Introduction In this previous post we have been exploring how to build docker images for multiple architectures. In this post we will look into streamlining this approach using docker buildx, both locally and in gitlab-ci. Step-by-step Enable buildx In order to use docker buildx you will need: A recent docker version; I am running 19.03.11 on linux enable the experimental features: export DOCKER_CLI_EXPERIMENTAL=enabled Running docker buildx should show you: Read more

Introduction Debugging gitlab-ci pipelines can be a tedious task, especially as the pipeline does not run in the inner loop. Fortunately the gitlab-runner can be installed locally, allowing you to test many aspects of the CI/CD pipeline prior to commit. Read more

Introduction Whether it is from CI/CD or from the command-line, I often see the default kube-config with cluster-admin rights being used. This is like permanently working with root privileges and there certainly are more secure ways. In this post we will look into demystifying Kubernetes RBAC, and setting-up more suitable permissions for two use-cases: a CI/CD pipeline that needs full permissions on anything located in a given Namespace a reader who needs to access resources for troubleshooting purposes Concepts Roles and ClusterRoles define sets of permissions to objects at the namespace and cluster scope. Read more

Introduction Gatekeeper is a validating webhook that enforces CRD-based policies executed by Open Policy Agent. In a previous post, we went into details about OPA: this post superseeds it. The differences between OPA and Gatekeeper are listed here. In this post we will explore Gatekeeper and start with implementing a policy to enforce a given label to be present at the namespace level. In future posts coming soon we will implement policies as described here: Read more

Introduction This article will take you through setting-up a yubikey to hold your SSH private key. It assumes that you have a PIV-enabled yubikey: PIV, or FIPS 201, is a US government standard. It enables RSA or ECC sign/encrypt operations using a private key stored on a smartcard (such as the YubiKey NEO), through common interfaces like PKCS#11. PIV is primarily used for non-web applications. It has built-in support under Windows, and can be used on OS X and Linux via the OpenSC project. Read more