External Secrets Operator Team needs help!

External Secrets Operator is a great FOSS project that, over the last few years, has gained traction in Kubernetes environments, becoming one of the standard security tools for managing and integrating Kubernetes secrets from external sources. ESO is an operator and can be installed in different ways, for example via Helm or the OpenShift Operator Catalog. Here’s their GitHub repo. A couple of weeks ago, the team raised a giant RED FLAG with the following announcement: ...

August 15, 2025 · 1 min · 155 words · Matteo Bisi

Urgent: Zero-Day CVEs Found in Two Major Secrets Managers — Have You Updated Yet?

Today, my manager forwarded me this article about several zero-day CVEs discovered in CyberArk and HashiCorp products. After some time spent researching online, I confirmed that both brands have fixed these CVEs by releasing updated versions!! I’m not surprised that these two big corporations acted quickly and fixed the vulnerabilities; both are well-known and reliable! This event gave me an excuse to write this article and respond to one of the most common questions I get from my customers whenever I share news about a new release of a secrets manager: ...

August 11, 2025 · 2 min · 302 words · Matteo Bisi

The Critical Trio: Secrets Manager, Zero-CVE Images, and CNAPP are Needed (Not Only) for DORA Compliance!

With the Digital Operational Resilience Act (DORA) now in effect across the European Union as of January 17, 2025, financial institutions face unprecedented cybersecurity and operational resilience requirements. Successfully achieving DORA compliance demands a comprehensive security strategy that also includes the following three fundamental components:

- Robust secrets management
- Hardened container images with minimal vulnerabilities
- Unified cloud-native application protection platforms (CNAPPs)

These technologies work synergistically to meet DORA’s stringent ICT risk management, asset identification, and third-party oversight mandates. ...

August 7, 2025 · 7 min · 1335 words · Matteo Bisi

From Senior System Engineer to Team Leader: My Journey and Key Leadership Principles

It’s summertime in Europe. I’m just back from my summer holidays, and I want to restart the blog with a different kind of post: my journey from Senior System Engineer to Team Leader. I’ll share how I transitioned between these roles and outline my leadership principles for the team, focusing on delivering the highest level of service to our customers while maintaining a positive working environment. This includes balancing high standards, thorough documentation, continuous learning and improvement, and, importantly, having fun, all in a fully remote environment. There’s a lot to explain, so let’s start from the beginning! ...

July 16, 2025 · 5 min · 1058 words · Matteo Bisi

From Dev to Prod: Making Distroless Images Your Default

Security should be a primary driver in IT! Everyone understands the importance of running secure, reliable code at every level of our infrastructure. Since the container revolution began a decade ago with Kubernetes 1.0, traditional IT administrators have lost some control to developers, who can now use Dockerfiles to package and deploy software at unprecedented speed. But at what cost? As organizations adopted runtime security tools to monitor containers and processes, it quickly became clear that pulling base images from public repositories often introduced a flood of vulnerabilities. ...

June 17, 2025 · 4 min · 816 words · Matteo Bisi

Apple container announced

As you probably know, Apple is running WWDC 25, and yesterday there were a lot of exciting announcements. Among these, aside from the OS updates, Apple announced “container” and containerization support for macOS 26. Here are the key features:

- Manage OCI images
- Interact with remote registries
- Create and populate ext4 file systems
- Interact with the Netlink socket family
- Create an optimized Linux kernel for fast boot times
- Spawn lightweight virtual machines
- Manage the runtime environment of virtual machines
- Spawn and interact with containerized processes
- Use Rosetta 2 for executing x86_64 processes on Apple silicon

In fact, the “container” client will be able to spawn a lightweight VM with an optimized Linux kernel and small rootFS, where you can run Linux containers using Rosetta 2 for executing x86 instructions. The interesting part from a security perspective is that every container will run isolated inside its own lightweight VM. ...

June 10, 2025 · 2 min · 215 words · Matteo Bisi

Fresh Start: Moving My Blog from Blogger to Hugo

I finally did it! After years of delay, I moved my blog away from Blogger. I needed something modern and better suited to my content, so I decided to go with Hugo and the PaperMod theme. The site is stored in a GitHub repository and hosted by Cloudflare Pages, which builds my site every time I push something to the repository. I won’t bore you with details about how much better this technical solution is compared to Blogger, but I’ll leave you with some useful links if you’re curious: ...

June 7, 2025 · 1 min · 189 words · Matteo Bisi

Securing Kubernetes 1.33 Pods: The Impact of User Namespace Isolation

Kubernetes 1.33 was released on April 23, 2025, and, as usual, introduces a host of fixes and new features. Be sure to check out the release notes; I assure you, you won’t be disappointed! As the Team Leader of a DevSecOps group, I tend to focus on security features. In this article, I want to highlight the new pod support for user namespaces. This feature isn’t entirely new—it was first introduced as an Alpha feature (UserNamespacesSupport) in Kubernetes 1.28. However, as of version 1.33, it is enabled by default, and there’s no longer any need to set a Kubernetes feature flag. ...

May 16, 2025 · 4 min · 716 words · Matteo Bisi

From Manual to GitOps: Simplifying Grafana Dashboard Configuration with Git Sync

Starting with version 12, Grafana introduces the ability to configure dashboards using a GitOps approach through an experimental feature called Git Sync. This is a particularly interesting capability that can help manage dashboards in large and complex environments. Git Sync is available as an experimental feature in both Grafana OSS and Enterprise editions. Activation can also be requested for the Cloud version (currently available as a private preview). You can find the relevant documentation on this page, and below I am including a demo video. ...

May 12, 2025 · 1 min · 85 words · Matteo Bisi

OpenSSF - Open Source Project Security Baseline

Today, I want to share with you a new initiative by OpenSSF called the Open Source Project Security Baseline. The TL;DR: this initiative consists of a series of checks that project maintainers must have in place in their software repositories to demonstrate a strong security posture. The baseline is divided into three well-defined levels. I find this to be an interesting and practical initiative, easy to apply for improving and certifying a project’s security level. ...

February 26, 2025 · 1 min · 94 words · Matteo Bisi