Kubesploit

News and links on Kubernetes security curated by the @Learnk8s team Website: https://kubesploit.io/

Posts Archive
The tutorial discusses the importance of using signed and encrypted container images to enhance security in Kubernetes workloads. It uses Podman to create, sign, and verify container images on standalone systems and Kubernetes clusters. More: https://itnext.io/securing-kubernetes-workloads-a-practical-approach-to-signed-and-encrypted-container-images-ff6e98b65bcd

Repost from N/a
In this KubeFM episode, Stéphane shares his journey of migrating, optimizing and scaling Jenkins on Kubernetes. He discusses the technical challenges, solutions, and strategies employed. You will learn: - How Jenkins on Kubernetes was scaled to handle 10,000 weekly builds. - How they started their journey in 2015 and how the cluster has evolved in the past nine years. - The challenges of managing builds in Jenkins: Docker in Docker, Docker out of Docker and KubeVirt. - The lessons learned in creating ephemeral environments. Watch (or listen to) it here: https://kube.fm/10k-builds-jenkins-stephane 🙏 Many thanks to CloudBees for supporting our work and sponsoring this episode. Make sure to check out their video on how to use pods as Jenkins agents https://www.youtube.com/watch?v=ZXaorni-icg?utm_source=kubefm With @Birthmarkb "The barbarian" Farrell

This article explores how Zero-Trust with automated IAM can streamline secure access, leveraging Intent-Based Access Control (IBAC) for policy generation and the Otterize OSS credentials and Intents Operator for end-to-end automation. More: https://otterize.com/blog/iam-automation-for-eks-and-ack

Repost from LearnKube news
The article discusses developing a Kubernetes Admission Controller with Kotlin to address an issue with the Application Routing add-on and Flux on AKS. More: https://eggboy.medium.com/developing-kubernetes-admission-controller-with-kotlin-fixing-aks-add-on-issue-in-udr-23418ab21d56

Repost from LearnKube news
Kubernetes doesn't load balance long-lived connections, and some Pods might receive more requests than others. In this article, you will learn why and how to fix it with client-side load balancing or a proxy. 👉 https://learnk8s.io/kubernetes-long-lived-connections

This project aims to quickly set up Kubernetes deployments with somewhat realistic/controllable traffic and attacks to test load balancing, WAF, and other security solutions in the cluster. More: https://github.com/kellyjonbrazil/microsim

The article discusses the importance of secure secret management in Kubernetes deployments, highlighting challenges with native secrets. It explores the use of External-Secrets Operator and Config-Reloader to automate secret synchronization. More: https://medium.com/squareops/transforming-kubernetes-secret-management-d6c25f776bca

MKAT is an all-in-one auditing toolkit for identifying common security issues within managed Kubernetes environments. More: https://github.com/DataDog/managed-kubernetes-auditing-toolkit

Repost from LearnKube news
This week on the Learn Kubernetes Weekly: 🚉 How we are managing a container platform 💧 Leaky Vessels deep dive: escaping from Docker one syscall at a time 🕵️‍♀️ How to inspect Kubernetes networking 🔧 Removing specific images from all Kubernetes nodes 🌎 Kubernetes resiliency (RTO/RPO) in multi-cluster deployments Read it now: https://learnk8s.io/issues/82 🙏 Many thanks to StormForgeIO for supporting our work and sponsoring this issue. Make sure to check out their platform to optimise resources and save on your cloud spend https://www.stormforge.io/?utm_campaign=LearnK8s-Q2-24

The "TunnelVision" attacks reinforce the need for a new security paradigm. In this article, you will explore how this type of attack can be mitigated in the future and what tools you need. More: https://otterize.com/blog/moving-beyond-perimeter-security

Repost from N/a
In this KubeFM episode, Hans, a Principal Cloud engineer, shares his experiences empowering teams to use, build and manage platforms built on Kubernetes. You will learn: - How OpenTelemetry and Prometheus shape cluster management and observability. - The role of tools like ArgoCD and Flux in enabling GitOps and streamlining deployment processes. - The significance of governance tools such as Gatekeeper and OPA for secure and validated resource creation. - The benefits of Custom Resource Definitions (CRDs) and operators in automating processes and enhancing the developer experience. Watch (or listen to) it here: https://kube.fm/platform-engineering-hans 🙏 Many thanks to Sysdig for supporting our work and sponsoring this episode. Make sure to check out their Kubernetes security checklist https://sysdig.com/content/c/sysdig-kubernetessec?x=o_J3ln&utm_source=kubefm&utm_medium=referral&utm_campaign=podcast With @Birthmarkb "Zero certified" Farrell

Otterize integrates with GitHub repositories to automatically generate pull requests as application access requirements change in the cluster. This enables platform administrators to continuously align security requirements with code updates. More: https://docs.otterize.com/features/github/tutorials/automated-pull-requests

Repost from N/a
Sam "Frenchie" Stewart, CEO at Ensignia, discusses the importance of admission control in managing policies and protecting against malicious behaviour. He reflects on his experience with K-Rail, an open-source admission control tool, and recommends modern tools like OPA and Kyverno. Frenchie emphasizes the need for stringent RBAC configurations to prevent misuse, noting that while these tools are powerful for enforcing security, they can also be exploited if not properly managed. Watch the full interview: https://kube.fm/secure-policy-frenchie This interview is a reaction to Alex's episode https://kube.fm/troubleshooting-kernel-alex

In this article, you will learn about Istio AuthorizationPolicies and how they function, as well as an alternative approach to declaring them using IBAC (Intent-Based Access Control). More: https://otterize.com/blog/Istio-authz-and-ingress-authn

Repost from N/a
Ben Hirschberg, ARMO's CTO, discusses managing network policies at scale by monitoring development and staging clusters and analyzing application behaviour. This automated process ensures robust network segmentation, closely aligning with zero-trust principles. Watch the full interview: https://kube.fm/network-security-ben This interview is a reaction to Ori's episode https://kube.fm/network-policies-ori

The article discusses automating the building, signing, and verifying of Docker images using tools like Kaniko, Cosign, and Kyverno. It explains how these tools can be integrated into a GitLab CI/CD pipeline to improve efficiency and security. More: https://medium.com/@nizepart/automation-of-building-signing-and-verifying-docker-images-kaniko-cosign-kyverno-769d4ccccf3d

Repost from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are: DevSecOps Engineer with Applied Intuition 💰 $65K to $400K a year 🏠 From the office in Mountain View, CA, USA → https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55 DevSecOps Engineer with Hyperscience 💰 $190K to $260K a year 👨‍💻 Remote from the United States → https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55 DevSecOps Engineer with Crusoe 💰 $210K to $240K a year 🏠 From the office in San Francisco, CA, USA → https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55 DevSecOps Engineer with Opal Security 💰 $140K to $260K a year 🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA → https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55 DevSecOps Engineer with iHerb 💰 $162.19K to $221.17K a year 🏠 From the office in Irvine, CA, USA → https://kube.careers/t/ae334c71-c968-4ed7-93b2-a1a7d13fe4d8?s=55 👉 Browse all 442 Kubernetes jobs on Kube Careers https://kube.careers

Learn how Snyk security researchers uncovered the Leaky Vessels container breakout Docker vulnerabilities that allow a malicious attacker to break out of a container environment with a controlled Dockerfile under docker build and docker run. More: https://dev.to/snyk/leaky-vessels-deep-dive-escaping-from-docker-one-syscall-at-a-time-4479

Repost from LearnKube news
This week on the Learn Kubernetes Weekly: 🥷 Kubernetes webhook used by attackers 👨🏻‍💼 When is admin not admin? When it's super-admin! 📆 Kubernetes HPA based on events in Google Calendar 🔀 Seamless data exchange with Kafka Connect and Strimzi on Kubernetes at Decathlon 🛑 Database in Kubernetes: is that a good idea? Read it now: https://learnk8s.io/issues/81 🙏 Many thanks to Otterize for supporting our work and sponsoring this issue. Make sure to check out their intent-based access control platform (and related open-source projects) https://otterize.com?utm_source=lkw

Tetragon enables powerful real-time, eBPF-based security observability and runtime enforcement. It is Kubernetes-aware and understands identities so that security event detection can be configured to individual workloads. More: https://tetragon.io
