April 2019

Your shiny new cloud instances might be tarnished by the reputation of the last tenant.
Use Shodan to check, and Greynoise to see if its above the norm.
And above all, don’t panic!

Docker hub loses account info, deploy tokens for github + bitbucket. Supply chain security chaos should ensue. Or are we now too blase? Its not me, right?

Passwords. bits of plain text that end up everywhere in automated systems. etcd. A `secure` way to share secrets. The Internet. A place that everything is guaranteed to end up. This is a toxic brew, read on!

Wide open elasticsearch on the Internet. Its common. The user usually believes since they use private IP (NAT) they are protected. Wrong.

Bad code can come in through our own import statements and software process. Do you run an egress firewall to protect the world from yourself?

Gitlab is an excellent continuous integration platform. Adding static application scanning (SAST) makes it better. Lets try without making changes to the container under test.

Use your desktop chrome to find software with security flaws on the sites you visit. And then fix (if your own) or notify (if not). Be part of the security solution.

Secrets get committed to git, forgotten, and then resurrected by the wrong people later.
Don’t let this happen to you, use sops.
And be declarative, use kustomize.
And do it with this cool new library I wrote.

Amplification attacks occur when a small request causes a larger response. NTP and DNS have both been prone to this, but now cloud logging? Read on!

Using fluent-bit annotations can increase the usefulness of your Kubernetes nginx-ingress logging. Create a custom regex parser.

The (memory) cost of all the security proxies can be higher than the thing they protect. Let’s look at Istio.

Google API keys. Powerful. Commonly used on websites. But able to cost you a lot of money. Learn how to protect them and your wallet.

Setting the security context in Kubernetes is something you need to do. Reduce the privilege as much as you can. Defense in Depth. It’s your friend.

You’ve got a mixed-used Kubernetes cluster. You have a very nifty security logging system that wants to audit everything from certain namespaces, and of course you want general logs from all. How would you go about configuring Fluent-bit to route all logs to one output, and only a single namespace to another, simultaneously? Read on!

Cloud. It achieves its elastic nature using Load Balancers and Proxies. The sad side affect of these is they remove the source IP. Let’s try to bring it back.

Ever wanted to apply Kubernetes secrets without displaying or persisting the secret value? Well now you can: Unix to the rescue!

Have you ever had a Pod in a Deployment that you wish would just pull the latest container image to see what’s up? Want to run the equivalent of `touch`? Read on!

Keeping your cool during an upgrade is important. Let the scheduler do its work, you’ll reconverge to happiness.

Like scalable storage? Like resilience, redundancy? Want to run your own Kubernetes cluster with great persistent disks? Let’s talk ceph!

Kubernetes technically doesn’t support dual-stack (ipv4 and ipv6 simultaneously). What if you want to run some CI job in there that requires a localhost ::1 to bind to? Read on!

Add the sha-hash of a configmap contents to its name as a design pattern and simplify your Deployment restarts, knowing they always have the right value and don’t die on error.

HSTS exists to secure your site, to enforce your HTTPS-only policy. Why not use it and put yourself on the preload list?

Cloud logging. How much space does a typical keep-alive take if you log it?

Randomness is needed for seeding encryption, particularly at session start. In an orchestrated cloud environment, we use a lot of it, but have no user to provide. What to do?

Want to see what ‘docker’ is doing on a Kubernetes node (logs, ps, images), or re-pull an image? Don’t want to ssh there? dink!

Could cloud logging be the next NTP amplification attack for a DDoS? A small input produces a larger output, the ingredients are there…

Learn how to safely protect ‘internal’ or ‘development’ resources while having them on the public Internet. Simply.

You are working with multiple clouds. But, you keep changing context and then accidentally applying something. Ooops. If only this could be simpler.Drop these two bits in your .bashrc. Now you can simply say ‘context foo’ and be in that context with a little bit of colour in your prompt to remind you.