Kubesploit
News and links on Kubernetes security curated by the @Learnk8s team Website: https://kubesploit.io/
Repost from N/a
Service meshes and the community's opinion of them have changed drastically over the years.
From being perceived as unnecessary, complicated and bloated, they matured into security and observability powerhouses (while still retaining much of their complexity).
In this KubeFM episode, William dives deep into the world of service meshes and explains some of their technical choices and trade-offs in simple terms.
You will learn:
- What a service mesh is and how it is designed (i.e. control plane and data plane).
- How Ambient mesh departs from the traditional sidecar model and how that affects reliability and security.
- Why there's more than just eBPF in sidecarless service meshes, and the limitations of this technology.
- The direct costs (compute) and human factors involved in operating a service mesh.
Watch (or listen to) it here: https://kube.fm/service-mesh-william
AWS ACM Private CA is a module of the AWS Certificate Manager that can set up and manage private CAs.
This project acts as an addon to cert-manager that signs off certificate requests using AWS PCA.
More: https://github.com/cert-manager/aws-privateca-issuer
Repost from LearnKube news
Kubernetes: 50 namespaces vs 50 control planes vs 50 clusters.
For the last episode of "Building Kubernetes platforms", we decided to run an experiment: how much does multi-tenancy cost?
We created three scenarios:
- 50 tenants using the Hierarchical Namespace Controller.
- 50 tenants using vCluster.
- 50 dedicated clusters managed via Karmada.
Which one was the most expensive?
Spoiler: the dedicated clusters are very expensive.
But is it worth the investment?
Chris will cover it live on Thursday!
Thu, 14th Mar
8am PT | 5pm CET
https://www.vcluster.com/event/workshop-series-3/
In this article, you will learn how envelope encryption works in EKS with KMS through illustrations.
More: https://teamoptimizers.hashnode.dev/envelope-encryption-in-eks
Reflector is a Kubernetes addon designed to monitor changes to resources (Secrets and ConfigMaps) and reflect changes to mirror resources in the same or other namespaces.
More: https://github.com/emberstack/kubernetes-reflector
Repost from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Plaid
$215.3K to $322.9K a year
Remote from the United States
https://kube.careers/t/82ecabe4-3ee3-408e-9e59-de3130fd3475?s=55
DevSecOps Engineer with Hyperscience
$190K to $260K a year
Remote from the United States
https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
Security Architect with Apollo
$190K to $250K a year
Alhambra, CA, USA
https://kube.careers/t/8a1ea5dc-5d25-4ab0-95c8-d893bdb6249b?s=55
Security Architect with Sigma Computing
$190K to $250K a year
From the office in San Francisco, CA, USA
https://kube.careers/t/e6a8ff9b-834f-4e57-bd6f-13b3be3d3b7a?s=55
DevSecOps Engineer with Palo Alto Networks
$180.2K to $236.5K a year
Santa Clara, CA, USA
https://kube.careers/t/c50a52bc-e5ec-43f7-9f4c-bc0103fb9632?s=55
Browse all 448 Kubernetes jobs on Kube Careers https://kube.careers
In this article, you'll compare three popular container signing solutions: Sigstore Cosign, Notary v2, and Docker Content Trust (DCT).
You'll learn about their features, capabilities, and suitability for securing container image supply chains.
More: https://snyk.io/blog/signing-container-images
Repost from LearnKube news
This week on the Learn Kubernetes Weekly:
From 0 to 10'000 Jenkins builds a week
Only one label to improve your security posture
Vault integration
Testing on Kubernetes with Testkube
Migrating from MetalLB to Cilium
Read it now: https://learnk8s.io/issues/69
This tutorial teaches how to integrate Hashicorp Vault with Kubernetes for dynamic, secure secrets management using the External Secrets Operator (ESO).
It covers setting up Vault roles, policies, and the Key/Value secrets engine for ESO.
More: https://faun.pub/vault-integration-with-kubernetes-using-external-secrets-operator-7e13a78db406
Repost from LearnKube news
Kubernetes namespaces are the basic building block for identity and isolation but don't provide any of those features out of the box.
In this session, you will explore in great detail:
- How namespaces are (not) used during scheduling.
- How namespaces are (not) used in the cluster network and the implementation of Network Policies.
- How namespaces provide the starting point for RBAC.
The insights will help you understand the trade-offs in designing a multi-tenant platform on Kubernetes.
Thu, 7th Mar
8am PT | 5pm CET
https://www.vcluster.com/event/workshop-series-2/
Repost from N/a
Can you run databases on Kubernetes and survive to tell the story?
Or should you refrain from running stateful workloads as much as possible?
In this KubeFM episode, Steven argues that you should run databases on Kubernetes.
He also goes further and demonstrates how to build your custom operator to manage your database.
Listen to the episode and learn how:
- You can use Kubebuilder and the Operator Framework to build your operator.
- Custom Resources let you create higher-level abstractions to manage your infrastructure as code.
- Steven's operator manages hundreds of databases at scale at QuestDB.
Watch (or listen to) it here: https://kube.fm/operators-steven
This article explores the fundamental concepts, syntax, semantics, and implementation considerations associated with Network Policies.
It also delves into best practices and real-world examples to illustrate their practical application and benefits.
More: https://medium.com/cloud-native-daily/learn-network-policies-in-kubernetes-4b2258fe8572
In this tutorial, you will learn how to use cert-manager for automated certificate handling using a GitHub Action for e2e testing on a CI environment.
More: https://skarlso.github.io/2023/10/25/self-signed-locally-trusted-certificates-with-cert-manager
This article covers the Pod Security Admission Controller and how it simplifies enforcing Pod Security Standards.
You'll see an example of a managed offering, GKE Autopilot, which applies the baseline policies with some modifications for usability.
More: https://medium.com/google-cloud/improve-your-kubernetes-security-posture-with-the-pod-security-admission-psa-6bb59cc6923f
The Trivy Operator leverages Trivy to continuously scan your Kubernetes cluster for security issues.
The scans are summarised in security reports as Kubernetes Custom Resource Definitions, which become accessible through the Kubernetes API.
More: https://github.com/aquasecurity/trivy-operator
Repost from LearnKube news
This week on the Learn Kubernetes Weekly:
Custom Ink's Kubernetes journey
Slack's internal compute platform
CoreDNS is going to fail as you scale
Workload identity on AKS
OWASP supply chain
Read it now: https://learnk8s.io/issues/68
In this article, you'll learn how GCP Workload Identity provides a powerful solution for securely accessing GCP services and APIs from apps running on GKE.
You will also learn how to configure them.
More: https://blog.firney.com/the-power-of-gcp-workload-identity-secure-access-to-google-cloud-platform-2334ea5fe554
Repost from N/a
Structured Authentication Config is the most significant Kubernetes authentication system update in the last six years.
In this KubeFM episode, Maksim explains how this is going to affect you:
1. You can use multiple authentication providers simultaneously (e.g., Okta, Keycloak, GitLab), with no need for Dex.
2. You can change the configuration dynamically without restarting the API server.
3. You can use any JWT-compliant token for authentication.
4. You can use CEL (Common Expression Language) to determine whether the token's claims match the user's attributes in Kubernetes (username, group).
Watch (or listen to) it here: https://kube.fm/structured-authentication-maksim
Constellation is a Kubernetes engine that wraps your cluster into a single confidential context that is shielded from the underlying cloud infrastructure.
Everything inside is always encrypted, including at runtime in memory.
More: https://github.com/edgelesssys/constellation