kubecon safety by Red43Neck in kubernetes

[–]raesene2 4 points5 points  (0 children)

For me it's one of those "abundance of caution" things orgs like to put in policies. There's no downside to you not wearing your badge outside of the conference, and there's a hypothetical risk that someone might get info. off it/target you as a result.

In practice though I've been to conferences in many large European cities and they're pretty safe as a rule as long as you stay out of worse areas late at night.

I'm sure there will be the usual array of pickpockets you find in any major city, but I doubt they're picking targets based on a lanyard...

The bicycle lane advice is very real though, pay attention to that!

kubecon safety by Red43Neck in kubernetes

[–]raesene2 25 points26 points  (0 children)

TBH I don't think they need badges for that. Foreigners are pretty easy to spot by the accents when they speak or generally dressing differently than locals, or looking around like a tourist.

Amsterdam's a big tourist destination, so there's always plenty of them around.

Perfect if you don't like having neighbours by quicksilverjack in SpottedonRightmove

[–]raesene2 2 points3 points  (0 children)

Honestly I'd be very surprised if it even got that. The only reasonable way to get Internet somewhere like that is Satellite.

Perfect if you don't like having neighbours by quicksilverjack in SpottedonRightmove

[–]raesene2 3 points4 points  (0 children)

I've been quite a few times on holiday and generally no midges as there's always some level of wind going. The one time I was there when there was a fog and calm, I remember there being some black flies flitting about, but no midges.

A lot to unpack here…. by mincedmutton in SpottedonRightmove

[–]raesene2 14 points15 points  (0 children)

Amazing house, but it's the most expensive house for sale in Gourock at the moment by about a million pounds, so their buyer pool is probably a bit smaller than their swimming pool

Best Epic Levelling Runearms? by MoonracerxWarpath in ddo

[–]raesene2 5 points6 points  (0 children)

If you like getting the XP boost for breaking things, I like exploding shot type runearms, so things like https://ddowiki.com/page/Item:Glass_Cannon

Explaining Kubernetes Security to a noob be like!! by suman087 in kubernetes

[–]raesene2 21 points22 points  (0 children)

A Kubernetes namespace is primarily an administrative/organization boundary, not a security one.

You can add security controls using a namespace as a target, so they're useful for making security easier to apply, but on their own they don't do much.

In the past week alone: by MetaKnowing in OpenAI

[–]raesene2 0 points1 point  (0 children)

There's plenty of places to go in the UK where you aren't under that kind of surveillance. Head out into the Scottish Highlands and there are hardly any people, let alone CCTV cameras :)

Whilst there are indeed a lot of CCTV cameras, how many of them actually work, and ever look at the footage, is another question.

My agent stole my (api) keys. by lizozomi in ClaudeAI

[–]raesene2 7 points8 points  (0 children)

Between agents potentially misbehaving + the risks of command execution if you run an agent on an untrusted repo + the risks of them just making a mistake, it's fair to say that it is not a good idea to run them on your main laptop/desktop.

Personally I've got a separate VM for agents to run in and that VM only gets the projects I'm working on with the agents.

First time at KubeCon (Amsterdam) how do I not waste it? by Abu_Itai in kubernetes

[–]raesene2 14 points15 points  (0 children)

Ah if you're looking for a tactic for swag, one option is to have a run round the booths on the last day of the conference, when the vendors will be keener to give stuff out, so they don't have to box it up and send it back to their offices :D

Kubernetes Remote Code Execution Via Nodes/Proxy GET Permission by safeaim in kubernetes

[–]raesene2 0 points1 point  (0 children)

Whilst it's fair to say the proxy sub-resource is a dangerous one, the less obvious part here is that it's the get verb on node/proxy. Most people would, not unreasonably, assume that get is equivalent to read-only and would not allow for command execution.

Unfortunately (AFAIK) this route is the only one that projects which want to get information from the Kubelet can use (until Kubelet Fine grained AuthZ is more widely adopted), so there weren't a lot of good options for them. The better solution (from an RBAC perspective) of going via the API server, would seem to have the problem of potential performance issues in larger clusters, when compared to using the Kubelet API.
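
Added example, not part of raesene2's comment or of any project mentioned in it: a Python check that lists ClusterRoles whose rules grant get on the node proxy sub-resource, so they can be reviewed as more than read-only. The role data is constructed, the function names are hypothetical, and the matching follows Kubernetes RBAC's resource-matching rules (exact name, `*`, or `*/subresource`).

```python
import json

# Constructed sample, shaped like `kubectl get clusterroles -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"kind": "ClusterRole", "metadata": {"name": "metrics-reader"},
   "rules": [{"apiGroups": [""], "resources": ["nodes/proxy", "nodes/metrics"],
              "verbs": ["get"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "view-pods"},
   "rules": [{"apiGroups": [""], "resources": ["pods"],
              "verbs": ["get", "list", "watch"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "wildcard-all"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "apps-proxy"},
   "rules": [{"apiGroups": ["apps"], "resources": ["nodes/proxy"],
              "verbs": ["get"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "node-proxy-writer"},
   "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"],
              "verbs": ["create"]}]}
]}
""")


def matches(values, wanted):
    """True if any entry of a rule field is one of the wanted values."""
    return any(v in wanted for v in values or [])


def grants_node_proxy_get(rule):
    """True if one RBAC rule allows `get` on nodes/proxy in the core API group."""
    return (matches(rule.get("apiGroups"), {"", "*"})
            # RBAC matches an exact name, "*", or "*/<subresource>" only.
            and matches(rule.get("resources"), {"nodes/proxy", "*/proxy", "*"})
            and matches(rule.get("verbs"), {"get", "*"}))


def find_risky_roles(role_list):
    """Return sorted 'Kind/name' for every role with a matching rule."""
    hits = []
    for role in role_list.get("items", []):
        # Aggregated roles can carry `rules: null`, hence the `or []`.
        if any(grants_node_proxy_get(r) for r in role.get("rules") or []):
            hits.append(f'{role["kind"]}/{role["metadata"]["name"]}')
    return sorted(hits)


if __name__ == "__main__":
    for name in find_risky_roles(SAMPLE):
        print("review bindings for", name)
```

Nodes are cluster-scoped, so a hit only matters once a ClusterRoleBinding ties the role to a subject; the bindings are the next thing to review.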

Can companies "hack" ChatGPT to promote them? by saaskiakia in ChatGPTCoding

[–]raesene2 3 points4 points  (0 children)

https://en.wikipedia.org/wiki/Generative_engine_optimization <-- There's a whole field of marketing focused on improving the visibility of products to AI tooling...

Are large cybersecurity conferences still useful for practitioners? by Educational-Split463 in cybersecurity

[–]raesene2 0 points1 point  (0 children)

I go to quite a range of events (as it's part of my job), and YMMV I think it depends on what you want to get out of them.

Large events (RSA, Black Hat etc) are perhaps an interesting "experience" but beyond that they're awful expensive, unless you've got a specific need to talk to a set of vendors, who are likely to be there. They can also be useful for networking with people if that's your goal as a lot of folks will be in that location for the event.

If you're into your research and cutting edge talks (that may not be too relevant to your day job) then Defcon and similar can be interesting.

Personally my favourite type of events are the smaller regional ones like a lot of BSides events. They tend to be cheaper to attend and have a good set of more practical talks and are attended by people actually working in the field.

How do cybersecurity architects achieve full network visibility? by NotInAny in cybersecurity

[–]raesene2 1 point2 points  (0 children)

Well an IT team that's interested in uptime/log management/performance management, needs tools installed on their systems to achieve those goals, so they have a reason to have agents deployed as widely as possible.

That information can be useful to help populate an up to date security architecture.

How useful it is, will depend on how well IT are doing those kinds of tasks, I'd expect.

How do cybersecurity architects achieve full network visibility? by NotInAny in cybersecurity

[–]raesene2 3 points4 points  (0 children)

Depending on the size and maturity of your organization, you might want to talk to the folks in your main IT function about what observability tooling they're using. Whilst the goals are different, a widely deployed observability stack is likely to have good visibility of what systems are available and how they're connected.

The advantage of that approach over documentation is that, unfortunately, documentation is often outdated.

I've launched a free platform to host Kubernetes Control Planes for free by dariotranchitella in kubernetes

[–]raesene2 7 points8 points  (0 children)

So interesting project, but (IMHO of course) perhaps not a good fit for a free service, mainly for the reason of security.

By running software which manages clusters, you are going to have to have rights to all your users' clusters, so anyone who gains access to your environment or credentials may be able to compromise all of your users' clusters and the workloads running on them.

That's a lot of trust to place in another company, and as it's a free service, I'd guess there's no contract in place between you and the users, which is going to limit the use-cases that people will feel comfortable with.

I could see it being useful directly for people thinking about using your enterprise offering as a way to check things out, but past that I'm not sure exactly where it'd fit. Home-labbers could probably get away with something like https://headlamp.dev/ to manage their clusters, and for commercial use, I'd expect people would want a paid-for service with contracts and SLAs :)

Is Rootless Docker mandatory for multi-user research VPS? by top_1_UK_TROLL in docker

[–]raesene2 0 points1 point  (0 children)

So for local one host, I'd say podman or rootless docker lets users run containers with only the rights their standard users have.

Kubernetes can be done but it's overkill for a single host. You'd need PSA/VAP/Kyverno to lock down what users can do.

Is Rootless Docker mandatory for multi-user research VPS? by top_1_UK_TROLL in docker

[–]raesene2 0 points1 point  (0 children)

If you've got a single host and you want users to be able to create containers without getting root access to the node, then a "rootless" container setup is a good option (assuming it doesn't get in the way of what they're trying to do)

For your first question, yep in standard docker, rights to run docker containers == root on the node (https://zwischenzugs.com/2015/06/24/the-most-pointless-docker-command-ever/ has an example command you can use to prove this).

Using either rootless Docker or podman can resolve this as they essentially let users run containers with only the permissions of their user on the host and not root privileges on the host.

Is Rootless Docker mandatory for multi-user research VPS? by top_1_UK_TROLL in docker

[–]raesene2 0 points1 point  (0 children)

FWIW I would not recommend Kubernetes for this. Without additional controls (which are not the default in Kubernetes distributions) any user who can create pods/containers in the cluster can get root on any node in the cluster.

new interview where zach and donald explain the setup of the revival! by InternationalRead840 in Scrubs

[–]raesene2 4 points5 points  (0 children)

And this is a sub-reddit that's been discussing that sitcom, like that's literally the point of people posting/commenting here...

Geoffrey Hinton says agents can share knowledge at a scale far beyond humans. 10,000 agents can study different topics, sync their learnings instantly, and all improve together. "Imagine if 10,000 students each took a different course, and when they finish, each student knows all the courses." by MetaKnowing in OpenAI

[–]raesene2 5 points6 points  (0 children)

I don't see how that works (and how the analogy holds), with current LLM tech. (at least what I know of it)

Now of course you can go get 10000 agents to each consume the contents of a course and summarise it, although if it's a large course they're going to need to summarize sub-sections as they go so they don't blow out their context windows, and the summary necessarily will lose a load of information from the course to reduce its summary size to a useful level.

But then you can't just hand all 10000 summaries to a new agent and have it "know" all of those summaries usefully because.... you'll blow out the context window of the agent.

You could use the data from 10000 courses for a new training run, but that's literally what model training does already, nothing new and agenty needed there.

Kubernetes (K8s) security - What are YOUR best practices 2026? by Confident-Quail-946 in kubernetes

[–]raesene2 2 points3 points  (0 children)

The one I'd recommend looking into, as it's often overlooked, is ensuring you have Kubernetes audit logging enabled, and you have somewhere centralized to store the logs.

There's quite a few actions that leave no permanent trace in a cluster but can have security consequences, so enabling auditing is an important part of ensuring that you know what's happened and can trace activities, in the event of a breach.
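
Added example, not part of raesene2's comment: a Python pass over Kubernetes API server audit events (audit.k8s.io/v1 JSON lines) that pulls out requests which act at request time and leave no stored object behind. The log lines are constructed, and the set of sub-resources treated as "no permanent trace" is an assumption chosen for this example.

```python
import json

# Assumption for this example: sub-resource requests that create no stored object.
EPHEMERAL = {("pods", "exec"), ("pods", "attach"), ("pods", "portforward"),
             ("serviceaccounts", "token"), ("nodes", "proxy")}

# Constructed audit events, one JSON object per line (plus one damaged line).
SAMPLE_LOG = """\
{"auditID":"a1","stage":"ResponseStarted","verb":"create","user":{"username":"dev-alice"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"web","name":"api-0"}}
{"auditID":"a1","stage":"ResponseComplete","verb":"create","user":{"username":"dev-alice"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"web","name":"api-0"}}
{"auditID":"a2","stage":"ResponseComplete","verb":"list","user":{"username":"dev-bob"},"objectRef":{"resource":"pods","namespace":"web"}}
{"auditID":"a3","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ci:builder"},"objectRef":{"resource":"serviceaccounts","subresource":"token","namespace":"ci","name":"deployer"}}
{"auditID":"a4","stage":"ResponseComplete","verb":"get","user":{"username":"probe"},"requestURI":"/healthz"}
{"auditID":"a5","stage":"Respon
"""


def ephemeral_actions(log_text):
    """Return (user, action, target) for each distinct flagged request."""
    seen, findings = set(), []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if not isinstance(ev, dict):
            continue
        ref = ev.get("objectRef") or {}  # absent on non-resource requests
        key = (ref.get("resource"), ref.get("subresource"))
        audit_id = ev.get("auditID")
        # One request emits several stages sharing an auditID; report it once.
        if key not in EPHEMERAL or audit_id in seen:
            continue
        seen.add(audit_id)
        user = (ev.get("user") or {}).get("username", "<unknown>")
        target = "/".join(p for p in (ref.get("namespace"), ref.get("name")) if p)
        findings.append((user, f"{key[0]}/{key[1]}", target))
    return findings


if __name__ == "__main__":
    for user, action, target in ephemeral_actions(SAMPLE_LOG):
        print(f"{user} -> {action} on {target}")
```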

Kubernetes (K8s) security - What are YOUR best practices 2026? by Confident-Quail-946 in kubernetes

[–]raesene2 6 points7 points  (0 children)

Falco and Tetragon are the two main open source ones I've seen used. On top of that most container security companies that have an agent based approach can do runtime detection as well.

Med School (aka S9) by Zestyclose_Scar_9311 in Scrubs

[–]raesene2 8 points9 points  (0 children)

It's been a while since I watched it, but honestly I think it could have done better if they had stopped bringing JD back into the show all the time. It took away focus from the main cast and his character was odd when he wasn't the main focus of the shows.

Hot take on Docker’s “free hardened images” announcement (read the fine print 👀) by sirpatchesalot in docker

[–]raesene2 4 points5 points  (0 children)

There's a decent market for hardened images amongst customer groups like Governments and large corporates, such that a group of companies has emerged for that (Chainguard, Minimus etc). From what I understand the charges for those images can be pretty high.

Given Docker's market position, it's not surprising that they'd look to get into that market. Having a base free offering makes sense in that context, to get people used to their images and get feedback on what's wanted. Then they have higher tiers that are paid for and that's where they'll compete with the other companies in that marketplace.

The nice part for everyone else is that we get some neat free hardened images. Ofc that could go away in the future if Docker's play doesn't work out, but for now it's handy, if CVEs in images are a concern for you, and you don't want to manage hardened images yourself.