Kubernetes Pod Spec: Better Defaults & Security

  • Published 19 Sep 2024

COMMENTS • 15

  • @BretFisher  2 years ago +1

    What else do you need in your default pod spec?

  • @pbnjdev 2 years ago +4

    Hello Bret, your videos and educational materials are underrated. As an infra/security engineer who's been working deeply with Kubernetes & containers for the past 6 years, I continue to learn new things from your channel. Thank you for all the work you do to share knowledge with the community.

  • @mitchharpur 2 years ago +2

    Great session. Thank you for the effort to explain the details

    • @archemedes3451 2 years ago +1

      YES! It's that you share not just the "what" but the "why". 👍

    • @BretFisher  2 years ago

      My pleasure!

  • @RAHUL841991 11 months ago +1

    Thanks, really helpful

  • @maksimbakalo1183 2 years ago +1

    Thanks, Bret, awesome video, watched it twice and will use it as a reference. Please do more k8s security videos.

    • @BretFisher  2 years ago

      Great, I wanted it to be a quick reference for all the pod sec things :)

  • @dineshkumarprajapati5355 2 years ago +1

    Hello Bret, thanks for detailed information about pod defaults.
    I have a question, can we set readinessProbe in cronjob?

  • @mozhago8280 2 years ago +1

    Hi Bret, Great session as usual. I see that u did mention AppArmor and SELinux to restrict the pod access to OS resources. Do u think seccomp profile eliminates the need for such things? Thanks

    • @BretFisher  2 years ago

      If you have the non-root stuff, and seccomp default profile enabled, then there is overlap between those and what AppArmor and SELinux do, but it's not 1-for-1, and I'm not smart enough to do a line-by-line comparison. It's really up to if you want to use a custom profile for your app, and then just pick a tool to do it in. AppArmor (apt/ubuntu) and SELinux (Red Hat) tend to be easier to use than seccomp or manually removing kernel capabilities, IMO. For some apps like NGINX, Apache, MySQL, you might find pre-created profiles you can manually apply to those pods for a much tighter security profile. At that point it doesn't matter which method you use, as long as it works on that host.

  • @dineshkumarprajapati5355 2 years ago +1

    Hello Bret,
    I am running 5 different crons and each has a different schedule time. Like 1st run every 4 minutes, 2nd run every 10 minutes, 3rd run every 15 minutes, 4th run every 20 minutes and last 5th one every 45 minutes.
    When I start these crons, these run flawlessly but I found one issue is that these all crons restart after every hour. Means last cron which runs every 45 minutes got terminated in second iteration after 15 minutes (45+15)
    I'm using AWS EKS cluster. Can you please let me know what's causing this unusual behaviour of the crons.
    Thanks in advance

    • @BretFisher  2 years ago +1

      I've never seen that issue before, and it doesn't sound like a normal Kubernetes behavior. I recommend reaching out to AWS support, as it sounds like an issue with your EKS.