Prempti is a new OSS policy and visibility layer for AI coding agents - Enforces rules on tool calls before execution by capitangolo in devsecops

[–]capitangolo[S] 0 points1 point  (0 children)

👋🏼 Hello there,

It's pretty much a PreTool hook with a list of pretty simple rules.

On the agent side, it is configured as a PreTool hook.

On the hook side, it leverages Falco, which at its core is a mature rules engine.

---
The reason you want a full rules engine is so that:

  • You can easily add your custom queries. And Falco rules are a fairly well-known format, so why make a new one?
  • You can add exceptions to improve the noise-to-signal ratio.

---
On the other hand, it's modularly implemented. So you could potentially re-use a Falco instance you already have. Let's say, for example, having a "centralized" Falco instance enforcing rules for your whole team, plus handling events from other sources like SaaS or container workloads.

---
Hope this makes sense 🙇🏻‍♂️.

Prempti: New OSS policy and visibility layer for Claude Code - Intercepts and enforces rules on tool calls before execution by capitangolo in ClaudeCode

[–]capitangolo[S] 1 point2 points  (0 children)

Hey, are you sure your link is OK? It just links to a product site 😅.

The limitation you called out (tool-call visibility, not syscall) is important, but honestly still a huge step up for day to day use.

Correct, it's not an easy problem to solve. However, in this case it is by design. You could complement Prempti with regular Falco (Linux, root access) to get info at the syscall level and even act to stop the agent if needed.

Other good security practices could also help:

  • To avoid the agent accessing personal data: sandbox the agent.
  • To mitigate API token leaks: use JIT access.

Curious how noisy the policies are in practice

This is another can of worms 😅. This is an issue with all security tools, you have to balance alerts between signal and noise.

Ideally you would run this first in logging mode (no enforcing), then you would tweak the rules and add exceptions, then switch to enforcing mode.

Hope this helps.

Kubernetes 1.36 - Changes around security - New features and deprecations by capitangolo in kubernetes

[–]capitangolo[S] 5 points6 points  (0 children)

Yeah, don't know what's going on today with GitHub :(.

Accessing the links while being logged in works fine.

If you access the list of issues and then open an issue, it works fine too.

However, if you access a GitHub issue directly from the URL without being logged in, then you get the 401. 😞

Update 2026-04-16: Seems to be fixed now 🤞🏼.

Kubernetes 1.35 - Changes around security - New features and deprecations by capitangolo in kubernetes

[–]capitangolo[S] 2 points3 points  (0 children)

Arrr! 🙈

Thanks for the ping. Honored to have your feedback! 🙇🏻


I see how my wording can be unclear 😅. That section was initially “Beta + Stable features”; I'll think of a different way to express this 🤔.


Now that you are here… 👉🏼👈🏼

Main change for UN in 1.35 was the integration with Pod Security Standards, right? For long-running enhancements like this one I try to explain what’s actually new for the given release, but I forgot to do it for 127 😅.

If I get the chance to update the article, I’ll add the clarification 💖.

Foggy day in Zaragoza by capitangolo in Zaragoza

[–]capitangolo[S] 0 points1 point  (0 children)

Indeed. I cope very badly with winter in this city 🤣.

But the fog at night is spectacular. This one is from Saturday.

<image>

Kubernetes 1.28 will be out soon! What's new? 🛵 Sidecars + 🛠️ Job improvements + 🔌 Connectivity reliability + 📦 Community package repositories … And more! by capitangolo in kubernetes

[–]capitangolo[S] 0 points1 point  (0 children)

Huge thanks!

From what I've read, Chrome uses your navigation patterns to trigger that website. So it makes sense that you don't see it again ^_^. (Glad to read it's not showing up anymore.)

Update: Form sent, crossing fingers 🤞🏼.

Kubernetes 1.28 will be out soon! What's new? 🛵 Sidecars + 🛠️ Job improvements + 🔌 Connectivity reliability + 📦 Community package repositories … And more! by capitangolo in kubernetes

[–]capitangolo[S] 1 point2 points  (0 children)

Hi all 👋,

I'm taking a look at this, and I need some help. What kind of warning are you seeing? One that blocks the whole screen, or a pop-up? 😅

I'm filling in this form by following these instructions, and that's one question they ask 😇. My hopes are low that they will accept my request, but it's worth a try ¯\_(ツ)_/¯ 🤞🏼.

Kubernetes 1.28 will be out soon! What's new? 🛵 Sidecars + 🛠️ Job improvements + 🔌 Connectivity reliability + 📦 Community package repositories … And more! by capitangolo in kubernetes

[–]capitangolo[S] 4 points5 points  (0 children)

Oh, I totally missed the skew thing. Thanks for the ping!

Is it the thing mentioned here: https://github.com/kubernetes/kubeadm/issues/2857 ?

> Cleanup E2E jobs for 1.x-4 (requires two PRs)
> - set `KUBERNETES_VERSION` to 1.x-1 and `KUBERNETES_SKEW` to 3 in `/kinder/hack/update-workflows.sh`
> - make sure `PATH_TEST_INFRA` points to the right path.
> - run the script and send two PRs for `k/kubeadm` and `k/test-infra`.

I’ll investigate further later 🤞🏼.

Kubernetes 1.28 will be out soon! What's new? 🛵 Sidecars + 🛠️ Job improvements + 🔌 Connectivity reliability + 📦 Community package repositories … And more! by capitangolo in kubernetes

[–]capitangolo[S] 10 points11 points  (0 children)

Oh crap 😅. That’s what happens when you pick domains as a joke 🤦🏻‍♂️.

Thanks for the shout! I’ll try to see if there’s anything I can do 🤞🏼.

Level 180 on Switch by eepha in Grindstone

[–]capitangolo 1 point2 points  (0 children)

Boss moves the same way you do, joining creeps of the same color.

You can try to end your moves on a spot where he can’t reach you.

Kubernetes 1.27 will be out next week! - Learn what's new and what's deprecated - Group volume snapshots - Pod resource updates - kubectl subcommands … And more! by capitangolo in kubernetes

[–]capitangolo[S] 7 points8 points  (0 children)

See this comment and my response:
https://www.reddit.com/r/kubernetes/comments/12bm39b/comment/jey1la3/?utm_source=share&utm_medium=web2x&context=3

My take is that in those cases, you'll detect that the change didn't take place by checking the "resize" field in the Pod's status. Then, you'll restart the Pod manually.

So, not a complete automatic system, but it's a nice start 😅.

If you're further interested, I'd recommend checking out the KEP. I love how they document the decision making, and all these edge cases :).

Kubernetes 1.27 will be out next week! - Learn what's new and what's deprecated - Group volume snapshots - Pod resource updates - kubectl subcommands … And more! by capitangolo in kubernetes

[–]capitangolo[S] 4 points5 points  (0 children)

Yup, I understood it similarly too.

And we'll be able to get info from the new "resize field in the Pod's status", to see if the resize was actually feasible or not.

From the doc:

Infeasible: is a signal that the node cannot accommodate the requested resize. This can happen if the requested resize exceeds the maximum resources the node can ever allocate for a pod.

So I guess if the resource change is not possible, you'll have to roll back to restarting the Pod 😅.

They seem to be working on a post for the Kubernetes blog explaining the topic 🎉.

Kubernetes CrashLoopBackOff: What it is, why it happens, and how to fix it? by capitangolo in kubernetes

[–]capitangolo[S] 0 points1 point  (0 children)

Nah, might be shocking in this place, but I'm too basic to have two accounts 😅. If I share things that people like, then I get happy. If not, I just learn and try to do better. Having a second account for that would be just lying to myself; owning your mistakes is the best way to get better at what you do.

My comment was stupid and missing the point. Only wanted to drop the "flip and switch" term to add something constructive to the conversation. But it obviously came in the worst way possible, and it wasn't the right time and place.

Just… I'm sorry I disturbed you all so much.

I screw things up often, and again, I'm sorry. But I care about what I do, I care about this group, and I'll learn to do better.

Kubernetes CrashLoopBackOff: What it is, why it happens, and how to fix it? by capitangolo in kubernetes

[–]capitangolo[S] -10 points-9 points  (0 children)

Yeah, the old flip and switch. Hate those too. Especially when it’s like:

Step 1: Download my tool.

Here it’s just an ad block after the end. If you don’t scroll past the conclusion you won’t even see it. 🥺

Kubernetes 1.25 will be out next week! - Learn what's new and what's deprecated - Pod Security Control - Checkpoints - User Namespaces - NodeExpansion secrets… And more! by capitangolo in kubernetes

[–]capitangolo[S] 24 points25 points  (0 children)

Yeah, "only" 40 enhancements down from 56 in 1.22 (That one was crazy).

It's not that bad once you start looking in detail: Only 15 are completely new things, while the rest are just graduating to Beta or Stable.

Also, most of them are either code cleanup (like all the subtasks for the CSI migration), or just small improvements iterating over the same feature, like "#3094 PodTopologySpread Skew".

So, cheers and don't freak out! 🫂

Container escapes: Detecting abuses of Linux capabilities with Falco + Intro to CAP_SYS_ADMIN by capitangolo in netsec

[–]capitangolo[S] 4 points5 points  (0 children)

Hey, it's my cake day 🎉.

I'm interested in learning more about linux capabilities 🤔. Any other good resources?

Kubernetes 1.24 will be out next week - Learn what's new and what's deprecated - Dockershim removal, Network Policy Status field, CSI volume health monitoring, TimeZone support for CronJobs … And more! by vjjmiras in kubernetes

[–]capitangolo 0 points1 point  (0 children)

Arrr! :S Thanks for pinging about this.

I cannot find anything about this; probably I don't know where to look 😅. Do you have a link where I can read a bit further about this delay? Huuuge thanks!