♲ 0hlov3 - 2024-12-13 13:19:53 GMT

The OWASP Top Ten has long been the cornerstone of web application security, but as Kubernetes takes center stage in cloud-native environments, a new focus is required. Enter the OWASP Kubernetes Top Ten, which sheds light on the most common and critical security risks in Kubernetes clusters.With containerization and Kubernetes forming the backbone of modern applications, it's crucial to secure not just the workloads, but also the orchestration platform itself.

Risks like:
- Unpatched container images 🛠️
- Weak network segmentation 🌐
- Misconfigured access controls 🔒

… can ripple across teams, impacting not only DevOps professionals but also developers and security managers alike.

Have you explored these critical Kubernetes security considerations?

🔗 owasp.org/www-project-kubernet…

#Kubernetes

Let log analysis be the guide for your #Kubernetes #security safari.

https://thenewstack.io/hunting-the-stealth-hacker-in-the-kubernetes-jungle/

Hunting the Stealth Hacker in the Kubernetes Jungle

Let log analysis be the guide for your Kubernetes security safari. 

#Podman als Zwischenstufe von #Docker zu #Kubernetes.

Ich hatte allerdings gehofft, er geht etwas auf das Pod-Konzept ein. Aber egal, war trotzdem wieder sehr lehrreich.

Danke #GLT

#GLT2024 #Graz #ccc #Chaos #systemd #Container #GNU/Linux #PoweredByRSS

https://mirrors.dotsrc.org/cdn.media.ccc.de/events/glt24/h264-hd/glt24-454-deu-Container-Management_leicht_gemacht_hd.mp4

Seit bald einem Jahr laufen unsere produktiven Services via #Kubernetes. Heute haben wir gemerkt, dass seit gestern plötzlich die Webserver parallel (RoundRobin) arbeiten anstatt im FailOver-Mode.So war es eigentlich die ganze Zeit geplant.

Vermutlich werden wir noch ein weiteres Jahr brauchen, herauszufinden, warum das so ist.

#EinmalMitProfis

Hab gestern mal wieder gemerkt, wie weit ich mich von der Basis entfernt habe. Eher featuregetrieben haben wir die produktiven Tomcats von #openjdk 11 auf 17 umgestellt. Wir hatten vorher funktional getestet, aber groß über die Hintergründe informiert hatte ich mich tatsächlich vorher nicht.

Jetzt verbrauchen die Pods plötzlich um Faktor 2 bis 4 mal weniger RAM als vorher und die GarbageCollection agiert sichtbar dynamisch. Alta!

#Java #Kubernetes #Tomcat #EinmalMitProfis

FLOSS Weekly Episode 769: OpenCost — We Spent How Much?

#computerhacks #hackadaycolumns #podcasts #cloudnative #flossweekly #kubernetes #opencost #hackaday
posted by pod_feeder_v2

FLOSS Weekly Episode 769: OpenCost — We Spent How Much?

This week Jonathan Bennett and Katherine Druckman talk with Matt Ray about OpenCost. What exactly is Cloud Native? Why do we need a project just for tracking expenses? Doesn’t the cloud make …

I made a #kubernetes pod that updates my mail server’s DANE record whenever LetsEncrypt issues a new one because boredom. Curiously I used ChatGPT to generate the script that uses openssl to generate the TLSA record and it actually worked perfectly. Once I had the certificate and the TLSA record, a simple call to nsupdate with a TSIG key and BIND worked all its DNSSEC magic.

#!/bin/bash

TLSA="3 0 1 $(openssl x509 -in certificate.pem -outform DER | openssl sha256 | cut -d' ' -f2)"

NAME="_25._tcp.smtp.koehn.com"

UPDATE="
server ns1.koehn.com
zone koehn.com
update delete $NAME TLSA
update add $NAME 300 TLSA $TLSA
send"

echo "$UPDATE" | nsupdate -vy "$KEY"

Acht Jahre habe ich mich damit gequält - gestern konnte ich den Server von #Puppet für immer abschalten. Es war ein innerliches Fest.

Heutzutage quält man sich viel schöner mit #Kubernetes.

Microsoft has made Azure Linux generally available. Repeat, Azure Linux

Well this is something of an odd day, a long way from former #Microsoft CEO' Steve Balmer's "Linux is a cancer" declaration in 2001.

#Azure #Linux #Kubernetes

Morgen um 9:00 wird DNS umgestellt. Dann gehen 15 Jahre Betrieb mit #Xen auf eigenen Servern zu Ende und die glorreiche Zeit von #Kubernetes in der Cloud bricht an. Alles wird gut - ganz bestimmt.

Wenn ich es nicht gemacht hätte, hätt' es ein anderer gemacht...

#LinuxGraubart

I finally upgraded #k3s on the cluster today, and it was so painless it felt like cheating. Download the new binary, move it in place, and restart the service. In #Kubernetes this takes an hour with endless plans and scripts and draining and reloading everything. In k3s it took five minutes.

Ab 2:00 konnte ich nicht mehr schlafen. Senile Bettflucht, wer kennt das nicht.

Aufgestanden, Kaffee gemacht und mal geschaut, was die #CLT23 noch an coolen Talks zu bieten hat. Ah, was mit #kubernetes und #security. Sehr schön.

Das war ein Fehler! Jetzt kann ich wahrscheinlich nie mehr schlafen...

#k8s #CLT #ccc #Chaos #PoweredByRSS

♲ Chaos Computer Club - Media (Inoffiziell) - 2023-03-11 23:00:00 GMT

Hacking Kubernetes Cluster and Secure it with Open Source (clt23)
https://mirror.selfnet.de/CCC/events/clt/2023/h264-hd/clt23-99-deu-Hacking_Kubernetes_Cluster_and_Secure_it_with_Open_Source_hd.mp4

I worked quite hard to solve this problem, and I’m happy with its (eventual) simplicity. When you have (for example) two Kubernetes containers in a pod (or two processes that can share a named pipe) and you need to run a process on one of them from the other one, I have just the tool for you. It’s basically ssh without all the pesky networking, using named pipes instead of TCP streams.

https://unix.stackexchange.com/a/735642/157130

#linux #kubernetes #docker #fifo #bash

How do I attach a bash shell to a named pipe?

Let’s say I have two machines X and Y (two containers in the same Kubernetes pod, actually) that share a volume. On that volume is a named pipe /foo that I want attached to a bash process on machin...

Auch so'n Ding, an das ich mich in der Container-Welt erst noch gewöhnen muss:

dev-44f679674-7fghj:/> grep 'PRETTY_NAME' /etc/os-release  
PRETTY_NAME="openSUSE Leap 15.4"

dev-44f679674-7fghj:/> uname -a
Linux dev-44f679674-7fghj 5.4.0-126-generic #142-Ubuntu SMP Fri Aug 26 12:12:57 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

#kubernetes

♲ baskin - 2022-10-03 18:04:42 GMT

#seems_legit #k8s #kubernetes

baskin (@baskin@kafeneio.social)

6.7K Posts, 510 Following, 436 Followers · Riding on networks. Sysadmin, open source lover, poly, bi, father, cats servant. Posting in Greek and English. Sometimes #nsfw Moved from baskin@mastodon.social to help administer kafeneio.social...

Hey everyone, I’m #newhere. I’m interested in #cybersecurity, #groovy, #java, #kotlin, #kubernetes, #numpy, #pandas, #programming, and #python. Thanks for the invite, @Welcome Diasporg!

Deconstructing TICK

#influxdata #influxdb #kubernetes #metrics #rancher

Deconstructing TICK

TICK is another monitoring stack for Kubernetes, and it’s based on the InfluxDB time series database.

This Week in Security: uClibc and DNS Poisoning, Encryption is Hard, and the Goat

#hackadaycolumns #news #securityhacks #dnsspoofing #kubernetes #openwrt #thisweekinsecurity #hackaday
posted by pod_feeder_v2

This Week In Security: UClibc And DNS Poisoning, Encryption Is Hard, And The Goat

DNS spoofing/poisoning is the attack discovered by [Dan Kaminski] back in 2008 that simply refuses to go away. This week a vulnerability was announced in the uClibc and uClibc-ng standard libraries…

I’m enjoying the new pod configuration.

#kubernetes #k3s #haproxy #ingress-nginx #tls #ssl #ssllabs

Now that I have working #NFS in #Kubernetes, can I point multiple instances of #Postfix at the queues for high availability? Nope.

Postfix file locking and NFS

For the Postfix mail queue, it does not matter how well NFS file locking works. The reason is that you cannot share Postfix queues among multiple running Postfix instances. You can use NFS to switch a Postfix mail queue from one NFS client to another one, but only one NFS client can access a Postfix mail queue at any particular point in time.

But I can create multiple instances of Postfix, each with its own queues, using StatefulSets. But I don’t think it buys me very much in terms of reliability; with my workload, a few seconds of downtime while k3s spins up a new Postfix pod isn’t very impactful.