Category: Security

  • BGP part two – A VPN connection to the cloud.

    As promised in my last blog post, here is part two of my BGP series. I’ve decided to split it into two, one covering the VPN, and another one covering the BGP end of it. So this one isn’t actually about BGP, it is about IPsec. I am running services at home – but that…

  • Kubernetes at Home: Internal and external services

    Disclaimer: Separating at a hardware level will always be better. But my home lab consists of exactly one server, so I focus on what I can do in software in Kubernetes. So far, I have configured all my services to be exposed to the internet, no matter if they are for external or internal consumption.…

  • Kubernetes Security 101

    While getting stuff to just work is fun, I decided I couldn’t set up a cluster without at least giving some thought to security. Here’s my small attempt at a nominally useful security strategy. By default, anything is allowed in Kubernetes. No, no one is stopping you. If you are on the node or in the…

  • Docker Networking Part 2 – what happens in docker stays in docker.

    After having created my docker DMZ in part 1, I realized that if I just connected the networks of the docker-containers I wanted to access from the internet to the firewall container, I could avoid exposing their ports to the underlying machine altogether, thereby reducing the number of open ports on the server itself. I…

  • A virtualized DMZ with docker

    Being somewhat of a minimalist, having only one server at home, but still trying to make a good, secure and stable infrastructure, it bothered me to forward network traffic directly to my server. Granted, most of the services exposed were running in docker, but it still was forwarding it directly into my «red zone». A…

  • Keeper Password Manager – a small technical review

    Last year, the company I work for signed up for Keeper Enterprise. A good password manager was something I’d been vouching for at work for a while, for a few reasons: Security policies often dictate practices that simply aren’t feasible to follow. Even though sharing passwords is discouraged, sometimes it just can’t be helped. There…