In this post, Banzai Cloud explains how they settled on Thanos as a standardised solution that would allow them to federate metrics, and collect them into a single place for long term storage, querying and analysis.

This GitHub repo contains a reference implementation of a fully productionalized Kubernetes setup, based on immutable infrastructure and Gitops Flow methodologies. Everything starts out in Git as either code or configuration. Items are manipulated to the desired state and that is applied onto the infrastructure.

This post provides a nice introduction into Network Policies, and explains how to enhance them to control allowed egress.

Check out the latest guidance from NSA on how to navigate the cloud securely.

imds-filterd is a tool that allows administrators of EC2 instances to lock down which data from the Instance Metadata Service can be accessed by specified system users and groups, thereby making the EC2 Instance Metadata Service compatible with traditional UNIX privilege separation.

Interesting application that simulates an attack on AWS infrastructure.

kube-resource-report is a handy script that generates an HTML report of cluster and pod resource requests (CPU and memory) vs. usage (collected via Metrics API/Heapster). If you are curious, you can check out the sample HTML report.

Little utility that provides an easy way to give all your EC2 instances SSH host certificates: run it in your EC2 userdata script, and it will use AWS KMS to sign the instance's SSH host key. You can then add a @ cert-authority line to your ~/.ssh/known_hosts and never be prompted about an unknown host again.

The first article in a series covering the implementation of a high-level container runtime. If you are wondering what is a container manager, some prominent examples would be containerd, cri-o, dockerd, and podman.

AWS conducted an anonymous survey in late 2019 amongst container users on AWS, and the results are quite discomforting (although I have to admit the sample size is close to be classified as statistical error). Among the findings, 83% of the respondents admitted they don't employ dynamic/runtime scanning, 89% don't sign their images, and 81% do not manage the supply chain. The questions and results are available via GitHub.

Amazon has released a new whitepaper, "Amazon Web Services' Approach to Operational Resilience in the Financial Sector and Beyond", in which they discuss how AWS and customers build for resiliency on the AWS cloud.

This is a great presentation from Microsoft, designed to rapidly increase your Azure security posture and to make the right security decisions with best practices, choices and context/recommendations. As a plus, it has general recommendations that can be abstracted away from Azure and applied to other cloud providers as well.