Kubesploit

News and links on Kubernetes security curated by the @Learnk8s team Website: https://kubesploit.io/

2 063 subscribers

Post archive
Repost from LearnKube news
This week on Learn Kubernetes Weekly 147: 🐣 Inside a Pod’s Birth: Veth Pairs, IPAM, and Routing with Kindnet CNI ✂️ How We Cut Cross-AZ Traffic Costs Between Kubernetes Services in AWS Using Istio 🙅‍♀️ allowPrivilegeEscalation: false: The Kubernetes Security Flag With a Hidden Catch 🏞️ Kubernetes v1.33: Streaming List responses ⌛️ Fine-grained control with configurable HPA tolerance Read it now: https://learnkube.com/issues/147 ⭐️ This interview is brought to you by vCluster Labs — get the free eBook "GPU-enabled Platforms on Kubernetes". Learn GPU isolation, security patterns, and production architectures for AI infrastructure https://ku.bz/ZQXLKbwL7

watchall monitors your Kubernetes cluster, snapshots all resource changes into timestamped YAML files, redacts secrets, and lets you diff resource history offline via a deltas subcommand. More: https://ku.bz/WncbdWtvp

Repost from N/a
Frédéric, Senior SRE at BlaBlaCar, shares how his team solved the cold start problem for their 1,500 Java microservices using Istio's warm-up capabilities. You will learn: - Why Java applications struggle with cold starts and how JIT compilation affects initial request latency - How Istio's warm-up feature works to gradually ramp up traffic to new pods - Why other common solutions fail, including resource over-provisioning, init containers, and tools like GraalVM - Real production impact from implementing this solution, including dramatic improvements in message moderation SLOs at BlaBlaCar's scale of 4,000 pods Watch (or listen to) it here: https://ku.bz/grxcypt9j 🌟 This episode is brought to you by Testkube—the ultimate Continuous Testing Platform for Cloud Native applications. Scale fast, test continuously, and ship confidently https://ku.bz/lnxYK3s0L With @Birthmarkb "Javascript troll humor" Farrell

This article explains the limitations of Kubernetes' allowPrivilegeEscalation: false flag and why it does not stop every privilege-escalation method. The flag only sets the no_new_privs bit on the container process, so it blocks gaining privileges through setuid binaries or file capabilities on exec, but it does nothing about the root identity or capabilities the container already starts with. More: https://ku.bz/RpcSdbpgK

Conftest lets you enforce security/compliance rules on Kubernetes, Terraform, and other configs using OPA’s Rego. More: https://ku.bz/Cq4x8tmnM

This article explains how to deploy a sidecar container to transform mounted secrets into structured JSON or .env files for applications. It details watching mounted secrets in real-time and regenerating output on changes. More: https://ku.bz/xKKXSNvb7
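The sidecar described above, as an added example that is not the article's own code: it reads a Kubernetes secret volume the way kubelet lays it out (one `..<version>` directory, a `..data` symlink pointing at it, one symlink per key), renders the keys as a `.env` file and as JSON, and re-renders whenever the `..data` target changes. The `fake_secret_mount()` fixture, the `demo()` helper and all key names are constructed for the example; on a real pod you would point `watch()` at the volume's mountPath and an emptyDir shared with the application.

```python
# Added example (not code from the article above): a minimal "secret sidecar".
# Paths, key names and the fake_secret_mount() fixture are constructed.
import json
import os
import shlex
import tempfile
import time


def read_mounted_secret(mount_dir):
    """Return {key: value} for a secret volume; names starting with '..' are
    kubelet bookkeeping (..data, ..<timestamp>), not keys."""
    data = {}
    for name in sorted(os.listdir(mount_dir)):
        if name.startswith(".."):
            continue
        path = os.path.join(mount_dir, name)
        if os.path.isfile(path):  # follows key -> ..data/<key> symlink
            with open(path, "rb") as f:
                data[name] = f.read().decode("utf-8")
    return data


def to_dotenv(data):
    """KEY=value lines; shlex.quote keeps spaces/quotes intact for `source .env`."""
    return "".join(f"{k}={shlex.quote(v)}\n" for k, v in sorted(data.items()))


def to_json(data):
    return json.dumps(data, indent=2, sort_keys=True) + "\n"


def secret_version(mount_dir):
    """kubelet publishes an update by atomically repointing ..data, so its
    target is a cheap change marker. Plain directories fall back to content."""
    link = os.path.join(mount_dir, "..data")
    if os.path.islink(link):
        return os.readlink(link)
    return repr(read_mounted_secret(mount_dir))


def render(mount_dir, out_dir):
    """Write .env and secrets.json atomically (temp file + rename), mode 0600,
    so the application never reads a half-written file."""
    data = read_mounted_secret(mount_dir)
    for fname, body in ((".env", to_dotenv(data)), ("secrets.json", to_json(data))):
        tmp = os.path.join(out_dir, fname + ".tmp")
        with open(tmp, "w") as f:
            f.write(body)
        os.chmod(tmp, 0o600)
        os.replace(tmp, os.path.join(out_dir, fname))
    return data


def watch(mount_dir, out_dir, poll_seconds=2.0, max_iterations=None):
    """Sidecar loop: re-render whenever the ..data target changes. Returns the
    last version seen (handy for tests; a real sidecar runs with max_iterations=None)."""
    seen, i = None, 0
    while max_iterations is None or i < max_iterations:
        version = secret_version(mount_dir)
        if version != seen:
            render(mount_dir, out_dir)
            seen = version
        i += 1
        if max_iterations is None or i < max_iterations:
            time.sleep(poll_seconds)
    return seen


def fake_secret_mount(mount_dir, data, version="v1"):
    """Constructed fixture mimicking kubelet's layout so the example runs offline."""
    vdir = os.path.join(mount_dir, ".." + version)
    os.makedirs(vdir)
    for key, value in data.items():
        with open(os.path.join(vdir, key), "w") as f:
            f.write(value)
    tmp_link = os.path.join(mount_dir, "..data_tmp")
    os.symlink(".." + version, tmp_link)
    os.replace(tmp_link, os.path.join(mount_dir, "..data"))  # atomic swap, like kubelet
    for key in data:
        key_link = os.path.join(mount_dir, key)
        if not os.path.lexists(key_link):
            os.symlink(os.path.join("..data", key), key_link)


def demo():
    """Render once, rotate the secret the way kubelet would, render again."""
    mount, out = tempfile.mkdtemp(), tempfile.mkdtemp()
    fake_secret_mount(mount, {"DB_USER": "app", "DB_PASS": "p@ss word"})
    watch(mount, out, poll_seconds=0, max_iterations=1)
    with open(os.path.join(out, ".env")) as f:
        first = f.read()
    fake_secret_mount(mount, {"DB_USER": "app", "DB_PASS": "rotated"}, version="v2")
    watch(mount, out, poll_seconds=0, max_iterations=1)
    with open(os.path.join(out, ".env")) as f:
        second = f.read()
    return first, second


if __name__ == "__main__":
    before, after = demo()
    print(before, after, sep="---\n")
```

Polling the `..data` symlink target rather than hashing every file is what makes the loop cheap, and it is also why an inotify watch on the key files themselves misses updates: the files are never rewritten in place, the whole directory is swapped underneath the symlink.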

Pangolin is a self-hosted, WireGuard-based tunnelled reverse proxy that securely exposes internal HTTP/TCP/UDP services without opening ports. More: https://ku.bz/MzkRYlF1l

Repost from LearnKube news
This week on Learn Kubernetes Weekly 146: 😱 When “Anti-Patterns” Become Best Practice: Lessons from Migrating a Global Pub/Sub Empire to Kubernetes 🥷 Trying to break out of the Python REPL sandbox in a Kubernetes environment: a practical journey 🕳️ Digging Deeper: How Pause containers skew your Kubernetes CPU/Memory Metrics 📕 Kubernetes Services: A Deep Dive with Examples 💰 How We Cut Our Azure Cloud Costs by 3× Read it now: https://learnkube.com/issues/146 ⭐️ This newsletter is brought to you by Tigera, the Creators of Project Calico — Learn how Calico uses eBPF for high performance, low latency, & enhanced networking https://ku.bz/d6d07C20F

This article explains how Kubernetes v1.33 closes a long-standing gap: previously a pod could run a private image that happened to be cached on the node without presenting pull credentials for it; the kubelet can now require an authorization check against the image registry before such a pod is allowed to use the cached image. More: https://ku.bz/yPgnR0XRm

Repost from N/a
Brian, VP Cloud Platform Engineering at JPMorgan Chase, shares his ingenious side project that automatically scales Kubernetes workloads based on whether his MacBook is open or closed. You will learn: - How KEDA differs from traditional Kubernetes HPA - The technical architecture connecting macOS notifications through CloudWatch - Cost optimization strategies - Creative approaches to autoscaling signals beyond CPU and memory Watch (or listen to) it here: https://ku.bz/sFd8TL1cS 🌟 This episode is brought to you by Testkube—the ultimate Continuous Testing Platform for Cloud Native applications. Scale fast, test continuously, and ship confidently https://ku.bz/lnxYK3s0L With @Birthmarkb "New Soundproof Studio" Farrell

Kube-Sec is a CLI that connects to your Kubernetes cluster and runs static security checks on core resources. It detects privileged containers, root pods, risky RBAC policies, open ports, hostPath usage, and public service exposure. More: https://ku.bz/x6JpQm94_
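The checks Kube-Sec describes (privileged containers, root pods, hostPath, host ports, public Services) and the allowPrivilegeEscalation catch from the article above, combined into one static audit as an added example. This is my own illustrative code, not Kube-Sec's and not the article's; it takes manifests already loaded as dicts (from `json.load` or `yaml.safe_load`, whichever you use), and the finding codes and the two sample manifests are constructed for the example.

```python
# Added example: static security checks over Pod/Service manifests loaded as dicts.
# Not Kube-Sec's code; finding codes and sample manifests are constructed.

def _effective(pod_spec, container, key):
    """Container securityContext overrides the pod-level one; None if neither sets it."""
    csc = container.get("securityContext") or {}
    psc = pod_spec.get("securityContext") or {}
    return csc.get(key, psc.get(key))


def audit_pod(manifest):
    """Return [(subject, code, message)] for one Pod spec."""
    findings = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = manifest["spec"]
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append((name, "HOST_NAMESPACE", f"{flag}: true shares the node's namespace"))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append((name, "HOSTPATH", f"volume {vol['name']} mounts node path {vol['hostPath'].get('path')}"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c["name"]
        csc = c.get("securityContext") or {}
        privileged = bool(csc.get("privileged"))
        ape = csc.get("allowPrivilegeEscalation")  # unset means true
        caps_add = (csc.get("capabilities") or {}).get("add") or []
        uid = _effective(spec, c, "runAsUser")
        non_root = _effective(spec, c, "runAsNonRoot")
        # uid 0 is root; an unset uid without runAsNonRoot falls back to the image's USER
        root = uid == 0 or (uid is None and non_root is not True)
        if privileged:
            findings.append((cname, "PRIVILEGED", "privileged: true gives full access to the node"))
        if root:
            findings.append((cname, "ROOT_USER", "runs as uid 0 or may inherit the image's USER; set runAsNonRoot: true"))
        if caps_add:
            findings.append((cname, "CAPS_ADDED", f"adds capabilities {caps_add}"))
        if ape is not False and not privileged:
            findings.append((cname, "PRIV_ESC_ALLOWED", "allowPrivilegeEscalation unset/true: setuid binaries and file caps can raise privileges on exec"))
        if ape is False and (root or caps_add):
            # the catch: the flag only sets no_new_privs, it removes nothing already held
            findings.append((cname, "PRIV_ESC_FLAG_NOT_ENOUGH", "allowPrivilegeEscalation: false only blocks gaining new privileges on exec; root identity and added capabilities stay in effect"))
        for p in c.get("ports", []):
            if p.get("hostPort"):
                findings.append((cname, "HOST_PORT", f"hostPort {p['hostPort']} binds on the node"))
    return findings


def audit_service(manifest):
    """Flag Services reachable from outside the cluster network."""
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    svc_type = manifest["spec"].get("type")
    if svc_type in ("LoadBalancer", "NodePort"):
        return [(name, "PUBLIC_EXPOSURE", f"Service type {svc_type} is exposed outside the cluster")]
    return []


def audit(manifest):
    """Dispatch on kind; workload controllers are audited through their pod template."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return audit_pod(manifest)
    if kind == "Service":
        return audit_service(manifest)
    if kind in ("Deployment", "DaemonSet", "StatefulSet", "Job"):
        return audit_pod({"metadata": manifest.get("metadata", {}),
                          "spec": manifest["spec"]["template"]["spec"]})
    return []


# Constructed manifests (not from any real cluster): one misconfigured, one hardened.
BAD_POD = {
    "kind": "Pod", "metadata": {"name": "debug-tools"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "rootfs", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"runAsUser": 0, "allowPrivilegeEscalation": False,
                                            "capabilities": {"add": ["NET_ADMIN"]}}}],
    },
}
GOOD_POD = {
    "kind": "Pod", "metadata": {"name": "api"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{"name": "api", "image": "registry.example/api:1.0",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}

if __name__ == "__main__":
    for m in (BAD_POD, GOOD_POD):
        for subject, code, msg in audit(m) or [("-", "OK", "no findings")]:
            print(f"{m['metadata']['name']}/{subject}: {code}: {msg}")
```

Note that `BAD_POD` sets `allowPrivilegeEscalation: false` and still fails the audit: the process starts as uid 0 with CAP_NET_ADMIN, and no_new_privs never takes those away. The hardened spec passes because it drops all capabilities and runs as a fixed non-root uid, which is what makes the flag meaningful.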

Repost from LearnKube news
📕 Free ebook: GPU-Enabled Platforms on Kubernetes — Available September 8th As AI workloads become standard in production environments, understanding GPU orchestration on Kubernetes has shifted from a nice-to-have to an essential skill. What's inside: - The complete GPU abstraction stack—from physical hardware through kernel drivers to the Kubernetes API - Why traditional container isolation fails for GPU workloads and what actually works - Production-tested approaches: time-slicing, Multi-Instance GPU (MIG), Multi-Process Service (MPS), and vGPU solutions - Architectural patterns for multi-tenant GPU platforms based on trust levels and performance requirements The book launches September 8th in collaboration with vCluster Reserve your free copy: https://ku.bz/gpu-k8s 💡 Live Discussion: September 10th Join author Daniele for a live session covering the book's structure: https://ku.bz/g8gXCKW12

This tutorial teaches how to manage Kubernetes secrets by syncing from external secret managers like AWS Secrets Manager using External Secrets Operator (ESO). More: https://ku.bz/z4S56kDPQ

Repost from N/a
Tim Miller, CEO and Co-founder at Kusari, discusses three categories of tools that are transforming the Kubernetes ecosystem. He highlights Ko, which helps developers deploy applications with minimal friction, Falco by Sysdig, which provides deep system visibility, and SBOM generation tools like Excalibur and Guac, which make container dependencies more transparent. These tools focus on developer experience and system observability. Watch the full interview: https://ku.bz/-2Sqn9Jb9

Repost from LearnKube news
🚀 Kubernetes Instance Calculator V3 is here! Three major updates to help you optimize your cluster costs: ✅ Cost Sensitivity Widget - Visualize how estimation errors impact your actual costs. See why the "cheapest" instance can become the most expensive. ✅ Akamai Support - Full integration with Akamai's compute platform alongside AWS, GCP, and Azure. ✅ Updated Instance Database - Fresh pricing and instance types pulled directly from all cloud providers. The Cost Sensitivity Widget shows what others don't: a 20% error in resource requests can lead to 2x higher costs as pod density drops. Now you can choose instances based on cost stability, not just sticker price. Check it out: https://learnkube.com/kubernetes-instance-calculator Thank you to Akamai Technologies for sponsoring these improvements. They're offering free consultations to review your results: https://ku.bz/yL1tSYYwq

External Secrets Operator syncs secrets from AWS, Vault, GCP, Azure, and others via their APIs and injects them as native Kubernetes Secrets using CRDs. More: https://ku.bz/PCSkhjRtN

This tutorial teaches how to install and configure Falco on GKE for runtime security, test default rules, create alerts in Google Cloud Monitoring, and add custom rules. More: https://ku.bz/zFRVy94dl

Repost from LearnKube news
This week on Learn Kubernetes Weekly 145: 📕 The Data Engineer’s Guide to Optimizing Kubernetes 🤔 Why Scale to Zero? 🔮 Great Scott! The AI went ‘Back to the Backend’ without a ‘Transaction Token with Assured Context’! ⚒️ Building a Kubernetes Controller with Kubebuilder 🫸 The dissection of pushing an OCI image to AWS ECR Read it now: https://learnkube.com/issues/145 ⭐️ This issue is brought to you by Akamai — get Kubernetes clusters that just work with a free managed control plane, simple autoscaling, and global scale https://ku.bz/G08dxqrM6

Repost from N/a
Saptarshi Banerjee, Senior Solutions Architect at AWS, explains how to approach security when designing platform solutions without being a security expert. He outlines AWS's "security as job zero" philosophy and provides a practical framework for building secure systems by leveraging built-in cloud controls rather than trying to become a security specialist. Watch the full interview: https://ku.bz/mLfMNxY9k This interview is a reaction to Mac's episode https://ku.bz/9nFPmG85f

KubeBuddy audits your Kubernetes clusters from PowerShell. It checks node health, pods, events, RBAC, and AKS best practices, then outputs clean HTML or text reports. More: https://ku.bz/85lvgDJpD