@arichtman @vwbusguy @mttaggart exposed api endpoints, super secret secrets hanging out in env vars, rbac not configured or not present, public api access, shared usernames, images that are 2-5 years old with trivial kernel privesc bugs, containers built by people who don't security and spread far and wide. it's just a risk matryoshka doll full of exploitable surfaces and configs, and all the corners and edges full of "industry best practices", written by non-security people

@Viss @arichtman @mttaggart I'm more bothered by the fact that k8s secrets objects aren't actually encrypted (they're just base64 encoded) than scoped injection by env.

https://12factor.net/config


@vwbusguy @arichtman @mttaggart one time i made a very attractive lady literally snotlaugh by saying "kubernetes appears to have been invented to solve a litany of problems that nobody actually appears to have"
@Viss @vwbusguy @arichtman @mttaggart @ceejbot from the outside, it looks like that, but I always assumed I was just missing something. Is that really how it is?
@mk30 @vwbusguy @arichtman @mttaggart @ceejbot the easiest way to put this without getting into the weeds is "kubernetes is not for everyone". it very clearly was not designed with security in mind from the beginning, and since its inception it's been this sorta trapeze act to bolt on stuff here and there or use other third party tools to 'make it safer somehow', so it got (my opinion) very top heavy and complex, very fast, and i would argue not as "hardenable" as many security folks would prefer
@Viss @vwbusguy @arichtman @mttaggart @ceejbot that makes sense. Thanks for explaining it 🐱