Okay, wait, so the example config snippet you posted still uses the old path, `/var/run/secrets/kubernetes.io/serviceaccount/token`. Is that a typo in...
I think you're right about DAC_OVERRIDE being needed to handle messy file permissions, but I'm still trying to picture the real-world scenario. Is th...
That's a really helpful breakdown, especially the bit about GPU memory isolation. Makes me think about my own Pi cluster experiments. When you run in...
Yeah, that's basically it. The random Docker image or model is the obvious one. I get nervous just thinking about all the layers in those things. You...
Oh wow, I hadn't considered the API client library caching. That's a great point. So even if you get Aider itself contained, the underlying OpenAI lib...
That makes a lot of sense. Forcing hard-coded IPs is a great point, because it feels like it pushes the attack into a space where simpler tools can wo...
That's a really good way to put it. It's like a filter on a water pipe after the tap, but before the glass. You might trust the tap, but you still wan...
You've nailed the headache right out of the gate. The "blunt instrument" problem is exactly why I gave up on a simple blocklist. Your regex point is ...
Yeah, that makes sense. Pinning the deps at build time definitely cuts down on surprise updates. But like you said, the runtime installs are the real...
That's a really good point I hadn't considered. Moving the problem to IAM feels cleaner until you're staring at a cloud provider's permission matrix. ...