Security

OpenVPN DCO part of Linux kernel

OpenVPN DCO (Data Channel Offload) will be part of Linux kernel 6.16 - that's huge, and you should have this on your radar to benefit from the substantial performance gains!

Daniel Nachtrub
VPN

ingress-nginx 1.12 & allow-snippet-annotations

If you need to use snippet annotations (why?) on ingress-nginx, you'll also need to adjust the annotation filtering.

Daniel Nachtrub
Azure

Unexpected behavior of TUN devices in Kubernetes >= 1.31.3

Sometimes, security improvements in one project can cause problems in places nobody ever expected. In this case, we had to deal with one of these improvements.

Felix Zimmermann
Kubernetes

Kubernetes, block devices & denied permissions

Mounting (block) devices into containers can result in permission errors (Permission denied) if the pods apply a securityContext. It's possible to configure this on containerd and get the best of both worlds: fast device access and reduced permissions on containers.

Daniel Nachtrub
Container

Linux kernel keyrings, container isolation and maybe some Kerberos

On a recent project I stumbled on the case that Kerberos tickets had been inadvertently shared across containers on a node, which obviously caught my attention as I'm not keen on sharing such secrets across workloads. This post describes why this happens and what to do to prevent it.

Daniel Nachtrub
Kubernetes

Create a TPM-backed certificate request (on Windows)

Certificates are everywhere. Sometimes you want to keep them even more secure than just on the filesystem (or in the operating system certificate store). This guide shows how to create TPM-backed certificates on Windows.

Daniel Nachtrub
Windows

Use OpenSSL to verify certificates

Certificates are essential for today's security needs. Sometimes it's required to revoke them, maybe because they are no longer needed or because they got compromised. But how do you manually test whether a certificate has been revoked?

Daniel Nachtrub
Linux

pfSense - CRL has expired in OpenVPN server

A few days ago we ran into an issue where pfSense appliances started to refuse OpenVPN connections, showing "CRL has expired" error messages. As it turns out, the reason is a date overflow.

Daniel Nachtrub
Linux