tallclair

+++ [0429 17:13:35] Building go targets for linux/amd64
    k8s.io/kubernetes/hack/make-rules/helpers/go2make (non-static)
+++ [0429 17:13:38] Building go targets for linux/amd64
    k8s.io/kubernetes/test/e2e/e2e.test (test)
Conformance test: not doing test setup.
I0429 17:14:04.906220  524819 e2e.go:129] Starting e2e run "135bbd38-94fc-4c81-97d4-af1641a72153" on Ginkgo node 1
{"msg":"Test Suite starting","total":2,"completed":0,"skipped":0,"failed":0}
Running Suite: Kubernetes e2e suite
===================================
Random Seed: 1651277644 - Will randomize all specs

tallclair

This checklist is consolidated from Tim Hawkin's "How To Be A Bad-Ass Code Reviewer" (KubeCon Contributor Summit, Nov 2019).

Out of scope: API review, KEP review

• Pre-work
  • Do I have enough time for this review?
  • Read linked issues
  • Read PR description
  • Read over past discussions
• Does this change require domain specific knowledge? Do I have it?

tallclair

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: default
  annotations:
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
spec:
  privileged: false
  # Maybe allow all volumes except hostPath

tallclair

# Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in the default namespace
kubectl cp /tmp/foo_dir <some-pod>:/tmp/foo_dir
tar cf - /tmp/foo_dir | kubectl exec -i <some-pod> -- tar xf -

# Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific container
kubectl cp /tmp/foo <some-pod>:/tmp/foo -c <specific-container>
tar cf - /tmp/foo | kubectl exec -i <some-pod> -c <specific-container> -- tar xf - 

# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace <some-namespace>
kubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/foo

tallclair

Software Engineering Position:
Google Kubernetes Engine - Node Security

Full-time
Based in Sunnyvale, CA

Mission

To secure critical node infrastructure in Kubernetes, the open source platform that is taking the cloud by storm ;D

tallclair

package main

import (
	"fmt"
	"log"
	"os/user"
	"path/filepath"
	"strings"

	apixv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"

tallclair

# Example of using an InitContainer in place of a GitRepo volume.
# Unilke GitRepo volumes, this approach runs the git command in a container,
# with the associated hardening.
apiVersion: v1
kind: Pod
metadata:
  name: git-repo-demo
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec:

tallclair

package main

import "fmt"

/* OUTPUT:
[named] defer: foo error
[main] named err: foo error
[var] defer: <nil>
[main] var err: foo error
*/

tallclair

#!/bin/bash

set -o nounset
set -o pipefail
set -o errexit

if [[ $# < 3 ]]; then
  >&2 echo "USAGE: $0 total available useable"
  exit 1
fi

tallclair

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
spec: