Hacker News: shimont's comments

I've recently received an email from AWS about me running a deprecated EKS cluster with version 1.22, so I had to upgrade all of my clusters! So I've created this upgrade guide to EKS version 1.23. I would love to hear your feedback, and I hope this will help.


Whoops! Good catch! We will fix it. Here are more policies: https://hub.datree.io/built-in-rules


Initially, as it is in read-only mode, there are no risks. But once you enable policy enforcement it will block non-compliant deployments to your cluster. Your organisation has to be ready for it, as it might block a developer trying to apply a hotfix. You need to have the right mechanisms for enabling skips and escalating critical deployments, as with any security tool, I suppose.


I agree, I don't know if it's a mental thing of feeling in control or really more convenient.


I've created a basic index website https://crd.directory/


Congrats on the launch. What is the added value in using Permit as opposed to just implementing ABAC on top of OPA by myself? If I implement it using Rego policies they will be in Git and managed in a GitOps way with tracking changes etc. Of course I understand that you aim for the permissions to be as easy as for a monkey. Do you offer a way of auditing and tracking who made changes to permissions?


Thank you for the congrats and the good question. First of all, building on your own is a valid option; each application is a snowflake and you should find what's best for you. That said, just like with cryptography and authentication, it can be risky to roll your own. If you decide to roll your own with OPA, I'd also recommend sticking to best practices (GitOps is just one; check out this talk I gave at OWASP: https://youtu.be/1_Iz0tRQCH4), and also finding a solution for managing the authorization layer (e.g. https://opal.ac).

To this point specifically ("Do you offer a way of auditing and tracking who made changes to permissions?"): yes, check out Permit's audit-log interface.

In general, on top of the interfaces you get with OSS like OPA and OPAL, there are a lot more interfaces to build (e.g. audit logs, user management, policy editing, approval flows, etc.), and none of them are unique to any application.


Who uses FreeBSD these days? As a company that runs on the cloud (AWS/GCP/Azure) you run Windows/Linux, and on desktop people mainly run MacOS/Windows/Linux.

I am really asking: what is the main use case of FreeBSD in 2022?


We[1] have our entire infrastructure on FreeBSD - and always have.

That's why this has been frustrating - we have a history of committing real money[2][3] to the project in an attempt to make investments ... but there is never a fixed target to make those investments in.

It is a matter of fact that our own use of FreeBSD - in live production for a business - is completely divorced from the experience and day to day usage of FreeBSD developers.

[1] rsync.net and, previously, JohnCompanies

[2] https://www.rsync.net/resources/notices/2007cb.html

[3] USD 50k donation offered - https://lists.freebsd.org/pipermail/freebsd-hackers/2012-Jan...


Whoa, I recall spinning a box up on JohnCompanies back when you guys first popped onto the scene.

Cool to see people still building on FreeBSD, sad to see that it's an uphill battle to stay relevant with it.


Did you learn about us from our kuro5hin ads?

That was 21 years ago ...


That must have been it, used kuro5hin quite a bit back then.


There's a small startup called Netflix that does some internet thing with it.


Yeah, they are small but growing...

"Serving Netflix Video at 400Gb/s on FreeBSD" https://people.freebsd.org/~gallatin/talks/euro2021.pdf


Also WhatsApp, Yahoo!, and many others [1] including Sony (playstation's OS), Apple (macOS) and Microsoft (Azure).

https://freebsdfoundation.org/freebsd/


MacOS isn’t FreeBSD. I believe they forked the FreeBSD userland a long time ago but used GNU for their shell and toolchain (and the kernel etc is completely different.)


MacOS is mostly a FreeBSD kernel plus a Mach kernel, together called XNU, and most "core" utils are still from FreeBSD:

https://en.wikipedia.org/wiki/XNU

https://en.wikipedia.org/wiki/Darwin_(operating_system)#/med...


https://wiki.freebsd.org/Myths#FreeBSD_is_Just_macOS_Without...

>FreeBSD is Just macOS Without the Good Bits

>This is as much a myth about macOS as about FreeBSD; that macOS is just FreeBSD with a pretty GUI. The two operating systems do share a lot of code, for example most userland utilities and the C library on macOS are derived from FreeBSD versions. Some of this code flow works in the other direction, for example FreeBSD 9.1 and later include a C++ stack and compiler that were originally developed for macOS, with major parts of the work done by Apple employees. Other parts are very different.

>Darwin - which consists of the XNU kernel, IOkit (a driver model), and POSIX compatibility via a BSD compatibility layer - makes up part of macOS (as well as iOS, tvOS, and others) includes a few subsystems (such as the VFS, process model, and network implementation) from (older versions of) FreeBSD, but is mostly an independent implementation. The similarities in the userland, however, make it much easier to port macOS code to FreeBSD than any other system - partially because a lot of command-line utilities were imported along with the BSD bits from FreeBSD. For example, both libdispatch (Grand Central Dispatch in Apple's marketing) and libc++ were written for macOS and worked on FreeBSD before any other OS.

>Apple's kernel programming guide goes into more extensive detail about the similarities and differences.

https://developer.apple.com/library/archive/documentation/Da...

>The BSD portion of the OS X kernel is derived primarily from FreeBSD, a version of 4.4BSD that offers advanced networking, performance, security, and compatibility features. BSD variants in general are derived (sometimes indirectly) from 4.4BSD-Lite Release 2 from the Computer Systems Research Group (CSRG) at the University of California at Berkeley.


And those core utils are generally seen as a hindrance by developers using it.

Plus, how long ago did MacOS diverge from FreeBSD? 20+ years ago? Does it even resemble current FreeBSD enough that this observation makes sense, except from a software history perspective?

Edit: Actually, considering that the divergence started with NextStep in 1988, from 4.3 BSD and not FreeBSD, and that Unix was created in 1969, this becomes a bit like comparing Unix 1969 to Linux 1999... so not really relevant anymore.


> Plus, how long ago did MacOS diverge from FreeBSD? 20+ years ago? Does it even resemble current FreeBSD enough that this observation makes sense, except from a software history perspective?

You'll always find people who'll say that Android and ChromeOS are Linux distributions and MacOS is based on FreeBSD. I guess it makes them feel good.


>Android and ChromeOS are Linux distributions

They are, but they are not GNU/Linux... Alpine is not GNU/Linux either, but BusyBox/musl/Linux; maybe it makes others sad that you don't know the difference.

>MacOS is based on FreeBSD. I guess it makes them feel good

For years exactly that was written on Apple's own Mac OS X page, but you know better, right?

https://web.archive.org/web/20090207062005/https://www.apple...

>>Mac OS X Server is based largely on the FreeBSD distribution and includes the latest advances from this development community.

https://web.archive.org/web/20090205151917/http://images.app...

>> Kernel based on FreeBSD and Mach 3.0

https://web.archive.org/web/20081230112742/http://images.app...

>>The Mac OS X kernel at the heart of Darwin is based on FreeBSD 5 and Mach 3.0

Have Fun :)


> Alpine is not GNU/Linux either, but BusyBox/musl/Linux; maybe it makes others sad that you don't know the difference.

I'm more concerned with the practical significance of calling Android or ChromeOS a Linux distribution than being pedantic for the history books.

Sure, Alpine doesn't use the usual userland you'll find on most Linux distributions but it isn't an alien experience and you can use it mostly like any other Linux distribution out there. You'll still find a POSIX shell and a package manager to install packages. There's Xorg or Wayland for the GUI and you'll find familiar desktop environments and window managers.

Unlike Android, you won't find absence of root access on Alpine. There's no restriction on placement of data in directories like /usr and /var. You won't find dozens of UIDs for different processes running at the same time on a single-user system. You can't just slap Android on any x86_64 hardware you want and expect it to work fine. Hell, you can't even do that on ARM devices if you're not using out-of-tree patches and firmware blobs. The Bluetooth and audio stacks on Android are completely different from what you'll use on any Linux distribution.

So yeah, if we're being pedantic, sure, Android is a Linux distribution because it uses the Linux kernel. Good luck using it like a typical Linux distribution though.

> For years exactly that was written on Apples own macOSX page, but you know it better right?

What I wrote above. Sure, pages written decades ago indicate that Apple used FreeBSD as the base for its kernel, but I doubt their kernel is anything close to upstream FreeBSD at this point. The same goes for their userland and graphics stack. Would you call OrbisOS, used by the PS4, a distribution of FreeBSD? Can you do anything meaningful with it like you can with FreeBSD?


>>Would you call OrbisOS, used by PS4, a distribution of FreeBSD?

No one said that, and no one said MacOS is a FreeBSD distribution; you were wrong and now you try to put your half-knowledge into others' mouths.

You can stop now.


> >>Would you call OrbisOS, used by PS4, a distribution of FreeBSD?

> you were wrong and now you try to put your half-knowledge into others' mouths.

> You can stop now.

Nice job being condescending and rude.


Congratulations on still not understanding what a distribution is.


> You'll always find people who'll say that Android and ChromeOS are Linux distributions and MacOS is based on FreeBSD. I guess it makes them feel good.

A "Linux distribution" just requires the kernel, and the version they use isn't that modified.

If you want a wrong statement, it would have to be more like saying they're the same distribution as the internal builds used by Android Inc. in 2005.


https://en.wikipedia.org/wiki/MacOS#Mac_OS_X_10.5_Leopard

>>It was also the first BSD-based OS to receive UNIX 03 certification


Yes Mac is a BSD but isn’t FreeBSD as it was forked two decades ago and has a completely different architecture. You wouldn’t say Dragonfly is FreeBSD, why would MacOS be?


>Yes Mac is a BSD but isn’t FreeBSD

No one said that ever....


>And those core utils are generally seen as a hindrance by developers using it.

I don't like Mac, nor do I like GNU coreutils... but that's my personal taste, and not my problem.

>Plus how long did MacOS diverge from FreeBSD? 20+ years ago? Does it even resemble current FreeBSD enough that this observation makes sense, except from a software history perspective?

I said what kernel it uses (FreeBSD and Mach) and I don't know if Apple rebases their code on current FreeBSD code... you can look that up for yourself. Don't start twisting facts because you didn't know better; at least now you know.


> I don't like Mac, nor do I like GNU coreutils... but that's my personal taste, and not my problem.

Well, it's not your problem, but when millions of developers like GNU coreutils over BSD coreutils, then it kind of becomes everyone's problem :-)

There's a reason GNU became popular when there were other tools available before it appeared.


>but when millions of developers like GNU coreutils over BSD coreutils

I don't care if they cannot install GNU/Linux on their machine but are forced to use a proprietary system like Mac. Not my problem. Don't want BSD coreutils? Don't buy Apple, it's so easy.

>There's a reason GNU became popular when there were other tools available before it appeared.

That's not the reason and you know it, stop with that half-knowledge you think you have.

Something to read for you:

https://en.wikipedia.org/wiki/UNIX_System_Laboratories,_Inc.....


> Don't buy Apple, it's so easy.

And yet they do, by the millions :-) Anyway, I don't really have a bone to pick on this topic.

However:

> That's not the reason and you know it, stop with that half-knowledge you think you have.

Yes, it is. They were full of features and that's why they became popular.

Please enlighten us with your rest-of-half-knowledge, otherwise.


It's funny you wrote that, because when browsing Hacker News, for me the 3rd item above this was: "We're migrating many of our servers from Linux to FreeBSD" (dragas.net) [1]

[1] https://news.ycombinator.com/item?id=30057549


The (currently) top-voted comment of that thread is somebody describing how they went back to Linux after the honeymoon period with FreeBSD, among other reasons because of systemd.


I imagine rsync posted this as a reminder to what's in store. There were roughly 4-5 FreeBSD related posts which hit the main page on HN today.


Domain-specific derivatives of FreeBSD are still very popular, such as TrueNAS, pfSense, OPNsense, and so on.


The BSDs always had a following in network-related roles, since Linux has had some issues in the past (e.g. accept filters used to be useful, iptables more complicated than pf), and OpenBSD cultivated a security-minded reputation.


We run everything on Linux except our PostgreSQL database, which is FreeBSD and ZFS. Have nothing but good things to say.


Have you done any writing about that experience and setup? Both Postgres and ZFS are CoW; I seem to recall some warnings back in the day about conflicts between the two systems, but I have no first-hand experience.


I've been told (in like 2006) that PG is "best" on FreeBSD - but I don't have a link to that IRC channel log.

I did find this benchmark which may be helpful: https://redbyte.eu/en/blog/postgresql-benchmark-freebsd-cent...

I use PG on both and have never had issues (systems only sorta busy (200 connections, less than 2TB on disk))


Best on FreeBSD is one thing but best on ZFS on FreeBSD? IIRC the (oldschool?) guidance was UFS for Postgres.


I've seen ZFS being used with Postgres in a few different environments. Seems to work fine for the most part: surprisingly good compression (~8X in one case, usually lower), with the major downside being increased CPU usage when taking advantage of said compression.

I think that only one or two of those environments were heavily used production instances, so if there is a serious gotcha here it might not have been apparent to me.


No, we're kind of a lean shop so we don't do much tech blogging; it's something we're thinking of doing soon though.

As for CoW, we just turn it off in the Postgres config and rely strictly on ZFS. We also turned off checksumming and compression in Postgres and use Zstd:3 on the file system. Beyond that we just followed your run-of-the-mill tuning guide you'd find on Google.


It's used to build and distribute closed source operating systems and devices to users. Every Mac and iPhone user has a little bit of 2003-era FreeBSD running that provides XNU its BSD "flavor".


Nintendo Switch


SwitchOS is not based on FreeBSD. It has a net stack forked from FreeBSD code, but if that makes it a FreeBSD then Windows and Linux are both BSDs, I guess.


And PS5, FreeNAS and some smaller appliances, and macOS uses some of the userland.


Thank you Varchol :) Also, you can use Helm, which might help on top of Kubernetes manifests.


We just released support for custom rules :) From interviewing our users, we decided to start with JSON Schema [0], as it is very easy to write rules using it and you do not have to learn Rego.

Having said that, we might add OPA .rego support in the near future :)

What is the desired way for you to write custom policy rules?

[0] - https://json-schema.org/
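Added example (not Datree's own code) of the approach described above: a custom rule written as JSON Schema and checked against a Kubernetes Pod manifest. The rule, the sample manifests and the function names are constructed here; it assumes the `jsonschema` package (pip install jsonschema) is installed.

```python
"""Added example, not Datree's own code: a custom rule written as JSON Schema (the
approach the comment above describes) checked against a Kubernetes Pod manifest.
The rule, sample manifests and function names are constructed here; assumes the
`jsonschema` package (pip install jsonschema) is installed."""
from typing import List
from jsonschema import Draft7Validator

# Rule: every container must declare a memory limit and must not be privileged.
CONTAINER_RULE = {
    "type": "object",
    "required": ["resources"],
    "properties": {
        "resources": {
            "type": "object",
            "required": ["limits"],
            "properties": {"limits": {"type": "object", "required": ["memory"]}},
        },
        "securityContext": {
            "type": "object",
            "properties": {"privileged": {"const": False}},
        },
    },
}
# The rule only descends into spec.containers; other manifest keys are untouched.
POD_RULE = {
    "type": "object",
    "properties": {"spec": {
        "type": "object",
        "properties": {"containers": {"type": "array", "items": CONTAINER_RULE}},
    }},
}

def violations(manifest: dict) -> List[str]:
    """Return one 'json.path: message' line per failed check (empty if compliant)."""
    lines = []
    for err in Draft7Validator(POD_RULE).iter_errors(manifest):
        path = ".".join(str(p) for p in err.absolute_path) or "<root>"
        lines.append(f"{path}: {err.message}")
    return sorted(lines)

# Constructed sample manifests: one compliant, one breaking both checks.
GOOD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ok"}, "spec": {
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "resources": {"limits": {"memory": "256Mi"}},
                    "securityContext": {"privileged": False}}]}}
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"}, "spec": {
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "resources": {"limits": {"cpu": "500m"}},    # no memory limit
                    "securityContext": {"privileged": True}}]}}  # privileged
```

Each violation is reported with the JSON path of the offending field, which is the kind of output a CLI check can surface in the IDE or CI before the manifest ever reaches a cluster.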


Hey, this is a great question.

We are big believers in "shift-left" and trying to fix/avoid issues as early as possible. We started with a CLI tool as it is agnostic and can be run in the dev's IDE like VS Code, in the terminal and finally in the CI/CD process.

We love OPA and think that Gatekeeper is a good solution, but we want to provide feedback as early as possible, while Gatekeeper will block a deployment to the Kubernetes cluster at the end of the development process.

As a developer myself I would rather be notified of an issue as early as possible and not find out about it at the very last second before it goes live to production.

We might add support similar to Gatekeeper in the future, but we wanted to be shift-left first :)

I hope this answers your question. Thank you!

