Tag: security

  • CI’s Gone Wild: Totally Tenacious Test Tuning

    CI’s Gone Wild: Totally Tenacious Test Tuning

    So one of the upstream projects I am working on has added some new tests. Should be a good thing, right? Suddenly, out of nowhere, we start getting ‘terminated 137’ on CI stages. The obscure unix math is… substract 128 to get the signal. So kill -9 (see here for why, tl;dr: 8-bit, 0-128==normal return,…

  • Laughably Loquacious Logging

    So you are pretty proud of yourself. You have a full micro-services running in Kubernetes with a service mesh (courtesy of Istio). You have configured your liveness probes to once per second. You are using an EFK stack (Elasticsearch / Fluent-Bit/  Kubernetes). Live is good. You are evaluating turning on either Jaeger or Zipkin. You…

  • Its looking like HTTP/3 will be all encrypted and all UDP, all the time

    I started my web-ish life with HTTP 0/9. It was the dialect that ‘escaped’ from Cern. Soon after HTTP/1.0 came along, and then 1.1. And we stuck on 1.1 for a long time (more than 2 decades). And then HTTP/2 came along, and it was great. 100% encrypted, asynchronous, etc. In parallel some folks started…

  • The agony and the ecstasy of the read-only

    The agony and the ecstasy of the read-only

    So earlier today I counselled to run your container filesystem read-only. Its higher security (something can’t weasel in as easily) You want to be able to dynamically dispose and restart containers somewhere else, how can you do this if they are stateful The overlay fileystem is not hgh performance Now, this last one. Lets say…

  • Have you set your security context recently?

    Have you set your security context recently?

    You’d be shocked at how few people copy these few lines into their YAML in Kubernetes. Highly recommend you do this. Why? Well, lets walk through them. runAsNonRoot: self explanatory. Why would you want root permission inside this container? What possible good could come of that? is it because you need to bind to <…