This article explores Docker Multi-Stage Builds as a powerful technique for creating smaller and more secure container images.
https://labs.iximiuz.com/tutorials/docker-multi-stage-builds
iximiuz Labs
How to Build Smaller Container Images: Docker Multi-Stage Builds | iximiuz Labs
Learn how to build smaller, more secure Docker container images using Multi-Stage Builds. This guide explains common sources of image bloat, best practices for slimming down production images, and practical examples for Node.js, Go, Rust, and other application…
This article is a step-by-step guide to deploying a WireGuard VPN server on AWS with Terraform, so that resources inside a private VPC (for example a database) can be reached from a local machine through infrastructure defined as code.
https://vladkens.cc/aws-wireguard-vpn-terraform/
vladkens.cc
Setting up WireGuard VPN at AWS with Terraform
All resources in AWS work inside a private VPC. Sometimes you may need to access these resources from a local computer (e.g. to interact with a database). Some resour…
The article focuses on the importance of handling termination signals gracefully in applications deployed in orchestrated environments like Kubernetes. Graceful shutdowns are crucial to prevent data loss and system instability that can occur with abrupt terminations, ensuring that applications can exit cleanly and maintain consistency even when they are stopped or scaled down.
https://packagemain.tech/p/graceful-shutdowns-k8s-go
packagemain.tech
Terminating elegantly: a guide to graceful shutdowns
Let's dive into the world of graceful shutdowns, specifically for Go applications running on Kubernetes.
The incredible HULL - Helm Uniform Layer Library - is a Helm library chart to improve Helm chart based workflows
https://github.com/vidispine/hull
GitHub
GitHub - vidispine/hull: The incredible HULL - Helm Uniform Layer Library - is a Helm library chart to improve Helm chart based…
The incredible HULL - Helm Uniform Layer Library - is a Helm library chart to improve Helm chart based workflows. - GitHub - vidispine/hull: The incredible HULL - Helm Uniform Layer Library - is a...
Forwarded from Golang notes
A PostgreSQL database explorer TUI (Terminal User Interface) application written in Go.
https://github.com/ddoemonn/go-dot-dot
GitHub
GitHub - ddoemonn/go-dot-dot: A PostgreSQL database explorer TUI (Terminal User Interface) application written in Go.
A PostgreSQL database explorer TUI (Terminal User Interface) application written in Go. - ddoemonn/go-dot-dot
Critical vulnerability in the ingress-nginx controller
9.8/10 https://github.com/advisories/GHSA-mgvx-rpfc-9mpv
If you're running Kubernetes with the ingress-nginx controller and are affected by the vulnerability described in GHSA-mgvx-rpfc-9mpv (CVE-2025-1974), you face several serious security risks:
Critical Security Risks
This vulnerability, published on March 25, 2025, is part of a set of critical flaws collectively named "IngressNightmare" with a CVSS score of 9.8[6]. The specific issues include:
- Unauthenticated Remote Code Execution (RCE): An attacker with access to the pod network can execute arbitrary code in the context of the ingress-nginx controller without authentication[1][2].
- Cluster-wide Secret Exposure: The vulnerability allows attackers to access and steal all secrets accessible to the controller. In default installations, the controller can access all secrets across all namespaces in the cluster[1][3].
- Complete Cluster Takeover: Due to the elevated privileges of the admission controller, successful exploitation could lead to full compromise of your Kubernetes environment[3][6].
- Public Exposure Risk: Over 6,500 clusters with publicly accessible admission controllers are at immediate risk, including those operated by Fortune 500 companies[8].
How the Vulnerability Works
The attack targets the admission controller component of the ingress-nginx controller:
1. The vulnerability allows attackers to inject arbitrary NGINX configuration remotely by sending a malicious ingress object directly to the admission controller[3].
2. When the controller processes this malicious object during validation, it causes the NGINX validator to execute malicious code[6][8].
3. The admission controller's elevated privileges and network accessibility create a critical escalation path, allowing an attacker to access sensitive resources across the entire cluster[3].
Required Action
To mitigate this issue, you should:
- Update immediately to one of the patched versions: 1.12.1, 1.11.5, or 1.10.7[6].
- Ensure your admission webhook endpoint is not exposed externally[6].
- Limit access to the admission controller to only the Kubernetes API Server[6].
- Temporarily disable the admission controller component if it's not needed[6].
This vulnerability affects approximately 43% of cloud environments, making it a widespread and serious threat to Kubernetes deployments[6].
GitHub
CVE-2025-1974 - GitHub Advisory Database
ingress-nginx admission controller RCE escalation
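A triage script for the mitigation steps in this post, added here as an example and not code from the advisory or the channel: it extracts the controller version from the deployment's image tag, checks it against the fixed releases (defaulting to 1.12.1 and 1.11.5, the fixed versions named in the GitHub advisory; pass your own list if your distribution backports a fix to another line), and prints a NetworkPolicy that admits the admission webhook port only from the API server. The namespace, deployment name, pod labels and webhook port 8443 are assumed to match the upstream manifests, and the API server source CIDR is a placeholder you must replace.

```shell
#!/bin/sh
# Added example (not code from the advisory or the channel post): triage an
# ingress-nginx controller against GHSA-mgvx-rpfc-9mpv / CVE-2025-1974 and
# print a NetworkPolicy that limits the admission webhook to the API server.
#
# Assumptions: fixed releases default to 1.12.1 and 1.11.5 (the advisory's
# fixed versions); namespace "ingress-nginx", deployment
# "ingress-nginx-controller", the app.kubernetes.io labels and webhook port
# 8443 follow the upstream manifests; the API server CIDR is yours to supply.

# version_ge A B: succeed when A >= B, comparing x.y.z numerically
# (a leading "v" and any "-beta.N" style suffix are ignored).
version_ge() {
    IFS=. read -r a1 a2 a3 <<EOF
${1#v}
EOF
    IFS=. read -r b1 b2 b3 <<EOF
${2#v}
EOF
    a3=${a3%%-*}; b3=${b3%%-*}
    [ "${a1:-0}" -gt "${b1:-0}" ] && return 0
    [ "${a1:-0}" -lt "${b1:-0}" ] && return 1
    [ "${a2:-0}" -gt "${b2:-0}" ] && return 0
    [ "${a2:-0}" -lt "${b2:-0}" ] && return 1
    [ "${a3:-0}" -ge "${b3:-0}" ]
}

# is_patched VERSION [FIXED_LIST]: print yes or no. Only a fixed release in
# the same minor line counts; a minor line with no fixed release is unpatched.
is_patched() {
    v="${1#v}"
    fixed="${2:-1.12.1 1.11.5}"
    IFS=. read -r vmaj vmin _rest <<EOF
$v
EOF
    for f in $fixed; do
        case "$f" in
            "$vmaj.$vmin".*)
                if version_ge "$v" "$f"; then echo yes; else echo no; fi
                return 0 ;;
        esac
    done
    echo no
}

# controller_version_from_image IMAGE:
#   "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:..." -> 1.11.4
controller_version_from_image() {
    img="${1%%@*}"          # drop any digest
    tag="${img##*:}"        # text after the last colon is the tag
    printf '%s\n' "${tag#v}"
}

# webhook_netpol APISERVER_CIDR: NetworkPolicy that admits the webhook port
# only from the API server's source range and leaves the data-plane ports open.
webhook_netpol() {
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-nginx-admission-from-apiserver
  namespace: ingress-nginx
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/component: controller
  policyTypes: ["Ingress"]
  ingress:
  # API server -> validating webhook (upstream default port 8443)
  - from:
    - ipBlock:
        cidr: $1
    ports:
    - protocol: TCP
      port: 8443
  # Ingress data plane stays reachable from anywhere
  - ports:
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 443
EOF
}

# Stand-alone: "--live" reads the running deployment with kubectl; otherwise a
# constructed sample image is triaged so the script runs offline.
if [ "${1:-}" = "--live" ]; then
    image=$(kubectl -n ingress-nginx get deploy ingress-nginx-controller \
        -o jsonpath='{.spec.template.spec.containers[0].image}')
else
    image="registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0000"
fi
ver=$(controller_version_from_image "$image")
printf 'controller %s patched: %s\n' "$ver" "$(is_patched "$ver")"
webhook_netpol "${APISERVER_CIDR:-10.0.0.0/24}"   # placeholder CIDR; replace
```

A NetworkPolicy only helps when the CNI enforces it and the controller is not running with hostNetwork, and on managed clusters the API server reaches the webhook from a provider-specific address range, so confirm the CIDR before applying. Add any other exposed ports (metrics, for example) to the second rule. Upstream's published stop-gap for clusters that cannot upgrade immediately is to turn the validating webhook off (Helm value controller.admissionWebhooks.enabled=false, or deleting the ingress-nginx-admission ValidatingWebhookConfiguration and removing the --validating-webhook argument from the controller), which is what the post's last bullet refers to; upgrading remains the fix.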
The author discusses strategies for significantly reducing the startup time of AWS EKS Windows nodes. The author achieved this by using Karpenter for dynamic node provisioning, optimizing PowerShell scripts, and pre-caching images with AWS Image Builder. Key optimizations included uninstalling unnecessary PowerShell modules and rewriting the bootstrap script in C# for better performance, resulting in startup times under 90 seconds.
https://hackernoon.com/how-i-reduced-eks-windows-node-start-time-from-5-min-to-90s
Hackernoon
How I Reduced EKS Windows Node Start Time From 5 Min to ~90s
Learn how to reduce AWS EKS Windows node startup times to < 90 secs using Karpenter, optimized scripts, and pre-cached images. Boost your cluster's performance!
The article delves into the intricacies of Kubernetes resource management, specifically focusing on requests and limits. It explains how these settings impact pod scheduling, resource allocation, and performance, highlighting the importance of correctly configuring them to ensure efficient use of cluster resources and prevent overcommitting or underutilization. Understanding these concepts is crucial for optimizing application performance and reliability in Kubernetes environments.
https://thenewstack.io/how-kubernetes-requests-and-limits-really-work/
The New Stack
How Kubernetes Requests and Limits Really Work
A wizard's journey through the technical inner workings of Kubernetes resource management: Chapter 1.
Goliat - Dashboard is an open-source tool for managing, visualizing, and optimizing Terraform deployments, with integration to Terraform Cloud and a custom provider.
https://github.com/danieljsaldana/goliat-dashboard
GitHub
GitHub - danieljsaldana/goliat-dashboard: Centralized dashboard built with Astro and React, with integrations for GitHub, Azure…
Centralized dashboard built with Astro and React, with integrations for GitHub, Azure, AWS and OpenAI. Ideal for DevOps, SRE, Security, Cloud Architecture and Business teams. - danieljsaldana...
The blog post addresses the challenges engineering managers face in maintaining their technical skills amid busy schedules. It suggests that instead of trying to dedicate a significant portion of their time to hands-on technical work, managers can leverage their team's diversity and projects to stay current. This involves guiding team members through experimental projects, learning from their experiences, and teaching junior engineers, which helps maintain a technical edge without compromising work-life balance.
https://medium.com/engineering-managers-journal/real-ways-to-maintain-your-technical-edge-as-an-engineering-manager-25652fa1495c
Medium
Real Ways To Maintain Your Technical Edge As An Engineering Manager
Most advice isn't practical, but there are realistic alternatives.
The author provides a comprehensive guide to building a REST API hosted on AWS API Gateway with a backend on AWS Lambda and a database on DynamoDB. The guide includes setting up AWS services using Terraform, creating a Lambda function to perform CRUD operations on DynamoDB, and implementing authentication with Amazon Cognito to secure certain routes.
https://awstip.com/a-step-by-step-guide-on-deploying-rest-api-using-api-gateway-lambda-cognito-terraform-f277814d048e
Medium
A Step-by-Step Guide On Deploying REST API using API Gateway, Lambda, Cognito - Terraform
Introduction
Retry a command with exponential backoff and jitter (+ Starlark expressions)
https://github.com/dbohdan/recur
GitHub
GitHub - dbohdan/recur: Retry a command with exponential backoff and jitter (+ Starlark expressions)
Retry a command with exponential backoff and jitter (+ Starlark expressions) - dbohdan/recur
Kuzco reviews your Terraform and OpenTofu resources, compares them to the provider schema to detect unused parameters, and uses AI to suggest improvements and fixes
https://github.com/RoseSecurity/Kuzco
GitHub
GitHub - RoseSecurity/Kuzco: Kuzco reviews your Terraform and OpenTofu resources, compares them to the provider schema to detect…
Kuzco reviews your Terraform and OpenTofu resources, compares them to the provider schema to detect unused parameters, and uses AI to suggest improvements and fixes - RoseSecurity/Kuzco
Forwarded from Best Channels for Tech guys
Golang Notes
Looking for a place to level up your Go skills? Join Golang Notes and stay ahead in the world of Golang!
What you'll find:
- Best practices and coding tips
- Latest updates from the Go ecosystem
- Useful tools, snippets, and guides
- Community discussions and expert insights
Whether you're a beginner or an experienced developer, this channel has something for you!
Join now
The article "Autoscaling with Keda and Prometheus Using Custom Metrics in Go" on Medium provides a detailed guide on how to implement autoscaling in Kubernetes using KEDA and Prometheus. It demonstrates creating custom Prometheus metrics in a Go application, deploying it on Kubernetes, and configuring Prometheus to scrape these metrics. The article then shows how to integrate KEDA with Prometheus to scale pods based on custom metrics, such as the number of HTTP requests or product orders, ensuring dynamic resource allocation under varying traffic conditions.
https://medium.com/vakifbank-teknoloji/autoscaling-with-keda-and-prometheus-using-custom-metrics-in-go-558a64668fc4
Medium
Autoscaling with Keda and Prometheus Using Custom Metrics in Go
Goals