The recent discovery of the XZ Utils backdoor, classified as CVE 2024-3094, has been now well documented. Detecting it with Tetragon from Isovalent (now part of Cisco) has been explained in this blog post. I also did some research and experimented with this vulnerability. I wondered how we could leverage Tetragon capabilities to detect it before it was known. There are other vulnerabilities out there, so we need to be prepared for the unknown. For this we have to apply a security strategy called Zero Trust. I wrote another blog post on this topic with another example and another tool if you wa ..read more

The cluster autoscaler brings horizontal scaling into your cluster by deploying it into the cluster to autoscale. This is described in the following blog article https://www.dbi-services.com/blog/rancher-autoscaler-enable-rke2-node-autoscaling/. It didn’t emphasize much about the user and role configuration. With Rancher, the cluster autoscaler uses a user’s API key. We will see how to configure minimal permissions by creating Rancher roles for cluster autoscaler. Rancher user First, let’s create the user that will communicate with Rancher, and whose token will be used. It will be given minima ..read more

Elasticsearch has few interesting features around Machine Learning. While I was looking for data to import into Elasticsearch, I found interesting data sets from Airbnb especially reviews. I noticed that it does not contain any rate, but only comments. To have sentiment of the a review, I would rather have an opinion on that review like: Negative Positive Neutral For that matter, I found the cardiffnlp/twitter-roberta-base-sentiment-latest to suite my needs for my tests. Import Model Elasticsearch provides the tool to import models from Hugging face into Elasticsearch itself: eland. It is po ..read more

Setting up Zabbix monitoring over an Elasticsearch cluster is quiet easy as it does not require an agent install. As a matter a fact, the official template uses the Elastic REST API. Zabbix server itself will trigger these requests. In this blog post, I will quick explain how to setup Elasticsearch cluster, then how easy the Zabbix setup is and list possible issues you might encounter. Elastic Cluster Setup I will not go too much in detail as David covered already many topics around ELK. Anyway, would you need any help to install, tune or monitor your ELK cluster fell free to contact us. My 3 ..read more

With my mate Chay Te (our DevOps champion in all categories and the mastermind of this best practice) we worked on scripts for our new Kubernetes security talk. These scripts where stored in our EC2 instance but this should not be their permanent location. First the EC2 instance could be deleted and we would lose everything. Then we need to version these files and keep track of the changes between us two. It was time to apply DevOps best practice for our scripts and we decided to use GitHub for this purpose. Read on to learn how to backup and share your work with GitHub in this step-by-step gu ..read more

In my previous blog post we have seen how NeuVector from SUSE can detect and prevent data exfiltration. We used the DLP (Data Loss Prevention) feature of NeuVector to recognize patterns in our HTTP packet. That was great but what could you do when the traffic is not in clear text but encrypted with HTTPS instead? I ended my previous blog saying that we would then need to apply a different security strategy. Let’s find out what we can do and how NeuVector can help with that. Application Baseline Before deploying a new containerized application in production, you have to assess it first. From th ..read more

Welcome back in this series of blogs regarding Cloud Native Storage. Check my previous on Cloud Native Storage: Overview for the introduction. In this one, I will discuss about the process involved in choosing a cloud native storage product. If you remember my previous blog, I pasted the exhaustive (big!) list of products. Of course, if you are familiar with Kubernetes you’ll probably know that we can create multiple storage classes, and you are right. The point here is more about choosing a product that will fit a specific workload. Workload can be of several kinds. Databases Stateless/stat ..read more

You may have heard a few weeks ago, in France, more than 30 millions Security Social Numbers (SSN) have been stolen. These data have been exfiltrated from databases. In these modern days, you are probably running your website in a container and use Kubernetes for its autoscaling capabilities. You then need to take care of containers security. A common method to exfiltrate data is to use a Command and Control (C&C also known as C2) attack. It existed before containerization but its principle is still the same. It is about infecting a machine with a malware. An external attacker ca ..read more

Feel free to read my colleague Arnaud; he also gave his opinions on this blog post. If you missed my feedback on our first day at KubeCon, please jump here! The last two days were again pretty intense. Two days, shared between going through almost each booth, we tried to visit all of our partners and contacts at SUSE, Nutanix, JFrog, EDB, mend.io, OVHCloud, Upbound, and more. We also attended morning keynotes, and sessions on topics we were more interested in. While on Tuesday morning, we noticed quite a lot of people entering the event, Wednesday was at a totally different scale. We were queu ..read more

For my 2nd time at the KubeCon & CloudNativeCon Europe – the right place to be for all the Kubernetes & CloudNative technical sessions, showcases, networking and to have fun – the event took place in Paris. Our travel from Basel to Paris was fast, 3 hours of TGV is appreciated compared to Amsterdam where we had to take the flight. And Paris is more practical as they are also speaking french even that the commodities was quite better in Amsterdam (food, biscuits, coffee machines were everywhere). Let me also mention that we didn’t get any foods at Midday during the 1st day this year. I ..read more