Sigmoid Social

Yehor 🇺🇦I just forwarded a port from the public IP of my <a href="https://techhub.social/tags/ProxmoxVE" class="mention hashtag" rel="nofollow noopener" target="_blank">#ProxmoxVE</a> to the privet IP of the <a href="https://techhub.social/tags/Gitea" class="mention hashtag" rel="nofollow noopener" target="_blank">#Gitea</a> <a href="https://techhub.social/tags/LXC" class="mention hashtag" rel="nofollow noopener" target="_blank">#LXC</a> with <a href="https://techhub.social/tags/iptables" class="mention hashtag" rel="nofollow noopener" target="_blank">#iptables</a>. Pure single-line magic. Now I don’t need a dedicated public IP for my Gitea instance to make git work through ssh!<a href="https://techhub.social/tags/linuxadmin" class="mention hashtag" rel="nofollow noopener" target="_blank">#linuxadmin</a> <a href="https://techhub.social/tags/devops" class="mention hashtag" rel="nofollow noopener" target="_blank">#devops</a> <a href="https://techhub.social/tags/networking" class="mention hashtag" rel="nofollow noopener" target="_blank">#networking</a> <a href="https://techhub.social/tags/homelab" class="mention hashtag" rel="nofollow noopener" target="_blank">#homelab</a> <a href="https://techhub.social/tags/selfhosted" class="mention hashtag" rel="nofollow noopener" target="_blank">#selfhosted</a> <a href="https://techhub.social/tags/selfhosting" class="mention hashtag" rel="nofollow noopener" target="_blank">#selfhosting</a> <a href="https://techhub.social/tags/selfhost" class="mention hashtag" rel="nofollow noopener" target="_blank">#selfhost</a> <a href="https://techhub.social/tags/proxmox" class="mention hashtag" rel="nofollow noopener" target="_blank">#proxmox</a> <a href="https://techhub.social/tags/git" class="mention hashtag" rel="nofollow noopener" target="_blank">#git</a> <a href="https://techhub.social/tags/ssh" class="mention hashtag" rel="nofollow noopener" target="_blank">#ssh</a> <a href="https://techhub.social/tags/Hetzner" class="mention hashtag" rel="nofollow noopener" target="_blank">#Hetzner</a>

Markus EiseleRed Hat JBoss EAP 8.1 is out! - Bootable JARs → app + runtime in one package, faster CI/CD - Galleon provisioning → build lean, trimmed servers tailored to your appRuns anywhere: bare-metal, VM, cloud, containers.A modern take on enterprise Java → secure, supported, production-ready. developers.redhat.com/blog/2025/09/02/jboss-eap-81-modernizing-enterprise-java-applications<a href="https://mastodon.online/tags/Java" class="mention hashtag" rel="nofollow noopener" target="_blank">#Java</a> <a href="https://mastodon.online/tags/JakartaEE" class="mention hashtag" rel="nofollow noopener" target="_blank">#JakartaEE</a> <a href="https://mastodon.online/tags/JBossEAP" class="mention hashtag" rel="nofollow noopener" target="_blank">#JBossEAP</a> <a href="https://mastodon.online/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#OpenSource</a> <a href="https://mastodon.online/tags/DevOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#DevOps</a>

knoppixCase matters, folks. 🫠<a href="https://mastodon.social/tags/Linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#Linux</a> <a href="https://mastodon.social/tags/FOSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#FOSS</a> <a href="https://mastodon.social/tags/Terminal" class="mention hashtag" rel="nofollow noopener" target="_blank">#Terminal</a> <a href="https://mastodon.social/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#OpenSource</a> <a href="https://mastodon.social/tags/Bash" class="mention hashtag" rel="nofollow noopener" target="_blank">#Bash</a> <a href="https://mastodon.social/tags/CommandLine" class="mention hashtag" rel="nofollow noopener" target="_blank">#CommandLine</a> <a href="https://mastodon.social/tags/TechHumor" class="mention hashtag" rel="nofollow noopener" target="_blank">#TechHumor</a> <a href="https://mastodon.social/tags/TechMeme" class="mention hashtag" rel="nofollow noopener" target="_blank">#TechMeme</a> <a href="https://mastodon.social/tags/Humor" class="mention hashtag" rel="nofollow noopener" target="_blank">#Humor</a> <a href="https://mastodon.social/tags/Meme" class="mention hashtag" rel="nofollow noopener" target="_blank">#Meme</a> <a href="https://mastodon.social/tags/SysAdmin" class="mention hashtag" rel="nofollow noopener" target="_blank">#SysAdmin</a> <a href="https://mastodon.social/tags/System" class="mention hashtag" rel="nofollow noopener" target="_blank">#System</a> <a href="https://mastodon.social/tags/Privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#Privacy</a> <a href="https://mastodon.social/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#InfoSec</a> <a href="https://mastodon.social/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberSecurity</a> <a href="https://mastodon.social/tags/LinuxLife" class="mention hashtag" rel="nofollow noopener" target="_blank">#LinuxLife</a> <a href="https://mastodon.social/tags/LinuxGaming" class="mention hashtag" rel="nofollow noopener" target="_blank">#LinuxGaming</a> <a href="https://mastodon.social/tags/Shell" class="mention hashtag" rel="nofollow noopener" target="_blank">#Shell</a> <a href="https://mastodon.social/tags/DevLife" class="mention hashtag" rel="nofollow noopener" target="_blank">#DevLife</a> <a href="https://mastodon.social/tags/Dev" class="mention hashtag" rel="nofollow noopener" target="_blank">#Dev</a> <a href="https://mastodon.social/tags/Development" class="mention hashtag" rel="nofollow noopener" target="_blank">#Development</a> <a href="https://mastodon.social/tags/CLI" class="mention hashtag" rel="nofollow noopener" target="_blank">#CLI</a> <a href="https://mastodon.social/tags/LinuxCommunity" class="mention hashtag" rel="nofollow noopener" target="_blank">#LinuxCommunity</a> <a href="https://mastodon.social/tags/SecureByDesign" class="mention hashtag" rel="nofollow noopener" target="_blank">#SecureByDesign</a> <a href="https://mastodon.social/tags/Ubuntu" class="mention hashtag" rel="nofollow noopener" target="_blank">#Ubuntu</a> <a href="https://mastodon.social/tags/TechNews" class="mention hashtag" rel="nofollow noopener" target="_blank">#TechNews</a> <a href="https://mastodon.social/tags/Wayland" class="mention hashtag" rel="nofollow noopener" target="_blank">#Wayland</a> <a href="https://mastodon.social/tags/DevOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#DevOps</a> <a href="https://mastodon.social/tags/SelfHosting" class="mention hashtag" rel="nofollow noopener" target="_blank">#SelfHosting</a> <a href="https://mastodon.social/tags/ArchLinux" class="mention hashtag" rel="nofollow noopener" target="_blank">#ArchLinux</a> <a href="https://mastodon.social/tags/Debian" class="mention hashtag" rel="nofollow noopener" target="_blank">#Debian</a> <a href="https://mastodon.social/tags/LinuxAdmin" class="mention hashtag" rel="nofollow noopener" target="_blank">#LinuxAdmin</a> <a href="https://mastodon.social/tags/LinuxTips" class="mention hashtag" rel="nofollow noopener" target="_blank">#LinuxTips</a> <a href="https://mastodon.social/tags/LinuxMint" class="mention hashtag" rel="nofollow noopener" target="_blank">#LinuxMint</a> <a href="https://mastodon.social/tags/Fedora" class="mention hashtag" rel="nofollow noopener" target="_blank">#Fedora</a> <a href="https://mastodon.social/tags/PopOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#PopOS</a> <a href="https://mastodon.social/tags/GNULinux" class="mention hashtag" rel="nofollow noopener" target="_blank">#GNULinux</a> <a href="https://mastodon.social/tags/CloudComputing" class="mention hashtag" rel="nofollow noopener" target="_blank">#CloudComputing</a> <a href="https://mastodon.social/tags/GNU" class="mention hashtag" rel="nofollow noopener" target="_blank">#GNU</a> <a href="https://mastodon.social/tags/BSD" class="mention hashtag" rel="nofollow noopener" target="_blank">#BSD</a> <a href="https://mastodon.social/tags/FreeBSD" class="mention hashtag" rel="nofollow noopener" target="_blank">#FreeBSD</a> <a href="https://mastodon.social/tags/OpenBSD" class="mention hashtag" rel="nofollow noopener" target="_blank">#OpenBSD</a>

ElendolI started to look into dhall-lang as a way to configure new programs and to generate configuration files for programs supporting YAML. Good in theory but it generates some other points of friction. Does anyone has some recommendations? Best practices? Alternatives ? <a href="https://hachyderm.io/tags/devops" class="mention hashtag" rel="nofollow noopener" target="_blank">#devops</a> <a href="https://hachyderm.io/tags/dev" class="mention hashtag" rel="nofollow noopener" target="_blank">#dev</a> <a href="https://hachyderm.io/tags/softwaredevelopment" class="mention hashtag" rel="nofollow noopener" target="_blank">#softwaredevelopment</a>

Ain Tohvri<a href="https://mstdn.social/tags/Git" class="mention hashtag" rel="nofollow noopener" target="_blank">#Git</a> push getting up to 18x and fetch up to 22x the performance improvement in the 2.51 is surely a great advance for large codebases! <a href="https://about.gitlab.com/blog/what-s-new-in-git-2-51-0/" rel="nofollow noopener" translate="no" target="_blank">https://about.gitlab.com/blog/what-s-new-in-git-2-51-0/</a> <a href="https://mstdn.social/tags/DevOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#DevOps</a> <a href="https://mstdn.social/tags/Software" class="mention hashtag" rel="nofollow noopener" target="_blank">#Software</a> <a href="https://mstdn.social/tags/Programming" class="mention hashtag" rel="nofollow noopener" target="_blank">#Programming</a>

The Cassandra CatThis account is either a bot or someone posting AI slop both on fedi and medium about <a href="https://toot.cat/tags/devops" class="mention hashtag" rel="nofollow noopener" target="_blank">#devops</a> and <a href="https://toot.cat/tags/aws" class="mention hashtag" rel="nofollow noopener" target="_blank">#aws</a> with AI generated images that are cringe af, and it keeps showing up on my feed because I subscribe to the hashtags. Unsure if it’s grounds for reporting but I feel like making fun of AI is fine. <a href="https://hachyderm.io/@ismailkovvuru" rel="nofollow noopener" translate="no" target="_blank">https://hachyderm.io/@ismailkovvuru</a>

DSLC VideosRecent <a href="https://fosstodon.org/@DSLC" class="u-url mention" rel="nofollow noopener" target="_blank">@DSLC</a> club meetings::rstats: :python: Devops for Data Science: Data Project Architecture <a href="https://youtu.be/Zpv4TkwHgAc" rel="nofollow noopener" translate="no" target="_blank">https://youtu.be/Zpv4TkwHgAc</a> <a href="https://fosstodon.org/tags/RStats" class="mention hashtag" rel="nofollow noopener" target="_blank">#RStats</a> <a href="https://fosstodon.org/tags/PyData" class="mention hashtag" rel="nofollow noopener" target="_blank">#PyData</a> <a href="https://fosstodon.org/tags/DevOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#DevOps</a>From the <a href="https://fosstodon.org/@DSLC" class="u-url mention" rel="nofollow noopener" target="_blank">@DSLC</a> :rstats:chives::rstats: The Effect: An Introduction to Research Design and Causality: Matching <a href="https://youtu.be/bD20P1XPgNk" rel="nofollow noopener" translate="no" target="_blank">https://youtu.be/bD20P1XPgNk</a> <a href="https://fosstodon.org/tags/RStats" class="mention hashtag" rel="nofollow noopener" target="_blank">#RStats</a> <a href="https://fosstodon.org/tags/causal" class="mention hashtag" rel="nofollow noopener" target="_blank">#causal</a> <a href="https://fosstodon.org/tags/causality" class="mention hashtag" rel="nofollow noopener" target="_blank">#causality</a>:rstats: RWTF: API for an analysis <a href="https://youtu.be/o0-LfV6Tcjg" rel="nofollow noopener" translate="no" target="_blank">https://youtu.be/o0-LfV6Tcjg</a> <a href="https://fosstodon.org/tags/RStats" class="mention hashtag" rel="nofollow noopener" target="_blank">#RStats</a>Visit <a href="https://dslc.video" rel="nofollow noopener" translate="no" target="_blank">https://dslc.video</a> for hours of new <a href="https://fosstodon.org/tags/DataScience" class="mention hashtag" rel="nofollow noopener" target="_blank">#DataScience</a> videos every week!

Alvin Ashcraft 🐿️Dew Drop – September 2, 2025 (#4488)<a href="https://www.alvinashcraft.com/2025/09/02/dew-drop-september-2-2025-4488/" rel="nofollow noopener" translate="no" target="_blank">https://www.alvinashcraft.com/2025/09/02/dew-drop-september-2-2025-4488/</a><a href="https://hachyderm.io/tags/dotnet" class="mention hashtag" rel="nofollow noopener" target="_blank">#dotnet</a> <a href="https://hachyderm.io/tags/webdev" class="mention hashtag" rel="nofollow noopener" target="_blank">#webdev</a> <a href="https://hachyderm.io/tags/devops" class="mention hashtag" rel="nofollow noopener" target="_blank">#devops</a> <a href="https://hachyderm.io/tags/windowsdev" class="mention hashtag" rel="nofollow noopener" target="_blank">#windowsdev</a> <a href="https://hachyderm.io/tags/csharp" class="mention hashtag" rel="nofollow noopener" target="_blank">#csharp</a> <a href="https://hachyderm.io/tags/mobiledev" class="mention hashtag" rel="nofollow noopener" target="_blank">#mobiledev</a> <a href="https://hachyderm.io/tags/cloud" class="mention hashtag" rel="nofollow noopener" target="_blank">#cloud</a> <a href="https://hachyderm.io/tags/visualstudio" class="mention hashtag" rel="nofollow noopener" target="_blank">#visualstudio</a> <a href="https://hachyderm.io/tags/ai" class="mention hashtag" rel="nofollow noopener" target="_blank">#ai</a> <a href="https://hachyderm.io/tags/dewdrop" class="mention hashtag" rel="nofollow noopener" target="_blank">#dewdrop</a>

Alvin AshcraftDew Drop – September 2, 2025 (#4488) <a href="https://buff.ly/WVDKRJe" rel="nofollow noopener" target="_blank">buff.ly/WVDKRJe</a> <a class="hashtag" rel="nofollow noopener" href="https://bsky.app/search?q=%23dotnet" target="_blank">#dotnet</a> <a class="hashtag" rel="nofollow noopener" href="https://bsky.app/search?q=%23webdev" target="_blank">#webdev</a> <a class="hashtag" rel="nofollow noopener" href="https://bsky.app/search?q=%23devops" target="_blank">#devops</a> <a class="hashtag" rel="nofollow noopener" href="https://bsky.app/search?q=%23windowsdev" target="_blank">#windowsdev</a> <a class="hashtag" rel="nofollow noopener" href="https://bsky.app/search?q=%23csharp" target="_blank">#csharp</a> <a class="hashtag" rel="nofollow noopener" href="https://bsky.app/search?q=%23mobiledev" target="_blank">#mobiledev</a> <a class="hashtag" rel="nofollow noopener" href="https://bsky.app/search?q=%23cloud" target="_blank">#cloud</a> <a class="hashtag" rel="nofollow noopener" href="https://bsky.app/search?q=%23visualstudio" target="_blank">#visualstudio</a> <a class="hashtag" rel="nofollow noopener" href="https://bsky.app/search?q=%23ai" target="_blank">#ai</a> <a class="hashtag" rel="nofollow noopener" href="https://bsky.app/search?q=%23dewdrop" target="_blank">#dewdrop</a> <a href="https://www.alvinashcraft.com/2025/09/02/dew-drop-september-2-2025-4488/" rel="nofollow noopener" target="_blank">Dew Drop – September 2, 2025 (...</a>

DevOpsDays London⏰ 21 Days till DevOpsDays London 2025! 🤝 Ready to connect with peers? DevOpsDays is all about the community. 🎟️ <a href="https://ti.to/devopsdays-london/2025/discount/BUYNOW2025" rel="nofollow noopener" translate="no" target="_blank">https://ti.to/devopsdays-london/2025/discount/BUYNOW2025</a> (20% Off) 📣 The Open Spaces format means you help set the agenda! 🗣️ <a href="https://devopsdays.org/events/2025-london/program" rel="nofollow noopener" translate="no" target="_blank">https://devopsdays.org/events/2025-london/program</a> 📍 <a href="https://devopsdays.org/events/2025-london/location" rel="nofollow noopener" translate="no" target="_blank">https://devopsdays.org/events/2025-london/location</a> <a href="https://social.devopsdays.org/tags/DevOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#DevOps</a> <a href="https://social.devopsdays.org/tags/DevOpsDays" class="mention hashtag" rel="nofollow noopener" target="_blank">#DevOpsDays</a> <a href="https://social.devopsdays.org/tags/London" class="mention hashtag" rel="nofollow noopener" target="_blank">#London</a> <a href="https://social.devopsdays.org/tags/Conference" class="mention hashtag" rel="nofollow noopener" target="_blank">#Conference</a>

Lionel Orry<a href="https://mamot.fr/@bearstech" class="u-url mention" rel="nofollow noopener" target="_blank">@bearstech</a> mon quotidien. :shibasmug: <a href="https://piaille.fr/tags/devops" class="mention hashtag" rel="nofollow noopener" target="_blank">#devops</a>

Inautilo<a href="https://mastodon.social/tags/Development" class="mention hashtag" rel="nofollow noopener" target="_blank">#Development</a> <a href="https://mastodon.social/tags/Challenges" class="mention hashtag" rel="nofollow noopener" target="_blank">#Challenges</a> Obnoxious SSL certificate requirements · How to deal with the growing certificate hassles? <a href="https://ilo.im/166ent" rel="nofollow noopener" translate="no" target="_blank">https://ilo.im/166ent</a>_____ <a href="https://mastodon.social/tags/Business" class="mention hashtag" rel="nofollow noopener" target="_blank">#Business</a> <a href="https://mastodon.social/tags/Company" class="mention hashtag" rel="nofollow noopener" target="_blank">#Company</a> <a href="https://mastodon.social/tags/TSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#TSL</a> <a href="https://mastodon.social/tags/SSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#SSL</a> <a href="https://mastodon.social/tags/Certificates" class="mention hashtag" rel="nofollow noopener" target="_blank">#Certificates</a> <a href="https://mastodon.social/tags/CA" class="mention hashtag" rel="nofollow noopener" target="_blank">#CA</a> <a href="https://mastodon.social/tags/DNS" class="mention hashtag" rel="nofollow noopener" target="_blank">#DNS</a> <a href="https://mastodon.social/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#Security</a> <a href="https://mastodon.social/tags/DevOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#DevOps</a> <a href="https://mastodon.social/tags/WebDev" class="mention hashtag" rel="nofollow noopener" target="_blank">#WebDev</a>

InfoQ<a href="https://techhub.social/tags/CaseStudy" class="mention hashtag" rel="nofollow noopener" target="_blank">#CaseStudy</a> – See how <a href="https://techhub.social/tags/Revolut" class="mention hashtag" rel="nofollow noopener" target="_blank">#Revolut</a>’s small DevOps team empowers 1,300+ engineers to build & deploy apps faster and more consistently.With a centralized systems catalog + automation, they’ve reduced manual effort, improved observability & alerting, and streamlined database management at scale.🎥 Watch the <a href="https://techhub.social/tags/InfoQ" class="mention hashtag" rel="nofollow noopener" target="_blank">#InfoQ</a> video with Sérgio Amorim: <a href="https://bit.ly/420O6vC" rel="nofollow noopener" translate="no" target="_blank">https://bit.ly/420O6vC</a> 📄 <a href="https://techhub.social/tags/transcript" class="mention hashtag" rel="nofollow noopener" target="_blank">#transcript</a> included<a href="https://techhub.social/tags/DevOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#DevOps</a> <a href="https://techhub.social/tags/Automation" class="mention hashtag" rel="nofollow noopener" target="_blank">#Automation</a>

Peter N. M. HansteenCome to Zagreb September 24-28, 2025 and geek out with other BSD people at EuroBSDcon! See <a href="https://2025.eurobsdcon.org/" rel="nofollow noopener" translate="no" target="_blank">https://2025.eurobsdcon.org/</a> Program <a href="https://events.eurobsdcon.org/2025/schedule/" rel="nofollow noopener" translate="no" target="_blank">https://events.eurobsdcon.org/2025/schedule/</a> Registration <a href="https://2025.eurobsdcon.org/registration.html" rel="nofollow noopener" translate="no" target="_blank">https://2025.eurobsdcon.org/registration.html</a><a href="https://mastodon.social/tags/openbsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#openbsd</a> <a href="https://mastodon.social/tags/netbsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#netbsd</a> <a href="https://mastodon.social/tags/freebsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#freebsd</a> <a href="https://mastodon.social/tags/zagreb" class="mention hashtag" rel="nofollow noopener" target="_blank">#zagreb</a> <a href="https://mastodon.social/tags/eurobsdcon" class="mention hashtag" rel="nofollow noopener" target="_blank">#eurobsdcon</a> <a href="https://mastodon.social/tags/conference" class="mention hashtag" rel="nofollow noopener" target="_blank">#conference</a> <a href="https://mastodon.social/tags/freesoftware" class="mention hashtag" rel="nofollow noopener" target="_blank">#freesoftware</a> <a href="https://mastodon.social/tags/libresoftware" class="mention hashtag" rel="nofollow noopener" target="_blank">#libresoftware</a> <a href="https://mastodon.social/tags/development" class="mention hashtag" rel="nofollow noopener" target="_blank">#development</a> <a href="https://mastodon.social/tags/devops" class="mention hashtag" rel="nofollow noopener" target="_blank">#devops</a> <a href="https://mastodon.social/tags/sysadmin" class="mention hashtag" rel="nofollow noopener" target="_blank">#sysadmin</a> <a href="https://mastodon.social/tags/networking" class="mention hashtag" rel="nofollow noopener" target="_blank">#networking</a> <a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a>

ReynardSecA grumpy ItSec guy walks through the office when he overhears an exchange of words.devops0: These k8s security SaaS prices are wild. devops1: Image scanning, policy engines, "enterprise tiers"... why are we paying so much?ItSec (walking by): You pay for updates & support, probably, but you can do some of this yourselves with a bit of k8s hacking.devops0: How, exactly?Disclaimer: this is a PoC for learning, not a production-ready solution.Kubernetes can ask an external webhook whether a given image should be allowed via Admission Controller, in this case ImagePolicyWebhook [1]. The webhook receives an ImageReview payload [2], initiates a scan, and returns "allowed: true/false". We will write a Flask endpoint that invokes Trivy [3] for each image and denies pod creation process if HIGH or CRITICAL vuln appear. Below is a minimal Flask service.<pre><code>from flask import Flask, request, jsonify import subprocess, json, shlex, re app = Flask(__name__) def is_valid_image_format(image: str) -> bool: if not re.fullmatch(r"[A-Za-z0-9/_:.@+-]{1,300}", image): return False if image.startswith("-"): return False return True def scan_with_trivy(image: str): cmd = [ "trivy", "--quiet", "--severity", "HIGH,CRITICAL", "image", "--format", "json", image ] r = subprocess.run(cmd, capture_output=True, text=True) try: data = json.loads(r.stdout or "{}") results = data.get("Results", []) vulns = [] for res in results: for v in res.get("Vulnerabilities", []) or []: if v.get("Severity") in ("HIGH", "CRITICAL"): vulns.append(v) return vulns except json.JSONDecodeError: return None @app.route("/scan", methods=["POST"]) def scan(): body = request.get_json(force=True, silent=True) or {} containers = body.get("spec", {}).get("containers", []) if not containers: return jsonify({ "apiVersion": "imagepolicy.k8s.io/v1alpha1", "kind": "ImageReview", "status": {"allowed": False, "reason": "No containers provided"} }) results = [] decision = True for c in containers: image = c.get("image", "") if not is_valid_image_format(image): results.append({"image": image, "allowed": False, "reason": "Invalid image format"}) decision = False continue vulns = scan_with_trivy(shlex.quote(image)) if vulns is None: results.append({"image": image, "allowed": False, "reason": "Scanner error"}) decision = False continue if vulns: results.append({"image": image, "allowed": False, "reason": "HIGH/CRITICAL vulnerabilities detected"}) decision = False else: results.append({"image": image, "allowed": True}) return jsonify({ "apiVersion": "imagepolicy.k8s.io/v1alpha1", "kind": "ImageReview", "status": {"allowed": decision, "results": results} }) if __name__ == "__main__": app.run(host="0.0.0.0", port=5000) </code></pre>Run the service wherever Trivy is available. Tip: warm up the trivy vulns db once so the first request will not timeout.<pre><code>trivy image alpine:3.22 #warm up gunicorn -w 4 -b 0.0.0.0:5000 app:app </code></pre>Test it with an ImageReview-like request. Replace the and URL and images as you wish/need.<pre><code>curl -s -X POST http://127.0.0.1:5000/scan -H "Content-Type: application/json" -d '{ "apiVersion": "imagepolicy.k8s.io/v1alpha1", "kind": "ImageReview", "spec": { "containers": [ {"image": "alpine:3.22"}, {"image": "nginx:latest"} ] } }' | jq . </code></pre>Tell the API server to use ImagePolicyWebhook. The AdmissionConfiguration points at a kubeconfig for the webhook endpoint (/etc/kubernetes/admission-control-config.yaml).<pre><code>apiVersion: apiserver.config.k8s.io/v1 kind: AdmissionConfiguration plugins: - name: ImagePolicyWebhook configuration: imagePolicy: kubeConfigFile: /etc/kubernetes/webhook-kubeconfig.yaml allowTTL: 50 denyTTL: 50 retryBackoff: 500 defaultAllow: false </code></pre>The webhook kubeconfig targets your scanner's HTTP endpoint (/etc/kubernetes/webhook-kubeconfig.yaml). Edit "server" value for your case.<pre><code>apiVersion: v1 kind: Config clusters: - name: webhook cluster: server: http://192.168.108.48:5000/scan contexts: - name: webhook context: cluster: webhook user: "" current-context: webhook </code></pre>Mount the AdmissionConfiguration and enable the plugin in the API server manifest. Add the following flags and mount the config file; adjust paths and IPs to your environment (kube-apiserver.yaml):<pre><code>--- apiVersion: v1 [...] containers: - command: - kube-apiserver [...] - --admission-control-config-file=/etc/kubernetes/admission-control-config.yaml - --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook [...] volumeMounts: [...] - mountPath: /etc/kubernetes/admission-control-config.yaml name: admission-control-config readOnly: true - mountPath: /etc/kubernetes/webhook-kubeconfig.yaml name: webhook-kubeconfig readOnly: true volumes: [...] path: /etc/kubernetes/admission-control-config.yaml type: FileOrCreate - name: webhook-kubeconfig hostPath: path: /etc/kubernetes/webhook-kubeconfig.yaml type: FileOrCreate </code></pre>After the API server restarts, the cluster will begin asking app about images during pod creation. A quick check shows an allowed image and a blocked one:<pre><code>kubectl run ok --image=docker.io/alpine:3.22 pod/ok created kubectl run nope --image=docker.io/nginx:latest Error from server (Forbidden): pods "nope" is forbidden: one or more images rejected by webhook backend </code></pre>That's the whole trick. Kubernetes asks our Flask app. App calls Trivy. If HIGH or CRITICAL vulnerabilities are present, the admission decision is deny, and the pod never starts. It's not fancy and as I wrote before, it's not meant for production, but it illustrates exactly how admission can enforce image hygiene without buying an external SaaS.[1] <a href="https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook" rel="nofollow noopener" translate="no" target="_blank">https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook</a> [2] <a href="https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#request-payloads" rel="nofollow noopener" translate="no" target="_blank">https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#request-payloads</a> [3] <a href="https://github.com/aquasecurity/trivy" rel="nofollow noopener" translate="no" target="_blank">https://github.com/aquasecurity/trivy</a> For more grumpy stories visit: 1) <a href="https://infosec.exchange/@reynardsec/115093791930794699" translate="no" rel="nofollow noopener" target="_blank">https://infosec.exchange/@reynardsec/115093791930794699</a> 2) <a href="https://infosec.exchange/@reynardsec/115048607028444198" translate="no" rel="nofollow noopener" target="_blank">https://infosec.exchange/@reynardsec/115048607028444198</a> 3) <a href="https://infosec.exchange/@reynardsec/115014440095793678" translate="no" rel="nofollow noopener" target="_blank">https://infosec.exchange/@reynardsec/115014440095793678</a> 4) <a href="https://infosec.exchange/@reynardsec/114912792051851956" translate="no" rel="nofollow noopener" target="_blank">https://infosec.exchange/@reynardsec/114912792051851956</a><a href="https://infosec.exchange/tags/appsec" class="mention hashtag" rel="nofollow noopener" target="_blank">#appsec</a> <a href="https://infosec.exchange/tags/devops" class="mention hashtag" rel="nofollow noopener" target="_blank">#devops</a> <a href="https://infosec.exchange/tags/kubernetes" class="mention hashtag" rel="nofollow noopener" target="_blank">#kubernetes</a> <a href="https://infosec.exchange/tags/programming" class="mention hashtag" rel="nofollow noopener" target="_blank">#programming</a> <a href="https://infosec.exchange/tags/webdev" class="mention hashtag" rel="nofollow noopener" target="_blank">#webdev</a> <a href="https://infosec.exchange/tags/docker" class="mention hashtag" rel="nofollow noopener" target="_blank">#docker</a> <a href="https://infosec.exchange/tags/containers" class="mention hashtag" rel="nofollow noopener" target="_blank">#containers</a> <a href="https://infosec.exchange/tags/k8s" class="mention hashtag" rel="nofollow noopener" target="_blank">#k8s</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/cloud" class="mention hashtag" rel="nofollow noopener" target="_blank">#cloud</a> <a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#hacking</a> <a href="https://infosec.exchange/tags/sysadmin" class="mention hashtag" rel="nofollow noopener" target="_blank">#sysadmin</a> <a href="https://infosec.exchange/tags/sysops" class="mention hashtag" rel="nofollow noopener" target="_blank">#sysops</a>

Ismail Kovvuru🔧 Kubernetes on AWS EKS isn’t bulletproof. Engineers still face Spot Loss, IP Exhaustion & Scaling Delays daily. Here’s a step-by-step breakdown of how to fix them 👇 <a href="https://medium.com/system-weakness/how-to-fix-aws-eks-high-availability-issues-spot-loss-ip-exhaustion-scaling-delays-0898227d379e" rel="nofollow noopener" translate="no" target="_blank">https://medium.com/system-weakness/how-to-fix-aws-eks-high-availability-issues-spot-loss-ip-exhaustion-scaling-delays-0898227d379e</a><a href="https://hachyderm.io/tags/AWS" class="mention hashtag" rel="nofollow noopener" target="_blank">#AWS</a> <a href="https://hachyderm.io/tags/EKS" class="mention hashtag" rel="nofollow noopener" target="_blank">#EKS</a> <a href="https://hachyderm.io/tags/Kubernetes" class="mention hashtag" rel="nofollow noopener" target="_blank">#Kubernetes</a> <a href="https://hachyderm.io/tags/CloudNative" class="mention hashtag" rel="nofollow noopener" target="_blank">#CloudNative</a> <a href="https://hachyderm.io/tags/DevOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#DevOps</a> <a href="https://hachyderm.io/tags/HighAvailability" class="mention hashtag" rel="nofollow noopener" target="_blank">#HighAvailability</a> <a href="https://hachyderm.io/tags/Resilience" class="mention hashtag" rel="nofollow noopener" target="_blank">#Resilience</a> <a href="https://hachyderm.io/tags/InfraOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#InfraOps</a> <a href="https://hachyderm.io/tags/tech" class="mention hashtag" rel="nofollow noopener" target="_blank">#tech</a>

Mauricio Teixeira 🇺🇸🇧🇷Generic question for people who manage or work on deploying apps in Kubernetes: do you prioritize Helm charts, plain manifests, or something else that I don't know?I have a feeling that Helm charts are too limiting on some occasions, and some app developers don't even provide one, so you need to use a third party. I have a mix of Helm and manifests, but I'm unsure if I'm setting myself for a bad time when I finish migrating my lots of apps from my Docker Compose hosts.Edit: forgot to mention that I'm using FluxCD to manage my deployments.For context: my question will help my home lab. We have defined rules at work (which I don't wanna talk about).<a href="https://hachyderm.io/tags/HomeLab" class="mention hashtag" rel="nofollow noopener" target="_blank">#HomeLab</a> <a href="https://hachyderm.io/tags/DevOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#DevOps</a> <a href="https://hachyderm.io/tags/SRE" class="mention hashtag" rel="nofollow noopener" target="_blank">#SRE</a> <a href="https://hachyderm.io/tags/SysAdminLife" class="mention hashtag" rel="nofollow noopener" target="_blank">#SysAdminLife</a> <a href="https://hachyderm.io/tags/Kubernetes" class="mention hashtag" rel="nofollow noopener" target="_blank">#Kubernetes</a>

Andreu Casablanca 🐀Having "fun" with <a href="https://hachyderm.io/tags/Scaleway" class="mention hashtag" rel="nofollow noopener" target="_blank">#Scaleway</a> ...<a href="https://hachyderm.io/tags/IPv6" class="mention hashtag" rel="nofollow noopener" target="_blank">#IPv6</a> <a href="https://hachyderm.io/tags/IPv4" class="mention hashtag" rel="nofollow noopener" target="_blank">#IPv4</a> <a href="https://hachyderm.io/tags/networks" class="mention hashtag" rel="nofollow noopener" target="_blank">#networks</a> <a href="https://hachyderm.io/tags/devops" class="mention hashtag" rel="nofollow noopener" target="_blank">#devops</a>

InfoQThe Cloud Native Computing Foundation (CNCF) has officially welcomed <a href="https://techhub.social/tags/OpenYurt" class="mention hashtag" rel="nofollow noopener" target="_blank">#OpenYurt</a> as an incubating project!This <a href="https://techhub.social/tags/opensource" class="mention hashtag" rel="nofollow noopener" target="_blank">#opensource</a> platform extends <a href="https://techhub.social/tags/Kubernetes" class="mention hashtag" rel="nofollow noopener" target="_blank">#Kubernetes</a> to <a href="https://techhub.social/tags/EdgeComputing" class="mention hashtag" rel="nofollow noopener" target="_blank">#EdgeComputing</a> environments, all while staying fully compatible with the upstream Kubernetes API.👉 Learn more: <a href="https://bit.ly/4p2WCnA" rel="nofollow noopener" translate="no" target="_blank">https://bit.ly/4p2WCnA</a> <a href="https://techhub.social/tags/CNCF" class="mention hashtag" rel="nofollow noopener" target="_blank">#CNCF</a> <a href="https://techhub.social/tags/DevOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#DevOps</a> <a href="https://techhub.social/tags/InfoQ" class="mention hashtag" rel="nofollow noopener" target="_blank">#InfoQ</a>

No Starch PressA friendly reminder that you can enjoy 35% off everything on our website until tomorrow at 23:59. DRM-Free. Print includes instant ebook. 30-day returns. Build skills that outlast jobs. <a href="https://nostarch.com/" rel="nofollow noopener" translate="no" target="_blank">https://nostarch.com/</a><a href="https://mastodon.social/tags/programming" class="mention hashtag" rel="nofollow noopener" target="_blank">#programming</a> <a href="https://mastodon.social/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://mastodon.social/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://mastodon.social/tags/linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#linux</a> <a href="https://mastodon.social/tags/python" class="mention hashtag" rel="nofollow noopener" target="_blank">#python</a> <a href="https://mastodon.social/tags/php" class="mention hashtag" rel="nofollow noopener" target="_blank">#php</a> <a href="https://mastodon.social/tags/books" class="mention hashtag" rel="nofollow noopener" target="_blank">#books</a> <a href="https://mastodon.social/tags/bookstodon" class="mention hashtag" rel="nofollow noopener" target="_blank">#bookstodon</a> <a href="https://mastodon.social/tags/hardware" class="mention hashtag" rel="nofollow noopener" target="_blank">#hardware</a> <a href="https://mastodon.social/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#hacking</a> <a href="https://mastodon.social/tags/redteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#redteam</a> <a href="https://mastodon.social/tags/blueteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#blueteam</a> <a href="https://mastodon.social/tags/DevOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#DevOps</a> <a href="https://mastodon.social/tags/design" class="mention hashtag" rel="nofollow noopener" target="_blank">#design</a> <a href="https://mastodon.social/tags/manga" class="mention hashtag" rel="nofollow noopener" target="_blank">#manga</a> <a href="https://mastodon.social/tags/lego" class="mention hashtag" rel="nofollow noopener" target="_blank">#lego</a> <a href="https://mastodon.social/tags/bash" class="mention hashtag" rel="nofollow noopener" target="_blank">#bash</a> <a href="https://mastodon.social/tags/PowerShell" class="mention hashtag" rel="nofollow noopener" target="_blank">#PowerShell</a> <a href="https://mastodon.social/tags/R" class="mention hashtag" rel="nofollow noopener" target="_blank">#R</a> <a href="https://mastodon.social/tags/excel" class="mention hashtag" rel="nofollow noopener" target="_blank">#excel</a> <a href="https://mastodon.social/tags/Automation" class="mention hashtag" rel="nofollow noopener" target="_blank">#Automation</a> <a href="https://mastodon.social/tags/quantumcomputing" class="mention hashtag" rel="nofollow noopener" target="_blank">#quantumcomputing</a> <a href="https://mastodon.social/tags/deeplearning" class="mention hashtag" rel="nofollow noopener" target="_blank">#deeplearning</a> <a href="https://mastodon.social/tags/javascript" class="mention hashtag" rel="nofollow noopener" target="_blank">#javascript</a> <a href="https://mastodon.social/tags/kotlin" class="mention hashtag" rel="nofollow noopener" target="_blank">#kotlin</a>

Recent searches

Search options

Administered by:

Server stats:

#devops