Tuesday, 2019-03-05

*** stackedsax has joined #kata-general		00:47
*** lcastell has quit IRC		01:33
*** lcastell has joined #kata-general		01:36
*** lcastell has quit IRC		01:40
*** sameo has joined #kata-general		05:04
kata-irc-bot	<eric.ernst> I don't see anyhing on agenda for arch call tomorrow -- any last minute adds?	05:25
*** sameo has quit IRC		06:28
*** sameo has joined #kata-general		06:59
*** tmhoang has joined #kata-general		07:44
*** sameo has quit IRC		08:02
*** sgarzare has joined #kata-general		08:11
*** gwhaley has joined #kata-general		09:00
*** sameo has joined #kata-general		09:16
*** sameo has quit IRC		10:56
*** sameo has joined #kata-general		11:55
*** gwhaley has quit IRC		11:59
*** sameo has quit IRC		12:07
*** gwhaley has joined #kata-general		13:08
*** tmhoang has quit IRC		16:25
kata-irc-bot	<wilsonianb> :wave: I'm wanting to run untrusted code in Kubernetes pod(s). Kata gets me most of the way there, but does anyone know of a way (other than manual firewalling) to prevent the K8s API from being exposed to the untrusted workloads?	16:58
kata-irc-bot	<eric.ernst> hey @wilsonianb	17:05
kata-irc-bot	<krsna1729> Disable mounting default secret token	17:06
kata-irc-bot	<krsna1729> Network level leverage network policy	17:07
*** sgarzare has quit IRC		17:10
*** sameo has joined #kata-general		17:12
kata-irc-bot	<wilsonianb> Thanks I had seen `automountServiceAccountToken: false`. It looks like network policy let's you whitelist instead of blacklist. I'll try an egress policy whitelisting everything except the k8s api. :spock-hand:	17:18
kata-irc-bot	<eric.ernst> @kmacleod - FYI the fix landed in Kata 1.5.1, which is available now	17:55
*** lcastell has joined #kata-general		18:43
*** lcastell has quit IRC		18:48
*** igordc has joined #kata-general		20:28
*** gwhaley has quit IRC		20:36
*** sameo has quit IRC		20:36
*** igordc has quit IRC		23:10

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!