From 4aa9d0ef7fdd067f0b254ca072b3ffccd82c8aa1 Mon Sep 17 00:00:00 2001 From: David Young Date: Fri, 10 Feb 2023 23:25:42 +1300 Subject: [PATCH] Satisfy markdown lint Signed-off-by: David Young --- docs/blog/posts/notes/layered-kubernetes-security-is-a-pita.md | 2 +- docs/blog/posts/reviews/review-nextcloud-24.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/blog/posts/notes/layered-kubernetes-security-is-a-pita.md b/docs/blog/posts/notes/layered-kubernetes-security-is-a-pita.md index d363861..93d6780 100644 --- a/docs/blog/posts/notes/layered-kubernetes-security-is-a-pita.md +++ b/docs/blog/posts/notes/layered-kubernetes-security-is-a-pita.md 
@@ -23,7 +23,7 @@ Here's how the process went: 4. Image must be signed using [cosign](https://github.com/sigstore/cosign) on both the dev and prod infrastructure (*separate signing keys are used*). [Connaisseur](https://github.com/sse-secure-systems/connaisseur) prevents unsigned images from being run in any of our clusters[^2]. 5. Image is in the repo, now to deploy it... add a deployment template to our existing database helm chart. Deployment pipeline (*via [Concourse CI](https://concourse-ci.org/)*) fails while [kube-scor](https://github.com/zegl/kube-score)ing / [kube-conform](https://github.com/yannh/kubeconform)ing the generated manifests, because they're missing the appropriate probes and securityContexts 6. Note that if we had been able to sneak a less-than-secure deployment past kube-score's static linting, then [Kyverno](https://kyverno.io/) would have prevented the pod from running! -7. Fixed all the invalid / less-than-best-practice elements of the deployment. Ensure resource limits, HPAs, securityContexts are applied. +7. Fixed all the invalid / less-than-best-practice elements of the deployment. Ensure resource limits, HPAs, securityContexts are applied. 8. Manifest deploys (*pipeline is green!*), pod immediately crashloops (*it's not very obtuse code!*) 9. Examine Cilium's [Hubble](https://github.com/cilium/hubble), determine that the pod is trying to talk to FoundationDB (*duh*), and being blocked by default. 10. Apply the appropriate labels to the deployment / pod to align with the pre-existing regime of [Cilium NetworkPolicies](https://docs.cilium.io/en/latest/security/policy/) permitting ingress/egress to services based on pod labels (*thanks [Monzo](https://monzo.com/blog/we-built-network-isolation-for-1-500-services)!*) diff --git a/docs/blog/posts/reviews/review-nextcloud-24.md b/docs/blog/posts/reviews/review-nextcloud-24.md index fac1694..990a122 100644 --- a/docs/blog/posts/reviews/review-nextcloud-24.md 
+++ b/docs/blog/posts/reviews/review-nextcloud-24.md @@ -44,7 +44,7 @@ It's been a few years since I published a Docker Swarm recipe for Nextcloud, com TL;DR - It's still boring on the inside. But that's good. The outside though, is increasingly sexy and well-polished. -In the process of running the latest recipe through its paces in CI, I noticed that the UX has come a long way. Under the hood, NextCloud is much the same, with some extra polish, and a few years more ecosystem maturity. Now apps like[ Nextcloud Talk](https://nextcloud.com/talk/) (which was beta at the the time) is de-facto, and the integration of 3rd-party apps is well-established. +In the process of running the latest recipe through its paces in CI, I noticed that the UX has come a long way. Under the hood, NextCloud is much the same, with some extra polish, and a few years more ecosystem maturity. Now apps like [Nextcloud Talk](https://nextcloud.com/talk/) (which was beta at the the time) is de-facto, and the integration of 3rd-party apps is well-established. Nextcloud (*now called "Nextcloud Hub II" for some reason!*) no longer looks like a boring, corporate file collaboration suite. The default page is a "Dashboard", which can be extended with "Widgets" which integrate with the various apps (*of which there are over 100!*) which can be installed from their app store.
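Review bot: In the layered-kubernetes-security-is-a-pita.md hunk, the removed and added versions of step 7 read identically, so the change appears to be trailing-whitespace removal only; a whitespace-only diff is invisible in most review views, so the commit message "Satisfy markdown lint" would be easier to verify if it named the lint rule being satisfied (or the diff were reviewed with whitespace shown).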
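Review bot: In the review-nextcloud-24.md hunk, the added line correctly moves the space outside the link brackets (`like [Nextcloud Talk](https://nextcloud.com/talk/)`), but it still carries the duplicated word in "which was beta at the the time"; since this line is already being rewritten, drop the repeated "the" in the same change, and consider "apps like ... are de-facto" to match the plural subject.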