jeluard
Containers do not provide strong sandbox features. Sudo is currently disabled. Consider using user namespaces for stronger isolation.

* https://www.youtube.com/watch?t=176&v=l4I2TVAnBuw
* https://docs.docker.com/engine/security/userns-remap/
* https://www.jujens.eu/posts/en/2017/Jul/02/docker-userns-remap/
* https://www.objectif-libre.com/en/blog/2020/06/30/securiser-docker-au-travers-de-la-fonctionnalite-userns-remap/
* https://success.mirantis.com/article/introduction-to-user-namespaces-in-docker-engine
* https://www.linux.com/audience/devops/hardening-docker-hosts-user-namespaces/...

* https://github.com/samber/remote-dev-environment
* https://medium.com/maverislabs/proxyjump-the-ssh-option-you-probably-never-heard-of-2d7e41d43464
* https://github.com/okteto/remote-kubernetes

* https://gist.github.com/itaysk/7bc3e56d69c4d72a549286d98fd557dd
* https://github.com/kubernetes/kubeadm/issues/34
* https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
* https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages
* https://codefresh.io/kubernetes-tutorial/single-use-daemonset-pattern-pre-pulling-images-kubernetes/
* https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
* https://codefresh.io/kubernetes-tutorial/single-use-daemonset-pattern-pre-pulling-images-kubernetes/
* https://github.com/itaysk/kube-imagepuller

* https://github.com/eclipse-theia/theia/issues/8459
* https://vscode.github.com/
* https://github.com/vinokurig/github-authentication-plugin/blob/master/src/github-authentication-plugin.ts

A test that checks k8s cluster is correctly deployed. Could be written in JS

* https://github.com/godaddy/kubernetes-client
* https://github.com/kubernetes-client/javascript

# Deploy PRs

* https://sanderknape.com/2020/05/deploy-pull-requests-github-actions-deployments/
* https://github.com/marketplace/actions/kind-kubernetes-in-docker-action

# Scaling

* https://github.com/Zooz/predator
*...
Preset git credentials configuration. Allow user to specify repository used to configure the container. Add a hook command to be run before a container is started. Can be implemented as...

See

* https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#rate-limiting
* https://kubernetes.github.io/ingress-nginx/user-guide/monitoring/
* https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
* https://kubernetes.github.io/ingress-nginx/user-guide/third-party-addons/modsecurity/
* https://github.com/SpiderLabs/ModSecurity-nginx

Mounting Theia as a volume would allow simply injecting it into any Docker image (as opposed to having to create an extra image per template version). It would require:...
Interesting approach to session to access a local env: https://www.gitpod.io/blog/local-services-in-gitpod/

* https://cloud.google.com/kubernetes-engine/docs/concepts/node-pools
* https://cloud.google.com/kubernetes-engine/docs/how-to/node-pools
* https://cloud.google.com/kubernetes-engine/docs/reference/rest/

```json
POST https://container.googleapis.com/v1beta1/projects/substrateplayground-252112/locations/us-central1-a/clusters/substrate-playground-production/nodePools
{
  "nodePool": {
    "name": "session",
    "config": {
      "machineType": "n2-highcpu-16",
      "diskSizeGb": 100,
      "oauthScopes": [
        "https://www.googleapis.com/auth/devstorage.read_only",
        "https://www.googleapis.com/auth/logging.write",
        "https://www.googleapis.com/auth/monitoring",
        "https://www.googleapis.com/auth/servicecontrol",
        "https://www.googleapis.com/auth/service.management.readonly",
        "https://www.googleapis.com/auth/trace.append"
      ],
      "metadata": {...
```