Kubernetes @Google. Opinions are my own. He / him. #BlackLivesMatter

Joined November 2011
Tim Allclair retweeted
27 Oct 2022
Are you struggling with migrating off PSP? Come to this #kubecon talk to learn about the PodSecurityPolicy migration tool from @tallclair & Sam Stoelinga sched.co/182Jx

I've been helping my wife (child psychologist) build a site for mental health children's books recommendations, and I'm proud of the work she's done. If you're a parent or read books with kids, I hope you find it useful! dranniesbookshelf.com/?ref=t…
I'm looking forward to presenting some strategies for migrating off of Pod Security Policy with @samosx at the next #kubecon sched.co/182Jx

Something happened to my twitter feed, and it’s now 90% viral content. Anyone else notice this or did I just click on one too many viral tweets?
Unfortunately PSP doesn't give us any good tools to identify mutations, so the process is still more manual than I'd like.
It was fun talking with @pablokbs about Kubernetes and container security. The interview is in English, if you want to check it out.
In today's podcast, I chat with a Google engineer who is a big name in Kubernetes security. Don't miss it youtu.be/g9MAcBZQXjM PS: On 31/03 there is a free event where they will talk about the deprecation of Dockershim in Kubernetes 1.24! goo.gle/LKL22 sign up!
Tim Allclair retweeted
🤔 Want to learn why Dockershim is being deprecated on Kubernetes 1.24 from industry experts? Register for the panel "After the storm: Dockershim deprecation demystified" here 👉 goo.gle/35FoESd starting at 9:00 AM PDT on March 31st.
Tim Allclair retweeted
24 Jan 2022
Some notes on a new Linux kernel CVE that dropped last week and could allow for container breakout in Kubernetes environments blog.aquasec.com/cve-2022-01… . Interesting to note that using a seccomp filter (as in default Docker) can help mitigate this issue.
Today is my first day back at Google after a 1.5 year hiatus. I'm excited to be rejoining the GKE team, focusing more on Kubernetes upstream, and branching out from security.
My time away helped me realize a lot of the great parts of Google's culture that I'd taken for granted. Hopefully I picked up some positive new perspectives to bring back with me too.
PodSecurity will be enabled by default with #Kubernetes v1.23! But you don't need to wait for v1.23 to try it out - the webhook version can be installed on an older cluster: git.k8s.io/pod-security-admi…

Please share feedback! More details here: groups.google.com/g/kubernet…

Tim Allclair retweeted
The slides from @tallclair and my #KubeCon NA 2021 talk, “PodSecurityPolicy Replacement: Past, Present, and Future”, are now available. We’re so proud of how the Kubernetes community came together to replace PSP, and grateful to share the story! kccncna2021.sched.com/event/…

Tim Allclair retweeted
Were you taken by surprise with the deprecation of PSPs? Want to know more about the replacement for them? Go check out @TabbySable and @tallclair's session on them! sched.co/lV9A

This is a great illustration of the pitfalls of node isolation, and why I advise against it.
If you need strong multi tenant isolation, focus on hardening the Pod. I recommend @katacontainers