Kubernetes: cannot get path "//.well-known/openid-configuration"

I’ve been playing with using kubernetes service account JWTs to authenticate Pods. To get the cert for checking the JWT signature, I needed to hit the https://kubernetes.default.svc/.well-known/openid-configuration endpoint; however, as the URL was coming from a config file, it ended up being https://kubernetes.default.svc//.well-known/openid-configuration (mind the double //). This worked well locally where everything runs under the powerful default service account, but when deployed I got an error saying:
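Building the discovery URL from a configured base, as an added example that is not the post's own code. The base URL with a trailing slash, the sample discovery document and its issuer value are constructed for this example. The `naiveDiscoveryURL` function reproduces the concatenation mistake described above; `discoveryURL` normalizes the path so the request hits exactly `/.well-known/openid-configuration`, which is the non-resource URL the built-in ClusterRole `system:service-account-issuer-discovery` grants `get` on, and `parseDiscovery` pulls the `jwks_uri` that the signing keys are fetched from.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// discoveryPath is the path the kube-apiserver serves the OIDC discovery document on.
// It is also the exact non-resource URL that the built-in ClusterRole
// system:service-account-issuer-discovery grants "get" on (along with /openid/v1/jwks).
// RBAC matches non-resource URLs on the request path as sent, so
// "//.well-known/openid-configuration" is not covered by that rule.
const discoveryPath = "/.well-known/openid-configuration"

// discoveryDoc holds the two discovery fields a token verifier needs.
type discoveryDoc struct {
	Issuer  string `json:"issuer"`
	JWKSURI string `json:"jwks_uri"`
}

// naiveDiscoveryURL reproduces the mistake from the post: plain concatenation keeps
// whatever trailing slash the config file happened to contain.
func naiveDiscoveryURL(base string) string {
	return base + discoveryPath
}

// discoveryURL builds the discovery URL from a configured API server base URL,
// collapsing trailing slashes so the request path is exactly discoveryPath.
func discoveryURL(base string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("base %q must be an https URL with a host", base)
	}
	u.Path = strings.TrimRight(u.Path, "/") + discoveryPath
	u.RawPath, u.RawQuery, u.Fragment = "", "", ""
	return u.String(), nil
}

// parseDiscovery decodes a discovery document and rejects a jwks_uri that is missing
// or not https: the JWKS it points to is what JWT signatures are checked against,
// so it must be fetched over TLS.
func parseDiscovery(data []byte) (discoveryDoc, error) {
	var doc discoveryDoc
	if err := json.Unmarshal(data, &doc); err != nil {
		return doc, err
	}
	if doc.Issuer == "" {
		return doc, errors.New("discovery document has no issuer")
	}
	j, err := url.Parse(doc.JWKSURI)
	if err != nil || j.Scheme != "https" || j.Host == "" {
		return doc, fmt.Errorf("jwks_uri %q is missing or not https", doc.JWKSURI)
	}
	return doc, nil
}

// sampleDiscovery is a constructed document in the shape the kube-apiserver returns;
// the issuer value is an assumption (it depends on --service-account-issuer).
const sampleDiscovery = `{
  "issuer": "https://kubernetes.default.svc.cluster.local",
  "jwks_uri": "https://kubernetes.default.svc/openid/v1/jwks",
  "response_types_supported": ["id_token"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"]
}`

func main() {
	base := "https://kubernetes.default.svc/" // trailing slash, as a config file might supply it
	fmt.Println("naive:     ", naiveDiscoveryURL(base))
	fixed, err := discoveryURL(base)
	if err != nil {
		panic(err)
	}
	fmt.Println("normalized:", fixed)
	doc, err := parseDiscovery([]byte(sampleDiscovery))
	if err != nil {
		panic(err)
	}
	fmt.Println("fetch signing keys from:", doc.JWKSURI)
}
```

To confirm which path a given workload identity is allowed to read before deploying, check the non-resource URL against RBAC with `kubectl auth can-i get /.well-known/openid-configuration --as=system:serviceaccount:<namespace>:<serviceaccount>` (placeholders to be filled in for the Pod's service account); the same check with the doubled slash shows whether the malformed path is covered.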


Video for a Japanese learning podcast

This week I got to help out with a video for a Japanese learning podcast episode by Momoko sensei. I like taking photos, especially to capture life in Japan, so I was very happy for this opportunity to show them to the world. Most of the photos in the video are mine, except the ones at the purikura section. Enjoy!

Times Car Share

Even though Japan has amazing public transportation, sometimes having a car can make things so much better, like going for a day trip to the countryside or picking up someone at the station. This gets even more important as you leave Tokyo: for example Kyoto’s public transportation is mostly buses that can be significantly delayed due to traffic, and they are slower than cycling (due to stopping all the time). Moreover (especially on the weekend) they might only come once every 30 minutes, so you usually end up waiting at the bus stop for quite a while. Traditional car rentals are great for day trips, but get rather complicated and expensive for short trips.

The solution for this situation is car sharing: essentially a self-service car rental with support for very short rentals. I have been using Times Car Share, but other big players in the Japanese market are Orix and careco with very similar service and prices. At the end of the day it probably comes down to which one has a station close to where you live.


Argo CD Privesc Example Walk Through

My Argo CD Privilege Escalations post describes some privilege escalation possibilities that arise when Argo CD projects are not configured securely. In this post I’ll show a complete walkthrough of abusing one of these possible misconfigurations.


Argo CD Privilege Escalations

Consider a multi-team GitOps setup with Argo CD: each team has their own repository that holds the team’s Kubernetes YAML files that Argo CD deploys to a shared cluster. Inside the cluster, teams are separated into their own namespaces, and Argo CD only deploys resources to the namespace that belongs to the given team.

Let’s see how this setup can be misconfigured to allow deploying to other teams’ namespaces or to the cluster level!
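The settings that decide whether a team's Applications stay inside their namespace live in the AppProject (`spec.destinations`, `spec.clusterResourceWhitelist`, `spec.sourceRepos`). As an added example that is not part of the post, the following audit reads AppProject objects in the JSON form that `kubectl get appproject -n argocd -o json` prints and flags the permissive settings. The two embedded projects are constructed for the example, one permissive and one restricted to a single namespace; the project name and repository URL are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// appProject mirrors the AppProject (argoproj.io/v1alpha1) fields that decide where
// Applications in the project may deploy to and from. Other fields are ignored.
type appProject struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		SourceRepos  []string `json:"sourceRepos"`
		Destinations []struct {
			Server    string `json:"server"`
			Name      string `json:"name"`
			Namespace string `json:"namespace"`
		} `json:"destinations"`
		ClusterResourceWhitelist []struct {
			Group string `json:"group"`
			Kind  string `json:"kind"`
		} `json:"clusterResourceWhitelist"`
	} `json:"spec"`
}

// auditProject returns one finding per setting that lets Applications in the project
// reach beyond one team namespace on one cluster. An empty result means none of these
// checks fired, not that the project is safe in every respect.
func auditProject(raw []byte) ([]string, error) {
	var p appProject
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	var findings []string
	for _, r := range p.Spec.SourceRepos {
		if r == "*" {
			findings = append(findings, fmt.Sprintf("%s: sourceRepos allows any repository", p.Metadata.Name))
		}
	}
	for _, d := range p.Spec.Destinations {
		if strings.Contains(d.Namespace, "*") {
			findings = append(findings, fmt.Sprintf("%s: destination namespace %q is a pattern; confirm it cannot match another team's namespace", p.Metadata.Name, d.Namespace))
		}
		if d.Server == "*" || d.Name == "*" {
			findings = append(findings, fmt.Sprintf("%s: destination cluster is a wildcard, so any registered cluster is reachable", p.Metadata.Name))
		}
	}
	// An absent or empty whitelist makes Argo CD refuse cluster-scoped resources,
	// which is the setting a per-team project should keep.
	for _, w := range p.Spec.ClusterResourceWhitelist {
		findings = append(findings, fmt.Sprintf("%s: clusterResourceWhitelist admits cluster-scoped kind %q in group %q", p.Metadata.Name, w.Kind, w.Group))
	}
	return findings, nil
}

// weakProject is a constructed AppProject that lets team-a deploy anything, anywhere.
const weakProject = `{
  "apiVersion": "argoproj.io/v1alpha1", "kind": "AppProject",
  "metadata": {"name": "team-a", "namespace": "argocd"},
  "spec": {
    "sourceRepos": ["*"],
    "destinations": [{"server": "https://kubernetes.default.svc", "namespace": "*"}],
    "clusterResourceWhitelist": [{"group": "*", "kind": "*"}]
  }
}`

// restrictedProject is the constructed counterpart: one repo (assumed URL), one
// namespace, and no cluster-scoped resources.
const restrictedProject = `{
  "apiVersion": "argoproj.io/v1alpha1", "kind": "AppProject",
  "metadata": {"name": "team-a", "namespace": "argocd"},
  "spec": {
    "sourceRepos": ["https://git.example.com/team-a/manifests.git"],
    "destinations": [{"server": "https://kubernetes.default.svc", "namespace": "team-a"}]
  }
}`

func main() {
	for _, raw := range []string{weakProject, restrictedProject} {
		findings, err := auditProject([]byte(raw))
		if err != nil {
			panic(err)
		}
		if len(findings) == 0 {
			fmt.Println("no findings")
		}
		for _, f := range findings {
			fmt.Println(f)
		}
	}
}
```

The built-in `default` project is created with all three of the permissive settings above, so the audit is only meaningful if team Applications are actually bound to their own project rather than to `default`.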
