sig-security VS Ansible

Cloud Native Security Whitepaper

As Daniel Walsh himself wrote in a blog post, CRI-O integrates very well with SELinux and prevents dangerous actions like a container loading an old, unmaintained and therefore potentially vulnerable kernel module and breaking out of the isolation. Additionally, the Kubernetes API itself contains resources to specifically configure SELinux labels for containers. Doesn't sound like something they would do for a tool that "doesn't work with Kubernetes", according to some. Also, the CNCF security whitepaper mentions SELinux as a tool that can be used to provide isolation and limit privileges, which is as much as we could expect from an high-level, architecturally-minded document.

Fortunately, not every attack has a big enough impact to appear in the newspaper, but let’s analyze some of the most relevant and recent ones. Many other examples of different types of supply chain attacks are also collected by the CNCF in their Catalog of Supply Chain Compromises.

They support for-if from python, too: https://jinja.palletsprojects.com/en/3.1.x/templates/#loop-f... but I haven't tried the "recursive" keyword to know if ansible supports that. I say "ansible supports that" because they don't just drop jinja2 into ansible and call it a draw, they have a bunch of custom execution integrations: https://github.com/ansible/ansible/blob/v2.16.3/lib/ansible/...

To manage a VM, you can use something as simple as just manual actions over SSH, or can use tools like Ansible, Hashicorp's Packer and Terraform or other automations. For an app where there is minimal load and security/reliability concern, VMs are still a great option that provide a lot of value for the buck

In this article's context, it is simply a tool that provides a declarative way to automate your machine/OS to configure the development machine as you want (install package, modify the configuration, etc). Examples of these tools are Ansible, Puppet, etc.

Now we're getting more tangential, but for years, Ansible releases were named for Van Halen songs (see old Changelog here: https://github.com/ansible/ansible/blob/v1.8.4/CHANGELOG.md)

In the lab to follow, we'll quickly provision a 3-node kubeadm cluster (1 master, 2 workers) on the cloud provider of your choice using an automation stack comprised of OpenTofu and Ansible, then deploy Rook Ceph using the official Helm charts and confirm that we are now able to successfully create CSI volume snapshots from PVCs by reusing the MinIO example from our last article.

Ansible-Core ↗

The lookup works fine when parsed as say a msg and braced in "{{ }}" but we're told not to use jinja delimiters in when statements (no idea on the whys to that to be honest) - The issue lies around the first ": " and yaml sees that everything preceding this being a mapping... I have tried all manner of fixes described in YAML syntax error when string contains a colon + space · Issue #2769 · ansible/ansible (github.com) but no dice... the error is a variety of 'The error was: template error while templating string' type errors depending on what attempted fix I'm applying..

IBM -> RedHat -> Ansible (https://docs.ansible.com/platform.html)

I think the new ansible docs are opaque, and the new "everything is an ansible collection" scheme makes troubleshooting any issues reported by users hundreds of times harder than "the old days"

I keep this (https://github.com/ansible-community/ansible-build-data/blob...) bookmarked because it's the only way to match up what "ansible 8.1.0" (https://pypi.org/project/ansible/8.1.0/) even means since it for damn sure not any of this: https://github.com/ansible/ansible/releases (they used to have a 'release' pinned on that releases tab saying "these are not the droids you are looking for"). I believe I tried asking for them to update the completely erroneous pypi "source code" link to point to that repo and ... well, one can see how well that turned out