Kubernetes Security Hardening: RBAC, NetworkPolicy, and Pod Security Policies

Overview Kubernetes Security Hardening: RBAC, NetworkPolicy, and Pod Security Policies is an essential skill in SRE operations. In production environments, mastering these techniques can significantly improve system stability and operational efficiency. Why Kubernetes Security Hardening Matters As systems grow in scale and complexity, traditional operations approaches struggle to meet the demands of modern distributed systems. Kubernetes Security Hardening helps operations teams: Rapid Problem Resolution: Systematic tools and methods reduce troubleshooting time Improved System Visibility: Establish comprehensive monitoring and observability Proactive Fault Prevention: Identify and fix potential risks before they cause outages Resource Optimization: Allocate and schedule resources efficiently Core Concepts and Principles Basic Concepts The core of Kubernetes Security Hardening lies in establishing standardized processes and automated toolchains....

July 4, 2026 · 3 mins · 571 words · XuBaojin

Vulnerability Scanning in CI/CD: From Dependency Checks to Image Security

Overview Vulnerability Scanning in CI/CD: From Dependency Checks to Image Security is an essential skill in SRE operations. In production environments, mastering these techniques can significantly improve system stability and operational efficiency. Why Vulnerability Scanning in CI/CD Matters As systems grow in scale and complexity, traditional operations approaches struggle to meet the demands of modern distributed systems. Vulnerability Scanning in CI/CD helps operations teams: Rapid Problem Resolution: Systematic tools and methods reduce troubleshooting time Improved System Visibility: Establish comprehensive monitoring and observability Proactive Fault Prevention: Identify and fix potential risks before they cause outages Resource Optimization: Allocate and schedule resources efficiently Core Concepts and Principles Basic Concepts The core of Vulnerability Scanning in CI/CD lies in establishing standardized processes and automated toolchains....

May 15, 2026 · 3 mins · 577 words · XuBaojin

Cloud Native Security: Container Security, Image Scanning, and Runtime Protection

Overview Cloud Native Security: Container Security, Image Scanning, and Runtime Protection is an essential skill in SRE operations. In production environments, mastering these techniques can significantly improve system stability and operational efficiency. Why Cloud Native Security Matters As systems grow in scale and complexity, traditional operations approaches struggle to meet the demands of modern distributed systems. Cloud Native Security helps operations teams: Rapid Problem Resolution: Systematic tools and methods reduce troubleshooting time Improved System Visibility: Establish comprehensive monitoring and observability Proactive Fault Prevention: Identify and fix potential risks before they cause outages Resource Optimization: Allocate and schedule resources efficiently Core Concepts and Principles Basic Concepts The core of Cloud Native Security lies in establishing standardized processes and automated toolchains....

October 26, 2025 · 3 mins · 572 words · XuBaojin

TLS/SSL Certificate Management: From Application to Auto-Renewal

Overview TLS/SSL Certificate Management: From Application to Auto-Renewal is an essential skill in SRE operations. In production environments, mastering these techniques can significantly improve system stability and operational efficiency. Why TLS/SSL Certificate Management Matters As systems grow in scale and complexity, traditional operations approaches struggle to meet the demands of modern distributed systems. TLS/SSL Certificate Management helps operations teams: Rapid Problem Resolution: Systematic tools and methods reduce troubleshooting time Improved System Visibility: Establish comprehensive monitoring and observability Proactive Fault Prevention: Identify and fix potential risks before they cause outages Resource Optimization: Allocate and schedule resources efficiently Core Concepts and Principles Basic Concepts The core of TLS/SSL Certificate Management lies in establishing standardized processes and automated toolchains....

September 14, 2025 · 3 mins · 569 words · XuBaojin

Ansible Vault Password Management: A Practical Guide to Encrypting Sensitive Data

Overview In automated operations, Ansible Playbooks frequently handle sensitive information such as database passwords, API keys, and SSH private keys. If this data is stored in plaintext in code repositories, a single repository leak exposes all credentials. Ansible Vault, Ansible’s built-in encryption tool, protects sensitive data using the AES-256 symmetric encryption algorithm, ensuring that only authorized users can access it. This article will systematically cover Ansible Vault usage, password management strategies, and CI/CD pipeline integration—from basic concepts to production practices....

September 5, 2024 · 12 mins · 2521 words · XuBaojin

Kubernetes RBAC and Security Contexts

Overview The default Kubernetes security posture can be summed up in one word: open. The default ServiceAccount has broad API access (depending on version and PSP configuration), Pods run as root, containers can mount the host filesystem, and the network is fully open. This “default open” design lowers the barrier to entry but creates significant security risks in production. This article covers RBAC permission models, ServiceAccount management, Pod Security Standards, SecurityContext, NetworkPolicies, and audit logging—systematically explaining K8s security hardening practices....

May 2, 2024 · 12 mins · 2449 words · XuBaojin

SSH Security Best Practices: From Authentication to Tunneling

Overview SSH (Secure Shell) is the core channel for Linux operations and a primary target for attackers. A misconfigured SSH service can lead to a full server compromise. This article covers SSH security best practices comprehensively — from authentication mechanisms, server-side hardening, bastion host architecture, and tunneling techniques to audit logging and brute-force protection. Key-Based Authentication Generating Key Pairs # Generate Ed25519 key (recommended) $ ssh-keygen -t ed25519 -C "admin@sre.wang" -f ~/....

December 12, 2023 · 15 mins · 3005 words · XuBaojin