Cloud and infrastructure security
View All Tags
Your cluster is running in production. Three teams share it. A junior developer accidentally deletes a Deployment in the production namespace. Sound familiar? This is what happens when everyone has cluster-admin. RBAC exists to make sure every user and every service account has exactly the permissions they need — and nothing more.
A container is not a security boundary. It shares the host kernel, and a misconfigured container running as root with all capabilities is one exploit away from full host compromise. The good news is that Docker gives you layers of defense — most people just never enable them.
Still typing passwords every time you SSH into a server? Still memorizing IP addresses? Still copying files with scp one server at a time? SSH is the most used tool in a DevOps engineer's arsenal, yet most people only use 10% of its power. Let's change that.
Anyone can write a Dockerfile that works. FROM ubuntu, RUN apt-get install everything, COPY . ., done. It builds. It runs. And it is a 1.8 GB security nightmare that takes 10 minutes to deploy. Here are 12 rules that separate a working Dockerfile from a production-ready one.
Your app needs a database URL in dev, a different one in staging, and yet another in production. You could bake each URL into a separate Docker image, but then you would need three images for the same code. ConfigMaps and Secrets let you inject configuration at deploy time, so one image works everywhere. Here is how to use them properly.
A developer hardcodes a storage account key in a GitHub repo. Twelve minutes later, a bot scrapes it and racks up $14,000 in crypto mining charges. This is not a hypothetical — it happens every week. Microsoft Entra ID exists to make sure your applications authenticate without secrets lying around in code.