How a Kubernetes bug won't let you expose a service over TCP and UDP on the same port

Introduction

Long story short, I wasted hours of my life because of an unfixed Kubernetes bug from 2016 that wouldn't let me expose a service over both UDP and TCP on the same port. May this article come up in your Google search and save you hours of suffering.

How it is supposed to work

Let's say you want to expose the following Pod using a Deployment:


Securing a shared Docker socket using a Golang reverse-proxy (2/4)

Introduction

In the previous part of this article series, we discussed:

  • How sharing the Docker socket with a container can lead to container escape and privilege escalation on the host.
  • Why the current Docker client's permission mechanisms are somewhat ill-suited (or at least to my needs).
  • How building a Golang reverse-proxy that handles client authentication and permissions can solve those issues.

In this article, we are going to discuss how to build a basic reverse proxy in Go and how to package it in a Docker image built FROM SCRATCH.


Securing a shared Docker socket using a Golang reverse-proxy (1/4)

Introduction

If you have already worked a bit with Docker, you may have ended up in a situation where you needed to launch, create or manage a new container from an already existing one. For example, when you are running a dockerized Jenkins instance and need to create ephemeral containers in your pipeline to perform build tasks.

In such a case, a quick Google search will offer you two main options:
