External Secrets Operator Team needs help!

External Secrets Operator is a great FOSS project that, over the last few years, has gained traction in Kubernetes environments, becoming one of the standard security tools for managing and integrating Kubernetes secrets from external sources. ESO is an operator and can be installed in different ways, for example via Helm or the OpenShift Operator Catalog. Here’s their GitHub repo. A couple of weeks ago, the team raised a giant RED FLAG with the following announcement: ...

August 15, 2025 · 1 min · 155 words · Matteo Bisi

Securing Kubernetes 1.33 Pods: The Impact of User Namespace Isolation

Kubernetes 1.33 was released on April 23, 2025, and, as usual, introduces a host of fixes and new features. Be sure to check out the release notes; I assure you, you won’t be disappointed! As the Team Leader of a DevSecOps group, I tend to focus on security features. In this article, I want to highlight the new pod support for user namespaces. This feature isn’t entirely new—it was first introduced as an Alpha feature (UserNamespacesSupport) in Kubernetes 1.28. However, as of version 1.33, it is enabled by default, and there’s no longer any need to set a Kubernetes feature flag. ...

May 16, 2025 · 4 min · 716 words · Matteo Bisi

OpenSSF - Open Source Project Security Baseline

Today, I want to share with you a new initiative by OpenSSF called the Open Source Project Security Baseline. The TL;DR: This initiative consists of a series of checks that project maintainers must have in place in their software repositories to demonstrate a strong security posture. The baseline is divided into three well-defined levels. I find this to be an interesting and practical initiative, easy to apply for improving and certifying a project’s security level. ...

February 26, 2025 · 1 min · 94 words · Matteo Bisi

Security Conference – BSides Galway, February 22nd, 2025

It’s been a couple of years since I moved to Galway, and I’m still absolutely thrilled with my decision! Over the past few months, I’ve had the chance to meet some awesome people at a local security meetup called BurbSec. It was a fantastic experience—sharing ideas, meeting new faces, and of course, enjoying a few beers! ;-) Now, some of these folks are organizing a security conference called BSides Galway, happening on February 22nd, 2025! ...

November 17, 2024 · 2 min · 222 words · Matteo Bisi

CyberArk Conjur 13.1 Released

A couple of weeks ago, CyberArk released a new and interesting version of Conjur: 13.1. This point release is really interesting because it brings important under-the-hood updates that aim to increase the resiliency of followers. If you want to read more about this release, please check out the article I wrote on the SIGHUP blog.

December 7, 2023 · 1 min · 55 words · Matteo Bisi

The Value of Community Contributions: Exploring CNCF and OpenSSF

I’ll start with a premise for those who may not already be familiar: the open-source software ecosystem often revolves around foundations, with the most famous probably being the Linux Foundation. In the cloud-native domain, the reference foundation is the Cloud Native Computing Foundation, commonly known as CNCF. CNCF is a foundation created by the Linux Foundation in 2015, specifically to manage projects in the cloud-native domain. In simple terms, it can be defined as a third-party, vendor-neutral entity that oversees the development and activities related to major projects involving containerized technologies like Kubernetes. ...

November 1, 2023 · 3 min · 531 words · Matteo Bisi

Resolving Podman Log Rotation Issues in CyberArk Conjur Container 12.9 Deployments

CyberArk Conjur is released as an appliance and distributed as container images to enable fast, error-free setup. The supported container runtimes include: Docker 20.10 or later; Mirantis Container Runtime 20.10; Podman 3.x, 4.x. While working with multiple Conjur environments in our labs and at customer sites, we noticed that log rotation (for Conjur, Nginx, cluster, etc.) did not function correctly on Podman, although it worked as expected on Docker. After some investigation with the excellent CyberArk support team, we identified the solution: ...

May 24, 2023 · 1 min · 181 words · Matteo Bisi

SIGHUP Secure Containers: how do you choose the OCI base image for your workload?

I believe it’s important to start with a premise: In this article, I’ll talk about a product/service built and offered by my current employer, SIGHUP. No one from my company has asked me to publish this blog post here; these are my honest opinions about Secure Containers. Secure Containers is a paid service built by SIGHUP that provides secure, hardened, and updated container base images. Developers working with containers and images now enjoy several advantages compared to the past, such as standardization, automation, and faster release times. ...

April 13, 2023 · 2 min · 271 words · Matteo Bisi

I've started a new journey as DevSecOps Team Leader

Hello there! How are you? I’m really good! As you may have seen on my social media, starting from the 16th of May, I’ve begun a new position as Senior DevSecOps at SIGHUP. I’m really excited about this new opportunity, and I’m writing this post because it will also have an effect on this blog’s focus. The topics will shift from previous subjects to cloud-native infrastructure security, starting with tools like CyberArk Conjur. The previous content on this blog will remain here forever. I believe it could be helpful for some time, and I also want to honor my HCL Ambassador role. ...

May 25, 2022 · 1 min · 132 words · Matteo Bisi