Replication 3 service-ldap-usage Simple LDAP user and group management 3 service-ldap-with-tls SSL/TLS 3 service-ldap-backup-restore Backup and restore 2 Kerberos 3 kerberos-introduction Introduction openssh-crypto-configuration OpenSSH crypto configuration 3 Level Path Navlink 3 troubleshooting-tls-ssl Troubleshooting TLS/SSL 2 Virtualisation and containers 3 Virtual machines 4 vm-tools-in-the-ubuntu-space OpenLDAP Introduction Installation Access control Replication Simple LDAP user and group management SSL/TLS Backup and restore Kerberos Introduction Kerberos server Service principals Kerberos encryption types

and HTTP-Aware Policy Enforcement Locking down external access with DNS-based policies Inspecting TLS Encrypted Connections with Cilium Securing a Kafka cluster How to secure gRPC Getting Started Securing cilium cilium/cilium --version $CILIUM_VERSION \\ --namespace $CILIUM_NAMESPACE \\ --set hubble.tls.auto.method="cronJob" \\ --set hubble.listenAddress=":4244" \\ --set hubble.relay.enabled=true cilium cilium/cilium --version $CILIUM_VERSION \\ --namespace $CILIUM_NAMESPACE \\ --set hubble.tls.auto.method="cronJob" \\ --set hubble.listenAddress=":4244" \\ --set hubble.relay.enabled=true

and HTTP-Aware Policy Enforcement Locking down external access with DNS-based policies Inspecting TLS Encrypted Connections with Cilium Securing a Kafka cluster How to secure gRPC Getting Started Securing standalone.enabled to true and optionally provide a volume to mount Hubble UI client certificates if TLS is enabled on Hubble Relay server side. Below is an example deploying Hubble UI as standalone, with this to false as Hubble relay is already installed enabled: false tls: server: # set this to true if tls is enabled on Hubble relay server side enabled: true ui: # enable

and HTTP-Aware Policy Enforcement Locking down external access with DNS-based policies Inspecting TLS Encrypted Connections with Cilium Securing a Kafka cluster How to secure gRPC Getting Started Securing Inspecting TLS Encrypted Connections with Cilium This document serves as an introduction for how network security teams can use Cilium to transparently inspect TLS-encrypted connections. This TLS-aware inspection visibility and policy to function even for connections where client to server communication is protected by TLS, such as when a client accesses the API service via HTTPS. This capability is similar to what is possible

for slapd.access4. 1.8. TLS When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport Layer Security (TLS). Here, we will be our /etc/ssl/ldap01.info info file containing: organization = Example Company cn = ldap01.example.com tls_www_server encryption_key signing_key expiration_days = 3650 The above certificate is good for 10 'ssl-cert' group: sudo systemctl restart slapd.service Your server is now ready to accept the new TLS configuration. Create the file certinfo.ldif with the following contents (adjust accordingly, our

and HTTP-Aware Policy Enforcement Locking down external access with DNS-based policies Inspecting TLS Encrypted Connections with Cilium Securing a Kafka cluster How to secure gRPC Getting Started Securing restarting the pods to reset the CrashLoopBackoff time. CoreDNS: Enable reverse lookups In order for the TLS certificates between etcd peers to work correctly, a DNS reverse lookup on a pod IP must map back to management of the etcd cluster including compaction, restart on quorum loss, and automatic use of TLS. There are several disadvantages which can become of relevance as you scale up your clusters: etcd

and HTTP-Aware Policy Enforcement Locking down external access with DNS-based policies Inspecting TLS Encrypted Connections with Cilium Securing a Kafka cluster How to secure gRPC Getting Started Securing restarting the pods to reset the CrashLoopBackoff time. CoreDNS: Enable reverse lookups In order for the TLS certificates between etcd peers to work correctly, a DNS reverse lookup on a pod IP must map back to management of the etcd cluster including compaction, restart on quorum loss, and automatic use of TLS. There are several disadvantages which can become of relevance as you scale up your clusters: etcd

how to prepare your Kubernetes environment. For CoreDNS: Enable reverse lookups In order for the TLS cer�ficates between etcd peers to work correctly, a DNS reverse lookup on a pod IP must map back to automa�c management of the etcd cluster including compac�on, restart on quorum loss, and automa�c use of TLS. There are several disadvantages which can become of relevance as you scale up your clusters: etcd In case you are not using a TLS-enabled etcd, comment out the configura�on op�ons in the ConfigMap referring to the key loca�ons like this: # In case you want to use TLS in etcd, uncomment the 'ca-file'

netns is not in-use) ○ host services connector (netns is in-use) ○ transparent proxy (mostly for TLS) ○ container firewall ○ network faults injection ○ network counters (rack, datacenter, region) Proxy ● Facebook traffic has to be encrypted ● Transparent TLS helps some services encrypt easily ● How to send task TCP traffic to TLS forward proxy transparently for a service? Solution: ● Redirect

secure NTP, which provides a handshake (TLS) before using a NTP server and authentication of the NTP time synchronization packets using the results of the TLS handshake. The default NTP client in MIL validate data authenticity NTP client (NTS support) TLS/SSL, NTP NTS guarantees data integrity via NTS Authenticator and Encrypted EF NTS provides TLS layer to guarantee authenticity ATTENTION root/root Yes APT client HTTPS Ethernet, cellular, Wi-Fi root/root Yes NTP client (NTS support) TLS/SSL, NTP Ethernet, cellular, Wi-Fi root/root Yes Security Configuration Check The secure models