0hardik1/README.md

Hi, I'm Hardik 👋

Senior Security Engineer with 10+ years delivering secure-by-default architectures at scale and coordinating cross-functional security programs.

Earlier in my career: threat modeling, application security, secure coding, and penetration testing. Today I'm on the platform security team at Block (Square, Cash App, Afterpay), focused on cloud, Kubernetes, and container security. Previously Twitter, Salesforce, and Synopsys. I write at hardik.info.


Open Source

Recent platform-security work, mostly Kubernetes and cloud:

  • kubesplaining: Kubernetes security assessment CLI that maps multi-hop RBAC privilege-escalation paths to cluster takeover.
  • rbac-why-can-i: kubectl plugin that traces why an RBAC permission is granted, showing the exact Role/Binding chain.
  • agentmoat: moves Kubernetes workloads from runc to gVisor to blunt container-escape, safely and reversibly.
  • eks-identity-migrator: audits IRSA usage and migrates EKS clusters to Pod Identity with verification and rollback.
  • eks-scp: highest-impact AWS Organizations SCPs for EKS, built on the new EKS IAM condition keys.

Selected Work

  • Container image signature verification at admission across Square, Cash App, and Afterpay, with a digest cache to keep verification fast at deploy scale; co-authored Kube-Policies Binauthz: Closing the Supply Chain Gap in Kubernetes.
  • Kubernetes admission guardrails (OPA/Rego) that block high-risk workloads before deploy: privileged pods, host networking, unsafe mounts, and insecure RBAC; co-authored Kube-Policies: Guardrails for Apps Running in Kubernetes.
  • Closed a remote-code-execution gap in a foundational Terraform pipeline (terraform plan executes arbitrary code before review) with layered defenses: CODEOWNERS gating, provider allowlisting, and multi-person authorization (Rego).
  • Enforced hardened golden-image (AMI) policy across ~10,000 AWS accounts via a versioned, staged SCP rollout (dev to prod, with bake time at each stage) that became the standard for SCP changes.
  • Defined secure-by-default guardrails for an AWS VPC Lattice service-mesh adoption across four teams: hardened the Kubernetes controller, authored SCPs and data-perimeter controls, and shipped reusable Terraform modules.
  • Security observability: turned silent policy violations into real-time alerts (OPA, Prometheus, Datadog), cutting incident response time 70%.

Certifications

OSCP  |  Advanced Cloud Security Practitioner (CSA)


Stack

Go  |  Python  |  Rego  |  Terraform  |  Kubernetes  |  AWS  |  OPA/Gatekeeper

Popular repositories

  1. kubesplaining (Public)

    Kubernetes security assessment CLI: RBAC, pod-escape, and privilege-escalation path analysis. Cloudsplaining for Kubernetes.

    Go  |  63 stars  |  4 forks

  2. rbac-why-can-i (Public)

    A kubectl plugin that explains WHY a permission is granted in Kubernetes RBAC by showing the exact Role/ClusterRole + Binding chain.

    Go  |  16 stars  |  2 forks

  3. practicode (Public)

    Python  |  1 star

  4. agentmoat (Public)

    agentmoat moves Kubernetes workloads from the default runc runtime to gVisor (runsc), the user-space kernel that defends against the kernel-exploit step of a container-escape chain.

    Go  |  1 star

  5. 0hardik1 (Public)

    Config files for my GitHub profile.

  6. ktalk (Public)

    Go