snyk test docker --fail-on= workaround

I’m running Snyk to scan docker images and break the build if they have high or critical vulnerabilities:

snyk test --severity-threshold=high --docker $IMAGE_NAME

However sometimes the upstream image has high or critical vulnerabilities (e.g. at the times of writing this, debian), so there is very little action one can take (other than moving to a different base image, which is usually not easy). Thus I only want to break the build if there are high or critical vulnerabilities AND they can be fixed by ugrading the base image.

Read more

Multi-cluster multi-primary istio on AWS EKS

Recently I was working on setting up istio in a multi-cluster setup following the Install Multi-Primary on different networks guide on EKS clusters. Everything seemed to work (no errors in logs), until I reached the verification step, where requests didn’t go to the other mesh: in CLUSTER1 I always got a response from Hello version: v1, instance: helloworld-v1-86f77cd7bd-cpxhv, while in CLUSTER2 always from Hello version: v2, instance: helloworld-v2-758dd55874-6x4t8.

Read more

Terraform's kubernetes_secret giving 'Error: Provider produced inconsistent result after apply'

I’m creating a new kubernetes_secret via Terraform for an existing service account like this:

resource "kubernetes_secret" "my_service_account_token" {
  metadata {
    name = "my-service-account-token"
    namespace = "example"
    annotations = {
      "kubernetes.io/service-account.name" = "my-service-account"
    }
  }
  type = "kubernetes.io/service-account-token"
}

so that then I can use this token elsewhere like: kubernetes_secret.my_service_account_token.data["token"].

Read more

How to setup Azure AD authentication with AWS EKS kubernetes clusters

I recently worked on setting up Azure Active Directory (AAD from now) authentication with kubernetes clusters running on AWS EKS (Amazon Elastic Kubernetes Service). The goal was to let users of the kubernetes cluster authenticate using their AAD identities, and assing permissions using the usernames and also AAD groups. Here is how I did it.

Read more

How to download the latest release from a Github repository

We often want to download the latest release of an application from Github, however it used to be hard without knowing the latest version. But now we can do the followings:

Moving a blog from Wordpress to Github pages

This blog is hosted on Github pages, which I end up liking a lot, so I decided to move my other blog (originally hosted on Wordpress) too. I was already planning to update the domain of that blog, so I took the opportunity to do both at the same time. Here are the steps I did.

Read more

Authentication using kubernetes service account JWTs

Permissions for a Pod in kubernetes are managed via Service Accounts, and these come with a JWT issued by the cluster. If the Pods need to authenticate to an external service, it would be reasonable to use this JWT, so let’s see how to get it and verify it.

Read more

Kubernetes: cannot get path "//.well-known/openid-configuration"

I’ve been playing with using kubernetes service account JWTs to authenticate Pods. To get the cert for checking the JWT signature, I needed to hit the https://kubernetes.default.svc/.well-known/openid-configuration endpoint, however as the URL was coming from a config file it ended up being https://kubernetes.default.svc//.well-known/openid-configuration (mind the double //). This worked well locally where everything runs under the powerful default service account, but when deployed I got an error saying:

Read more

Cross-app Scripting in Android apps

If an Android app accepts Intents to open a URL in a WebView, then a malicious app installed on the same device might open a javascript:alert(1)-like URL, which will run the provided JavaScript in the context of the victim app’s site (that is currently loaded in the WebView). This vulnerability is called Cross-app Scripting.

Read more

Restricting Google App Script permissions

Google Apps Script is a rapid application development platform that makes it fast and easy to create business applications that integrate with Google Workspace. You write code in modern JavaScript and have access to built-in libraries for favorite Google Workspace applications like Gmail, Calendar, Drive, and more.

https://developers.google.com/apps-script/overview

Google Apps Script provide an easy way to automate repetitive tasks in the Google ecosystem (e.g. Drive). It is somewhat similar to macros in Microsoft Office. An App Script will ask for permissions before it can interact with any document of the user, and by default these permissions are unnecessarily wide. This write up is meant to help restricting these permissions.

Read more

Using LastPass on login forms with more than 2 inputs

LastPass generally handles common login pages with a username and password well, but it breaks on login forms that have more than those two fields. But there is a solution.

The problem

Here is the site I’ll use as an example: the login page of the SMBC bank: [https://direct.smbc.co.jp/aib/aibgsjsw5001.jsp]

The first line gives 2 options for identifying your user: either specify your bank account number (branch code and account number) or use your contractor number. I’m using the first one, so let’s focus on that. The problem is that the branch code and the account numbers are two separate text boxes, thus when I fill them out and login, then LastPass will only save one of them as username.

Read more

Getting a .jp domain

I have a super common family name in Hungary: Szabo. It means tailor, and appr. 2% of Hungarians have this family name (203,126 out of 9,730,000). Thus szabo.hu, szabo.eu, szabo.com, szabo.net, szabo.info, szabo.me, szabo.xyz etc. are mostly taken. However I recently checked and szabo.jp was available! Following a Tokyo Cheapo guide I found Star Domain and bought the domain there for 2560 yen/year. (Star Domain has a referral program, so if you use this link, I might earn a little money.)

I already had hosting elsewhere, so I only needed the domain and Star Domain has a pretty straightforward DNS configurator. I read that only people in Japan can register .jp domains, so I expected some verification, but only my phone number was checked and after I paid for the domain, I could use it immediately.

Most part of the site is text based, so Google Translate makes it possible to use it without knowing too much Japanese.