@mattbrownsec

Runtime Security in Kata: Less Visibility, Better Signal

3d ago · 11 min read · Kata containers give you a stronger boundary. That is the point. But that boundary also breaks a lot of the assumptions we rely on for runtime security. The usual model works because containers share

Kata Containers: When "Container Escape" Stops Working

Mar 25 · 10 min read · I wanted to try Kata Containers. Not in a "read the docs and feel informed" way, but in a burrito way. Which of course means: run it, break it, and see what actually changes. Because on paper, Kata so

Kafka on Kubernetes

Mar 16 · 11 min read · Kafka is often treated as background infrastructure. It quietly moves events between services like payments, analytics, notifications, etc. So it easy to view it as internal plumbing. But Kafka is not

Seccomp in Kubernetes

Feb 16 · 7 min read · In Part 1, we stayed close to the kernel. We watched a process call uname(), attach a seccomp filter, and then get shut down at the syscall boundary. No permissions debate. No LSM policy. No capability check. The kernel simply said: that syscall does...

Seccomp: The Syscall Firewall

Feb 5 · 10 min read · Introduction We’ve already covered two Linux security mechanisms that show up in Kubernetes securityContext: LSMs (mainly AppArmor) Capabilities. Both matter. Both do real work. But there’s a third piece that’s just as important: seccomp. If capa...