今日已更新 412 条资讯 | 累计 19972 条内容
关于我们

标签:#uber

找到 71 篇相关文章

AI 资讯

CKA Scenario 5 - Force nginx to TLS 1.3 with a ConfigMap edit + rolling restart (CKA Workloads)

Force nginx to TLS 1.3 An nginx server is accepting an old TLS version, and the exam wants it locked to TLS one point three. The config lives in a ConfigMap. The catch is that editing the ConfigMap alone changes nothing. Let's do it the way the CKA expects. 🎥 Watch the video: https://www.youtube.com/watch?v=rx-77YBw99w This is a CKA Workloads & Scheduling walkthrough. Every command below is real output from a live cluster, and you can reproduce the whole thing yourself (scripts at the end). The scenario An nginx-static Deployment serves HTTPS, and its server config comes from a ConfigMap named nginx-config. Right now it allows both TLS one point two and one point three. Your task is to allow only TLS one point three, then make nginx actually use the change, so that a TLS one point two request fails. nginx-static serves HTTPS from the nginx-config ConfigMap It currently allows TLS 1.2 AND 1.3 Restrict ssl_protocols to TLS 1.3 only A TLS 1.2 request to the Service must then fail How nginx, ConfigMaps, and rolling restarts fit together Two ideas drive this. First, ssl_protocols is an allow list; leave only TLSv1.3 and nginx rejects any older handshake. Second, a ConfigMap mounted into a pod updates the file on disk, but nginx only reads ssl_protocols when it starts. So you must roll the Deployment, with kubectl rollout restart, for the new value to take effect. Inspect the current state Start by seeing what is running and what the config says. The nginx-static Deployment, its Service on port four forty three, and the nginx-config ConfigMap are all here. Grep the rendered ConfigMap for the ssl_protocols line: it lists TLSv1.2 and TLSv1.3, so old clients still get in. $ kubectl -n nginx-static get deploy,svc,configmap NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/nginx-static 1/1 1 1 17h deployment.apps/tester 1/1 1 1 17h NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/nginx-static ClusterIP 10.96.13.162 <none> 443/TCP 17h NAME DATA AGE configmap/kube-root-ca.

2026-06-29 原文 →
AI 资讯

Security Profiles Operator hits v1 with stable APIs and a hardening pass

After several years carrying a beta tag, the Kubernetes Security Profiles Operator went 1.0.0 on June 26, freezing eight CRD APIs and clearing a third-party security audit with no criticals. For cluster admins, the practical effect is small but consequential: the syscall and LSM profile a workload runs under is now declared on APIs that will not move under your feet. The release was announced by Sascha Grunert of Red Hat on the CNCF blog. SPO is the Kubernetes operator that manages seccomp, SELinux and AppArmor profiles as cluster-scoped objects, then attaches them to pods. Until now the value proposition was good and the API was provisional. v1.0.0 nails the second half down. What's actually stable All eight CRDs graduated to v1, including SeccompProfile , ProfileRecording , SelinuxProfile , RawSelinuxProfile , and the AppArmor profile type. Conversion webhooks ship with the release, so a cluster running earlier API versions can roll forward without scheduling downtime. The older versions remain available and are slated for removal in a future release. The migration is on the clock, not on fire. The audit pass came with some shape changes that are worth reading before you upgrade. SelinuxProfile swapped its boolean permissive field for a mode enum with Enforcing and Permissive values, which means any GitOps templates that hard-coded permissive: true need a rewrite. RawSelinuxProfile is now gated by an enableRawSelinuxProfiles configuration flag and a validating admission webhook, so the most privileged path through the operator is off by default. AppArmor inputs run through strict regex validation, raw policy payloads are capped at 500 KB, and the eBPF profile recorder picked up explicit resource limits. Why a cluster team should care The point of an operator like this is to take the profile out of the host's filesystem and into the API. That changes the blast radius of "we shipped a container with no profile at all." With SPO and a workload-attached profile, the r

2026-06-27 原文 →
AI 资讯

Trust the harness, not the model: a weekend of local agents building their own guardrails

Cross-posted from the LLMKube blog . A local 27B coding model, running on hardware in my house, is a coin flip. Some runs it nails the fix in twenty minutes. Some runs it edits the wrong file, writes a test that passes no matter what the code does, and tells you it's done. The bet behind LLMKube's Foreman was never that I would find a local model good enough to trust. It was that I could build a harness I trust more than any single model's output. This weekend tested that bet harder than any benchmark could, because the harness spent the weekend building its own guardrails. Here is the short version of what happened across 0.8.12 and 0.8.13. My local coder built three new gates for itself. One of them shipped with the exact flaw it was written to catch, and the review caught it. Three new contributors sent four clean pull requests while the machines worked. The same model ran on an AMD box and an Apple Silicon Mac, and the Mac quietly won a round nobody expected. And not one byte of any of it touched a cloud API. The thesis, stated plainly Trust the harness, not the model. A coding agent on a local model produces output of wildly variable quality, and no amount of prompt tuning makes a 27B as reliable as a frontier model. So Foreman does not ask the model to be reliable. It wraps the model in a pipeline that is : the coder works in a cloned workspace, a fast in-workspace gate runs gofmt, vet, build, lint, and the unit tests for the packages it touched; a reviewer reads the diff against the issue; and a clean-room Kubernetes Job re-runs the full suite before anything is allowed to call itself a GO. Around all of that sit deterministic rails: scope checks, edit-free-streak detection, repo-map context. The model is a stochastic component inside a system whose job is to make the system's verdict trustworthy even when the component is not. The interesting question is never "is the model good." It is "does the harness catch the model when it is bad." This weekend gave me

2026-06-22 原文 →
AI 资讯

HelmSharp: render Helm charts from .NET without shelling out to helm

TL;DR: I built a .NET library that renders Helm charts and drives Kubernetes releases without shelling out to the helm CLI. 129/129 templates across ingress-nginx, cert-manager, external-dns, podinfo, and metrics-server now render successfully. The main entry point is HelmSharp.Action, with lower-level packages available for chart loading, rendering, Kubernetes operations, and release storage. MIT licensed, looking for feedback and early adopters. Why I Built This At work, our .NET services deploy to Kubernetes through Helm. Every Docker image had to bundle the helm binary — another dependency to manage, another layer in the image, another surface for CVEs. I wanted to cut that out entirely and do Helm-style rendering directly in-process. The .NET ecosystem doesn't really have this. There are YAML libraries. There are Kubernetes client libraries. There are template engines. But nothing ties them together the way helm template does — values merging, named templates, include , range , toYaml , the whole Sprig function set, all wired into a single render pipeline. So I started building one. (This is also my first real open source project — I'd spent years consuming OSS without contributing back, and HelmSharp is what came out of deciding to change that.) What HelmSharp Does HelmSharp is a multi-package .NET SDK (net8.0 / net9.0 / net10.0) that covers: Package What it does HelmSharp.Action High-level Helm client — TemplateAsync , UpgradeInstallAsync , RollbackAsync HelmSharp.Chart Chart loading from directories and .tgz , values merging, --set / --set-json style overrides HelmSharp.Engine Helm-style template rendering — 100+ Sprig/Helm functions HelmSharp.Kube Kubernetes apply, delete, and wait (no kubectl needed) HelmSharp.Release Release history stored in Kubernetes Secrets (Helm-compatible) HelmSharp.Repo Chart repository index, pull, and search Plus Registry , Storage , PostRenderer extension points Here's the lower-level rendering API — no result objects, no stdout

2026-06-22 原文 →
AI 资讯

container escape is becoming an agent workload

The scary part of an agent-driven container escape is not the container escape. That sounds wrong, so let me be precise. The primitives in Sysdig's latest threat research are not new magic. A mounted Docker socket has been a bad idea for years. Over-permissioned Kubernetes service accounts have been a bad idea for years. Privileged containers are dangerous. Host namespace tricks are dangerous. Secrets reachable from application pods are dangerous. None of this should surprise anyone who has had to review production Kubernetes setups with a straight face. The new part is the operator. Sysdig observed what it describes as an LLM-harness-driven attacker exploiting a vulnerable marimo notebook, enumerating the container and host environment, using the Docker socket as an escape path, creating privileged containers, reading host credentials, and replaying a Kubernetes service-account token to dump Secrets. That is the part worth sitting with. Not because the agent invented a new class of exploit. Because it made the old mistakes compose faster. the attack surface was already there Most security incidents are not movie plots. They are boring edges left open long enough for someone to connect them. In this case, the edges are familiar. An internet-reachable application had a vulnerability. The workload had access to a Docker socket. The container environment exposed enough information to enumerate possible escape paths. A Kubernetes service-account token was available. The token had enough RBAC to read Secrets. Secrets contained useful downstream credentials. That is not one bug. That is a chain of assumptions. The application team may have thought about the notebook vulnerability. The platform team may have thought about the Docker socket as a convenience for one workflow. The Kubernetes team may have thought the service account was scoped "only" to a namespace. The security team may have had runtime alerts somewhere in the backlog. Each decision can look locally tolerabl

2026-06-22 原文 →
AI 资讯

I Ran Gitleaks Against My Own Repo and Found 12 Real Secrets

Originally published at woitzik.dev I assumed my homelab repo was clean. No one had ever flagged anything in review (there is no one else reviewing it), CI was green, and I generally try to use Vault and ExternalSecrets for anything sensitive. Then I ran a full-history gitleaks detect against it. It found 12 distinct secrets committed in plaintext — including the OIDC private key that signs SSO tokens for half the cluster. This is the scanning setup I put in place afterward, the baseline strategy that let me adopt secret scanning without getting blocked by my own history on every commit, and the remediation plan for the leaks themselves. View the complete homelab infrastructure source on GitHub 🐙 What Gitleaks Found gitleaks detect --no-banner -v Twelve real findings, plus one already-hashed password (lower severity but still shouldn't be hand-committed) and one false positive in ROADMAP.md (documentation text that happened to match a generic API key pattern). The real findings, by severity: File Secret Why It Matters kubernetes/apps/authelia/configmap.yml OIDC issuer private key Signs SSO tokens for ArgoCD, Vault, Grafana — highest blast radius kubernetes/apps/garage/config.yml RPC secret + admin token Storage backend for Velero/Loki/CNPG backups kubernetes/apps/garage/secrets.yml Admin token (duplicate) Same secret committed twice in two files terraform/stacks/network/local_backend.hcl Garage S3 access key This is the Terraform state backend's own credential kubernetes/system/postgres/cnpg-backup-secret.yml Garage S3 secret key Used for WAL archiving kubernetes/apps/paperless/secrets.yml Postgres password + AI API token kubernetes/apps/cloudflared/secrets.yml Cloudflare Tunnel token kubernetes/apps/headscale/config.yml OIDC client secret Must match Authelia's client config kubernetes/system/monitoring/loki.yml Minio/S3 password kubernetes/apps/mikrodash/secrets.yml Dashboard password Lowest priority — internal tool only None of these were exposed by a public repo

2026-06-21 原文 →
开发者

CKA Exam study 2026 Scenario 1 - The etcd Endpoint Trap

The etcd Endpoint Trap A cluster migration just took your whole control plane offline. In the next few minutes you'll find out why, and fix it the way the CKA exam expects. This is a CKA Troubleshooting walkthrough. Every command below is real output from a live cluster, and you can reproduce the whole thing yourself (scripts at the end). The scenario A single-node kubeadm cluster was migrated to a new machine. The control plane won't come up. Your task: identify the broken component, find the root cause, fix the config, restart, and verify. Single-node kubeadm cluster, freshly migrated Control plane will not start Find the broken component Root-cause it, fix it, verify How the control plane actually starts The kubelet runs the control plane as static pods from /etc/kubernetes/manifests . The kube-apiserver cannot start unless it can reach etcd. Give it the wrong etcd address and the apiserver crashes, so the whole cluster looks dead. The kube-apiserver runs as a static pod : the kubelet reads its manifest from /etc/kubernetes/manifests/ and keeps it running. The apiserver cannot start unless it can reach etcd, so a wrong --etcd-servers endpoint takes the whole API down, and with it, everything you'd normally use to debug. Step 1 — Reproduce the symptom First, reproduce the symptom. kubectl get nodes is refused. A refused connection on the API port means the API server is down: a control-plane problem, not a workload problem. $ kubectl get nodes The connection to the server cka-scenario1-control-plane:6443 was refused - did you specify the right host or port? A refused connection on the API port is a control-plane problem, not a workload problem. Step 2 — Investigate from the node kubectl can't help us now, so drop to the node. The kubelet itself is active. But follow its log and you'll see it stuck in a loop, restarting the apiserver over and over. The kubelet is fine; the static pod it manages is the problem. $ systemctl is-active kubelet active $ journalctl -u ku

2026-06-20 原文 →
AI 资讯

Docker Essentials: Containerizing Your First App – My "Matrix" Moment

The Quest Begins (The "Why") Picture this: I’m hunched over my laptop at 2 a.m., surrounded by empty coffee mugs, trying to get a simple Node.js API to run on a friend’s Windows machine. I’ve got the code, I’ve got the dependencies, but every time I hit npm start on his box I’m greeted with “Cannot find module ‘left-pad’” (yeah, I know, that’s a meme, but it felt real). It was like trying to cast a spell in Harry Potter while forgetting the wand‑movement — nothing happened, and I felt like a Muggle in a wizard’s duel. That night I realized the real dragon wasn’t the buggy code; it was the “it works on my machine” curse. I needed a way to package everything — the runtime, the libraries, the environment variables — into a single, portable chest that any teammate (or future‑me) could open and instantly get the same result. Enter Docker, the holy grail of reproducibility. If The Matrix taught us anything, it’s that once you see the underlying code, you can bend reality. Docker lets you see the container code and then bend your deployment reality to your will. The Revelation (The Insight) The big “aha!” came when I stopped thinking of Docker as just another VM and started seeing it as a lightweight, immutable snapshot of my app’s filesystem. Unlike a full VM that boots an entire OS, a Docker container shares the host kernel but isolates everything else — think of it as the Inception dream‑within‑a‑dream, but each layer is a read‑only snapshot you can stack like LEGO bricks. Here’s the secret sauce in three lines: Dockerfile – a recipe that tells Docker how to build the image. Image – the built, immutable artifact (the “DVD” of your app). Container – a running instance of that image (the “movie playing” from the DVD). When you docker build , Docker reads the Dockerfile line‑by‑line, creates intermediate layers, caches them, and finally spits out an image you can tag, push to a registry, and run anywhere. No more “it works on my machine” because the machine inside the cont

2026-06-20 原文 →
AI 资讯

Building a Kubernetes Cluster on Red Hat Enterprise Linux 10: A kubeadm Guide

Introduction In this post, I'll walk you through deploying a production-ready Kubernetes cluster on Red Hat Enterprise Linux 10 using kubeadm. This lab was inspired by Anthony E. Nocentino's excellent Certified Kubernetes Administrator (CKA): Using kubadm to Install a Basic Cluster training course, which is part of the official Certified Kubernetes Administrator (CKA) path on Pluralsight . ⭐ Shout-out: Anthony is a fantastic trainer! His course uses Ubuntu 22.04 as the base OS. I adapted his approach to work on RHEL 10, adding some additional considerations specific to Red Hat's ecosystem. One intentional decision in this setup: I deployed Kubernetes v1.35 and CRI-O v1.35, which wasn't the latest version available at installation time. This was purposeful. Anthony's course includes a dedicated section on upgrading clusters, and using a slightly older baseline makes that learning path clearer. The upgrade procedures (not covered here) are what really solidify your understanding of cluster lifecycle management. Lab Infrastructure Overview Nodes Configuration Node Role RAM vCPUs IP Address rh-cp1 Control Plane 12 GiB 2 192.168.110.120 rh-node1 Worker 6 GiB 2 192.168.110.121 rh-node2 Worker 6 GiB 2 192.168.110.122 rh-node3 Worker 6 GiB 2 192.168.110.123 Note: The IP address schema is just an example and what was more convenient for me. Supporting Infrastructure A dedicated utilities VM (also RHEL 10) provides essential services: DNS (BIND/named) NTP (chrony) HTTP (Apache/httpd) DHCP (Kea) This centralized infrastructure simplifies name resolution across all cluster nodes. But this is not essential for this project. You can, instead, ensure the nodes are able to reach each other updating the file /etc/hosts on all nodes. Prerequisites & OS Preparation Before diving into Kubernetes, we need consistent node preparation across all machines . 1. System Registration and Updates $ sudo subscription-manager register --username <username> --password <password> $ sudo dnf update

2026-06-19 原文 →
AI 资讯

AI Workloads Are Reshaping Kubernetes in 2026: GPU Scheduling, MLOps, and the Platform Engineering Reckoning

How GPU scheduling complexity and MLOps integration are forcing platform teams to rearchitect Kubernetes clusters before operational debt becomes insurmountable. As AI workloads consume roughly 40% of enterprise Kubernetes clusters by 2026, the platform's default scheduler is proving fundamentally mismatched with the topology-aware, gang-scheduled demands of GPU-intensive training and inference. Platform engineering teams that invest now in purpose-built GPU scheduling layers, multi-tenant partitioning, and FinOps-driven autoscaling will separate themselves from organizations drowning in 30-45% GPU utilization rates and mounting infrastructure costs. Why the Default Kubernetes Scheduler Fails GPU Workloads Kubernetes was designed for stateless, CPU-bound services, and its pod-by-pod bin-packing scheduler has no native awareness of GPU topology, NUMA boundaries, or NVLink interconnect bandwidth. This becomes a critical failure point with NVIDIA H100 SXM5 nodes, where achieving full-bandwidth tensor parallelism requires all 8 GPUs on a node to be scheduled as a single atomic unit. The default scheduler cannot guarantee this co-placement, meaning distributed PyTorch FSDP or MPI training jobs frequently land on suboptimal node configurations, wasting expensive NVLink bandwidth and forcing teams to over-provision GPU capacity. Idle GPU memory stranded across partially-utilized nodes is the primary driver behind the 30-45% utilization rates reported in 2025 surveys by Gradient Dissent and Weights and Biases, representing millions of dollars in annual wasted spend for mid-to-large enterprises running mixed AI workloads. Building the GPU Scheduling Stack: Volcano, KAI Scheduler, and MIG Platform teams are converging on a layered scheduling architecture that replaces or augments the default Kubernetes scheduler with GPU-aware primitives. Volcano has become the dominant choice for distributed training workloads, using its PodGroup abstraction to enforce gang scheduling across

2026-06-18 原文 →
AI 资讯

CloudNativePG: Running PostgreSQL in Kubernetes Without the Pain

A CloudNativePG cluster that sits in Setting up primary forever, with zero error events on the Cluster resource and a perfectly healthy operator, is one of the more frustrating ways to spend an afternoon. The operator says it's working. The pods never appear. And the actual cause has nothing to do with the database at all. Running stateful databases on Kubernetes used to be the thing everyone told you not to do. CloudNativePG (CNPG) changed that calculus for a lot of people, including me. It's a proper operator: it handles failover, backups, connection routing, and rolling upgrades through native Kubernetes primitives instead of bolting Postgres onto a StatefulSet and praying. If you run a hardened cluster with admission controllers, network policies, and least-privilege RBAC, this post is about the friction you'll hit that the quickstart never mentions. Who should care If your cluster is vanilla, kubectl apply the operator and a Cluster manifest, and you're done in ten minutes. The CNPG docs are genuinely good for that path. This is for the rest of us: people running Kyverno or OPA Gatekeeper, self-signed cert chains, and the kind of policy-as-code setup where every workload has to justify its existence. That's where CNPG stops being a ten-minute install and starts being an integration project. What I tried first The first instinct, when a CNPG cluster hangs, is to assume you got the database config wrong. So you go read your Cluster manifest line by line. You check the storage class. You check that the PVC bound. You bump the operator log level and watch it cheerfully report that it's reconciling, over and over, with no complaints. Here's the trap: the CNPG operator doesn't run initdb itself. It creates a Kubernetes Job to bootstrap the primary. That Job spawns a Pod. And in a hardened cluster, the Pod is where everything dies, because your admission controller is judging it against policies the operator's own Pods were exempted from but the bootstrap Job was not.

2026-06-16 原文 →
AI 资讯

How Do You Integrate Penetration Testing into CI/CD?

Modern software delivery pipelines can deploy code dozens or even hundreds of times per day. Traditional penetration testing models, where security teams perform assessments quarterly or before major releases, simply cannot keep pace. Attackers do not wait for the next security review. Every pull request, dependency update, infrastructure change, or container image introduces potential risk. Integrating penetration testing into CI/CD enables organizations to identify vulnerabilities before they reach production. The goal is not replacing human penetration testers. The goal is automating everything that can be automated so security experts can focus on complex attack paths and business logic flaws. Understanding Security Testing Layers in CI/CD Security testing is often misunderstood because multiple categories overlap. Testing Type Purpose SAST Analyze source code SCA Detect vulnerable dependencies DAST Test running applications IAST Runtime security analysis Penetration Testing Simulate attacker behavior Penetration testing combines elements of all these approaches. A mature CI/CD pipeline continuously performs automated penetration testing while reserving manual testing for sophisticated attack scenarios. Designing a Security-First CI/CD Architecture A security-centric pipeline typically looks like: Developer Commit ↓ Pre-Commit Security Checks ↓ Pull Request Validation ↓ Build Stage ↓ Container Security Scan ↓ Infrastructure Validation ↓ Deploy to Staging ↓ Automated Penetration Testing ↓ Security Gate ↓ Production Deployment Each stage eliminates vulnerabilities before they become more expensive to fix. Stage 1: Pre-Commit Security Controls The cheapest vulnerability is the one that never reaches Git. Secret Detection Install TruffleHog or Gitleaks before code reaches the repository. repos : - repo : https://github.com/gitleaks/gitleaks rev : v8.20.0 hooks : - id : gitleaks Developer installation: pip install pre-commit pre-commit install Now every commit is aut

2026-06-15 原文 →