Kubesploit
News and links on Kubernetes security curated by the @Learnk8s team Website: https://kubesploit.io/
Repost from N/a
In this KubeFM episode, Mircea shares his journey of migrating a home lab to Kubernetes, specifically choosing Talos over other operating systems like Ubuntu, Flatcar, or Bottlerocket.
Mircea also discusses his decision-making process and experiences in setting up and optimizing his Kubernetes home lab. You will learn:
- What is Talos Linux and how it compares to other operating systems.
- The challenges and considerations involved in migrating to Kubernetes, including selecting network plugins and GitOps.
- Insights into managing and securing Kubernetes clusters, focusing on the advantages of immutable operating systems.
Watch (or listen to) it here: https://kube.fm/talos-mircea
🙏 Many thanks to DigitalOcean for supporting our work and sponsoring this episode. Make sure to check out their managed Kubernetes service (and enjoy $200 free credits) https://do.co/kubefm
With @Birthmarkb "Crazy Rich Asian" Farrell
The article discusses Trivy, a tool for security scanning in CI/CD pipelines and Kubernetes clusters.
It highlights the shift-left paradigm in identifying potential issues early in development.
More: https://moshe0076.hashnode.dev/trivy-shifting-security-from-right-to-left-and-then-right-again
netfetch is a tool designed to scan Kubernetes namespaces for network policies and check whether a network policy targets your workloads.
More: https://github.com/deggja/netfetch
This article explores browsing websites through a Kubernetes pod by setting up a tunnel for traffic, encountering challenges with CSRF protection, and finding workarounds like modifying headers or using an MITM proxy.
More: https://medium.com/@marius94/browsing-websites-through-a-kubernetes-pod-7daea324c8b7
Repost from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Anthropic
💰 $300K to $405K a year
🏠🏃🏻♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/6a4b5616-64d0-4855-9e10-a0c2b7cefcca?s=55
DevSecOps Engineer with Applied Intuition
💰 $65K to $400K a year
🏠 From the office in Mountain View, CA, USA
→ https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
DevSecOps Engineer with Crusoe
💰 $210K to $240K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55
DevSecOps Engineer with Opal Security
💰 $140K to $260K a year
🏠🏃🏻♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55
👉 Browse all 459 Kubernetes jobs on Kube Careers https://kube.careers
Kubernetes Goat is a "Vulnerable by Design" cluster environment where you can learn and practice Kubernetes security using an interactive, hands-on playground.
More: https://github.com/madhuakula/kubernetes-goat
Repost from LearnKube news
This week on the Learn Kubernetes Weekly:
🙅♀️ conntrack limiting your Gateway
👀 Lookup in Helm Charts
🐝 Cilium native routing
🛑 EKS pods stuck
🗿 DaemonSets: the Philosopher’s Stone of lazy sysadmins
Read it now: https://learnk8s.io/issues/78
Restricting kubectl exec in Kubernetes is crucial for maintaining a secure and compliant environment.
In this article, you'll learn how to leverage Gatekeeper to safeguard your Kubernetes environment.
More: https://medium.com/@javier-canizalez/policy-enforcement-in-kubernetes-restricting-kubectl-exec-with-gatekeeper-7e99823465c9
Repost from N/a
With a passion for security and a knack for troubleshooting, Jennifer Luther Thomas, a Technical Marketing Engineer at Tigera, discusses the critical role of network policies in Kubernetes security, the complexities involved in their implementation, and the balance between security and manageability.
In this KubeFM episode, you will learn:
- The importance of observability in troubleshooting network policies and how it aids in debugging complex issues.
- The trade-offs between the complexity of network policies and the security benefits they provide.
- The skills, thought process and humility behind troubleshooting technologies you are unfamiliar with.
Watch (or listen to) it here: https://kube.fm/network-observability-jen
🙏 Many thanks to Otterize for supporting our work and sponsoring this episode. Make sure to check out their product for automating policies and zero-trust security! https://otterize.com
With 🎙Bart "La falsa modestia" Farrell
DaemonSets in Kubernetes offer a convenient way for sysadmins to deploy system-level services across a cluster, but using them for privileged and non-isolated workloads raises security concerns.
Learn why in this article.
More: https://lobuhisec.medium.com/daemonsets-the-philosophers-stone-of-lazy-sysadmins-0183bae8a75d
Repost from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next courses start in June (online & in Munich): https://learnk8s.io/training
We also run in-person courses and corporate training: https://learnk8s.io/corporate-training
Kyverno and Gatekeeper are robust policy engines with similar features and use cases.
In this article, the author argues that Kyverno stands out for its ease of use and straightforward policy composition.
More: https://medium.com/@glen.yu/why-i-prefer-kyverno-over-gatekeeper-for-native-kubernetes-policy-management-35a05bb94964
Repost from LearnKube news
Ascenda Loyalty's team encountered issues with pods stuck in ContainerCreating due to maxing out pod ENIs, a limitation when using security groups for pods.
The fix involved reducing ENI usage and addressing discrepancies caused by db migration jobs.
More: https://dev.to/hazmei/eks-pods-stuck-in-initcontainercreating-state-14ch
In this article, you'll learn how to store secrets while ensuring multi-tenancy, local work and scalability with:
- SSM Parameter Store to store configs and secrets.
- IAM to restrict access.
- KMS to encrypt/decrypt secrets.
- External Secret Operator.
More: https://medium.com/@geoffrey.muselli/secret-management-in-eks-using-ssm-parameter-store-kms-and-eso-e00a8f63bb4a
Repost from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Anthropic
💰 $300K to $405K a year
🏠🏃🏻♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/6a4b5616-64d0-4855-9e10-a0c2b7cefcca?s=55
DevSecOps Engineer with Plaid
💰 $215.3K to $322.9K a year
👨💻 Remote from the United States
→ https://kube.careers/t/82ecabe4-3ee3-408e-9e59-de3130fd3475?s=55
DevSecOps Engineer with Applied Intuition
💰 $65K to $400K a year
🏠 From the office in Mountain View, CA, USA
→ https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
DevSecOps Engineer with Crusoe
💰 $210K to $240K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55
👉 Browse all 447 Kubernetes jobs on Kube Careers https://kube.careers
Container image hardening involves adhering to best practices, monitoring vulnerabilities, and enhancing container security.
This article provides guidelines to mitigate risks in running Docker containers in production.
More: https://medium.com/@SecurityArchitect/hardening-container-images-best-practices-and-examples-for-docker-e941263cab13
Repost from LearnKube news
This week on the Learn Kubernetes Weekly:
👆 Moving up the stack
✂️ Cut container startup time
😈 Abusing Distroless
🥷 Hacking Kubernetes in AWS
🤔 2vCPU app run faster in a VM than in a container
Read it now: https://learnk8s.io/issues/77
KBOM (Kubernetes Bill of Materials) is a CLI tool that can generate a software bill of materials for your Kubernetes cluster.
More: https://github.com/ksoclabs/kbom
Repost from N/a
In this KubeFM episode, Alexander Block delves into the intricacies of Kubernetes templating and deployment tools, sharing his journey from frustration with existing solutions to creating his tool, kluctl.
Alex also discusses the challenges and solutions in Kubernetes templating and deployment, emphasizing the need for more adaptable tools in the Kubernetes ecosystem.
You will learn:
- The fundamental flaws of Helm and how they impact Kubernetes deployments and tools packaging.
- How tools such as Kustomize, CUE, jsonnet are only a partial solution to templating.
- Alternatives to Helm and the future of Kubernetes resource templating and distribution.
Watch (or listen to) it here: https://kube.fm/kluctl-templating-codablock
This article teaches how to use the Secrets Store CSI driver to mount secrets to Kubernetes pods and covers how to configure and simulate the CSI driver failover feature.
More: https://medium.com/@dksoni4530/how-to-use-the-secrets-store-csi-driver-to-mount-secrets-to-kubernetes-pods-e0e61b481d79