Mac Chaffee

Results 60 comments of Mac Chaffee

Another idea:

* Moving volumes between backends - if that is possible, it may open up new opportunities for gracefully changing config by just creating a new backend with the...

Trident conforms to the [Container Storage Interface](https://github.com/container-storage-interface/spec/blob/master/spec.md), which only supports Block storage and File storage, not Object storage. There is an effort to create a [Container Object Storage Interface](https://github.com/kubernetes-sigs/container-object-storage-interface-spec), but...

I'm more worried about having a NetworkPolicy to protect the trident controller API. It is protected by client TLS by default, but having a NetworkPolicy would be a nice defense-in-depth...

I also noticed that if the host has access to IP addresses/LIFs on the SVM, then user pods also have access. So users could `curl `, or even read/write to...

Looks like the daemonset definition comes from here, so I see it has no way to set the resource limits: https://github.com/NetApp/trident/blob/48af782eb8deb09256f710c876cc41ec37e0a757/cli/k8s_client/yaml_factory.go#L891 So this is officially a feature request. Apologies for...

Apparently there's also inconsistency in which modsecurity settings take precedence when there are conflicts (https://github.com/SpiderLabs/ModSecurity-nginx/issues/280), which undermines a lot of the assumptions of #8021. In fact, that PR broke my...

One possibility for the confusion is that updates to the modsecurity settings roll out slowly as the nginx workers restart. If there are long-lived connections keeping old nginx workers from...

I ended up killing the ingress-nginx pods since once they get to ~99% RAM usage, new attempts to reload the configuration cause OOMKills. Interestingly, the newly-creating ingress-nginx pods also attempted...

> Can the issue be closed then?

I would say that enabling modsecurity in "enforcing" mode seems to be an officially supported configuration (albeit not the default config): https://kubernetes.github.io/ingress-nginx/user-guide/third-party-addons/modsecurity/ If...

I wrote this rule in a panic during the outage, so it could be improved:

```
SecRule REQUEST_HEADERS:Host "@streq 127.0.0.1:10246" "id:21029,phase:1,t:none,nolog,pass,ctl:ruleEngine=Off"
```

Since ingress-nginx uses the host header to route...