Missed the Security Profiles Operator release earlier this week?
No problem, here is what's new:
Sascha Grunert
@saschagrunert
Sascha Grunert’s Tweets
I published a blog post about how to record #seccomp profiles using eBPF and the Security Profiles Operator in #Kubernetes:
developers.redhat.com/articles/2021/
It also covers how to build and deploy a containerized bpf application as well as technical details of the syscall recorder. 🙂
As an end-of-the-year gift, we released v0.4.0 of the #Kubernetes Security Profiles Operator! 🥳
github.com/kubernetes-sig
It contains many new features, like log based seccomp and SELinux profile recording, an eBPF seccomp recorder, AppArmor support as well as metrics!
This is my personal favorite espresso, I hope you enjoy it as much as I do! 🤗🤤
Actually, a pretty local roasting house from your perspective.
Quote Tweet
And we got a fantastic Xmas gift from my friend @saschagrunert. Many thanks, my friends


I got this awesome Christmas gift from and ! 🎄😭
Thank you so much and enjoy the Christmas season! Let’s see if my baby fits into it. 😅
#relengFam
The Kubernetes project is working towards security hardening their software supply chain! 🙂
I'd like to share our SIG Release Roadmap and Vision update, which covers full SLSA compliance as well as how to sign our release artifacts:
groups.google.com/g/kubernetes-d
Today I submitted two talks for #KubeCon Europe 2022 in Valencia! 🇪🇸
I’m trying something new this time by proposing one talk in the community track.
Submit your talks, folks. The CFP closes on Dec 18!
Found the issue: The clang wrapper (a shell script wrapping the binary before execution) does not support the `-target` argument and therefore does not pass it down to the clang CLI.
Additionally, adding `--extra-sandbox-paths /sys` makes building bpf modules in nixpkgs work.
Strangely, I cannot compile the bpf object with nix, because clang/llvm reports:
fatal error: error in backend: Cannot select: intrinsic %llvm.preserve.struct.access.index
Tried clang 10/11/12, maybe or any other of you folks have an idea… 🤔
I'm working on a bpf based syscall recorder for the Kubernetes Security Profiles Operator:
github.com/kubernetes-sig
It works without any third party dependency, is able to unload the bpf module on demand and will run on x86_64 as well as arm64 Linux. 😊
I've built an eBPF/libbpf based syscall recorder, which has no further runtime dependencies when linked statically.
github.com/saschagrunert/
It can be wrapped as OCI hook for recording inside Kubernetes, but I'm also considering a solution which works with , in Rust.
My #Kubernetes #RelEngFam is crushing right now at "Hardening the Kubernetes Software Supply Chain Through Better Transparency" - #KubeCon + #CloudNativeCon
Don't miss our #KubeCon NA talk tomorrow 11am PT / 8pm CEST about:
"What's New in CRI-O?" - with , , and myself.
Thank you for all of your hard work this year, #Kubernetes #RelEngFam!
Let's keep pushing together :)
Quote Tweet
In @kubernetesio SIG Release we maintain our own roadmap and vision to track our long term efforts.
Our main goal is to establish a consumable, introspectable, and secure software supply chain for #Kubernetes.
Now it’s going to get its first update
github.com/kubernetes/sig
In SIG Release we maintain our own roadmap and vision to track our long term efforts.
Our main goal is to establish a consumable, introspectable, and secure software supply chain for #Kubernetes. 🔐
Now it’s going to get its first update 👇
"How to enable #Kubernetes container #RuntimeDefault #seccomp profile for all workloads" via medium.com/@LachlanEvenso