All posts
62 posts
Kubernetes network policies: default-deny, keep DNS upLock down pod-to-pod traffic with a default-deny NetworkPolicy, then re-allow DNS and the flows your apps actually need.Jul 3, 2026 · 11 minAdvancedkubernetesnetworkpolicyMulti-stage Docker builds that cut image size by 80%Split build tooling from the runtime so your final image ships only the binary and its deps — smaller, faster, safer.Jun 24, 2026 · 9 minIntermediatedockerimagesVault Kubernetes auth: secrets without static tokensLet pods authenticate to Vault with their service account token and get short-lived secrets — no bootstrap secret to leak.Jun 9, 2026 · 12 minAdvancedvaultkubernetesScanning container images with Trivy in GitLab CIWire Trivy into your pipeline, fail builds on criticals without blocking every merge, and cache the vuln DB so scans stay under 30 seconds.May 26, 2026 · 9 minIntermediatetrivygitlabSpeed up GitHub Actions with dependency cachingCache node_modules, pip wheels, and Go modules keyed on your lockfile hash, and warm the cache on main to cut minutes off every GitHub Actions run.May 12, 2026 · 6 minBeginnergithub-actionscacheTerraform remote state and locking on S3 and DynamoDBMove Terraform state off your laptop into an encrypted S3 or GCS backend with locking, so two applies never race and corrupt your infrastructure.May 5, 2026 · 9 minIntermediateterraformawsPod Security Standards: enforce restricted without breakageRoll out the restricted profile namespace by namespace, find violators with audit mode first, and carve exceptions that expire.Apr 28, 2026 · 12 minAdvancedkubernetespsaKubernetes RBAC least privilege: from admin to scoped rolesReplace blanket cluster-admin with namespaced Roles, audit who can do what, and test access with kubectl auth can-i.Apr 14, 2026 · 10 minIntermediatekubernetesrbacDistroless container images: shipping without a shellShip images with no package manager, no shell, and almost no attack surface — and still debug when you need to.Apr 2, 2026 · 10 minAdvanceddockerdistrolessDynamic database credentials for Jenkins with VaultStop pasting Postgres passwords into Jenkins credentials. Vault mints a fresh user per build and revokes it when the job ends.Mar 24, 2026 · 11 minIntermediatevaultjenkinsSandboxing Linux services with systemd security directivesTurn a plain unit file into a locked-down sandbox with ProtectSystem, NoNewPrivileges, and capability limits.Mar 10, 2026 · 11 minAdvancedlinuxsystemdEncrypt secrets in Git with SOPS and ageKeep encrypted secrets safely in your repo, decrypt them in CI, and never commit a plaintext credential again.Mar 3, 2026 · 8 minIntermediatesopsageSign and verify images with Cosign and KyvernoKeyless image signing with cosign in CI and signature verification at the admission controller, so unsigned or tampered images simply stop scheduling.Feb 24, 2026 · 10 minAdvancedcosignkyvernoScanning Terraform with Checkov before you applyCatch public buckets and open security groups in the plan — in CI, with suppressions that expire and a clean baseline.Feb 12, 2026 · 8 minIntermediateterraformcheckovEncrypting Kubernetes Secrets at rest in etcdKubernetes Secrets are only base64 by default. Turn on an EncryptionConfiguration and rotate the key without downtime.Feb 4, 2026 · 10 minAdvancedkubernetesetcdSAST in CI with Semgrep and custom rulesAdd fast static analysis to your pipeline and write project-specific rules that catch your own recurring bugs.Jan 28, 2026 · 9 minIntermediatesemgrepsastGitHub Actions to AWS with OIDC: no more long-lived keysFederate your workflows into AWS with short-lived tokens scoped to repo and branch. Delete the access keys after.Jan 20, 2026 · 8 minIntermediategithub-actionsawsAWS IAM least privilege with Access AnalyzerGenerate tight IAM policies from real CloudTrail activity and find resources shared outside your account.Jan 8, 2026 · 10 minIntermediateawsiamLinux capabilities: dropping root the right waySplit root into fine-grained capabilities, drop everything you don't need, and stop running containers as full root.Dec 30, 2025 · 9 minIntermediatelinuxcapabilitiesPolicy-as-code for Terraform: tfsec and OPA in reviewCatch public buckets and open security groups in the plan, not in prod. Policies live next to the modules they guard.Dec 16, 2025 · 10 minIntermediateterraformopaOPA Gatekeeper: writing constraint templates from scratchEnforce org-wide Kubernetes policy with Rego — required labels, blocked images, and audit of existing violations.Dec 3, 2025 · 12 minAdvancedopagatekeeperFalco rules that catch real attacks (and skip the noise)Default rulesets page you for everything. Tune Falco to the syscalls that matter and route the rest to a dashboard.Nov 25, 2025 · 13 minAdvancedfalcoebpfGitLab review apps: a fresh environment per merge requestSpin up an ephemeral deploy for every merge request and tear it down on merge — review real changes, not screenshots.Nov 12, 2025 · 10 minIntermediategitlabreview-appsShort-lived TLS certificates from Vault PKIRun an internal CA in Vault and issue certs that live for hours, not years — rotation becomes a non-event.Nov 4, 2025 · 11 minAdvancedvaultpkiBash strict mode: writing ops scripts that fail loudlyset -euo pipefail is the start, not the whole story. Traps, quoting, and safe temp files for scripts that run as root.Oct 28, 2025 · 6 minBeginnerbashlinuxWriting reusable Terraform modules that don't fight youDesign modules with clear inputs and outputs, sane defaults, and versioning so teams reuse them without forking.Oct 15, 2025 · 10 minIntermediateterraformmodulesRootless Docker and why containers shouldn't run as rootRun the Docker daemon and your containers as a non-root user so a container escape lands unprivileged, plus the subuid, cgroups, and storage gotchas.Oct 7, 2025 · 9 minIntermediatedockerrootlessPrometheus alerting rules that don't cry wolfWrite alerts on symptoms with for-durations and good labels so on-call gets pages that actually mean something.Sep 30, 2025 · 10 minIntermediateprometheusalertingAnsible Vault vs HashiCorp Vault: which secret goes whereOne encrypts files in your repo, the other serves secrets at runtime. Most teams need both — here is the split that works.Sep 23, 2025 · 7 minBeginneransiblevaultKubernetes requests and limits: stop OOMKills, noisy podsSet CPU and memory requests and limits that keep the scheduler honest, stop one pod from starving the node, and avoid needless OOMKills under load.Sep 9, 2025 · 7 minBeginnerkubernetesresourcesStop leaking secrets in CI logs: masking and OIDCMask variables, avoid echoing secrets, and move to short-lived OIDC tokens so a leaked log isn't a breach.Aug 27, 2025 · 9 minIntermediatecisecretsSELinux on OpenShift: stop chmod 777-ing your way outRead AVC denials, write a targeted policy module, and keep SCCs strict instead of granting privileged.Aug 19, 2025 · 11 minAdvancedopenshiftselinuxSSH hardening: keys, ciphers, and CA-signed certificatesDisable passwords, pick modern ciphers, and issue SSH certificates so you stop managing authorized_keys by hand.Aug 5, 2025 · 9 minIntermediatesshlinuxExternal Secrets Operator: sync Vault into KubernetesKeep the source of truth in Vault and let the operator materialize Kubernetes Secrets your pods can mount.Jul 29, 2025 · 9 minIntermediatekubernetesvaultParse auditd logs with Python before they hit your SIEMRaw audit records are unreadable and expensive to index. Normalize them with 80 lines of Python and cut ingest cost.Jul 15, 2025 · 8 minBeginnerpythonauditdLocking down S3: block public access and enforce encryptionTurn on account-wide Block Public Access, require TLS and encryption with a bucket policy, and verify it.Jul 2, 2025 · 7 minBeginnerawss3Kubernetes liveness, readiness, startup probes done rightStop routing traffic to pods that aren't ready and restarts that make outages worse — the three probes explained.Jun 24, 2025 · 8 minIntermediatekubernetesprobesCI dependency scanning: pip-audit, npm audit, fail fastLockfile scanners like pip-audit and npm audit are free and fast — the hard part is a CI failure policy strict enough to matter that your team keeps on.Jun 12, 2025 · 7 minBeginnerpip-auditnpmAttesting builds with SLSA provenance in CIGenerate an SBOM and signed SLSA provenance for every build, attach them with cosign, and prove exactly where an artifact came from when auditors ask.Jun 3, 2025 · 11 minAdvancedslsasbomFrom iptables to nftables: a practical migrationTranslate your ruleset to nftables' cleaner syntax and sets, and run both during the cutover without lockouts.May 20, 2025 · 11 minAdvancedlinuxnftablesAutomating secret rotation without downtimeRotate database and API credentials on a schedule using overlapping versions so nothing breaks mid-rotation.May 6, 2025 · 10 minAdvancedsecretsrotationLog aggregation with Loki and structured loggingShip JSON logs, label them well, and query with LogQL — centralized logs without a heavyweight indexing bill.Apr 22, 2025 · 9 minIntermediatelokiloggingDockerfile layer caching: order matters more than you thinkOrder your instructions so dependency layers stay cached and only your code layer rebuilds — seconds, not minutes.Apr 8, 2025 · 6 minBeginnerdockercacheKubernetes Ingress TLS with cert-manager and Let's EncryptIssue and auto-renew TLS certificates for Ingress with cert-manager, ACME, and a ClusterIssuer, and debug stuck orders before ACME rate-limits you.Mar 25, 2025 · 9 minIntermediatekubernetescert-managerTerraform workspaces vs directories for environmentsWhen workspaces help and when separate directories are safer for dev, staging, and prod — with the tradeoffs.Mar 11, 2025 · 8 minIntermediateterraformworkspacesCatch secrets before commit with gitleaks and pre-commitBlock credentials at the git hook, scan history for what already leaked, and wire the same check into CI.Feb 25, 2025 · 6 minBeginnergitleakspre-commitThreat detection on AWS with GuardDuty and EventBridgeTurn on GuardDuty across the org and route high-severity findings to Slack and auto-remediation with EventBridge.Feb 11, 2025 · 10 minAdvancedawsguarddutyHow container escapes happen — and how to prevent themPrivileged flags, host mounts, and leaked sockets are the usual doors. Close them before an attacker finds them.Jan 28, 2025 · 12 minAdvancedcontainerssecurityDRY GitHub Actions with reusable workflowsExtract shared build-and-scan steps into a reusable workflow and call it from every repo with inputs and secrets.Jan 14, 2025 · 8 minIntermediategithub-actionsreuseAuditd rules that matter for complianceWatch the files and syscalls auditors actually ask about, tune rules by key, and keep signal high without drowning auditd in noise nobody reads.Dec 17, 2024 · 9 minIntermediateauditdlinuxKubernetes autoscaling with the Horizontal Pod AutoscalerScale on CPU, memory, or custom Prometheus metrics, and tune stabilization windows so the HorizontalPodAutoscaler won't flap under spiky, bursty load.Dec 3, 2024 · 9 minIntermediatekuberneteshpaTerragrunt: keeping 30 environments DRYStop copy-pasting backend and provider blocks across environments — generate them and keep inputs in one place.Nov 19, 2024 · 11 minAdvancedterragruntterraformGenerate an SBOM for any container image with SyftProduce a complete software bill of materials in SPDX or CycloneDX and feed it to Grype for fast CVE triage.Nov 5, 2024 · 8 minIntermediatesyftsbomBlue-green and canary deploys from your pipelineShip with zero downtime and instant rollback by shifting traffic between versions instead of replacing in place.Oct 22, 2024 · 11 minAdvanceddeploycanaryCentralized logging with journald and rsyslogMake the journal persistent, forward it to a central host, and keep logs you can actually search after an incident.Oct 8, 2024 · 7 minBeginnerjournaldrsyslogTurn on the Kubernetes audit log and actually read itWrite a Kubernetes audit policy that captures the right events at the right level, then query the log to find exactly who deleted that deployment at 2am.Sep 24, 2024 · 11 minAdvancedkubernetesauditImporting existing infrastructure into Terraform stateBring click-ops resources under Terraform with import blocks and generated config — without recreating them.Sep 10, 2024 · 8 minIntermediateterraformimportHEALTHCHECK and graceful shutdown in containersTell the orchestrator when your container is actually healthy, and handle SIGTERM so deploys don't drop requests.Aug 27, 2024 · 8 minIntermediatedockerhealthcheckHardening self-hosted GitLab runnersIsolate jobs, scope CI tokens, and pin executors so one poisoned pipeline can't pivot into your whole GitLab runner fleet or leak another team's secrets.Aug 13, 2024 · 10 minAdvancedgitlabrunnersPulumi vs Terraform: choosing your IaC toolReal programming languages vs HCL: how state handling, unit testing, blast radius, and your team's skills should decide between Pulumi and Terraform.Jul 30, 2024 · 7 minBeginnerpulumiterraformDebugging Pending pods: the five usual causesInsufficient resources, taints, affinity, PVCs, and quotas — how to read the events and fix each one fast.Jul 16, 2024 · 7 minBeginnerkubernetestroubleshootingDocker Compose in production: the parts that biteRestart policies, health-gated dependencies, resource caps, and secrets — what to fix before Compose meets real traffic.Jul 2, 2024 · 9 minIntermediatedockercompose