Kubesploit

News and links on Kubernetes security curated by the @Learnk8s team Website: https://kubesploit.io/

Repost from N/a
Self-service and governance aren't competing forces — they work together. Peter Kelly explains how Tigera's tiered network policies in Project Calico let platform teams lock down critical rules at an upper layer while giving developers a lower tier to manage their own policies. Security stays immutable at the top, and developers get autonomy within those guardrails. The key: treat policy tiers like layers — compulsory at the top, flexible at the bottom.

Watch the full interview: https://ku.bz/xgqZJhdyn

This interview is a reaction to Ben Poland's episode https://ku.bz/klBmzMY5-

Repost from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Tailscale 💰 $16.15M to $20.21M a year 🌎 Fully remote → https://ku.bz/J9Cs7QBBp

DevSecOps Engineer with Accenture Federal Services 💰 $11.49M to $15.13M a year 👨‍💻 Remote from → https://ku.bz/bsl59cPMh

DevSecOps Engineer with OpenAI 💰 $364.5K to $490K a year 👨‍💻 Remote from the United States of America → https://ku.bz/NXd17JHfV

DevSecOps Engineer with Anthropic 💰 $300K to $405K a year 👨‍💻 Remote from → https://ku.bz/LzVjTfYNp

DevSecOps Engineer with Point72 💰 $225K to $300K a year 👨‍💻 Remote from → https://ku.bz/gG67-vdCY

👉 Browse 2029 jobs on Kube Careers https://kube.careers

This article shows how to scan Helm charts for insecure RBAC, secret leaks, and malicious templates using tools like Trivy, GitHub Search, and OPA. More: https://ku.bz/k4MpGVLyZ

Repost from LearnKube news
This week on Learn Kubernetes Weekly 170:

📦 Could lockfiles just be SBOMs?
🌐 Dynamic Istio Ingress Gateway Management with Kyverno
🎮 Factorio in Kubernetes? Well, why not?
🤖 Running DeepSeek Models on Kubernetes: A Backend Engineer's Experiment
⚡ Ephemeral Infrastructure: Why Short-Lived is a Good Thing

Read it now: https://kube.today/issues/170

⭐️ This issue is brought to you by vCluster and LearnKube — join "Multi-Tenancy March" starting Feb 24: a free 3-part hands-on series on namespace isolation, virtual clusters, GPU sharing, and AI agent sandboxing on Kubernetes https://ku.bz/multitenant26

Guardon is a Kubernetes admission controller that enforces security and compliance policies in real-time before resources are created in your cluster. More: https://ku.bz/d4hT8s9Sw

Repost from N/a
Tibo on why Kubernetes isn't just for enterprise scale — it can be a practical choice for solo self-hosters too.

You will learn:
- Why Ansible's declarative promise fell short with the Podman collection, forcing sequential imperative steps instead of desired-state definitions
- How community Helm charts replace the need to write and maintain every manifest yourself
- Why GitOps isn't just a deployment workflow — it's a disaster recovery strategy when your infrastructure lives in your living room

Watch (or listen to) it here: https://ku.bz/Xk5S7VqXz

🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training

With @Birthmarkb

Repost from N/a
Ritesh Patel, Co-founder @ Nirmata, explains how Nirmata's AI platform engineering assistant differentiates itself in the market through strategic focus rather than broad appeal. He demonstrates a direct approach to competitive positioning by acknowledging that their solution isn't for everyone - it's specifically designed for teams that have already adopted Kyverno as their policy engine.

Watch the interview: https://ku.bz/8nkrRSG_Z

Read the announcement: https://ku.bz/8_yYZZMG4

This article explains the risks of using unmaintained Docker images and how to detect vulnerabilities with tools like Trivy, SBOM operator, and Dependency Track. More: https://ku.bz/WJ75qXRbV

Synapse is a high-performance reverse proxy and firewall built with Rust, using XDP-based packet filtering for ultra-low latency protection at kernel level. More: https://ku.bz/w2PFxxfN8

This case study shows how Mindbody used Kyverno policy-as-code to dynamically manage Istio ingress gateways across hundreds of applications without updating individual Helm charts. More: https://ku.bz/F6-Xr10Yv

Repost from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Tailscale 💰 $16.01M to $20.04M a year 🌎 Fully remote → https://ku.bz/J9Cs7QBBp

DevSecOps Engineer with Accenture Federal Services 💰 $10.84M to $20.34M a year 👨‍💻 Remote from → https://ku.bz/WdgxCrTlm

DevSecOps Engineer with OpenAI 💰 $364.5K to $490K a year 👨‍💻 Remote from the United States of America → https://ku.bz/NXd17JHfV

DevSecOps Engineer with Anthropic 💰 $300K to $405K a year 👨‍💻 Remote from → https://ku.bz/LzVjTfYNp

DevSecOps Engineer with Scale AI 💰 $264K to $330K a year 👨‍💻 Remote from → https://ku.bz/BdXCcJX58

👉 Browse 1635 jobs on Kube Careers https://kube.careers

kubectl-rexec is a kubectl plugin that provides full audit logging for kubectl exec sessions, addressing the security gap where standard exec commands leave no trace of what happens inside containers. More: https://ku.bz/yRQZ9Jrml

Repost from N/a
"Self-service capabilities without governance is how you get outages at 3 AM." Zain Malik from ExoStellar tackles the tension between developer empowerment and platform governance. A mature platform provides standardized interfaces that give users access to what they need—kernel layers, node layers, DOS systems—without compromising reliability. The key insight: centralization isn't about restriction, it's about creating reliable building blocks that scale.

Watch the full interview: https://ku.bz/rwttMCncv

Repost from N/a
Nicholaos Mouzourakis, Staff Product Security Engineer at Gusto, explains how Open Policy Agent (OPA) integrates with Kubernetes for authorization. He highlights OPA's versatility and performance characteristics, noting that a single node can handle numerous requests with proper optimization.

He describes multiple deployment options, including:
- Standing up multiple OPA instances
- Setting up auto-scaling groups
- Co-locating OPA with server pods
- Running OPA as a WASM module for lower latency

Watch the full episode: https://kube.fm https://ku.bz/S-2vQ_j-4

Repost from LearnKube news
This week on Learn Kubernetes Weekly 169:

🔥 When High Availability Brings Downtime
🔄 Upgrade AWS CSI Drivers in Your Multi-Tenant Kubernetes Cluster
🤖 How We Serve AI/ML Models at Scale in SAP AI Core
✅ Container Readiness Checks for Spring Boot Deployments
🌐 CoreDNS in OpenShift

Read it now: https://kube.today/issues/169

⭐️ This newsletter is brought to you by LearnKube — master Kubernetes with hands-on training designed for engineers who want to learn the smart way https://ku.bz/hypSbyc-V

This tutorial teaches how to deploy HashiCorp Vault Secrets Operator on Google Kubernetes Engine to synchronize Vault secrets into Kubernetes Secret resources automatically. More: https://ku.bz/QnvFmQp8h

Repost from N/a
Ziv Yatzik manages 600+ Postgres clusters in a closed network environment with no public cloud. After existing backup solutions proved unreliable — causing downtime when disks filled up — his team built a new architecture using pgBackRest, Argo CD, and Kubernetes CronJobs.

You will learn:
- Why storing WAL files on shared NAS storage prevents backup failures from cascading into database outages
- How GitOps with Argo CD lets them manage backups for hundreds of clusters by adding a single YAML file

Watch (or listen to) it here: https://ku.bz/Rg_sQYSmw

🌟 This episode is sponsored by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training

With @Birthmarkb

Kaniop is a Kubernetes operator written in Rust for managing Kanidm identity management clusters, providing declarative identity management through GitOps workflows. More: https://ku.bz/D1JBBy0B3

This article explains a critical security issue where AWS CSI drivers gave DaemonSet service accounts the ability to patch nodes, completely breaking node isolation in multi-tenant clusters. More: https://ku.bz/xGP7ymMvW

Dockadvisor is a lightweight Dockerfile linter built in Go that validates your Dockerfiles with over 60 rules covering syntax, security, and best practices. More: https://ku.bz/2DT4TqRRk