I am testing my binary authorization policies and put an exemption entry to allow nginx .
Following are the entries I tried by adding them under Images exempt from policy
registry.hub.docker.com/library/nginx*
registry.hub.docker.com/library/nginx.latest
docker.io/library/nginx*
but it is failing with below error
$ kubectl run httpd-server --image=nginx --restart=Never -l app=httpd-server --port 80
Error from server (VIOLATES_POLICY): admission webhook "imagepolicywebhook.image-policy.k8s.io" denied the request: Image nginx denied by Binary Authorization default admission rule. Denied by always_deny admission rule
If i disable binary authorization and install the nginx package , it shows the following repository is used to pull the image
image: docker.io/library/nginx:latest
This entry is already there in Images exempt from policy , but the download is still blocked . Any suggestions ?
Related
I am running nginx-ingress v0.44.0 on Kubernetes version v1.20.2, install ingress using helm chat ingress-nginx-3.23.0. nginx taking the traffic from the log file I see this error message.
E0209 23:21:41.300842 6 token_source.go:152] Unable to rotate token: failed to read token file "/var/run/secrets/kubernetes.io/serviceaccount/token": open /var/run/secrets/kubernetes.io/serviceaccount/token: permission denied
E0209 23:21:41.316286 6 token_source.go:152] Unable to rotate token: failed to read token file "/var/run/secrets/kubernetes.io/serviceaccount/token": open /var/run/secrets/kubernetes.io/serviceaccount/token: permission denied
Nignx is running uid 101 but serviceaccount directory owned by root user.
How to fix this error message?
Thanks
It's kinda odd, as I've tested I haven't experienced such a error.
You could use securityContext, set
fsGroup: 101 or
runAsUser/runAsGroup
But still the ingress-nginx sets appropriate securityContext (for example to bind on 80/443), so it should work.
As #sfgroups mentioned solution is to make nignx not running uid 101 but 0.
Add flag to installation command: --set controller.image.runAsUser=0.
Read: helm-nginx-ingress-installation.
I am getting 404 accesing to https://my-dmain/ui/. If I try to access to https://my-dmain/artifactory it redirects to https://my-dmain/ui/ with 404. No log errors, only one warning:
2020-07-10T08:06:04.535L [35m[tomct][0m [WARNING] [ ]
[org.apache.catalina.startup.HostConfig]
[org.apache.catalina.startup.HostConfig deployDescriptor] - A docBase
[/opt/jfrog/artifactory/app/artifactory/tomcat/webapps/artifactory.war]
inside the host appBase has been specified, and will be ignored
2020-07-10T08:06:04.540L [35m[tomct][0m [WARNING] [ ]
[org.apache.catalina.startup.HostConfig]
[org.apache.catalina.startup.HostConfig deployDescriptor] - A docBase
[/opt/jfrog/artifactory/app/artifactory/tomcat/webapps/access.war]
inside the host appBase has been specified, and will be ignored
Just to confirm it, can you try to access the Artifactory using the server IP and port, like HTTP://1.2.3.4:8082? If you are able to access the Artifactory UI using the server IP and Port, I believe you need to tweak the reverse proxy being used.
Your problem is that with Artifactory 7.x the reverse proxy configuration is different. In this KB article you can find a working NGINX configuration.
One easy way to generate such configuration is to bypass your reverse proxy and go to Artifactory directly, there in the UI you will be able to log in, head to HTTP settings, and generate a new Apache or NGINX config.
I'm unable to setup an SSL connection between Filebeat and Elasticsearch.
My knowledge is lacking when it comes to SSL. I'm using X-Pack to generate a certificate using the certutil command. bin/xpack/certutil ca generates a certificate authority under the name elastic-stack-ca.p12.
Then
$ bin/x-pack/certutil cert --ca elastic-stack-ca.p12
Which I believe creates a certificate signed by that CA. This results in the file elastic-certificates.p12. From here I'm clueless.
I tried testing to see if the certificates work by setting up a HTTPS connection to ES.
I put
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /path/to/elastic-certificates.p12
xpack.security.http.ssl.certificate: /path/to/elastic-certificates.p12
xpack.security.http.ssl.certificate_authorities: [ "/path/to/elastic-stack-ca.p12" ]
However, this brings up quite a few errors one of them being
caught exception while handling client http traffic, closing connection
When I add the https IP and the CA in Kibana it fails to connect with ES.
I would like to know how to successfully set up https. Also how can a SSL connection be established between two servers. One containing Filebeat, but no X-Pack and the receiving server with ES on it alongside X-Pack installed.
After adding those SSL settings in your elasticsearch.yml, you also need to add the password to the Elasticsearch keystore and truststore. You should've set a password when you ran the certutil command. You can do that with:
$ echo password | /usr/share/elasticsearch/bin/elasticsearch-keystore add --stdin xpack.security.transport.ssl.keystore.secure_password
$ echo password | /usr/share/elasticsearch/bin/elasticsearch-keystore add --stdin xpack.security.transport.ssl.truststore.secure_password
Make sure you restart Elasticsearch after making these changes.
I setup my own landing page on my server with Nginx on top of it. I follow digital ocean 'How to' to get SSL certificat for it.
Now I finish to setup a Wordpress for my wife. Everything working well on plain HTTP but if I try to redo the process with let's encrypt : sudo certbot --nginx -d pamelajoa.com -d www.pamelajoa.com cerbot try to challenge the server but find out that there is already a certificat for my own website:
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: pamelajoa.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
XXX.YYY.acme.invalid
from [2001:41d0:8:6d9b::1]:443. Received 2 certificate(s), first
certificate had names "gfelot.xyz, www.gfelot.xyz"
Domain: www.pamelajoa.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
XXX.YYY.acme.invalid
from [2001:41d0:8:6d9b::1]:443. Received 2 certificate(s), first
certificate had names "gfelot.xyz, www.gfelot.xyz"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Once again my own web site works on HTTPS and the WP works on HTTP so I don't think it's coming for my Nginx conf.
Any Idea ?
Found a solution that worked for me by using this option in your command :
--preferred-challenges http-01
or you may try to use this one :
--preferred-challenges http
Full command here :
sudo certbot --nginx --preferred-challenges http-01 -d www.kaokeb.com
Full post for this solution in this thread :
https://community.letsencrypt.org/t/expired-certification/60185/23
Just wondering what I am missing here when trying to create an API with Tyk Dashboard.
My setup is:
Nginx > Apache Tomcat 8 > Java Web Application > (database)
Nginx is already working, redirecting calls to apache tomcat at default port 8080.
Example: tomcat.myserver.com/webapp/get/1
200-OK
I have setup tyk-dashboard and tyk-gateway previously as follows using a custom node port 8011:
Tyk dashboard:
$ sudo /opt/tyk-dashboard/install/setup.sh --listenport=3000 --redishost=localhost --redisport=6379 --mongo=mongodb://127.0.0.1/tyk_analytics --tyk_api_hostname=$HOSTNAME --tyk_node_hostname=http://127.0.0.1 --tyk_node_port=8011 --portal_root=/portal --domain="dashboard.tyk-local.com"
Tyk gateway:
/opt/tyk-gateway/install/setup.sh --dashboard=1 --listenport=8011 --redishost=127.0.0.1 --redisport=6379 --domain=""
/etc/hosts already configured (not really needed):
127.0.0.1 dashboard.tyk-local.com
127.0.0.1 portal.tyk-local.com
Tyk Dashboard configurations (nothing special here):
API name: foo
Listen path: /foo
API slug: foo
Target URL: tomcat.myserver.com/webapp/
What URI I suppose to call? Is there any setup I need to add in Nginx?
myserver.com/foo 502 nginx
myserver.com:8011/foo does not respond
foo.myserver.com 502 nginx
(everything is running under the same server)
SOLVED:
Tyk Gateway configuration was incorrect.
Needed to add --mongo and remove --domain directives at setup.sh :
/opt/tyk-gateway/install/setup.sh --dashboard=1 --listenport=8011 --redishost=localhost --redisport=6379 --mongo=mongodb://127.0.0.1/tyk_analytics
So, calling curl -H "Authorization: null" 127.0.0.1:8011/foo
I get:
{
"error": "Key not authorised"
}
I am not sure about the /foo path. I think that was previously what the /hello path is. But it appears there is a key not authorized issue. If the call is made using the Gateway API, then the secret value may be missing. It is required when making calls to the gateway (except the hello and reload paths)
x-tyk-authorization: <your-secret>
However, since there is a dashboard present, then I would suggest using the Dashboard APIs to create the API definition instead.