#security (2020-03)
Archive: https://archive.sweetops.com/security/
2020-03-03
cert-manager folks — https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864
good looking out!
To help folks out, here’s how I forced cert-manager to renew my certs in place with no downtime.
kubectl get certificates
kubectl edit certificate <name>
# add the following k:v pair to the YAML
# spec:
# renewBefore: 2040h
kubectl get events # watch for it to renew and be done
kubectl get certificate <name> -o yaml
# check transition date and expiry date, should be 90 days out
kubectl edit certificate <name>
# revert changes to spec.renewBefore
@Adam Blackwell
bah, i’m still on 0.9, bug checker tool doesn’t work for me >.<
@Adam Blackwell has joined the channel
2020-03-04
2020-03-05
2020-03-08
Has anyone used gatekeeper without keycloak? Works ok? Thinking about integrating it with one login
Haven’t tried but curious what you figure out
2020-03-10
2020-03-11
regarding: https://github.com/cloudposse/bastion I see that if you add slack notification, webhook token will be in env vars…
wouldn’t that be safer to login using another user than root? to hide it?
even if it’s an alpine docker with minimal commands
it’s just tricker to orchestrate and in the end, all the webhook can do is post messages. Of course, that can be used for phishing and other things, but don’t see any way an unprivileged user couldn’t game it.
oh, and the idea with bastion is to mount a passwd file so users aren’t root.
yep agree but they are bound to root on bastion. instead of user without sudo
they are bound
what does they refer to?
users logged in.
no, sshd should be handling that like any other system
sshd runs as root so it can drop perms to the user logging in
yes, the container itself runs as root
but that’s the only way sshd can have the right permissions to change uid
if we had the container run as nobody for example, then sshd could not change uid to something like UID 1001
by the way noticed the make is not working. Strange the make build:latest will fail in the project. Did I miss something?
I grabbed instead the latest build
2020-03-16
@mumoshu has joined the channel
@Jeremy G (Cloud Posse) on our team is also curious if we can do this?
@Erik Osterman (Cloud Posse) It isn’t possible today but seems easy to add support for. Could you expand more on your use-case(s) though?
https://github.com/mumoshu/aws-secret-operator/issues/22#issuecomment-599817070
thanks @mumoshu - updated issue with a better example
2020-03-23
2020-03-27
Adding @discourse_forum bot
@discourse_forum has joined the channel