Kubesploit

Andy Suderman, CTO @ Fairwinds, discusses the transition from playground to production Kubernetes environments. He agrees that clusters only feel real once they're serving actual customer traffic, but expands beyond just Ingress and DNS to emphasize the broader ecosystem requirements. Andy explains that vanilla Kubernetes clusters are not 100% functional out of the box. Production readiness requires a comprehensive suite of add-ons including ingress controllers, DNS controllers, cert managers, and various operators. The key insight is that the ecosystem of add-ons is crucial to any functional Kubernetes platform, and once these components are in place serving production workloads, the cluster graduates from playground status to a real operational environment. Watch the full interview: https://ku.bz/ZQTRkMpz5 This interview is a reaction to Dan Garfield's episode https://ku.bz/m3YNgCh1W

This week on Learn Kubernetes Weekly 149: 🔥 More DevOps than I Bargained For 🧪 Testing to See if You Can Run a MariaDB Cluster on a $150 Kubernetes Lab ⚡ Ceph on NVMe Made No Sense to Us — So We Built a 40x Better Alternative 🌐 Observing Egress Traffic with Istio 🐍 Trying to Break Out of the Python REPL Sandbox in a Kubernetes Environment: A Practical Journey Read it now: https://learnkube.com/issues/149 ⭐️ This newsletter is brought to you by Tigera, the Creators of Project Calico — Learn how Calico uses eBPF for high performance, low latency, & enhanced networking https://ku.bz/b7Nm3GkwL

Phil Estes, Principal Engineer at Amazon Web Services (AWS), explains why container security extends far beyond using minimal images. He emphasizes examining the entire supply chain including dependencies, software composition analysis, and software bill of materials (SBOM). He discusses the importance of image signing, package signing, and certificate management initiatives, including the OpenSSF's work providing maintainers with physical keys for proper package signing. Watch the full interview: https://ku.bz/K4LmmL2NN This interview is a reaction to Harsha Koushik's episode https://ku.bz/n_sJ04xMY

This article explains the governance differences between AWS Config and Kubernetes native policy engines and their complementary roles in cloud environments. More: https://ku.bz/ttgXTYdrZ

Jim Bugwadia, Co-Founder & CEO @ Nirmata, discusses the concerning statistic that 71% of Kubernetes security vulnerabilities stem from misconfigurations (according to a 2021 Red Hat report). He explains how policy engines like Kyverno enable teams to not only "shift left" but also "shift down" by building security directly into the platform layer. Jim shares how Nirmata customers implement this approach by enforcing policies upfront, scanning in pipelines, and blocking problematic configurations at admission control points, resulting in cleaner Kubernetes environments. Watch the full interview: https://ku.bz/hYZXTmPV9

Thibault shares the technical details of debugging a complex VPA failure at Adevinta, where webhook timeouts triggered continuous pod evictions across their multi-tenant Kubernetes platform. You will learn: - VPA architecture deep dive - How the recommender, updater, and mutating webhook components interact - Hidden Kubernetes limits - How default QPS and burst rate limits in the Kubernetes Go client can cause widespread failures - Monitoring strategies for autoscaling - What metrics to track for webhook latency and pod eviction rates to catch similar issues Watch (or listen to) it here: https://ku.bz/rf1pbWXdN 🌟 This episode is brought to you by Testkube—where teams run millions of performance tests in real Kubernetes infrastructure. From air-gapped environments to massive scale deployments, orchestrate every testing tool in one platform https://ku.bz/lnxYK3s0L With @Birthmarkb "Reading Rainbow" Farrell

kps-zeroexposure is a helm chart that fixes unhealthy or missing control-plane metrics targets in kube-prometheus-stack by deploying a secure Prometheus Agent as a DaemonSet. More: https://ku.bz/jtT5DjB6h

A 45-minute production outage at Weaveworks changed how we deploy software forever. We just released the first episode of "The Making of Flux," a four–part KubeFM original series in which we interview the people who built, maintained, and deployed Flux at scale. Episode 1 features Alexis Richardson (former Weaveworks CEO), Chris Aniszczyk (CNCF CTO), and Andrew Martin (ControlPlane CEO) discussing how that production disaster led to GitOps, what CNCF graduation actually means, and how Flux is thriving. You'll hear about the technical decisions, governance challenges, and production failures that shaped the project and what these practitioners learned the hard way. Thanks to our guests for their candor, to ControlPlane for making this series possible, and to @Birthmarkb. Episode 1 is live now: https://ku.bz/5Sf5wpd8y P.S. If you're going to KubeCon, FluxCon is on November 11th in Salt Lake City https://ku.bz/L843kg0CK

This article explains how to configure Istio to observe encrypted and unencrypted egress traffic in Kubernetes using TLS termination, origination, and certificate management. More: https://ku.bz/rc3DypN0f

kubeseal-convert is a tool for importing secrets from pre-existing secrets management systems (e.g. Vault, Secrets Manager) into a SealedSecret. More: https://ku.bz/fQPD8MvbX

This article explains how to configure Kubernetes SecurityContext settings at the pod and container levels to enforce security policies like non-root execution, volume permissions, and Linux capabilities. More: https://ku.bz/nJ8Zkh6x9

This week on Learn Kubernetes Weekly 148: 🙈 Everything was fine until Kubernetes said ‘No more CPU’ 🫄 Kubernetes Capacity Planning: Getting It Wrong Is Step One (And That’s Okay!) ♻️ Kubernetes v1.33: Updates to Container Lifecycle 📕 From CI to Kubernetes Catalog: Building a Composable Platform with GitOps and vCluster 🍀 Orchestrating a Greener Cloud: Carbon-Aware Kubernetes Scheduling with Liqo and Karmada Read it now: https://learnkube.com/issues/148 ⭐️ This newsletter is brought to you by Testkube — Keep your existing API, performance, and security testing tools. Run it at scale in Kubernetes https://ku.bz/Zfrty_fcC

Shahar Azulay, Co-Founder and CEO at groundcover, explains how observability and security have become increasingly interconnected in Kubernetes environments. He discusses how eBPF technology blurs the line between these domains, allowing groundcover to provide security insights through observability features like API mapping that identifies encryption status and PII exposure. Shahar also highlights the critical security considerations for observability data itself, explaining why groundcover uses a "bring your own cloud" approach rather than the SaaS model common among competitors. Watch the full interview: https://ku.bz/qt-j8gMlS

This repo demonstrates CVE-2024-0132, a container escape in NVIDIA Container Toolkit. It swaps directory contents during validation, causing the toolkit to mount the entire host filesystem into the container instead of just a library file. More: https://ku.bz/0Z5QPQl_N

Jorrick shares how his team of eight students built a complete predictive scaling system for Kubernetes clusters using machine learning. You will learn: - How to implement predictive scaling using Prophet ML model, Prometheus metrics, and custom APIs to forecast Kubernetes workload patterns - The Node Ranking Index (NRI) - a unified metric that combines CPU, RAM, and request data into a single comparable number for efficient scaling decisions - Real-world implementation challenges, including data validation, node startup timing constraints, load testing strategies, and the importance of proper research Watch (or listen to) it here: https://ku.bz/clbDWqPYp 🌟 This episode is brought to you by Testkube—the ultimate Continuous Testing Platform for Cloud Native applications. Scale fast, test continuously, and ship confidently https://ku.bz/lnxYK3s0L With @Birthmarkb "Kidnapped by an artist" Farrell

This tutorial sets up Vault's database secrets engine in AKS to generate short-lived Postgres credentials on demand, using ExternalSecrets and VaultDynamicSecret to sync them into native Kubernetes Secrets. More: https://ku.bz/MbNs69CsB

This repository demonstrates CVE-2024-3094, the backdoor discovered in xz utils versions 5.6.0+. It provides a Docker container with the vulnerable Debian package and a patched liblzma library to reproduce the SSH authentication bypass exploit. More: https://ku.bz/4K_lDB_ff

This tutorial shows how to restrict access to Kubernetes services without a VPN using oauth2-proxy with ingress-nginx. More: https://ku.bz/z67cDR8Fg

KubernetesEnumerationTool audits clusters for exploitable misconfigs, missing best practices, and RBAC overreach. It identifies weak points like privileged pods, hostIPC, insecure tokens and tests node-level access via PowerShell modules. More: https://ku.bz/-zW_QZVKM

This week on Learn Kubernetes Weekly 147: 🐣 Inside a Pod’s Birth: Veth Pairs, IPAM, and Routing with Kindnet CNI ✂️ How We Cut Cross-AZ Traffic Costs Between Kubernetes Services in AWS Using Istio 🙅‍♀️ allowPrivilegeEscalation: false: The Kubernetes Security Flag With a Hidden Catch 🏞️ Kubernetes v1.33: Streaming List responses ⌛️ Fine-grained control with configurable HPA tolerance Read it now: https://learnkube.com/issues/147 ⭐️ This interview is brought to you by vCluster Labs — get the free eBook "GPU-enabled Platforms on Kubernetes". Learn GPU isolation, security patterns, and production architectures for AI infrastructure https://ku.bz/ZQXLKbwL7