Comment on Question on SSL traffic between podman containers and clients (should I run k3s?)

vegetaaaaaaa@lemmy.world 1 year ago

Is the fact that I mentioned ChatGPT setting a wrong impression?

Not at all, but the fact that it suggested jumping straight to k8s for such a trivial problem is… interesting.

how using Unix sockets would improve my security posture here

Unix sockets enforce another layer of protection by requiring the user/application writing/reading to/from them to have a valid UID or be part of the correct group (traditional Linux/Unix permission system). Whereas using plain localhost HTTP networking, a rogue application could somehow listen on the loopback interface and/or exploit a race condition to bind the port and pretend to be the “real” application. Network namespaces (which container management tools use to create isolated virtual networks) mostly solve this problem. Again, basic unencrypted localhost networking is fine for a vast majority of use cases/threat models.

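The permission and identity difference the comment above describes, shown as an added example (not code from the comment, from Podman or from k3s). It assumes Linux, because it uses the `SO_PEERCRED` socket option to read the connecting process's kernel-verified UID; the allowed-UID set and the socket path are constructed for the demo. The Unix socket is created with mode 0660, so only the owner and group can even connect, and the server authorizes the peer by its UID. The loopback TCP server receives only an address and port: every local process that connects looks the same, which is why a rogue process binding or connecting on localhost is indistinguishable without a further authentication layer.

```python
import os
import socket
import stat
import struct
import tempfile
import threading

# Constructed for the demo: the UIDs permitted to use the service. Only our own
# UID is listed so the example runs as any unprivileged user.
ALLOWED_UIDS = frozenset({os.getuid()})

# Linux-specific option: the kernel fills in (pid, uid, gid) of the peer process.
SO_PEERCRED = getattr(socket, "SO_PEERCRED", 17)


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of a Unix socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def create_unix_listener(path, mode=0o660):
    """Bind a Unix socket whose file mode limits who may connect at all."""
    old_umask = os.umask(0o777)          # create the socket node with no permissions ...
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, mode)                 # ... then grant exactly owner+group read/write
    srv.listen(1)
    return srv


def handle_unix_client(srv, allowed_uids, result):
    """Accept one Unix-socket client and authorize it by kernel-supplied UID."""
    conn, _ = srv.accept()
    with conn:
        _pid, uid, _gid = peer_credentials(conn)
        result["peer_uid"] = uid
        # The decision rests on identity the kernel vouches for, not on anything
        # the client claims inside the request.
        result["decision"] = "authorized" if uid in allowed_uids else "rejected"
        conn.sendall(result["decision"].encode())


def handle_tcp_client(srv, result):
    """Accept one loopback TCP client; note that no UID is available here."""
    conn, addr = srv.accept()
    with conn:
        # Loopback TCP only yields (ip, port). Any local process that connects
        # is indistinguishable at this layer.
        result["peer_addr"] = addr
        conn.sendall(b"unknown-identity")


def run_demo():
    """Run both servers once and return what each learned about its client."""
    results = {"unix": {}, "tcp": {}}

    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.sock")   # constructed socket path
        usrv = create_unix_listener(path)
        results["unix"]["mode"] = stat.S_IMODE(os.stat(path).st_mode)
        t = threading.Thread(target=handle_unix_client,
                             args=(usrv, ALLOWED_UIDS, results["unix"]))
        t.start()
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
            c.connect(path)
            results["unix"]["reply"] = c.recv(64).decode()
        t.join()
        usrv.close()

    tsrv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tsrv.bind(("127.0.0.1", 0))              # ephemeral loopback port
    tsrv.listen(1)
    port = tsrv.getsockname()[1]
    t = threading.Thread(target=handle_tcp_client, args=(tsrv, results["tcp"]))
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as c:
        results["tcp"]["reply"] = c.recv(64).decode()
    t.join()
    tsrv.close()
    return results


if __name__ == "__main__":
    print(run_demo())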