Secrets: sensitive, ephemeral, and Write...
SecurityAWS

Secrets: sensitive, ephemeral, and Write-Only Arguments

State stores secrets in plaintext — this article tackles exactly that. sensitive only hides output but still writes to state; ephemeral resources and write-only arguments (Terraform 1.10/1.11) actually keep secrets out of state. Live demo: with the same password, the old way leaks into state while write-only does not.

K
KaiMay 25, 2026· 57 views
The Tetragon Way: From Observe to Enforc...
SecurityKubernetes

The Tetragon Way: From Observe to Enforce with bpf_send_signal

Tetragon is the Cilium ecosystem's runtime security tool: it observes with kprobe/tracepoint (the very hooks Part II used) and then enforces inside the kernel. Its enforcement uses two helpers — bpf_send_signal sends SIGKILL to kill a process, and bpf_override_return overrides a syscall's return value. This article rebuilds that: an exec tracepoint calls bpf_send_signal(SIGKILL) the moment a process runs — a forbidden binary gets exit 137, a normal binary still runs. No LSM, no reboot.

K
KaiMay 24, 2026· 15 views
LSM BPF: Enforcing Security Right Inside...
SecurityLinux

LSM BPF: Enforcing Security Right Inside the Kernel

So far our eBPF has only observed. LSM BPF enforces: it attaches to the kernel's security hooks (Linux Security Modules) that SELinux and AppArmor use, and a program returns 0 to allow or -EPERM to block. This article writes an LSM program that blocks opening a file, and hits a lesson: it loaded and attached but blocked nothing — because bpf wasn't an active LSM. After enabling bpf via a boot parameter and rebooting, it blocks for real — both cat and python get Operation not permitted.

K
KaiMay 24, 2026· 23 views
The Verifier: Why eBPF Doesn't Crash the...
SecurityLinux

The Verifier: Why eBPF Doesn't Crash the Kernel

Article 1 said the eBPF virtual machine design lets the verifier prove safety. This article watches it for real: we compile an XDP program that reads the first byte of a packet but forgets the bounds check, load it — the verifier rejects it with a log naming the exact register and reason. Add one data_end check and it goes through. The verifier is a safety prover at load time, tracking each register's state across every branch — letting eBPF load foreign code into the kernel safely.

K
KaiMay 24, 2026· 18 views
seccomp-bpf: Classic BPF Filtering Sysca...
SecurityContainer

seccomp-bpf: Classic BPF Filtering Syscalls in Every Container

Before eBPF there was cBPF — classic BPF, the thing tcpdump uses. And it's still running: seccomp-bpf filters syscalls with cBPF, the foundational sandbox layer of containers. This article distinguishes cBPF from eBPF, inspects real seccomp on the cluster (pause containers and CSI sidecars restricted, privileged pods not), then writes a cBPF filter that blocks mkdir with EPERM — eight instructions on struct seccomp_data, installed with prctl, blocking for real while printf still runs.

K
KaiMay 24, 2026· 18 views
Node Log Query and Fine-grained Kubelet ...
DevOpsSecurity

Node Log Query and Fine-grained Kubelet Authorization

Article 65 viewed system logs by SSHing into each node to run journalctl. v1.36 lets you query those logs straight through the kubelet API, no SSH. And it comes with a security change: kubelet API access, previously lumped under nodes/proxy, is now split per endpoint — letting you grant exactly nodes/metrics to a monitoring agent without handing over logs or exec. The final article of Part XIV, both touching components we built in Part I.

K
KaiMay 24, 2026· 16 views
Admission Policy with CEL
DevOpsSecurity

Admission Policy with CEL

Article 58 built an admission webhook — a separate HTTPS service with a cert and a server to keep alive. From v1.36, most of that need can be met without any server: ValidatingAdmissionPolicy and MutatingAdmissionPolicy write rules in CEL right inside the API server. This article opens Part XIV — features that just graduated in v1.36 — by blocking :latest images and auto-injecting a pod label, entirely with policy objects, not a line of server.

K
KaiMay 24, 2026· 33 views