mozillazg
mozillazg.bsky.social
Reposted by mozillazg
CVE-2025-13281: Portworx Half-Blind SSRF in kube-controller-manager -
CVE-2025-13281: Portworx Half-Blind SSRF in kube-controller-manager · Issue #135525 · kubernetes/kubernetes
CVSS Rating: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N - Medium (5.8) A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portw...
github.com
December 2, 2025 at 1:56 PM
A kubelet image credential provider for Alibaba Cloud Container Registry(ACR)
github.com/mozillazg/ku...
GitHub - mozillazg/kubelet-credential-provider-acr: A kubelet image credential provider for Alibaba Cloud Container Registry(ACR)
github.com
October 19, 2025 at 7:43 AM
Reposted by mozillazg
If you are a volunteer maintainer of an open source project, you owe nobody a "responsible disclosure" policy. If enterprises and foundations want you to have one, tell them they can pay you.
October 17, 2025 at 4:50 PM
Reposted by mozillazg
what happens if u cut 4 wires out of an ethernet cable & then plug it into yr PC
October 9, 2025 at 2:04 PM
Reposted by mozillazg
Our State of Cloud Security 2025 study is out!

www.datadoghq.com/state-of-clo...

• On AWS, 40% of organizations leverage data perimeters
• 11% of Google Cloud GKE and 23% of Google Cloud VMs are overprivileged
• On Azure, 1.3% of storage containers are public, 58% proactively block public access
State of Cloud Security | Datadog
For our 2025 report, we analyzed AWS, Google Cloud, and Azure data from thousands of organizations to understand the latest trends in cloud security posture.
www.datadoghq.com
October 8, 2025 at 9:10 PM
Reposted by mozillazg
Calling all Kubernetes security interested folk. We're planning the next version of the OWASP Kubernetes Top 10, and have a survey to solicit ideas and feedback here docs.google.com/forms/d/e/1F... . Shouldn't take more than a couple of minutes to fill out and all feedback's welcome!
OWASP Kubernetes Top 10 2025 Survey
We're looking to update the OWASP Kubernetes Top 10 and as such want to canvass ideas on what should be included. The goal of the Top 10 is to provide awareness on the most serious risks that Kubernet...
docs.google.com
October 6, 2025 at 1:10 PM
Reposted by mozillazg
If you're new to the Unix or Linux command line, I just want you to know:

Me and all my colleagues with years of experience

Still get confused between `ln -s` and `ln` daily.
August 31, 2025 at 5:36 PM
Reposted by mozillazg
The list of papers accepted at the 3rd #eBPF workshop has been published! conferences.sigcomm.org/sigcomm/2025...
August 11, 2025 at 3:32 PM
Reposted by mozillazg
Please please please please do not follow this advice. Sealed secrets are a terrible idea. Git is designed to be easily branched and not tracked. Secrets management is about tracking secrets and easy rotation. Encrypting data in git isn't more secure than keeping your secrets in etcd.
Sealed Secrets provides declarative Kubernetes Secret Management in a secure way

Since the Sealed Secrets are encrypted, they can be safely stored in a code repository

https://ku.bz/17NJS0d9k
August 16, 2025 at 6:24 PM
Reposted by mozillazg
Ok, I have a rant I have to let go of.

If you generate a change to an open-source project fully with AI, didn't read, review, understand, and question it, then at least have the decency to say this on the PR description.

You're stealing people's time by making them review it for you.
August 16, 2025 at 11:23 AM
Reposted by mozillazg
Next eBPF acquisition in the books, this time for security

www.cyera.com/de/press-rel...
July 10, 2025 at 8:30 AM
Reposted by mozillazg
With NSDI'25 coming to an end today, I've updated the list of #eBPF papers to include the three papers published at USENIX NSDI this year! pchaigno.github.io/bpf/2025/01/...
April 30, 2025 at 3:01 PM
Reposted by mozillazg
Would you look at that, it's tmp.0ut Volume 4! Happy Friday, hope you enjoy this latest issue!

tmpout.sh/4/
March 21, 2025 at 4:26 PM
Reposted by mozillazg
I've added talk recordings to my list of eBPF papers, when available. That's 33 videos of ~20min discussing various aspects and use cases of #eBPF!
pchaigno.github.io/bpf/2025/01/...
February 11, 2025 at 4:01 PM
ptcpdump v0.32.1 is released!

1. fix(backend): enable process filtering for the cgroup-skb backend
2. Use BPF ringbuf instead of perfbuf when kernel support is available
3. improve detection of backported tcx/ringbuf support in older kernels

github.com/mozillazg/pt...
Release v0.32.1 · mozillazg/ptcpdump
Changelog 792bbe1 fix(backend): enable process filtering for the cgroup-skb backend (#246) 020852d chore(bpf): improve detection of backported tcx/ringbuf support in older kernels (#244) d8b42a1 c...
github.com
February 10, 2025 at 1:43 PM
Reposted by mozillazg
The next blog in our #Kubernetes #Security fundamentals series is out now. This time we're taking a look at the world of network security!

securitylabs.datadoghq.com/articles/kub...
Kubernetes security fundamentals: Networking | Datadog Security Labs
A look at how network security works in Kubernetes
securitylabs.datadoghq.com
January 29, 2025 at 1:15 PM
ptcpdump v0.32.0 is released!
* Add support for capturing traffic based on user ID
* Enrich capture output with user information
* Support for displaying thread ID and name in cgroup-skb output
github.com/mozillazg/pt...
Release v0.32.0 · mozillazg/ptcpdump
Changelog f5c4d69 feat(filter): Add support for capturing traffic based on user ID (#233) 924c6fa chore(deps): update github.com/cilium/ebpf to v0.17.1 (#232) 3f1dab8 chore(output): Remove group I...
github.com
January 19, 2025 at 3:38 PM
Reposted by mozillazg
First blog post of the new year and this is one I've been meaning to write up for a while which is some details on #Kubernetes API Server proxy feature and how it might be possible to use some known weaknesses in it to escalate your privileges in a cluster.

raesene.github.io/blog/2025/01...
Exploring the Kubernetes API Server Proxy
raesene.github.io
January 18, 2025 at 12:54 PM
Reposted by mozillazg
The next in my #Kubernetes #Security fundamentals video series is up now.

This time I'm looking at how service account authentication works in Kubernetes, with some hopefully interesting details on how bound service account tokens work.

youtu.be/jTswj4CS4IA?...
Kubernetes Security Fundamentals: Authentication - Part 3
YouTube video by Datadog
youtu.be
January 14, 2025 at 5:38 PM
Reposted by mozillazg
I've made an interactive list of #eBPF research papers. Only papers from the top academic conferences, including lots of papers on eBPF verification, kernel offloads, security analysis, etc.
pchaigno.github.io/bpf/2025/01/...
I plan to keep the list up-to-date.
eBPF Research Papers
When I started reading on BPF there weren’t many academic papers to describe how it worked, how it didn’t, or how it is used. There are many blog posts and informal articles out there, but it’s harder...
pchaigno.github.io
January 7, 2025 at 4:30 PM
happy new year!💥🎇🥳🎉🎊
January 1, 2025 at 1:26 AM
Reposted by mozillazg
writing about the terminal is so funny because it's like "redirects are so useful! hooray!"

"okay and also `cmd file.txt > file.txt` will permanently delete the contents of `file.txt`"

lots of cool useful tools with the occasional horrifying fact that you just need to keep seared into your memory
December 13, 2024 at 9:31 PM