To secure critical node infrastructure in Kubernetes, the open source platform that is taking the cloud by storm ;D
apiVersion: extensions/v1beta1 | |
kind: PodSecurityPolicy | |
metadata: | |
name: restricted | |
annotations: | |
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' | |
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' | |
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' | |
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' | |
spec: |
# Example of using an InitContainer in place of a GitRepo volume.
# Unlike GitRepo volumes, this approach runs the git command in a container,
# so the pod's hardening (e.g. the seccomp profile set by the annotation below)
# applies to it. The seccomp pod annotation used here is the legacy form; newer
# clusters express the same thing with `securityContext.seccompProfile`.
apiVersion: v1 | |
kind: Pod | |
metadata: | |
name: git-repo-demo | |
annotations: | |
seccomp.security.alpha.kubernetes.io/pod: 'docker/default' | |
spec: |
package main | |
import ( | |
"fmt" | |
"log" | |
"os/user" | |
"path/filepath" | |
"strings" | |
apixv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1" |
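# `kubectl cp` is a thin wrapper around `kubectl exec` + tar: it needs a `tar`
# binary in the target container, RBAC permission for pods/exec, and it runs
# with the container's user and privileges. Each example is followed by the
# equivalent explicit tar/exec pipeline.
# Note: `tar cf - /tmp/foo` stores the member as `tmp/foo` (the leading `/` is
# stripped) and `tar xf -` extracts relative to the container's working dir, so
# the explicit form packs/extracts with `-C /tmp` to land in /tmp as intended.

# Copy /tmp/foo_dir local directory to /tmp/foo_dir in a remote pod in the default namespace
kubectl cp /tmp/foo_dir <some-pod>:/tmp/foo_dir
tar cf - -C /tmp foo_dir | kubectl exec -i <some-pod> -- tar xf - -C /tmp

# Copy /tmp/foo local file to /tmp/foo in a specific container of a remote pod
kubectl cp /tmp/foo <some-pod>:/tmp/foo -c <specific-container>
tar cf - -C /tmp foo | kubectl exec -i <some-pod> -c <specific-container> -- tar xf - -C /tmp

# Copy /tmp/foo local file to /tmp/foo in a remote pod in namespace <some-namespace>
kubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/foo
tar cf - -C /tmp foo | kubectl exec -i -n <some-namespace> <some-pod> -- tar xf - -C /tmp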
apiVersion: policy/v1beta1 | |
kind: PodSecurityPolicy | |
metadata: | |
name: default | |
annotations: | |
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' | |
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' | |
spec: | |
privileged: false | |
# Possibly allow all volume types except hostPath (hostPath exposes the node's filesystem to the pod)
+++ [0429 17:13:35] Building go targets for linux/amd64 | |
k8s.io/kubernetes/hack/make-rules/helpers/go2make (non-static) | |
+++ [0429 17:13:38] Building go targets for linux/amd64 | |
k8s.io/kubernetes/test/e2e/e2e.test (test) | |
Conformance test: not doing test setup. | |
I0429 17:14:04.906220 524819 e2e.go:129] Starting e2e run "135bbd38-94fc-4c81-97d4-af1641a72153" on Ginkgo node 1 | |
{"msg":"Test Suite starting","total":2,"completed":0,"skipped":0,"failed":0} | |
Running Suite: Kubernetes e2e suite | |
=================================== | |
Random Seed: 1651277644 - Will randomize all specs |
This checklist is consolidated from Tim Hockin's talk "How To Be A Bad-Ass Code Reviewer" (KubeCon Contributor Summit, November 2019).
Out of scope: API review, KEP review
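#!/bin/bash
# Fail fast: unset variables, failures inside a pipeline, and any non-zero
# exit status abort the script instead of being silently ignored.
set -o nounset
set -o pipefail
set -o errexit

# Require the three positional arguments named in the usage message.
# Use an arithmetic test: inside [[ ]] the `<` operator compares strings
# lexically, so `[[ $# < 3 ]]` would wrongly reject 10 or more arguments.
if (( $# < 3 )); then
  >&2 echo "USAGE: $0 total available useable"
  exit 1
fi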
package main | |
import "fmt" | |
/* OUTPUT (the functions producing it are not shown in this excerpt):
[named] defer: foo error
[main] named err: foo error
[var] defer: <nil>
[main] var err: foo error

Presumably `named` declares a named result `(err error)`: a `return` statement
assigns the named result before deferred calls run, so the defer observes the
error. The `var` case returns through an unnamed result, so a defer that reads
a local `err` variable only sees what that variable was last set to — here nil.
*/