Full-time
Based in Sunnyvale, CA
To secure critical node infrastructure in Kubernetes, the open source platform that is taking the cloud by storm ;D
$ diff -y -W 80 -t jessie.txt stretch.txt | |
acl < | |
adduser adduser | |
apt apt | |
base-files base-files | |
base-passwd base-passwd | |
bash bash | |
bsdutils bsdutils | |
coreutils coreutils | |
dash dash |
apiVersion: extensions/v1beta1 | |
kind: PodSecurityPolicy | |
metadata: | |
name: restricted | |
annotations: | |
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' | |
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' | |
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' | |
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' | |
spec: |
#!/bin/bash | |
set -o nounset | |
set -o pipefail | |
set -o errexit | |
if [[ $# < 3 ]]; then | |
>&2 echo "USAGE: $0 total available useable" | |
exit 1 | |
fi |
package main | |
import "fmt" | |
/* OUTPUT: | |
[named] defer: foo error | |
[main] named err: foo error | |
[var] defer: <nil> | |
[main] var err: foo error | |
*/ |
# Example of using an InitContainer in place of a GitRepo volume. | |
# Unlike GitRepo volumes, this approach runs the git command in a container, | |
# with the associated hardening. | |
apiVersion: v1 | |
kind: Pod | |
metadata: | |
name: git-repo-demo | |
annotations: | |
seccomp.security.alpha.kubernetes.io/pod: 'docker/default' | |
spec: |
package main | |
import ( | |
"fmt" | |
"log" | |
"os/user" | |
"path/filepath" | |
"strings" | |
apixv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1" |
# Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in the default namespace | |
kubectl cp /tmp/foo_dir <some-pod>:/tmp/foo_dir | |
tar cf - /tmp/foo_dir | kubectl exec -i <some-pod> -- tar xf - | |
# Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific container | |
kubectl cp /tmp/foo <some-pod>:/tmp/foo -c <specific-container> | |
tar cf - /tmp/foo | kubectl exec -i <some-pod> -c <specific-container> -- tar xf - | |
# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace <some-namespace> | |
kubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/foo |
apiVersion: policy/v1beta1 | |
kind: PodSecurityPolicy | |
metadata: | |
name: default | |
annotations: | |
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' | |
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' | |
spec: | |
privileged: false | |
# Maybe allow all volumes except hostPath |
This checklist is consolidated from Tim Hockin's "How To Be A Bad-Ass Code Reviewer" (KubeCon Contributor Summit, Nov 2019).
Out of scope: API review, KEP review