Sometimes you have a tricky situation where you can deploy a Django application but have little control over the front-end web server or load balancer terminating your SSL. The code snippet below is an easy way to issue a 301 redirect for any plain HTTP request to its HTTPS equivalent. It will also remove the www prefix.
Replace YOUR_DJANGO_SETTINGS.settings with your own settings module.
A secure Kubernetes deployment benefits from Kubernetes-specific security tools. One high-quality open source tool is Falco. Falco is an intrusion detection system that reports suspicious Kubernetes events that a security admin might want to know about. This is an IDS, so it can be chatty. I found that it reports lots of less-than-useful system call event drops. You can easily configure it to log these events without alerting on them, which is what I am choosing to do for now.
Here is a quick guide to deploying Falco on Kubernetes.
This app will run as a DaemonSet and requires about 1 GB of memory per node. …
Deploying Kubernetes on premises can be challenging enough.
You’ll quickly find out that things you’d expect to work simply don’t. That’s because cloud providers do lots of things for you (which is good).
I am currently storing Docker images on ECR (AWS Elastic Container Registry). It’s easy to use a few simple commands to authenticate with your configured credentials and then push / pull images when developing.
But this is something you will want Kubernetes to handle for you. It is also essential for Kubernetes to be able to pull images from the cloud whenever it needs to. AWS ECR tokens expire every 12 hours, so you will need something that takes care of refreshing the tokens for you. …
Original post: Fido U2F
I ended up switching to a Yubikey after all. Feitian keys are a nice cheaper option but there were just too many important websites that wouldn’t support them. That said, there have been some interesting developments with FIDO. Android phones now have built-in security keys that serve as a nice backup key for a hardware key. It still makes sense to have a physical key because an alternate two factor method will be required to set up your account when you eventually change phones.
The Android key also appears to have some reliability issues and depends on network connectivity. I have experienced random times where the prompt never appeared, or did appear but errored out with a vague, unhelpful network error. …
My wife recently came across the Scribbling Speech experiment and wondered if we could do something similar. The experiment appears to do exactly what she wants, but I could not find a working version online, which is unfortunate because it appears very well done. So I set out to create something similar but simpler in design.
Below is my first attempt to draw simple objects using the QuickDraw library, with Google natural speech for input.
My python script is available on Github: QuickDraw with Speech.
This was put together really quickly and could be improved quite a bit. Feel free to contribute or make suggestions.
I created this simple script because I could not find a way to automatically turn on / off my dehumidifier using IFTTT with Tado’s humidity sensor.
You can download the code here: https://github.com/gtom1984/Tado-Kasa/
How it works:
A CloudWatch event runs every 4 hours (or whenever you choose). The event triggers the Python Lambda script (which uses KMS keys to encrypt the account passwords). The Tado’s humidity reading is fetched from the cloud account. The smart plug is switched on if the humidity is over a certain threshold, and switched off if the humidity has dropped below the threshold when the script runs again. The humidity reading and the plug’s responses are recorded in the AWS CloudWatch log. The current draw is monitored when the device is started; you will receive an email if the device is on but the current is low, which is a good way to know the water tank is full. …
Why switch to Chrome OS
My main home computer for the past 10 years has been an Ubuntu Linux machine. It served me well but was always lacking good Google service integration. This led me to eventually switch back to Windows, Windows 10 Pro specifically.
My main personal laptop eventually became outdated and I wanted something different. The latest line of Chromebooks looked appealing because they are secure, well integrated with Google services, and can run Linux apps. I no longer require a powerful home computer now that cloud services can do almost everything I need. …
I have recently purchased some FIDO U2F keys and have attempted to do two-factor authentication the right way. Unfortunately it didn't work out like I expected. That said, it has been an overall positive experience.
I ended up buying the Feitian ePass FIDO-NFC Security Key because it did exactly what I needed and did not cost too much. Yubikey was my first choice but I did not want to pay the Yubikey price and did not need some of the extra features. …
The Amazon AWS Systems Manager Agent (SSM Agent) is a great way to manage systems in EC2 or on premises. It can run shell commands remotely and return a response. But sometimes there is no substitute for a full SSH session.
The problem is that most firewalls block incoming or outgoing SSH connections because of the security risk. This guide shows a simple way to trigger a reverse tunnel with SSH over HTTPS back to an EC2 instance that you can use to remotely control a system.
All SSH keys are generated on demand and never reused. The remote connection will use a service account that does not provide a shell. Keys are removed after the connection is made so the tunnel cannot be easily hijacked. …
A quick guide for making an existing AWS S3 hosted Jekyll site into a progressive web app.
1. Use the Google Lighthouse Chrome extension to evaluate your site
Google Lighthouse is a well-named Chrome extension. It told me my static site was terrible, but then guided me through fixing it.
Get Lighthouse and run it: https://developers.google.com/web/tools/lighthouse/
2. Ensure you are using SSL even if you don’t need it
I had to use AWS CloudFront to use SSL with my S3 static site. This seemed a bit pointless because my site is a static site that is open to the world and does not transfer or need to protect any user-submitted data. …