
mozillazg

@mozillazg.bsky.social

https://github.com/mozillazg

13 Followers  |  96 Following  |  10 Posts  |  Joined: 02.12.2024  |  1.6504

Latest posts by mozillazg.bsky.social on Bluesky

GitHub - mozillazg/kubelet-credential-provider-acr: A kubelet image credential provider for Alibaba Cloud Container Registry(ACR)

A kubelet image credential provider for Alibaba Cloud Container Registry(ACR)
github.com/mozillazg/ku...

19.10.2025 07:43 — 👍 0    🔁 0    💬 0    📌 0

If you are a volunteer maintainer of an open source project, you owe nobody a "responsible disclosure" policy. If enterprises and foundations want you to have one, tell them they can pay you.

17.10.2025 16:50 — 👍 1    🔁 1    💬 0    📌 0

what happens if u cut 4 wires out of an ethernet cable & then plug it into yr PC

09.10.2025 14:04 — 👍 294    🔁 44    💬 16    📌 4
State of Cloud Security | Datadog For our 2025 report, we analyzed AWS, Google Cloud, and Azure data from thousands of organizations to understand the latest trends in cloud security posture.

Our State of Cloud Security 2025 study is out!

www.datadoghq.com/state-of-clo...

• On AWS, 40% of organizations leverage data perimeters
• 11% of Google Cloud GKE and 23% of Google Cloud VMs are overprivileged
• On Azure, 1.3% of storage containers are public, 58% proactively block public access

08.10.2025 21:10 — 👍 8    🔁 4    💬 1    📌 1
OWASP Kubernetes Top 10 2025 Survey: We're looking to update the OWASP Kubernetes Top 10 and as such want to canvass ideas on what should be included. The goal of the Top 10 is to provide awareness on the most serious risks that Kubernet...

Calling all Kubernetes security interested folk. We're planning the next version of the OWASP Kubernetes Top 10, and have a survey to solicit ideas and feedback here docs.google.com/forms/d/e/1F... . Shouldn't take more than a couple of minutes to fill out and all feedback's welcome!

06.10.2025 13:10 — 👍 6    🔁 7    💬 0    📌 0

If you're new to the Unix or Linux command line, I just want you to know:

Me and all my colleagues with years of experience

Still get confused between `ln -s` and `ln` daily.

31.08.2025 17:36 — 👍 299    🔁 27    💬 30    📌 6
Screenshot of the eBPF workshop program, showing Session 3 ("Time for Better and Safer Programming") and the beginning of Session 4 ("Profiling meets Machine Learning and Privacy").

The list of papers accepted at the 3rd #eBPF workshop has been published! conferences.sigcomm.org/sigcomm/2025...

11.08.2025 15:32 — 👍 4    🔁 3    💬 0    📌 0

Please please please please do not follow this advice. Sealed secrets are a terrible idea. Git is designed to be easily branched and not tracked. Secrets management is about tracking secrets and easy rotation. Encrypting data in git isn't more secure than keeping your secrets in etcd.

16.08.2025 18:24 — 👍 5    🔁 1    💬 1    📌 0

Ok, I have a rant I have to let go of.

If you generate a change to an open-source project fully with AI, and didn't read, review, understand, and question it, then at least have the decency to say this in the PR description.

You're stealing people's time by making them review it for you.

16.08.2025 11:23 — 👍 40    🔁 7    💬 3    📌 1
GitHub - mozillazg/kube-audit-mcp: MCP Server for Kubernetes Audit Logs

MCP Server for Kubernetes Audit Logs
github.com/mozillazg/ku...

10.08.2025 12:10 — 👍 0    🔁 0    💬 0    📌 0

Next eBPF acquisition in the books, this time for security

www.cyera.com/de/press-rel...

10.07.2025 08:30 — 👍 4    🔁 1    💬 0    📌 0
Screenshot of the top of the list, showing the interactive selectors and the three eBPF papers published at NSDI'25.

With NSDI'25 coming to an end today, I've updated the list of #eBPF papers to include the three papers published at USENIX NSDI this year! pchaigno.github.io/bpf/2025/01/...

30.04.2025 15:01 — 👍 2    🔁 2    💬 0    📌 0
table of contents for tmp.0ut volume 4

Would you look at that, it's tmp.0ut Volume 4! Happy Friday, hope you enjoy this latest issue!

tmpout.sh/4/

21.03.2025 16:26 — 👍 126    🔁 66    💬 2    📌 7

I've added talk recordings to my list of eBPF papers, when available. That's 33 videos of ~20min discussing various aspects and use cases of #eBPF!
pchaigno.github.io/bpf/2025/01/...

11.02.2025 16:01 — 👍 8    🔁 5    💬 0    📌 0
Release v0.32.1 · mozillazg/ptcpdump Changelog 792bbe1 fix(backend): enable process filtering for the cgroup-skb backend (#246) 020852d chore(bpf): improve detection of backported tcx/ringbuf support in older kernels (#244) d8b42a1 c...

ptcpdump v0.32.1 is released!

1. fix(backend): enable process filtering for the cgroup-skb backend
2. Use BPF ringbuf instead of perfbuf when kernel support is available
3. improve detection of backported tcx/ringbuf support in older kernels

github.com/mozillazg/pt...

10.02.2025 13:43 — 👍 0    🔁 0    💬 0    📌 0
Kubernetes security fundamentals: Networking | Datadog Security Labs A look at how network security works in Kubernetes

The next blog in our #Kubernetes #Security fundamentals series is out now. This time we're taking a look at the world of network security!

securitylabs.datadoghq.com/articles/kub...

29.01.2025 13:15 — 👍 19    🔁 7    💬 0    📌 0
Release v0.32.0 · mozillazg/ptcpdump Changelog f5c4d69 feat(filter): Add support for capturing traffic based on user ID (#233) 924c6fa chore(deps): update github.com/cilium/ebpf to v0.17.1 (#232) 3f1dab8 chore(output): Remove group I...

ptcpdump v0.32.0 is released!
* Add support for capturing traffic based on user ID
* Enrich capture output with user information
* Support for displaying thread ID and name in cgroup-skb output
github.com/mozillazg/pt...

19.01.2025 15:38 — 👍 0    🔁 0    💬 0    📌 0
Exploring the Kubernetes API Server Proxy

First blog post of the new year and this is one I've been meaning to write up for a while which is some details on #Kubernetes API Server proxy feature and how it might be possible to use some known weaknesses in it to escalate your privileges in a cluster.

raesene.github.io/blog/2025/01...

18.01.2025 12:54 — 👍 24    🔁 14    💬 0    📌 0
Kubernetes Security Fundamentals: Authentication - Part 3
YouTube video by Datadog

The next in my #Kubernetes #Security fundamentals video series is up now.

This time I'm looking at how service account authentication works in Kubernetes, with some hopefully interesting details on how bound service account tokens work.

youtu.be/jTswj4CS4IA?...

14.01.2025 17:38 — 👍 35    🔁 9    💬 0    📌 1
eBPF Research Papers: When I started reading on BPF there weren’t many academic papers to describe how it worked, how it didn’t, or how it is used. There are many blog posts and informal articles out there, but it’s harder...

I've made an interactive list of #eBPF research papers. Only papers from the top academic conferences, including lots of papers on eBPF verification, kernel offloads, security analysis, etc.
pchaigno.github.io/bpf/2025/01/...
I plan to keep the list up-to-date.

07.01.2025 16:30 — 👍 18    🔁 13    💬 1    📌 1
Exploring Workload Identity Federation in GKE In this article, we will briefly explore a feature called "Workload Identity Federation for GKE" that was recently announced by GKE in their official blog. Features Overview Workload Identity Federati...

Exploring Workload Identity Federation for GKE
mozillazg.com/2025/01/secu...

10.01.2025 01:02 — 👍 0    🔁 0    💬 0    📌 0

happy new year!💥🎇🥳🎉🎊

01.01.2025 01:26 — 👍 1    🔁 0    💬 0    📌 0
Release v0.31.0 · mozillazg/ptcpdump Changelog b4870fe feat: support filter by container-id prefix matching 12 or more characters (#218) e3fa2ee feat(platform): Add support for OpenWrt 24.10 on x86-64 architecture (#214) a353f78 chor...

ptcpdump v0.31.0 is released!
github.com/mozillazg/pt...

22.12.2024 05:14 — 👍 0    🔁 0    💬 0    📌 0

writing about the terminal is so funny because it's like "redirects are so useful! hooray!"

"okay and also `cmd file.txt > file.txt` will permanently delete the contents of `file.txt`"

lots of cool useful tools with the occasional horrifying fact that you just need to keep seared into your memory

13.12.2024 21:31 — 👍 289    🔁 25    💬 19    📌 4
Release v0.30.0 · mozillazg/ptcpdump Changelog 7d71bb8 chore(bpf): Optimize BPF attachment by skipping netdev hooks when not using TC backend (#209) 0308649 feat(capture): Add --backend=cgroup-skb support for cgroup-based packet capt...

github.com/mozillazg/pt...

08.12.2024 07:40 — 👍 0    🔁 0    💬 0    📌 0
pcapng: support read and write Enhanced Packet Block (EPB) options by mozillazg · Pull Request #58 · gopacket/gopacket

github.com/gopacket/gop...

08.12.2024 03:50 — 👍 0    🔁 0    💬 0    📌 0
GitHub - NilsIrl/dockerc: container image to single executable compiler

dockerc: container image to single executable compiler
github.com/NilsIrl/dock...

05.12.2024 13:28 — 👍 1    🔁 1    💬 0    📌 0
AWS re:Invent 2024 - Securing Kubernetes workloads in Amazon EKS (KUB315)
YouTube video by AWS Events

My re:Invent talk is up! www.youtube.com/watch?v=yuXF...

04.12.2024 18:13 — 👍 12    🔁 2    💬 0    📌 0

Stratus Red Team v2.20.0 is now available, with great contributions from @flekyy90.bsky.social allowing you to reproduce AWS TTPs seen in the wild!

➔ Use GetFederationToken to generate temporary credentials

➔ Use SendSerialConsoleSSHPublicKey to pivot to EC2 instances

github.com/DataDog/stra...

04.12.2024 16:20 — 👍 14    🔁 9    💬 1    📌 2

We're now officially on Bluesky!

Expect:

➔ New articles on Security Labs about cloud, container and application security
➔ OSS projects for cloud security practitioners
➔ Conference talks at community conferences

See also our starter pack bsky.app/starter-pack... with our authors and researchers!

03.12.2024 14:30 — 👍 20    🔁 9    💬 2    📌 2

@mozillazg is following 20 prominent accounts