Tag: security

Protecting Yourself with Pod Security Policies

I listen to a lot of folks talk about their Kubernetes strategy as a means of apportioning a finite, limited resource (compute) among a wide and varied set of people, usually application developers and operations nerds, with an eye toward isolation. I have bad news for you. Kubernetes isn’t about isolation, not in the security


Posted by:
James Hunt

The Capable Kernel: An Introduction to Linux Capabilities

Traditionally, Linux separates users and their processes into two different groups: root (user ID 0) and everyone else. Back in 1999, with the 2.2 Linux kernel release, kernel developers started breaking up the privileges of the root user into distinct capabilities, allowing processes to inherit subsets of root’s privilege, without giving away too much. Fast-forward


Posted by:
James Hunt

Rails 5.1 applications can be a lot more secretive on Cloud Foundry and Heroku

Our applications need access to secrets – passwords, tokens, special URLs. Platforms like Cloud Foundry and Heroku have made environment variables easy to use, and so we use them. Albeit they are typically not as secretive as we might like. Here’s a one-liner to look up every secret that you have access to across all


Posted by:
Dr Nic Williams

Setting up Keybase and GPG Tools (Mac)

What are GPG Tools? GPG, or GNU Privacy Guard, is a replacement for Symantec’s PGP cryptographic software suite and allows users to encrypt sensitive information. Specifically, GPG Tools includes a utility that integrates with Apple Mail, a GPG Keychain to manage OpenPGP keys, and a command line tool (which I will be using below). What


Posted by:
Quintessence Anx

Hardening the vcap user’s password on BOSH VMs

Locking down your BOSH VMs? Here’s a handy guide for some options at your disposal for overriding the default password for BOSH’s vcap user: Customize it in your manifest In each resource pool (or VM type) configuration in your BOSH manifest (or cloud config manifest), you can specify env.bosh.password. This will overwrite the value of


Posted by:
GeoffFranks

Safely Hiding Sensitive Data in your Concourse Pipelines

At Stark & Wayne, we love Concourse pipelines! We use them for testing/releasing CLI utilities, deploying Cloud Foundry apps, building docker images, creating and testing BOSH releases, and vetting changes to BOSH deployments in an automated fashion starting in sandbox environments all the way to production. Uh-oh! credentials.yml file got committed? One of the most


Posted by:
GeoffFranks

Standing up Vault using Genesis

A few of our recent posts related to standing up BOSH deployments using Genesis have all revolved around needing Vault to store your credentials safely. The vault-boshrelease makes this fairly straightforward, but there’s now a Genesis Vault template to make running Vault even easier! The procedure is similar to the other Genesis deployments: $ genesis


Posted by:
GeoffFranks

Using Genesis to Deploy Cloud Foundry

In this post, we’re going to use Genesis to deploy Cloud Foundry. We will make use of some of Genesis’s cool features to generate unique credentials for each deployment, and Vault to keep the credentials out of the saved manifests. We will do this on BOSH-Lite, but templates exist to easily deploy to AWS with


Posted by:
GeoffFranks

Managing Multiple BOSH Environments with Genesis

If you’ve ever deployed Cloud Foundry via BOSH, you know how complicated BOSH’s deployment manifests can be – thousands of lines, many properties, many of which are repeated. This problem gets compounded when you start to host multiple copies of your BOSH deployments, such as for a sandbox, preproduction, and prod environment. Many of these


Posted by:
GeoffFranks
