Linux capabilities are per-thread capabilities that allow an unprivileged process (including one running in a container with a non-zero UID and GID) to perform certain actions, pending permissions.
This document describes the different capabilities: their meaning and things to look out for when deploying them on a production cluster.
Continue reading "Kubernetes container security – Linux capabilities"
Installing Sonatype Nexus on Kubernetes with a persistent volume.
Prerequisites: NFS server, Internet connection.
Create persistent volume: Make sure your NFS server is exporting the /data/k8s-pvs/pv015 directory and that all cluster nodes can reach the NFS server over the network.
    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: nexuspv
    spec:
      capacity:
        storage: 100Gi
      volumeMode: Filesystem
      …
Continue reading "Installing Nexus on Kubernetes"
Executive Summary: This document describes the risk factors, probability assessment and actions which should be taken when running an OCP environment in production. The document focuses on three main aspects: Application security risks (code), platform security risks (Kubernetes), Node security (cloud) and deployments (CD processes and containers) security risks.
Risk Assessment methodology: The document is …
Continue reading "Kubernetes Security Risk Assessment"
This document aims to depict the main guidelines when producing, storing, testing and using programming products and making sure the outcome of every run on every Kubernetes cluster will be identical.
Continue reading "Technical Artifacts considerations K8S aspects"
Having done the last SSL certificates on my own and my customers' domains about a year ago, I forgot the order in which the crt, ca-bundle and key files are to be concatenated into the PEM file in order for haproxy to read it correctly. I write this as both a reminder to myself for …
Continue reading "Creating a PEM file for haproxy"
This post is here to allow a space for Q&A and other issues in relation to the Openshift graduation drill.
Continue reading "Openshift graduation drill"
I recently encountered a problem while deploying Openshift on Opennebula based VMs. Because Opennebula uses contextualization, it disables network manager which in turn causes problems when Openshift tries to start the SDN pods (no cni found). There were a couple of challenges but the one that buffed me the most was the NM_CONTROLLED=no which kept …
Continue reading "Openshift on opennebula CNI not loading"
Orgad Kimchi and I would like to thank all the participants in our Kiali and Istio on Openshift presentation in the Open Cloud Summit in Tel Aviv. It was a riveting experience and we were asked some interesting and exciting questions during the presentation itself. For those of you who could not participate, here …
Continue reading "Open cloud summit Tel Aviv 2018"
Preparing for the upcoming Open Cloud Summit in Tel Aviv, where Orgad Kimchi and I will be presenting Istio and Kiali on Openshift. Here’s a little taste of Kiali’s animation feature.
Continue reading "A little taste of kiali’s animation feature"
Working to improve the demo of Istio and Kiali on Openshift – the new and improved version of the demo will be presented in the Open Cloud Summit in Tel Aviv – come see Orgad Kimchi and me presenting! November 27th 2018 Hangar 11, Tel …
Continue reading "Preparing for the open cloud summit TelAviv 2018"