🚨 Kubernetes Troubleshooting Scenario: Pods Running but App Not Accessible Externally 🚨

One of the most common (and tricky) issues in Kubernetes 👇

👉 Pods are Running & Ready
👉 Service is created
👉 Ingress is configured
👉 But still… ❌ Application not accessible from browser

Here’s how I approach troubleshooting this step-by-step:

🔍 1. Check Ingress Configuration
- Validate host, path, and backend service mapping
- Ensure Ingress controller is running

🌐 2. Verify External Access
- Check if external IP is assigned
- Validate DNS mapping (A/CNAME record)

🔗 3. Inspect Service
- Confirm correct selector labels
- Ensure endpoints are properly mapped to pods

🛡️ 4. Network & Security Checks
- Network Policies
- NSGs / Firewalls
- Port exposure

🧪 5. Internal Testing
- Use kubectl port-forward
- Test service from inside cluster

📌 Key Insight: Even if pods are healthy, issues often lie in Ingress, Service mapping, or networking layers — not the application itself.

💡 Golden Rule: Always troubleshoot outside → inside (User → DNS → Ingress → Service → Pod)

This kind of structured debugging approach has helped me quickly isolate issues and improve deployment reliability in Kubernetes environments.

#Kubernetes #DevOps #CloudComputing #AKS #Troubleshooting #SRE #Azure #Containers
Sonali Patel’s Post
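Steps 1 and 3 of the post (Ingress backend mapping, Service selector and endpoint/port mapping) can be checked offline against the JSON that `kubectl get ... -o json` returns. The script below is an added example, not the author's code; the manifests in `sample_objects()` are constructed stand-ins.

```python
"""Offline check of an Ingress -> Service -> Pod mapping (added example, not from the post).
Input is the dicts from `kubectl get ingress/svc/pods -o json`; sample_objects()
returns constructed stand-ins, not real cluster output."""

def selector_matches(selector, labels):
    # A Service only selects a Pod when every selector key/value is present on the Pod.
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())

def check_chain(ingress, services, pods):
    """Return findings as strings; an empty list means the chain is consistent."""
    findings, by_name = [], {s["metadata"]["name"]: s for s in services}
    for rule in ingress["spec"].get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            backend = path["backend"]["service"]
            name, want = backend["name"], backend["port"].get("number")
            svc = by_name.get(name)
            if svc is None:
                findings.append(f"ingress backend service '{name}' not found")
                continue
            port = next((p for p in svc["spec"]["ports"] if p["port"] == want), None)
            if port is None:
                findings.append(f"service '{name}' exposes no port {want}")
                continue
            selector = svc["spec"].get("selector", {})
            matched = [p for p in pods if selector_matches(selector, p["metadata"].get("labels", {}))]
            if not matched:  # what `kubectl get endpoints` would show as <none>
                findings.append(f"service '{name}' selector {selector} matches no pod")
                continue
            target = port.get("targetPort", want)  # targetPort defaults to the Service port
            for pod in matched:  # number or name must match a declared containerPort
                declared = {cp.get("containerPort") for c in pod["spec"]["containers"]
                            for cp in c.get("ports", [])}
                declared |= {cp.get("name") for c in pod["spec"]["containers"] for cp in c.get("ports", [])}
                if target not in declared:
                    findings.append(f"pod '{pod['metadata']['name']}' declares no containerPort {target}")
    return findings

def sample_objects(pod_label="web"):
    """Constructed manifests; pass pod_label='webb' to reproduce a selector typo."""
    ingress = {"spec": {"rules": [{"host": "app.example.test", "http": {"paths": [
        {"path": "/", "backend": {"service": {"name": "web", "port": {"number": 80}}}}]}}]}}
    services = [{"metadata": {"name": "web"}, "spec": {"selector": {"app": "web"},
                                                        "ports": [{"port": 80, "targetPort": 8080}]}}]
    pods = [{"metadata": {"name": "web-0", "labels": {"app": pod_label}},
             "spec": {"containers": [{"name": "web", "ports": [{"containerPort": 8080}]}]}}]
    return ingress, services, pods

if __name__ == "__main__":
    for label in ("web", "webb"):  # healthy chain, then the selector typo
        print(label, check_chain(*sample_objects(label)))
```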
More Relevant Posts
Kubernetes v1.36 just landed a security game-changer: User Namespaces are now Generally Available (GA)! 🚀

For anyone managing multi-tenant clusters, this is the policy design opportunity you’ve been waiting for. When paired with Kyverno, you can enforce practical, scalable security across your environment.

The key shift is powerful in its simplicity:
1. Set hostUsers: false
2. Keep workload flexibility
3. Reduce the host compromise blast radius

Why this matters for your security posture:
1. The root inside the container is no longer directly a host-root equivalent.
2. Capabilities like CAP_NET_ADMIN become namespaced when hostUsers: false is set.
3. You can now support advanced workloads without defaulting to high-risk patterns.

We designed an 8-policy Kyverno framework around this to enforce the new baseline. Key actions include:
1. Requirement: Enforce hostUsers: false.
2. Blockers: Block privileged: true and host namespace joins (like hostNetwork, hostPID, hostIPC) unless User Namespaces are active.
3. Adoption: Mutate missing hostUsers to false for passive adoption.

Successful rollout strategy:
1. Audit first for visibility.
2. Mutate next for passive adoption.
3. Enforce high-risk blockers (e.g., blocking privileged containers).
4. Enforce the baseline requirement (hostUsers: false) last.

The bottom line: v1.36 User Namespaces is not just a feature toggle—it's a massive policy-design opportunity to strengthen your Kubernetes security model fundamentally. Time to start planning your migration!

#Kubernetes #K8s #Security #Kyverno #CloudNative #DevSecOps #MultiTenancy #Kyverno #PolicyAsCode
"Principle of least privilege" gets mentioned in every Kubernetes security guide. But most teams implement it wrong, or not at all.

The theory sounds simple: give workloads only the permissions they need, nothing more. In practice, it's where security context settings deceive teams constantly.

Where PoLP breaks down in real clusters:

→ Running as root "because it works"
The container runs fine. Until someone exploits it and now has root access to your node.

→ Dropping zero capabilities
Default containers inherit more Linux capabilities than most workloads need. CAP_NET_RAW, CAP_SYS_CHROOT — leaving these in place expands your attack surface for no reason.

→ Read-write filesystems everywhere
If your app doesn't need to write to disk, why allow it? A read-only root filesystem blocks entire categories of attacks.

→ No seccomp profiles
Without syscall filtering, a compromised container can make any system call the kernel allows. That's not least privilege, that's maximum privilege with extra steps.

The real problem isn't settings. It's understanding workloads.

Least privilege requires knowing what your application actually needs:
- Which ports does it bind?
- Does it need to write files?
- What syscalls does it make?
- Does it actually need root, or did someone just copy a Dockerfile from Stack Overflow?

Most teams don't have time to audit every workload. So they ship permissive defaults and hope for the best.

The balance nobody talks about:
Too permissive = security exposure.
Too restrictive = broken deployments and frustrated developers.

The teams that get this right aren't guessing. They're observing actual workload behavior and tightening permissions based on real data, not assumptions.

What's your approach to enforcing least privilege without breaking everything?

#Kubernetes #DevOps #PlatformEngineering
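The two posts above describe the same kind of pod-spec audit from two angles: the User Namespaces post gates privileged containers and host namespace joins on `hostUsers: false` (with a mutate stage that defaults it), and the least-privilege post lists the root, capabilities, read-only filesystem and seccomp checks. The linter below encodes both sets of rules in plain Python as an added example; it is not Kyverno and not either author's policies, and the rule wording, the `mutate` flag and the sample specs are constructed.

```python
"""Pod-spec linter encoding the policy logic of the two posts above: the hostUsers gating
from the User Namespaces post and the root/capabilities/read-only/seccomp checks from the
least-privilege post. Added example, not Kyverno and not either author's policies; rule
wording, the mutate flag and the sample specs are constructed."""

HOST_NAMESPACES = ("hostNetwork", "hostPID", "hostIPC")
SECCOMP_OK = ("RuntimeDefault", "Localhost")

def lint_pod(spec, mutate=False):
    """Return (findings, spec). mutate=True defaults a missing hostUsers to false, like the
    passive-adoption stage; findings are what an enforce stage would reject."""
    spec, findings = dict(spec), []
    if mutate and "hostUsers" not in spec:
        spec["hostUsers"] = False               # Kubernetes defaults it to true
    userns = spec.get("hostUsers", True) is False
    if not userns:
        findings.append("hostUsers is not false: container root is host root")
    for ns in HOST_NAMESPACES:                  # host namespace joins need user namespaces
        if spec.get(ns) and not userns:
            findings.append(f"{ns}=true without user namespaces")
    for c in spec.get("containers", []):
        # container securityContext overrides the pod-level one field by field
        sc = {**spec.get("securityContext", {}), **c.get("securityContext", {})}
        name = c["name"]
        if sc.get("privileged") and not userns:
            findings.append(f"{name}: privileged without user namespaces")
        if sc.get("runAsNonRoot") is not True and not sc.get("runAsUser"):
            findings.append(f"{name}: may run as root (uid 0)")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: does not drop ALL capabilities")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: writable root filesystem")
        if sc.get("seccompProfile", {}).get("type") not in SECCOMP_OK:
            findings.append(f"{name}: no seccomp profile")
    return findings, spec

def sample_specs():
    """Constructed specs: a copied-from-somewhere permissive pod and a hardened one."""
    permissive = {"containers": [{"name": "app", "securityContext": {"privileged": True}}]}
    hardened = {"hostUsers": False, "containers": [{"name": "app", "securityContext": {
        "runAsNonRoot": True, "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"]}, "seccompProfile": {"type": "RuntimeDefault"}}}]}
    return {"permissive": permissive, "hardened": hardened}

if __name__ == "__main__":
    for label, spec in sample_specs().items():
        for stage in (False, True):  # audit as-is, then with the mutate stage applied
            print(label, "mutate" if stage else "audit", lint_pod(spec, mutate=stage)[0])
```

Running the permissive spec through the audit stage yields six findings; applying the mutate stage first removes the hostUsers finding and unblocks the privileged container, leaving the four least-privilege findings to fix.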
DevOps Concept of the Day: Networking Basics for DevOps

Core networking for DevOps: IP addresses, DNS lookups, TCP/UDP ports, HTTP/HTTPS, load balancers, and firewalls. When deployments fail, network knowledge tells you why.

Today's DevOps/MLOps update (Apache Airflow): airflow-ctl/0.1.4rc2 Apache Airflow CTL 0.1.4rc2 https://lnkd.in/dGSxx6p7
Why it matters: Pipeline automation replaces manual, error-prone notebook runs at scale.

#Networking #DevOps #CloudNetworking #Infrastructure
As every DevOps engineer knows, "it's always DNS" is a mantra with a grain of truth. This post gives you the tools you need to install before things start going wrong, so you are ready to diagnose DNS issues before they happen.

I’ve put together a comprehensive guide on the modern DNS toolkit, covering everything from the classics to newer encrypted protocols. Move beyond nslookup and troubleshoot network issues, newer encrypted DNS protocols and security features.

Don't wait for the next outage to find out your diagnostic tools aren't installed. Read more here: https://lnkd.in/eBxErhhE

#DNS #DevOps #Networking #SRE #TechTools #SysAdmin #WebDevelopment
👉 Part 3 – The series continues 👈

“Connection refused” is not just a failure – it’s a signal that the system on the other side is reachable, but actively rejecting the connection.

In the latest part (Part 3) of the Aardwark TCP Troubleshooting Deep Dive series, the team explains what’s behind this behavior and why it matters. Understanding these fundamentals might seem technical, but it’s exactly the kind of detail that helps teams troubleshoot faster and operate systems more effectively.

👉 If you’re curious how things work behind the scenes, you can read the full article on our blog: https://lnkd.in/dFbsgg2e

#TCP #Troubleshooting #DevOps #ITInfrastructure
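The distinction the post makes (refused means the host answered; a timeout means nothing answered) shows up directly in the error a connect() call returns. The probe below is an added example, not code from the Aardwark series; it uses only the standard library and a loopback listener to reproduce both outcomes.

```python
"""Tell 'connection refused' apart from the other TCP connect() outcomes (added example,
not from the Aardwark series). Standard library only; demo() uses a loopback listener."""
import errno
import socket

def probe(host, port, timeout=2.0):
    """'open', 'refused' (peer reachable but answering the SYN with RST), 'timeout' (SYN
    dropped, typically a firewall) or 'unreachable' (no route / ICMP unreachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:              # TimeoutError on Python 3.10+
        return "timeout"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise

def demo():
    """Probe a listening loopback port, close the listener, probe the same port again."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))           # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    srv.close()                          # nothing listens now: the kernel answers SYN with RST
    return while_listening, probe("127.0.0.1", port)

if __name__ == "__main__":
    print(demo())   # ('open', 'refused')
```

A "timeout" result against a pod or service port is the case to chase through firewalls, NetworkPolicies and security groups; a "refused" result says the packet arrived and the problem is on the listener side.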
From Raw Metal to A+ Security: My Homelab is Live

Two months of solo study, no guidance, no shortcuts. The result is a production-grade, multi-tier homelab at homelab-dzhafarov.fr. The goal was never to host an app — it was to engineer a system that mirrors real production standards.

THE ARCHITECTURE
A single ethernet cable from the home router into a Huawei device is the only physical entry point into the lab. The Huawei introduces a second NAT layer — a hard subnet boundary that completely isolates lab traffic from the family network. What most engineers treat as a problem, Double NAT, becomes a deliberate isolation mechanism here. The Cloudflare Tunnel then bypasses the port-forwarding limitations that Double NAT creates. One constraint solved two problems.

Full traffic path: Proxmox VMs -> NGINX Load Balancer -> Huawei (isolated subnet) -> ethernet -> Home Router -> ISP -> Cloudflare Edge

No inbound ports open. Home IP never exposed. Lab and home traffic structurally separated at the hardware level.

THE STACK
Proxmox VE 8.x running Ubuntu Server 22.04 LTS nodes — Ed25519 key-only SSH, root login disabled, UFW policies isolating Node Exporter to the monitoring VM only. NGINX load balancer with HSTS, strict CSP, X-Frame-Options — verified A+ on securityheaders.com. Prometheus and Grafana for full observability from day one. Cloudflare Tunnel for outbound-only public exposure.

DOCUMENTATION AS A DELIVERABLE
Four SOPs covering tunnel setup, NGINX hardening, monitoring deployment, and VM provisioning — each with a "Variables — Adapt Before Use" section so they're reusable, not just a personal log. Monitoring comes up first so every subsequent build step is observable. If you can't hand it to someone else and have them reproduce it, you don't own the process.

WHAT IS NEXT
The current infrastructure is the foundation. The roadmap ahead is deliberate. Planned additions include an advanced CI/CD pipeline with integrated linting and test automation using pytest, a GitHub-GitLab bridge for cross-platform pipeline orchestration, and HashiCorp Vault for centralized secrets management — replacing static credentials with dynamic, policy-controlled access. Early work on the CI/CD and testing layer is already visible at https://lnkd.in/dvYaeF2m or in my last LinkedIn post.

Starting Kubernetes in one month, with the CKA — Certified Kubernetes Administrator — targeted for Q3 2026. The certification will run in parallel with integrating K8s directly into this stack. Every addition will be documented to the same standard as this project.

Live site: homelab-dzhafarov.fr
Repo: https://lnkd.in/dwXqeB2x

#DevOps #SysAdmin #Cloudflare #NGINX #Prometheus #Grafana #Proxmox #GitHub #Homelab #Infrastructure #Security #SelfTaught #Apprenticeship
Two Often Overlooked Yet Powerful Kubernetes Concepts

1. Persistent Volume behavior when mounted inside a container

When a volume is mounted using only mountPath, Kubernetes mounts the entire volume at that location. This means:
• Any files that already existed in that directory inside the container image become hidden (masked)
• They are not deleted, but completely inaccessible from within the container
• The directory now shows only the contents of the mounted volume

This behavior exists to avoid file conflicts and merge ambiguity, and to ensure predictable and consistent filesystem behavior.

👉 To resolve this, subPath provides a more granular approach:
• Instead of mounting the entire volume, you mount only a specific file or subdirectory from the volume
• This allows you to preserve the rest of the existing directory contents inside the container
• Only the targeted file or directory is overridden

In simple terms:
mountPath → replaces the whole directory
mountPath + subPath → injects only what you need

2. Service Account Token Auto-Mounting in Pods

By default, Kubernetes automatically mounts a Service Account token into every pod using a projected volume. Along with the token, ca.crt and the pod's namespace are also injected automatically.

This enables the pod to:
• Authenticate with the Kubernetes API
• Interact with cluster resources (based on RBAC permissions)

❗ Why this can be risky
• If a container is compromised, the attacker can use the mounted token to access the Kubernetes API
• The level of access depends on the permissions assigned to the Service Account
• This creates a potential attack surface, especially in workloads that don’t need API access.

👉 How to mitigate
If your application does not need Kubernetes API access, you should disable token auto-mounting:
• At the Pod level → affects only that pod
• At the Service Account level → affects all pods using that account

This follows the principle of least privilege, reducing unnecessary exposure.

Final Takeaway
💡 Volumes replace directories unless scoped with subPath, and ServiceAccount tokens are auto-mounted by default—use both carefully to avoid unintended access and security risks.

#Kubernetes #DevOps #PodtoProductionStories
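The pod-level and ServiceAccount-level switches in the second concept above combine in a fixed order: the Pod's own `automountServiceAccountToken` wins, otherwise the ServiceAccount's value applies, and with both unset the token is mounted. The script below resolves that for a set of pods so you can list which workloads would receive a token; it is an added example, not the post's code, and the ServiceAccount and Pod objects are constructed.

```python
"""Effective ServiceAccount token automount per Pod (added example, not the post's code).
Kubernetes resolves it as the post describes: the Pod's own automountServiceAccountToken
wins, otherwise the ServiceAccount's setting applies, and both unset means the token is
mounted. Sample objects are constructed."""

def token_mounted(pod, service_accounts):
    """True if the API token would be projected into this pod."""
    spec = pod["spec"]
    if "automountServiceAccountToken" in spec:          # pod level overrides the SA
        return bool(spec["automountServiceAccountToken"])
    ns = pod["metadata"].get("namespace", "default")
    sa_name = spec.get("serviceAccountName", "default")
    sa = service_accounts.get((ns, sa_name), {})        # unknown SA: default behaviour
    return sa.get("automountServiceAccountToken", True) is not False

def index_service_accounts(sa_list):
    """Map (namespace, name) -> ServiceAccount object, as from `kubectl get sa -A -o json`."""
    return {(sa["metadata"].get("namespace", "default"), sa["metadata"]["name"]): sa
            for sa in sa_list}

def pods_with_token(pods, service_accounts):
    """Names of pods that get a token: the list to review for workloads that don't need the API."""
    return [p["metadata"]["name"] for p in pods if token_mounted(p, service_accounts)]

def sample():
    sas = index_service_accounts([
        {"metadata": {"name": "default", "namespace": "shop"}},
        {"metadata": {"name": "reader", "namespace": "shop"}},
        {"metadata": {"name": "batch", "namespace": "shop"}, "automountServiceAccountToken": False}])
    pods = [
        {"metadata": {"name": "api-client", "namespace": "shop"}, "spec": {"serviceAccountName": "reader"}},
        {"metadata": {"name": "static-site", "namespace": "shop"}, "spec": {"automountServiceAccountToken": False}},
        {"metadata": {"name": "nightly-job", "namespace": "shop"}, "spec": {"serviceAccountName": "batch"}},
        {"metadata": {"name": "needs-it-anyway", "namespace": "shop"},
         "spec": {"serviceAccountName": "batch", "automountServiceAccountToken": True}},
        {"metadata": {"name": "legacy", "namespace": "shop"}, "spec": {}}]
    return pods, sas

if __name__ == "__main__":
    print(pods_with_token(*sample()))   # ['api-client', 'needs-it-anyway', 'legacy']
```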
Source: https://lnkd.in/eHdXCUkG

🚀 System Design Insights for Engineers

💡 Why APIs matter: REST vs GraphQL vs gRPC—each has unique use cases (e.g., real-time data with WebSockets). 📈
🔒 Security is non-negotiable: Rate limiting, OAuth 2.0, and JWT tokens are critical to prevent DDoS and injection attacks. 🔐
🛠️ Design for scale: Horizontal scaling + load balancers ensure reliability. Don’t overlook single points of failure! 💥

#SystemDesign #APIs #DevOps
Every DevOps incident I've seen comes down to one thing. Someone didn't understand the network.

The app was running. The container was healthy. The deployment went fine. But nothing was reachable.

Here's what actually matters:
🔹 OSI & TCP/IP models — not just theory, your debugging compass
🔹 DNS — the silent layer beneath every connection you make
🔹 Subnetting & CIDR — how cloud VPCs, Kubernetes pods, and firewalls are structured
🔹 Ports — the difference between a service running and a service reachable
🔹 The 6 commands that diagnose 90% of network issues: ping → traceroute → dig → ss → nc → curl

Most engineers skip networking. They learn Docker. They learn Kubernetes. They learn Terraform. Then they hit an incident at 2 AM and don't know where to look.

Networking is the map. Everything else is built on top of it.

I wrote a complete breakdown — OSI layers, DNS resolution, IP addressing, subnetting, ports, and hands-on troubleshooting commands. All in one place.

📖 Full guide in the comments 👇

♻️ Repost if this helps someone level up their DevOps game! 🚀

#DevOps #Networking #Linux #SRE #CloudComputing #DNS #Kubernetes #LearningInPublic #90DaysOfDevOps