Notes from the
infrastructure.
One Pod to Node Root: Defending Kubernetes from Copy Fail and Dirty Frag
Two fresh Linux kernel LPEs - Copy Fail and Dirty Frag - both turn an unprivileged pod into root on the node. The defense is a stack of boring controls you can turn on today.
Writing a Tiny Reverse Proxy in Go
httputil.ReverseProxy is 200 lines from production-grade. We add retries, circuit breaking and request tracing in one sitting.