● AmazonEC2FullAccess policy provides AWS Directory Service user or groups full access to the Amazon EC2 services and resources

AmazonS3ReadOnlyAccess Policy

● AmazonS3ReadOnlyAccess policy provides read-only access to all buckets using the AWS Management Console

JSON

● AWS policies are written using JavaScript Object Notation (JSON).

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:listbucket",
    "Resource": "arn:aws:s3:::example_s3_bucket"
  }
}

Policy-wide information:

Version–Date this policy was created

One or more individual statements:

Effect–Allow permission

Action– 3 list bucket

Resource–Name of the S3 bucket

## IAM Users
Users are defined as the people or systems that use your AWS resources.

## Security Credentials
AWS provides numerous ways to provide secure user access to your AWS resources:

Key pairs:

• They consist of a public and private key

• A private key is used to create a digital signature

• AWS uses the corresponding public key to validate the signature

Email address and password

• They are created when you sign up to use AWS

• They are used to sign in to AWS web pages

IAM user name and password

• They allow multiple individuals or applications access to your AWS account

• Individuals use their user names and passwords to sign in

Multi-Factor Authentication (MFA)

• With AWS MFA enabled, users are prompted for a user name and password and for an authentication code from an MFA device

Access keys

• They consist of an access key and a secret access key

• They use access keys to sign programmatic requests

## IAM Groups
● AWS defines a group as a collection of users that inherit the same set of permissions.

## IAM Roles

IAM Roles are:

• Very similar to users

• Not password protected and do not require access keys

• AWS identities with permission policies that determine the access available to the identities

• Assumed by anyone who requires them

Create Individual IAM Users

• The benefits of creating individual IAM users:

• Control permissions at an individual level

• No shared accounts

• Unique credentials for everyone

• Easier to rotate credentials

• Easier to identify security breaches

Grant Least Privilege

When creating IAM policies, granting ”least privilege,” means that:

• You only grant required permissions

• It's more secure to start with minimum permissions

• It’s easier to grant permissions than revoke them

• You protect your assets

## Manage Permissions with Groups
Use permissions with groups to minimize the workload

Easy to assign new permissions

• It is easier to assign a new permission to a group than to assign it to many individual users.

Simple to reassign permissions

• It is simpler to reassign permissions if a user has a change in responsibilities.

Restrict Access with Further Conditions

• Use additional conditions such as MFA and Security Groups to ensure only the intended users get access.

## Monitor Activity in your AWS Account
AWS has several features to log user actions.

• Logs

• AWS Cloudtrail

Create a Strong Password Policy

• Ensure that all your users have strong passwords and they rotate their passwords regularly.

Use Roles for Applications that run on EC2

• IAM Roles remove the need for your developers to store or pass credentials to AWS EC2.

## Reduce or Remove Unnecessary Credentials
• To reduce the potential for misuse, run a credential report to identify users that are no longer in use and can be removed.

AWS Security Token Service (STS)

• It is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management users that you authenticate.

STS: Things To Remember

• Develop an Identity Broker to communicate with LDAP and AWS STS

• Identity Broker always authenticates with LDAP first and then AWS STS

• Application gets temporary access to AWS resources

MULTIPASS + MICROK8 + Grafana On MACOSX

Sangam Biradar — Tue, 19 Feb 2019 00:00:00 +0000

MULTIPASS + MICROK8 + Grafana On MACOSX

Multipass is a system that orchestrates the creation, management and maintenance of Virtual Machines and associated Ubuntu images to simplify development. MicroK8s is a local deployment of Kubernetes. Let’s skip all the technical details and just accept that Kubernetes does not run natively on MacOS or Windows. You may be thinking “I have seen Kubernetes running on a MacOS laptop, what kind of sorcery was that?” It’s simple, Kubernetes is running inside a VM. You might not see the VM or it might not even be a full blown virtual system but some level of virtualisation is there. This is exactly what we will show here.

Under this tutorial, we will setup a VM using Multipass and will showcase how to install MicroK8s. After the installation we will discuss how to build appalication stack using K8s. Let’s get started:

Download Multipass VM https://github.com/CanonicalLtd/multipass/releases

A multipass VM on MacOS

Biradars-MacBook-Air:~ sangam$ multipass launch --name microk8s-vm --mem 4G --disk 40G
Launched: microk8s-vm                                                           
Biradars-MacBook-Air:~ sangam$ multipass exec microk8s-vm -- sudo snap install microk8s --classic
multipass exec microk8s-vm -- sudo iptables -P FORWARD ACCEPT
2019-02-19T18:13:52+05:30 INFO Waiting for restart...
microk8s v1.13.2 from Canonical✓ installed

Make sure you reserve enough resources to host your deployments; above, we got 4GB of RAM and 40GB of hard disk. We also make sure packets to/from the pod network interface can be forwarded to/from the default interface.

Our VM has an IP that you can check with:

Biradars-MacBook-Air:~ sangam$ multipass list
Name State IPv4 Release
microk8s-vm RUNNING 192.168.64.3 Ubuntu 18.04 LTS

Take a note of this IP since our services will become available there. Other multipass commands you may find handy:

Get a shell inside the VM:

Biradars-MacBook-Air:~ sangam$ multipass shell microk8s-vm
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-45-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

 System information disabled due to load higher than 1.0

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

7 packages can be updated.
7 updates are security updates.

Last login: Tue Feb 19 18:11:11 2019 from 192.168.64.1

install kubect

sudo snap install kubectl --classic

multipass@microk8s-vm:~$ kubectl version
Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.3", GitCommit:"721bfa751924da8d1680787490c54b9179b1fed0", GitTreeState:"clean", BuildDate:"2019-02-01T20:08:12Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.2", GitCommit:"cff46ab41ff0bb44d8584413b598ad8360ec1def", GitTreeState:"clean", BuildDate:"2019-01-10T23:28:14Z", GoVersion:"go1.11.4", Compiler:"gc", Platform:"linux/amd64"}

check k8 microk8

multipass@microk8s-vm:~$ microk8s.kubectl get nodes
NAME STATUS ROLES AGE VERSION
microk8s-vm Ready <none> 13m v1.13.2

check cluster

multipass@microk8s-vm:~$ microk8s.kubectl get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.152.183.1 <none> 443/TCP 15m

Enable microk8 dashboard

multipass@microk8s-vm:~$ microk8s.enable dns dashboard
Enabling DNS
Applying manifest
service/kube-dns created
serviceaccount/kube-dns created
configmap/kube-dns created
deployment.extensions/kube-dns created
Restarting kubelet
DNS is enabled
Enabling dashboard
secret/kubernetes-dashboard-certs created
serviceaccount/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created
service/monitoring-grafana created
service/monitoring-influxdb created
service/heapster created
deployment.extensions/monitoring-influxdb-grafana-v4 created
serviceaccount/heapster created
configmap/heapster-config created
configmap/eventer-config created
deployment.extensions/heapster-v1.5.2 created
dashboard enabled
multipass@microk8s-vm:~$

Deployment

Deploying a nginx service is what you would expect, with the addition of the Microk8s prefix

multipass@microk8s-vm:~$ microk8s.kubectl run nginx --image nginx --replicas 3
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
deployment.apps/nginx created
 --selector=run=nginx --name nginxkubectl expose deployment nginx --port 80 --target-port 80 --type ClusterIP\ 
The Service "nginx" is invalid: spec.type: Unsupported value: "ClusterIP --selector=run=nginx": supported values: "ClusterIP", "ExternalName", "LoadBalancer", "NodePort"
multipass@microk8s-vm:~$

get all pod and services details

multipass@microk8s-vm:~$ microk8s.kubectl get all
NAME READY STATUS RESTARTS AGE
pod/nginx-7cdbd8cdc9-cgksg 1/1 Running 0 2m41s
pod/nginx-7cdbd8cdc9-msq5w 1/1 Running 0 2m41s
pod/nginx-7cdbd8cdc9-sbqll 1/1 Running 0 2m41s

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.152.183.1 <none> 443/TCP 22m

NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/nginx 3/3 3 3 2m41s

NAME DESIRED CURRENT READY AGE
replicaset.apps/nginx-7cdbd8cdc9 3 3 3 2m41s
multipass@microk8s-vm:~$

multipass@microk8s-vm:~$ kubectl --kubeconfig=kubeconfig get all --all-namespaces
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default service/kubernetes ClusterIP 10.152.183.1 <none> 443/TCP 11m

You can verify that all services are up and running with the following command:

multipass@microk8s-vm:~$ microk8s.kubectl get all --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default pod/nginx-7cdbd8cdc9-cgksg 1/1 Running 0 7m19s
default pod/nginx-7cdbd8cdc9-msq5w 1/1 Running 0 7m19s
default pod/nginx-7cdbd8cdc9-sbqll 1/1 Running 0 7m19s
kube-system pod/heapster-v1.5.2-64874f6bc6-tgx96 4/4 Running 0 7m32s
kube-system pod/kube-dns-6ccd496668-n64pw 3/3 Running 0 10m
kube-system pod/kubernetes-dashboard-654cfb4879-98h29 1/1 Running 0 10m
kube-system pod/monitoring-influxdb-grafana-v4-6679c46745-tbrbg 2/2 Running 0 10m

NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default service/kubernetes ClusterIP 10.152.183.1 <none> 443/TCP 27m
kube-system service/heapster ClusterIP 10.152.183.77 <none> 80/TCP 10m
kube-system service/kube-dns ClusterIP 10.152.183.10 <none> 53/UDP,53/TCP 10m
kube-system service/kubernetes-dashboard ClusterIP 10.152.183.171 <none> 443/TCP 10m
kube-system service/monitoring-grafana ClusterIP 10.152.183.127 <none> 80/TCP 10m
kube-system service/monitoring-influxdb ClusterIP 10.152.183.216 <none> 8083/TCP,8086/TCP 10m

NAMESPACE NAME READY UP-TO-DATE AVAILABLE AGE
default deployment.apps/nginx 3/3 3 3 7m19s
kube-system deployment.apps/heapster-v1.5.2 1/1 1 1 10m
kube-system deployment.apps/kube-dns 1/1 1 1 10m
kube-system deployment.apps/kubernetes-dashboard 1/1 1 1 10m
kube-system deployment.apps/monitoring-influxdb-grafana-v4 1/1 1 1 10m

NAMESPACE NAME DESIRED CURRENT READY AGE
default replicaset.apps/nginx-7cdbd8cdc9 3 3 3 7m19s
kube-system replicaset.apps/heapster-v1.5.2-56c546dbb8 0 0 0 7m47s
kube-system replicaset.apps/heapster-v1.5.2-64874f6bc6 1 1 1 7m32s
kube-system replicaset.apps/heapster-v1.5.2-6bc7c4965d 0 0 0 10m
kube-system replicaset.apps/kube-dns-6ccd496668 1 1 1 10m
kube-system replicaset.apps/kubernetes-dashboard-654cfb4879 1 1 1 10m
kube-system replicaset.apps/monitoring-influxdb-grafana-v4-6679c46745 1 1 1 10m

get cluster info

multipass@microk8s-vm:~$ microk8s.kubectl cluster-info
Kubernetes master is running at http://127.0.0.1:8080
Heapster is running at http://127.0.0.1:8080/api/v1/namespaces/kube-system/services/heapster/proxy
KubeDNS is running at http://127.0.0.1:8080/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
Grafana is running at http://127.0.0.1:8080/api/v1/namespaces/kube-system/services/monitoring-grafana/proxy
InfluxDB is running at http://127.0.0.1:8080/api/v1/namespaces/kube-system/services/monitoring-influxdb:http/proxy

# find ip of your vm and replace with your monitoring servives
Kubernetes master is running at http://192.168.64.3:8080
Heapster is running at http://192.168.64.3:8080/api/v1/namespaces/kube-system/services/heapster/proxy
KubeDNS is running at http://192.168.64.3:8080/v1/namespaces/kube-system/services/kube-dns:dns/proxy
Grafana is running at http://192.168.64.3:8080/api/v1/namespaces/kube-system/services/monitoring-grafana/proxy
InfluxDB is running at http://192.168.64.3:8080/api/v1/namespaces/kube-system/services/monitoring-influxdb:http/proxy