
Security

Kubernetes, blockDevices & denied permissions

Mounting (block) devices into containers can fail with "Permission denied" errors once a pod applies a securityContext. containerd can be configured so that you get the best of both worlds: fast device access and reduced permissions for the container.

Daniel Nachtrub
Container
Linux kernel keyrings, container isolation and maybe some kerberos

On a recent project I stumbled upon a case where Kerberos tickets were inadvertently shared across containers on a node, which obviously caught my attention as I'm not keen on sharing such secrets across workloads. This post describes why this happens and what to do to prevent it.

Daniel Nachtrub
Kubernetes
Create a TPM backed certificate request (on windows)

Certificates are everywhere, and sometimes you want to protect them more strongly than a file on disk or the operating system store allows. This guide shows how to create TPM-backed certificates on Windows.

Daniel Nachtrub
Windows
Use openssl to verify certificates

Certificates are essential to today's security needs. Sometimes they have to be revoked, maybe because they are no longer needed or because they have been compromised. But how do you manually test whether a certificate has been revoked?

Daniel Nachtrub
Linux
pfsense - CRL has expired in openvpn server

A few days ago we ran into an issue where pfsense appliances started to refuse OpenVPN connections, showing "CRL has expired" error messages. As it turns out, the reason is a date overflow.

Daniel Nachtrub
Linux
Replace tls cert using commandline (netsh)

TLS endpoints on Windows are often served by the operating system itself, and the related certificate bindings can be managed easily from the command line. This guide shows how to replace a certificate using the command line.

Daniel Nachtrub
Windows
git on windows on CA's without crl (mostly pki)

If you're working with git on Windows and use certificates from a CA that publishes no revocation lists, this article shows how to disable SSL revocation checks on the git client.

Daniel Nachtrub
Windows
Docker - Hardening with firewalld

Containers are not virtual machines, yet we might want to treat hosts running container workloads like hypervisors and apply restrictions to container networking. This guide describes a way to limit container networking on Docker-based container hosts using firewalld.

Daniel Nachtrub
Linux