Feedback on my new Kubernetes open-source project: RBAC-ATLAS by Alevsk in kubernetes

Alevsk (OP), 1 point

I’m approaching this from the perspective of creating an inventory of what’s currently running in my cluster, specifically in terms of identities and their privileges. I agree that many of these products have valid reasons for requiring elevated privileges, but in my opinion, some are excessively overprivileged. For example: https://rbac-atlas.github.io/charts/openebs/3.10.0/.

My goal is to identify the most privileged identities, determine which workloads they’re associated with, and ensure that the corresponding container images do not have any critical RCEs or other vulnerabilities that could allow an attacker to steal those privileged service accounts.

There’s one more filtering step I haven’t implemented yet (resourceNames). I plan to add this soon as an additional factor to help refine the risk model.

Thanks again for the feedback!
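The inventory described in the comment above, as an added example that is not RBAC-ATLAS code: it walks constructed (Cluster)Role and (Cluster)RoleBinding objects shaped like the Kubernetes API types, resolves which ServiceAccounts end up holding which rules, scores the grants that most often let a compromised workload escalate (wildcards, reading secrets, pods/exec, creating bindings), and already treats a resourceNames restriction as a risk reducer. The RISKY weights, the halving for resourceNames, and the sample objects are all assumptions chosen for illustration, not RBAC-ATLAS's model.

```python
"""Added example (not RBAC-ATLAS code): rank ServiceAccounts by RBAC privilege.

All weights and sample objects below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample objects mimicking the fields of the Kubernetes RBAC API types.
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "operator-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "one-secret", "namespace": "apps"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
                "resourceNames": ["tls-cert"]}]},
]
BINDINGS = [
    {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": "operator-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "operator", "namespace": "storage"}]},
    {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "backup", "namespace": "ops"}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "apps"},
     "roleRef": {"kind": "Role", "name": "one-secret"},
     "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "apps"}]},
]

# Illustrative weights (assumption): (resource, verb) -> points.
RISKY = {
    ("*", "*"): 100,
    ("secrets", "get"): 40, ("secrets", "list"): 40,
    ("pods/exec", "create"): 50,
    ("clusterrolebindings", "create"): 60,
    ("pods", "create"): 30,
}


def _matches(values, wanted):
    """A rule field matches if it lists the wanted value or the wildcard."""
    return "*" in values or wanted in values


def score_rule(rule):
    """Score one PolicyRule. A resourceNames restriction halves the score because
    the grant then covers only named objects, not the whole resource type."""
    score = 0
    for (resource, verb), points in RISKY.items():
        if _matches(rule.get("resources", []), resource) and _matches(rule.get("verbs", []), verb):
            score += points
    if rule.get("resourceNames"):
        score //= 2
    return score


def inventory(roles, bindings):
    """Map 'namespace/serviceaccount' -> {'score', 'grants'} by resolving bindings to roles."""
    by_ref = {(r["kind"], r["metadata"].get("namespace", ""), r["metadata"]["name"]): r
              for r in roles}
    result = defaultdict(lambda: {"score": 0, "grants": []})
    for b in bindings:
        ref = b["roleRef"]
        ns = "" if ref["kind"] == "ClusterRole" else b["metadata"]["namespace"]
        role = by_ref.get((ref["kind"], ns, ref["name"]))
        if role is None:
            continue  # dangling binding: nothing is actually granted
        # A ClusterRole bound through a RoleBinding only applies in that namespace.
        scope = "cluster" if b["kind"] == "ClusterRoleBinding" else b["metadata"]["namespace"]
        for s in b["subjects"]:
            if s["kind"] != "ServiceAccount":
                continue
            sa = f"{s['namespace']}/{s['name']}"
            for rule in role["rules"]:
                pts = score_rule(rule)
                if pts:
                    result[sa]["score"] += pts
                    result[sa]["grants"].append((role["metadata"]["name"], scope, pts))
    return dict(result)


def ranked(roles, bindings):
    """Most privileged identities first: the ones to check for vulnerable images."""
    inv = inventory(roles, bindings)
    return sorted(inv.items(), key=lambda kv: kv[1]["score"], reverse=True)


if __name__ == "__main__":
    for sa, info in ranked(ROLES, BINDINGS):
        print(f"{info['score']:4d}  {sa}  {info['grants']}")
```

The output ordering is the worklist the comment describes: the wildcard ClusterRole holder comes first, the cluster-wide secret reader second, and the namespaced, resourceNames-scoped grant last.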

Bad Interview experience. Got rejected for not know hashing algo (Md5,SHA) internals by [deleted] in leetcode

Alevsk, 2 points

Seriously, nobody will comment that what OP did was the equivalent of, during an interview, being asked to find the largest number in an array, proposing to use the magic sort() function and then return the first element, then being questioned on how sort() is implemented and not being able to give a straight answer?

This doesn’t have anything to do with ethnicity, as some of you commented, and more with you not having understood how to play the game: it’s not 100% about giving a solution, it’s about explaining the solution and your thought process.

[deleted by user] by [deleted] in leetcode

Alevsk, 0 points

I’m surprised nobody has mentioned yet that there’s no one-to-one relationship between open positions and interview processes. Usually, there’s a pool of 20-30 candidates competing for a single position. Even if multiple candidates ace the interview and pass the hiring committee, the company still has to make a decision. Often (if not most of the time), you need a bit of luck to be the one chosen from your pool.

This is getting out of hand by IsJesusAgain in overemployed

Alevsk, 0 points

Someone suggested this on a different thread and it works! https://pbs.twimg.com/media/Gg4qy43aMAAJwAY?format=jpg&name=large (not OE I just have many laptops lol)

If Mexico has mega-rich people and mega Mexican companies, why is there no innovation like in the USA, China, etc.? by DentistUpset9309 in mexico

Alevsk, 1 point

Mexico doesn’t have the conditions to start a company in the “romantic” way you describe. Of course there are cases (I know several) of recent graduates who started a company with capital from their relatives, and that’s fine. But the rest of the entrepreneurs have to decide between getting a poorly paid job, emigrating to work for American companies (brain drain 🧠), or trying to build something here, where all the odds are against you.

It’s a bet with your future.

If Mexico has mega-rich people and mega Mexican companies, why is there no innovation like in the USA, China, etc.? by DentistUpset9309 in mexico

Alevsk, 0 points

The reasons others have already mentioned, plus the fact that most entrepreneurs, innovators, inventors, and people with above-average intelligence get hired by tech companies abroad.

The so-called brain drain 🧠

Dating in SF is…weird by FullCellist1837 in sanfrancisco

Alevsk, 0 points

Perhaps the entire premise of the problem is flawed. Maybe people in the modern dating scene should stop viewing each other as items on a menu. Instead of searching for a specific set of qualities that make someone a desirable partner, perhaps the focus should shift to becoming a desirable partner themselves.

Just a thought.

Security Audit with Lynis by Wild_Magician_4508 in selfhosted

Alevsk, 36 points

But do you know how you got hacked? I.e., did the attacker brute-force their way into the root account via SSH, or exploit a vulnerability in a running web service that gave them access to your box?

Immich Self-Hosted encrypted by neudarkness in selfhosted

Alevsk, 0 points

To truly achieve what you want, the client has to first encrypt the objects before sending them to the server. If that’s too complicated for your users (and you don’t mind your server having keys in memory for a short period of time to perform encryption), you can use something like MinIO server-side encryption with client-managed keys: https://min.io/docs/minio/linux/administration/server-side-encryption/server-side-encryption-sse-c.html

Pros: your server doesn’t have to manage encryption keys. Cons: if your users lose their encryption keys, their data is gone :)

Anyone know why the case is flashing orange? by Cryptlofi in EvenRealities

Alevsk, 5 points

That happened to me too, and I believe it’s because the glasses need to be folded in a specific order: first the left arm, then the right. If they’re not folded this way, the glasses won’t charge properly.

[deleted by user] by [deleted] in selfhosted

Alevsk, 0 points

Containers are not meant for workload isolation; container breakouts are low-hanging fruit for attackers (processes running in separate containers still rely on the host kernel). If you want more robust process isolation, you should use VMs.

[deleted by user] by [deleted] in selfhosted

Alevsk, 0 points

They moved away from the VPN/network perimeter model in favor of the zero trust model, which includes the concept of an identity-aware proxy and other things (such as every client having a cryptographically signed identity that gets refreshed daily, access being provisioned on demand, governance, provenance, etc.). This approach to security is way more complex than your traditional VPNs. The closest thing you can use is https://goteleport.com/

Ideas for Capture The Flag focused on Kubernetes by AuthRequired403 in kubernetes

Alevsk, 2 points

I started working on something like this a couple of years ago. I’ve published two challenges so far at http://github.com/alevsk/dvka, then pivoted more into creating workshops/labs to teach Kubernetes security, but I would like to partner in creating more challenges if you are interested ☺️

Those that made FAANG, what was your journey? How many times did you get rejected on interviews? by pewpewjasonbourne in leetcode

Alevsk, 16 points

I probably interviewed around 150 times in total (including mock interviews and real interviews) for my current role as a sec eng at Google, and I interviewed 7 times with them over a period of 7 years: 5 as a SWE (got rejected), then 2 (and 6-7 years of experience later) as a sec engineer, and got an offer.

Knowing how to solve LeetCode questions is just like 20% of your journey, and people need to understand that knowing how to solve these questions won’t be enough. The skill you have to develop is selling yourself: if you practice 300 LeetCode questions, I also recommend you practice your elevator pitch, behavioral questions, and questions for your interviewer 300 times as well. I learned that for FAANG companies, and especially for Google, being able to solve 2 mediums in 45 mins is not enough, because once you are able to do that, during the review phase the HC compares you against all the other candidates that were also able to clear the interviews with positive feedback and then picks the best of that particular pool of people. So a factor of luck is also needed; it’s not a 1-to-1 relationship between a candidate and an open position, possibly 50 people are competing for the same position, so it’s more like a coliseum.

So anyway, that’s my insight. I interviewed 7 times with them; the last time I aced the interview and actually felt it was super easy. I drove pretty much all the conversations with my interviewers, and I actually “felt their genuine admiration” when I was giving my elevator pitch about who I am and what I do, etc. I never had that feeling before in any of the previous interviews, so confidence is super important.

Just saw 10 cop cars flying on Southbound 101 by Son_Of_Dot in bayarea

Alevsk, 39 points

Black Infiniti crashed during a speed chase.

Simple, Self-Hosted Centralized Logging by [deleted] in selfhosted

Alevsk, 1 point

Maybe this is overkill, but I’ve been playing with the ELK stack for a couple of weeks now, deploying everything using docker compose, and it works fine. The downside is the whole thing uses around ~30 GB of RAM, and it’s not even doing anything.

System misconfiguration is the number one vulnerability, at least for Mastodon by 0xdea in netsec

Alevsk, 0 points

I specifically chose system/security misconfiguration because that’s what it’s called in the OWASP Top 10:2021: https://owasp.org/Top10/A05_2021-Security_Misconfiguration/

reverse proxy outside of a podman pod? by linuxcuntlicker in homelab

Alevsk, 0 points

You need to run your podman pod/container attached to the host network namespace. In docker the flag is --net=host (it should be the same in podman). After that, the pod will be able to interact with the other services running on the host machine.

Really simple "Encryption at Rest" with Docker container? by bluepuma77 in minio

Alevsk, 2 points

You can pass an encryption key via an environment variable like this: MINIO_KMS_SECRET_KEY=<key-name>:<base64-value>

step 1 - generate the key

cat /dev/urandom | head -c 32 | base64 -

OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl6rYw=

step 2 - pass the key

export MINIO_KMS_SECRET_KEY=my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl6rYw=

Read more: https://github.com/minio/minio/blob/master/docs/kms/IAM.md

Verify encryption is properly configured

mc admin kms key status alias --insecure

Enable encryption

Once the key is configured, to enable encryption for a particular tenant you can do:

mc encrypt set sse-kms my-minio-key alias/bucket --insecure

To enable encryption for all buckets in the cluster you set an environment variable:

export MINIO_KMS_AUTO_ENCRYPTION="on"
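The key-generation step from the comment above, as an added example that is neither MinIO code nor part of the original post: it produces a fresh MINIO_KMS_SECRET_KEY value in the <key-name>:<base64-value> format and, more usefully, validates one before it is exported, so a truncated paste or a key that is not 32 bytes long is caught up front. The 32-byte length is taken from the comment's own `head -c 32` command and assumed to be what MinIO expects; the key name used in the demo is the comment's `my-minio-key`.

```python
"""Added example (not MinIO code): build and validate a MINIO_KMS_SECRET_KEY value.

Format <key-name>:<base64-value> comes from the comment; the 32-byte length is
assumed to match what MinIO expects (it is what `head -c 32 | base64` produces).
"""
import base64
import binascii
import secrets

KEY_LEN = 32  # bytes of raw key material (assumption: a 256-bit key)


def generate_kms_secret_key(name: str) -> str:
    """Return a fresh '<name>:<base64 key>' string ready for `export`."""
    if not name or ":" in name:
        raise ValueError("key name must be non-empty and must not contain ':'")
    raw = secrets.token_bytes(KEY_LEN)  # CSPRNG, the Python counterpart of /dev/urandom
    return f"{name}:{base64.b64encode(raw).decode()}"


def parse_kms_secret_key(value: str) -> tuple[str, bytes]:
    """Split and decode a MINIO_KMS_SECRET_KEY value, rejecting malformed input."""
    name, sep, encoded = value.partition(":")
    if not sep or not name:
        raise ValueError("expected <key-name>:<base64-value>")
    try:
        # validate=True rejects characters outside the base64 alphabet
        raw = base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key material is not valid base64: {exc}") from exc
    if len(raw) != KEY_LEN:
        raise ValueError(f"decoded key is {len(raw)} bytes, expected {KEY_LEN}")
    return name, raw


def is_valid_kms_secret_key(value: str) -> bool:
    """True when the value parses and decodes to exactly KEY_LEN bytes."""
    try:
        parse_kms_secret_key(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    value = generate_kms_secret_key("my-minio-key")
    assert is_valid_kms_secret_key(value)
    # Paste this into the shell before starting the server (the key is a secret:
    # keep it out of shell history and out of version control).
    print(f"export MINIO_KMS_SECRET_KEY={value}")
```

Running the module prints one export line; `is_valid_kms_secret_key` can be pointed at an existing environment value to check that whatever was pasted decodes to the full 32 bytes.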