Permissions for a Pod in Kubernetes are managed via Service Accounts, and these come with a JWT issued by the cluster. If a Pod needs to authenticate to an external service, it is reasonable to use this JWT, so let’s see how to get it and how to verify it.
I’ve been playing with using Kubernetes service account JWTs to authenticate Pods. To get the cert for checking the JWT signature, I needed to hit the https://kubernetes.default.svc/.well-known/openid-configuration endpoint; however, as the URL was coming from a config file, it ended up being https://kubernetes.default.svc//.well-known/openid-configuration (mind the double //). This worked well locally, where everything runs under the powerful default service account, but when deployed I got an error saying:
This week I got to help out with a video for a Japanese learning podcast episode by Momoko sensei. I like taking photos, especially to capture life in Japan, so I was very happy for this opportunity to show them to the world. Most of the photos in the video are mine, except the ones at the purikura section. Enjoy!
Even though Japan has amazing public transportation, sometimes having a car can make things so much better, like going for a day trip to the countryside or picking up someone at the station. This gets even more important as you leave Tokyo: for example Kyoto’s public transportation is mostly buses that can be significantly delayed due to traffic, and they are slower than cycling (due to stopping all the time). Moreover (especially on the weekend) they might only come once every 30 minutes, so you usually end up waiting at the bus stop for quite a while. Traditional car rentals are great for day trips, but get rather complicated and expensive for short trips.
The solution for this situation is car sharing: essentially a self-service car rental with support for very short rentals. I have been using Times Car Share, but other big players in the Japanese market are Orix and careco with very similar service and prices. At the end of the day it probably comes down to which one has a station close to where you live.
My Argo CD Privilege Escalations post describes some privilege escalation possibilities if Argo CD projects are not configured securely. In this post I’ll show a complete walkthrough of abusing one of these possible misconfigurations.