Kubesploit

This tutorial teaches how to build a cert-manager external issuer that uses a YubiHSM 2 to sign TLS certificates via Go's crypto.Signer interface. More: https://ku.bz/b9GlYRS88

The Kubernetes control plane is where the cluster accepts changes, stores the desired state, and decides what happens next. In this series of articles, you will learn: - How the API server handles authentication, authorization, admission, and storage - How etcd stores the cluster state and why it can become a bottleneck at scale - How the controller manager turns intent into actions through reconciliation loops - How the scheduler filters and ranks nodes before placing Pods https://learnkube.com/kubernetes-control-plane 🌟 If you want to level up your Kubernetes knowledge, the next LearnKube training starts this Thursday: https://learnkube.com/training

X.509 Certificate Exporter is a Go-based Prometheus exporter that monitors certificate expiration inside Kubernetes clusters or as a standalone service, helping teams alert before TLS certificates expire. More: https://ku.bz/BPXM_D-v2

Cilium Policy Generator, watches dropped flows in real time, and auto-generates CiliumNetworkPolicy YAML files to allow them — so you stop writing policies by hand in default-deny Cilium clusters. More: https://ku.bz/hZYF4XgL_

Master Kubernetes with LearnKube's Advanced Kubernetes workshop! What should you expect? - Learn how to architect and design clusters from the ground up (in the cloud or on-prem). - Explore the Kubernetes internal component and how the system is designed with resiliency in mind. - Deep-dive into the networking components and observe the packets flowing into the cluster. - Hands-on labs to test the theory with real-world scenarios! - And more. The next course starts next week: https://learnkube.com/training We also run in-person courses and private training: https://learnkube.com/corporate-training

This week's 6 best Kubernetes vacancies that focus on security are: DevSecOps Engineer with Anthropic 💰 $405K to $485K a year Remote from the United States of America → https://ku.bz/wrrnmcjDQ DevSecOps Engineer with OpenAI 💰 $364.5K to $490K a year Remote from the United States of America → https://ku.bz/NXd17JHfV DevSecOps Engineer with Faire 💰 $268K to $368.5K a year Remote from the United States of America, Canada, the United Kingdom (+1 more) → https://ku.bz/6dD8HVYdT DevSecOps Engineer with Mercor 💰 $130K to $500K a year On-site in San Francisco, CA, USA → https://ku.bz/Hs5qfr1h2 DevSecOps Engineer with Perplexity 💰 $220K to $405K a year Fully remote → https://ku.bz/rnYh0TMpt 👉 Browse 6284 jobs on Kube Careers https://kube.careers

This week on Learn Kubernetes Weekly 179: ☁️ CloudEvents: The Missing Standards of Event-Driven Architecture 🔥 A Field Guide to Sandboxes for AI 🔐 Securing East-West Traffic with GKE Internal Gateway 💥 Designing for Failure: Chaos Engineering Best Practices 📊 Building a Centralized Multi-Account AWS Monitoring Platform Read it now: https://kube.today/issues/179 ⭐️ This newsletter is brought to you by Portworx. Automate, protect, and unify data for modern applications across on-premises, public, and hybrid cloud environments https://ku.bz/sjN4qdbrL

Nicholaos Mouzourakis, Staff Product Security Engineer at Gusto, explains a fascinating performance issue they encountered when deploying Open Policy Agent in Kubernetes. He details how Go's default thread management clashed with Kubernetes CPU resource limits, causing significant performance degradation. The core issue: Go automatically spawns threads equal to the number of CPU cores reported by the OS (8 in their case), but Kubernetes with a 750 millicore limit only allowed access to 75% of a single core. This meant all 8 Go threads were competing for limited CPU resources, creating what he describes as "context switch thrashing." Nicholaos shares how they diagnosed this problem and the counterintuitive solution - reducing GOMAXPROCS from 8 to 2 - which immediately improved performance. Watch the full episode: https://kube.fmhttps://ku.bz/S-2vQ_j-4

This week's 6 best Kubernetes vacancies that focus on security are: DevSecOps Engineer with Anthropic 💰 $405K to $485K a year Remote from the United States of America → https://ku.bz/wrrnmcjDQ DevSecOps Engineer with OpenAI 💰 $364.5K to $490K a year Remote from the United States of America → https://ku.bz/NXd17JHfV DevSecOps Engineer with Faire 💰 $268K to $368.5K a year Remote from the United States of America, Canada, the United Kingdom (+1 more) → https://ku.bz/6dD8HVYdT DevSecOps Engineer with Perplexity 💰 $220K to $405K a year Fully remote → https://ku.bz/rnYh0TMpt DevSecOps Engineer with Veeam Software 💰 $172.4K to $441.5K a year Remote from the United States of America → https://ku.bz/lhKbTMggn 👉 Browse 5950 jobs on Kube Careers https://kube.careers

This week on Learn Kubernetes Weekly 178: 🔥 Kubernetes Remote Code Execution via nodes/proxy Get Permission 🦅 Aetòs: From Chaos to Engineering Excellence — A 3-Year Transformation ☸️ Kubernetes v1.35: Extended Toleration Operators to Support Numeric Comparisons 🔄 Reducing Complexity By Migrating from K8S to ECS Fargate for NetworkLessons 🗄️ Database State Management in Kubernetes: Running SQL Server on AKS with GitOps Read it now: https://kube.today/issues/178 ⭐️ This newsletter is brought to you by StormForge by CloudBolt. Stop setting Kubernetes requests. Let ML handle rightsizing https://ku.bz/2wYKp0Q2Y

Rohit Agrawal from Databricks on replacing Kubernetes networking with a proxy-less, client-side load balancing system and eliminating 20-30% over-provisioning across hundreds of services. You will learn: - Why KubeProxy's L4 routing breaks down for gRPC: it picks a backend once per connection, not per request - How Databricks built an Endpoint Discovery Service that streams real-time pod metadata to every client - How zone-aware spillover cuts cross-AZ costs without sacrificing availability - Why CPU-based routing failed and what signals to use instead Watch (or listen to) it here: https://ku.bz/y803JMhBk 🌟 Sponsored by LearnKube — Kubernetes training, online or in-person. https://learnkube.com/training With @Birthmarkb

This week's 6 best Kubernetes vacancies that focus on security are: DevSecOps Engineer with Anthropic 💰 $405K to $485K a year Remote from the United States of America → https://ku.bz/wrrnmcjDQ DevSecOps Engineer with OpenAI 💰 $364.5K to $490K a year Remote from the United States of America → https://ku.bz/NXd17JHfV DevSecOps Engineer with Faire 💰 $268K to $368.5K a year Remote from the United States of America, Canada, the United Kingdom (+1 more) → https://ku.bz/6dD8HVYdT DevSecOps Engineer with Perplexity 💰 $220K to $405K a year Fully remote → https://ku.bz/rnYh0TMpt DevSecOps Engineer with xAI 💰 $180K to $440K a year On-site in Palo Alto, CA, USA, Washington, DC, USA → https://ku.bz/fk6J-Tflt 👉 Browse 5267 jobs on Kube Careers https://kube.careers

This week on Learn Kubernetes Weekly 177: ☕ What Happens When You Run Java at Scale on Kubernetes 🚀 From Push to Production: Our Deployment Pipeline with Argo CD ⚡ From Minutes to Seconds: How I Eliminated Kubernetes Image Pull Delays 🏕️ Nomad on OpenShift: The Case for the Control Plane 🔬 Deep Dive: The Linkerd Destination Service Read it now: https://kube.today/issues/177 ⭐️ This newsletter is brought to you by Spectro Cloud, helping you scale K8s infrastructure for AI workloads — from cloud to edge https://ku.bz/JD0dS5lhZ

60-70% of all Kubernetes exploits start with exposed credentials. Rodrigo Bersa from AWS lays out the three security concerns every developer should address before going to production: 1. Supply chain security — build from scratch or use hardened base images with zero CVEs from the start. 2. Continuous scanning — a clean image today won't stay clean. 3. Secrets management — Kubernetes secrets are base64-encoded, not encrypted. Store secrets externally (e.g., Secrets Manager) and mount them as volumes. If there's no shell in your image, credentials stay out of reach. Watch the full interview: https://ku.bz/dB7PDNt0v

Paul Butler, founder at Jamsocket, shares his team's approach to Role-Based Access Control (RBAC) in Kubernetes. He explains why they deliberately minimize RBAC usage by leveraging Google Kubernetes Engine's IAM for cluster access and limiting RBAC to essential pod-to-resource permissions. This approach has proven effective for their 4-person team, showing how small organizations can manage Kubernetes without complex RBAC configurations. Watch the full episode: https://ku.bz/Dmn93dd7M

Vincent von Büren was refactoring an old Helm chart when he spotted a debug log line printing a Kubernetes ServiceAccount token to stdout — still running in production. He decoded it: no audience restrictions, one-year expiry. "My stomach turned. I knew this could be a serious security incident." In this episode, Vincent breaks down: - What's actually inside a ServiceAccount JWT - Why default tokens enable replay attacks - Projected tokens — the solution that's been available since 1.20, but why most teams haven't switched - Practical steps to reduce exposure Watch (or listen to) it here: https://ku.bz/LTnB_Ntbc 🌟 This episode is brought to you by LearnKube — comprehensive Kubernetes training. https://learnkube.com/training With @Birthmarkb

This case study shows how upgrading to Kubernetes 1.34 caused KIAM pods to fail due to service account token expiration changes, revealing that legacy clients using long-lived tokens now expire after 24 hours instead of 90 days. More: https://ku.bz/73CpNdNtb

AgentDiscover Scanner detects autonomous AI agents and Shadow AI in codebases using static analysis for Python and JavaScript, network monitoring for active LLM traffic, and Kubernetes runtime detection via Cilium Tetragon eBPF. More: https://ku.bz/lCqClc_3w

This week's 6 best Kubernetes vacancies that focus on security are: DevSecOps Engineer with Anthropic 💰 $405K to $485K a year Remote from the United States of America → https://ku.bz/wrrnmcjDQ DevSecOps Engineer with OpenAI 💰 $364.5K to $490K a year Remote from the United States of America → https://ku.bz/NXd17JHfV DevSecOps Engineer with Faire 💰 $268K to $368.5K a year Remote from the United States of America, Canada, the United Kingdom (+1 more) → https://ku.bz/6dD8HVYdT DevSecOps Engineer with Perplexity 💰 $220K to $405K a year Fully remote → https://ku.bz/rnYh0TMpt DevSecOps Engineer with xAI 💰 $180K to $440K a year Remote from the United States of America → https://ku.bz/R4vBYC5mW 👉 Browse 4557 jobs on Kube Careers https://kube.careers

Amine Hilaly, Software Development Engineer at Amazon Web Services (AWS), explores the fundamental architectural decision of whether to expose multiple Kubernetes resources through a single higher-level API or manage them individually. He examines the security implications of giving users access to all deployment fields versus implementing restricted defaults with secure configurations. Watch the full interview: https://ku.bz/Gq1-34ZN0