How to Set Up Kubernetes NetworkPolicies
A complete walkthrough restricting which pods can talk to which — Kubernetes allows all pod-to-pod traffic by default, and NetworkPolicies are how you actually change that.
tag
39 posts
A complete walkthrough restricting which pods can talk to which — Kubernetes allows all pod-to-pod traffic by default, and NetworkPolicies are how you actually change that.
A deeper look at FreeBSD's Capsicum framework — cap_rights, the process descriptor model, and how to structure a service around capability mode instead of bolting it on afterward.
Setting up FreeBSD's Basic Security Module audit framework to log security-relevant events with the right level of detail without drowning in noise.
A practical walkthrough of Capsicum's capability mode — how to check if a program supports it, and how sandboxed services actually differ from ordinary ones at the syscall level.
How FreeBSD gathers entropy from interrupt timing and hardware sources, feeds it into Fortuna, and guarantees /dev/random never blocks without silently becoming predictable.
How Linux capabilities split root's monolithic power into dozens of independent privileges, and why that's a meaningfully better security model than the traditional all-or-nothing setuid-root pattern.
A service that works fine with SELinux disabled fails mysteriously with it enforcing. Here's how to read audit.log, generate a targeted policy module, and fix the actual denial instead of disabling protection.
Building a working AppArmor mandatory access control profile from scratch using complain mode and the log-based profile generator, rather than guessing at rules upfront.
A complete walkthrough configuring the Linux audit daemon to watch specific files, commands, and syscalls — and actually query the resulting logs for something useful.
The app isn't actually damaged in most cases — this is Gatekeeper's quarantine flag reacting to how the file was downloaded, and there's a legitimate, safe way to override it for software you trust.
Turning on macOS's built-in SSH server correctly, then hardening it beyond the default configuration with key-based authentication and restricted access.
How the T2, introduced in the 2017 iMac Pro and rolled out across the Mac lineup through 2018, took boot security, storage encryption, and other sensitive functions away from the main CPU entirely.
How Windows uses hardware virtualization to carve out a memory region even a fully compromised kernel can't touch, and why that specifically matters for protecting credentials from pass-the-hash attacks.
Running an untrusted website in a hardware-isolated container that's automatically discarded afterward, instead of risking whatever a malicious page might do to your regular browsing session.
A complete walkthrough building an allow-list policy that only permits explicitly trusted applications to run — a meaningfully stronger control than antivirus scanning alone.
User Account Control was a genuine security improvement for Windows, but its constant, poorly-tuned confirmation prompts made it the single most complained-about feature of Vista's rocky launch.
Why Microsoft's April 8, 2014 cutoff for Windows XP updates became one of the most consequential end-of-life dates in the operating system's history, given exactly how many machines were still running it.
A complete walkthrough deploying Vault, storing a secret, and retrieving it from a Kubernetes pod dynamically — instead of secrets sitting as plain base64 in a Kubernetes Secret object.
A complete walkthrough configuring periodic(8), pkg-audit, and freebsd-update to catch known vulnerabilities and pending patches automatically, with results delivered by email.
A complete walkthrough configuring unattended-upgrades (Debian/Ubuntu) and dnf-automatic (RHEL/Fedora) to apply security patches automatically, with sane limits on what gets updated unattended.
A complete walkthrough of Keychain Access — viewing saved passwords, storing new items securely, managing certificates, and understanding how iCloud Keychain syncs credentials across your devices.
Disclosed on September 24, 2014, the Shellshock vulnerability let attackers execute arbitrary commands through a flaw in how Bash processed environment variables — and botnets were scanning for vulnerable systems within hours.
A graduate student's experiment to measure the internet's size instead knocked out an estimated 10% of it in a single night. The Morris Worm produced the first felony conviction under US computer crime law.
A Cornell graduate student's self-replicating program, released from MIT's network on a November night in 1988, spread far faster and further than its own author reportedly intended.
How admission controllers intercept API requests before they're persisted, and how OPA/Gatekeeper turn that hook into cluster-wide policy enforcement.
How vulnerability scanners actually inspect container image layers, how to read a scan report, and the practices that reduce real supply-chain risk.
How multi-stage builds, distroless base images, and layer discipline combine to produce smaller, more secure container images without sacrificing developer ergonomics.
How FreeBSD jails partition a single kernel into isolated userlands, and why they predate Linux containers by more than a decade.
A service won't start, logs are unhelpful, and the files look correctly owned. SELinux and AppArmor enforce a second, invisible layer of permissions — here's how to check it.
A complete walkthrough encrypting a disk or partition with LUKS, from initial setup through mounting it automatically (with a key file) at boot.
A complete walkthrough generating an SSH key pair, deploying it correctly, and disabling password authentication safely — without locking yourself out.
How SELinux's label-based policy and AppArmor's path-based profiles both extend Linux's discretionary permission model, and how to work with each day to day.
How macOS verifies that an application hasn't been tampered with and hasn't been flagged as malware, before it's ever allowed to launch.
A complete walkthrough enabling FileVault, understanding your recovery key options, and what to do if you're locked out — before you need it, not after.
Released September 30, 2015, OS X 10.11 shipped with SIP enabled by default — restricting even the root user from modifying protected system files.
What SIP protects, how it's enforced below the level of the root user, and the legitimate reasons to disable it temporarily.
How discretionary ACLs, mandatory integrity levels, and UAC's token-splitting combine to form Windows' layered access control model.
A complete BitLocker setup covering TPM requirements, the recovery key you must save externally, and how to verify encryption actually completed.
A complete walkthrough enabling Remote Desktop the right way — Network Level Authentication, a non-default port, and firewall scoping — rather than exposing RDP openly to the internet.