Skip to content

Instantly share code, notes, and snippets.

View tallclair's full-sized avatar

Tim Allclair tallclair

230 followers · 0 following
View GitHub Profile
@tallclair
tallclair / diff.txt
Created September 25, 2017 22:55
Base package changes from jessie to stretch
$ diff -y -W 80 -t jessie.txt stretch.txt
acl <
adduser adduser
apt apt
base-files base-files
base-passwd base-passwd
bash bash
bsdutils bsdutils
coreutils coreutils
dash dash
@tallclair
tallclair / restricted-psp.yaml
Last active March 27, 2025 02:22
Restricted PodSecurityPolicy
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
@tallclair
tallclair / make_policies.sh
Created November 9, 2017 02:31
Generate PodSecurityPolicies for testing
#!/bin/bash
set -o nounset
set -o pipefail
set -o errexit
if [[ $# < 3 ]]; then
>&2 echo "USAGE: $0 total available useable"
exit 1
fi
@tallclair
tallclair / mask_return.go
Created November 10, 2017 00:22
Demonstrate named return masking
package main
import "fmt"
/* OUTPUT:
[named] defer: foo error
[main] named err: foo error
[var] defer: <nil>
[main] var err: foo error
*/
@tallclair
tallclair / git-repo-demo.yaml
Created March 9, 2018 19:54
More secure GitRepo volumes
# Example of using an InitContainer in place of a GitRepo volume.
# Unilke GitRepo volumes, this approach runs the git command in a container,
# with the associated hardening.
apiVersion: v1
kind: Pod
metadata:
name: git-repo-demo
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec:
@tallclair
tallclair / dynamic_crds.go
Last active July 10, 2024 13:02
Example of using CRDs with the dynamic go client
package main
import (
"fmt"
"log"
"os/user"
"path/filepath"
"strings"
apixv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
@tallclair
tallclair / gke-node-security.md
Created September 28, 2018 21:19
Software Engineering Position: Google Kubernetes Engine - Node Security

Software Engineering Position:
Google Kubernetes Engine - Node Security

Full-time
Based in Sunnyvale, CA

Mission

To secure critical node infrastructure in Kubernetes, the open source platform that is taking the cloud by storm ;D

@tallclair
tallclair / kubectl-cp.sh
Last active July 16, 2025 13:18
kubectl cp equivalents
# Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in the default namespace
kubectl cp /tmp/foo_dir <some-pod>:/tmp/foo_dir
tar cf - /tmp/foo_dir | kubectl exec -i <some-pod> -- tar xf -
# Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific container
kubectl cp /tmp/foo <some-pod>:/tmp/foo -c <specific-container>
tar cf - /tmp/foo | kubectl exec -i <some-pod> -c <specific-container> -- tar xf -
# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace <some-namespace>
kubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/foo
@tallclair
tallclair / default-psp.yaml
Created November 22, 2019 20:21
Default PSP profile
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: default
annotations:
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
# Maybe allow all volumes except hostPath
@tallclair
tallclair / code-review.md
Last active December 3, 2019 21:00
Code Review Checklist

This checklist is consolidated from Tim Hawkin's "How To Be A Bad-Ass Code Reviewer" (KubeCon Contributor Summit, Nov 2019).

Out of scope: API review, KEP review

  • Pre-work
    • Do I have enough time for this review?
    • Read linked issues
    • Read PR description
    • Read over past discussions
  • Does this change require domain specific knowledge? Do I have it?