# Key considerations for algorithm "RSA" ≥ 2048-bit
openssl genrsa -out server.key 2048
# Key considerations for algorithm "ECDSA" ≥ secp384r1
# List ECDSA the supported curves (openssl ecparam -list_curves)
| admin: | |
| access_log_path: /dev/stdout | |
| address: | |
| socket_address: { address: 0.0.0.0, port_value: 9901 } | |
| static_resources: | |
| listeners: | |
| - name: listener1 | |
| address: | |
| socket_address: { address: 0.0.0.0, port_value: 51051 } |
| #!/bin/bash | |
| set -e | |
| usage() { | |
| cat <<EOF | |
| Generate certificate suitable for use with an sidecar-injector webhook service. | |
| This script uses k8s' CertificateSigningRequest API to a generate a | |
| certificate signed by k8s CA suitable for use with sidecar-injector webhook |
| #!/bin/bash | |
| ROOT=$(cd $(dirname $0)/../../; pwd) | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| export CA_BUNDLE=$(kubectl config view --minify --flatten -o json | jq -r '.clusters[] | select(.name == "'$(kubectl config current-context)'") | .cluster."certificate-authority-data"') |
A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI.
It is considered to be used in CI. Before pushing to a container registry, you can scan your local container image easily.
Most of my Docker images are Alpine based. Trivy uses better vulnerability data for Alpine compared to Clair.
This can be easily plugged in to you CI/CD pipeline - in the scenario we we allow the pipeline to fail, the objective here is to provide visibility.
| apiVersion: policy/v1beta1 | |
| kind: PodSecurityPolicy | |
| metadata: | |
| name: my-restricted-psp | |
| spec: | |
| privileged: false | |
| # Required to prevent escalations to root. | |
| allowPrivilegeEscalation: false | |
| # Allow core volume types. | |
| volumes: |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| name: restricted-cluster-role | |
| rules: | |
| - apiGroups: | |
| - policy | |
| resourceNames: | |
| - restricted-psp | |
| resources: |
| const core = require('@actions/core'); | |
| const github = require('@actions/github'); | |
| async function run() { | |
| try { | |
| const accessToken = core.getInput('access-token'); | |
| const message = core.getInput('message'); | |
| const payload = github.context.payload; | |
| const githubClient = github.getOctokit(accessToken); |
| /* | |
| Serve is a very simple static file server in go | |
| Usage: | |
| -p="8100": port to serve on | |
| -d=".": the directory of static files to host | |
| Navigating to http://localhost:8100 will display the index.html or directory | |
| listing file. | |
| */ | |
| package main |
