https://blogs.law.harvard.edu/tech/rss https://this-is-fine.io/tags/zeroclaw/ Recent content in ZeroClaw on Fuchsbau https://this-is-fine.io/tags/zeroclaw/ https://source.unsplash.com/2000x1322/?fox 1440 Hugo 0.125.4 de-DE Wed, 20 May 2026 22:26:12 UT https://this-is-fine.io/posts/20251121-cosign-kyverno-zeroclaw/ Fri, 21 Nov 2025 12:00:00 UT ff0x https://this-is-fine.io/posts/20251121-cosign-kyverno-zeroclaw/ For images you build yourself, a practical supply-chain loop is: build in CI, sign the digest, verify at admission. The lab uses Cosign (Sigstore), a private Zot registry at oci.this-is-fine.io, and Kyverno verifyImages so unsigned ZeroClaw pods do not start. CI holds the private signing key; the cluster policy carries the matching public key. Signing answers a simple question: did this image come from your build pipeline? Scanning for CVEs is still worth doing, but signature verification stops casual image substitution even when a tag name looks familiar. Infrastructure Security https://this-is-fine.io/posts/20251120-zeroclaw-in-the-lab/ Thu, 20 Nov 2025 09:00:00 UT ff0x https://this-is-fine.io/posts/20251120-zeroclaw-in-the-lab/ ZeroClaw (nickname Claw) is a small AI agent for cluster work: check Flux status, explain failing pods, dry-run Renovate, draft Git patches. It shares the same GitOps monorepo as the cluster — it is not a second control plane. You talk to it on Matrix at matrix.this-is-fine.social. Web fetches go through MCP to a Scrapling sidecar instead of built-in browser tools, so there is one audited path for HTTP. The agent is deliberately ops-focused. It is not a general chatbot for the public internet; it reads cluster state, follows skills checked into Git, and proposes changes that still pass human review. That keeps expectations aligned with what automation can safely do inside a production-shaped lab. Infrastructure