Kubesploit
News and links on Kubernetes security curated by the @Learnk8s team Website: https://kubesploit.io/

2 063 subscribers

Post archive
This article shows how to run multiple tenants on one Kubernetes cluster using Namespaces, RBAC, Kyverno, NetworkPolicies, Capsule, and vCluster. More: https://ku.bz/cY_wDHz89

This deep dive walks through debugging a common Kubernetes issue: running containers with a non-root UID. More: https://ku.bz/3zgW6dYQX

CVE-2025-1974 in ingress-nginx lets an unauthenticated attacker who can reach the admission controller over the network execute code inside the controller pod, which can escalate to a full Kubernetes cluster takeover. Mitigation requires urgent patching, network hardening, and audit log inspection. More: https://ku.bz/Vb7mRcxpQ
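The post above leaves the practical question open: which of your controllers are still exposed? The Python script below is an added example, not code from the linked article or from the ingress-nginx project. It reads the JSON shape of `kubectl get deploy -n ingress-nginx -o json`, parses the controller image tag (digests and untagged references included), compares it with the fixed release of its branch, and reports whether the validating admission webhook is still switched on, since turning that webhook off is the stop-gap if you cannot upgrade at once. The fixed versions encoded here (v1.11.5 and v1.12.1) are taken from the upstream advisory rather than from this post and should be confirmed there; the Deployment embedded at the bottom is constructed for the demo.

```python
"""Check whether an ingress-nginx controller Deployment is exposed to
CVE-2025-1974: is its image below the fixed release for its branch, and is
the validating admission webhook (the vulnerable component) still enabled?
Input is the JSON shape of `kubectl get deploy -n ingress-nginx -o json`.
Added example, not code from the linked article or the ingress-nginx project.
ASSUMPTION: the fixed releases (v1.11.5 and v1.12.1) are taken from the
upstream advisory; verify them there before acting on the output."""
import json
import re

# Lowest patched release per maintained minor branch (assumption, see above).
FIXED_PER_BRANCH = {(1, 11): (1, 11, 5), (1, 12): (1, 12, 1)}
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_image_version(image):
    """Return (major, minor, patch) from an image reference, or None.
    Handles digests ('...:v1.12.0@sha256:...'), registries with a port
    ('localhost:5000/...') and untagged references."""
    name_and_tag = image.split("@", 1)[0]          # drop any digest
    last = name_and_tag.rsplit("/", 1)[-1]         # e.g. 'controller:v1.12.0'
    if ":" not in last:
        return None                                 # untagged: cannot assess
    match = VERSION_RE.match(last.split(":", 1)[1])
    return tuple(int(x) for x in match.groups()) if match else None


def is_patched(version):
    """True when the version is at or above the fixed release of its branch.
    Branches older than 1.11 received no fix; branches newer than 1.12 are
    assumed to have shipped after the fix (assumption, not from the post)."""
    major, minor, _ = version
    if (major, minor) > (1, 12):
        return True
    fixed = FIXED_PER_BRANCH.get((major, minor))
    return fixed is not None and version >= fixed


def webhook_enabled(container):
    """The admission webhook is active when the controller is started with
    --validating-webhook (usually as --validating-webhook=:8443)."""
    return any(a == "--validating-webhook" or a.startswith("--validating-webhook=")
               for a in container.get("args") or [])


def assess_deployment(deployment):
    """One verdict per container: patched / vulnerable / unknown, plus
    whether the webhook is still on (the thing to disable if you cannot
    upgrade immediately; re-enable it once the upgrade is done)."""
    verdicts = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        version = parse_image_version(c["image"])
        if version is None:
            status = "unknown"
        else:
            status = "patched" if is_patched(version) else "vulnerable"
        verdicts.append({"container": c["name"], "image": c["image"],
                         "version": version, "status": status,
                         "webhook_enabled": webhook_enabled(c)})
    return verdicts


# Constructed Deployment, trimmed to the fields the check needs; the digest
# is a placeholder, not a real image digest.
SAMPLE_DEPLOYMENT = json.loads("""
{"kind": "Deployment",
 "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "controller",
    "image": "registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:%s",
    "args": ["/nginx-ingress-controller",
             "--election-id=ingress-nginx-leader",
             "--controller-class=k8s.io/ingress-nginx",
             "--validating-webhook=:8443",
             "--validating-webhook-certificate=/usr/local/certificates/cert",
             "--validating-webhook-key=/usr/local/certificates/key"]}]}}}}
""" % ("0" * 64))

if __name__ == "__main__":
    for v in assess_deployment(SAMPLE_DEPLOYMENT):
        print(f"{v['container']}: {v['status']} (image version {v['version']}, "
              f"admission webhook {'ON' if v['webhook_enabled'] else 'off'})")
```

An "unknown" verdict (a `latest` tag or an untagged image) is a finding in itself: pin the controller to a versioned tag so the check, and your change records, can say what is running. A "vulnerable" verdict with the webhook on means the webhook port should be unreachable from pods until the upgrade lands.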

This repo is a collection of NetworkPolicy recipes to lock down Kubernetes traffic. More: https://ku.bz/9CYLSX8vm

Repost from LearnKube news
This week on Learn Kubernetes Weekly 137: 🤒 Warmup Your Pods Using Istio 📈 LLM Load Balancing at Scale: Consistent Hashing with Bounded Loads 💰 Balancing Capacity and Cost for Kubernetes Clusters 🔫 When VerticalPodAutoscaler Goes Rogue: How an Autoscaler Took Down Our Cluster ♻️ Building a Cost-Aware Kubernetes Scheduler Read it now: https://learnk8s.io/issues/137 ⭐️ This issue is brought to you by Fairwinds — expert-led, fully managed Kubernetes that frees your engineers from infrastructure headaches and puts you on the fast track to production-grade success https://ku.bz/sSRQp8xDH

This post analyzes CVE-2025-1767, a Kubernetes vulnerability where gitRepo volumes let pods clone any host-local Git repo if the attacker knows the path. More: https://ku.bz/CDGd1YFlx

Repost
Mac Chaffee examines why developers often underestimate the complexity of running modern applications and end up rebuilding Kubernetes from scratch. You will learn:
- Why teams reject Kubernetes then rebuild it piece by piece
- How to identify the tipping point when DIY solutions become more complex than adopting established orchestration tools
- The right approach to abstracting Kubernetes complexity
Watch (or listen to) it here: https://ku.bz/9nFPmG85f
🌟 This episode is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
With @Birthmarkb "Many terribles ideas" Farrell

The Kubeconfig Operator generates restricted kubeconfig files with granular permissions for Kubernetes clusters. Define specific RBAC rules at cluster and namespace levels, set expiration times, and automatically manage service accounts. More: https://ku.bz/X5WpY7QD8

Docker socket mounting can turn a powerful automation tool into a critical security vulnerability. Improperly mounted /var/run/docker.sock can let attackers control your entire system. Learn how in this article. More: https://ku.bz/cPlJztd4V
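Three posts in this archive (the non-root UID deep dive, the CVE-2025-1767 gitRepo write-up, and the Docker socket article above) come down to the same audit surface: a pod's volumes and its securityContext. The Python script below is an added example, not code from any of the linked articles. It walks the JSON shape of `kubectl get pods -A -o json` and flags gitRepo volumes, hostPath mounts of the Docker socket, and containers whose effective UID is 0 or simply unpinned. The finding names and the pod list embedded at the bottom are constructed for the demo; the UID resolution follows the documented rule that a container-level securityContext overrides the pod-level one.

```python
"""Audit a pod list (the JSON shape of `kubectl get pods -A -o json`) for
three patterns from this feed: gitRepo volumes (CVE-2025-1767), hostPath
mounts of the Docker socket, and containers that may run as root.
Added example, not code from any of the linked articles; the pod list at
the bottom is constructed for the demo."""
import json
import sys

# Paths that hand a container control of the node's Docker daemon.
DOCKER_SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def effective_uid_settings(pod_spec, container):
    """Resolve runAsNonRoot / runAsUser the way the kubelet does: a
    container-level securityContext overrides the pod-level one."""
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    run_as_non_root = ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    run_as_user = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
    return run_as_non_root, run_as_user


def audit_pod(pod):
    """Return (namespace/name, finding, detail) tuples for one pod."""
    meta, spec = pod["metadata"], pod["spec"]
    ref = f"{meta['namespace']}/{meta['name']}"
    findings = []

    for vol in spec.get("volumes") or []:
        if "gitRepo" in vol:                      # deprecated volume type
            repo = vol["gitRepo"].get("repository")
            findings.append((ref, "GITREPO_VOLUME", f"volume {vol['name']} clones {repo}"))
        host_path = (vol.get("hostPath") or {}).get("path")
        if host_path in DOCKER_SOCKET_PATHS:
            findings.append((ref, "DOCKER_SOCKET", f"volume {vol['name']} mounts {host_path}"))

    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for ctr in containers:
        non_root, uid = effective_uid_settings(spec, ctr)
        if uid == 0:
            findings.append((ref, "RUNS_AS_ROOT", f"container {ctr['name']} sets runAsUser=0"))
        elif uid is None and non_root is not True:
            # Nothing pins the UID, so the image's USER decides; flag it.
            findings.append((ref, "ROOT_NOT_RULED_OUT",
                             f"container {ctr['name']} sets neither runAsUser nor runAsNonRoot=true"))
    return findings


def audit_pod_list(pod_list):
    """Audit every item of a kubectl List object."""
    findings = []
    for pod in pod_list.get("items") or []:
        findings.extend(audit_pod(pod))
    return findings


# Constructed sample: one pod per pattern, plus a container-level override
# that wins over a safe pod-level runAsUser.
SAMPLE_POD_LIST = json.loads("""
{"kind": "List", "items": [
 {"metadata": {"namespace": "ci", "name": "builder"},
  "spec": {"volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
           "containers": [{"name": "build", "image": "docker:cli",
                           "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}]}]}},
 {"metadata": {"namespace": "web", "name": "site"},
  "spec": {"volumes": [{"name": "src", "gitRepo": {"repository": "/srv/git/site.git"}}],
           "securityContext": {"runAsNonRoot": true},
           "containers": [{"name": "nginx", "image": "nginx"}]}},
 {"metadata": {"namespace": "api", "name": "svc"},
  "spec": {"securityContext": {"runAsUser": 1000},
           "containers": [{"name": "app", "image": "app:1.0",
                           "securityContext": {"runAsUser": 0}}]}}
]}
""")

if __name__ == "__main__":
    # Pipe real data in: kubectl get pods -A -o json | python3 audit.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POD_LIST
    for ref, kind, detail in audit_pod_list(data):
        print(f"{kind:<20} {ref:<20} {detail}")
```

ROOT_NOT_RULED_OUT is deliberately noisy: an image may well run as an unprivileged USER, but nothing in the manifest guarantees it, and the non-root debugging post above exists precisely because that guarantee is usually added late. Prevention belongs in admission (a Kyverno or Pod Security policy), but this read-only pass is what you run first to know the blast radius.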

Repost from LearnKube news
Why doesn't Kubernetes rebalance pods across nodes? Learnk8s runs a 4-day Advanced Kubernetes course next week online, and you will get to the bottom of questions like this (spoiler: the scheduler allocates pods when created, and it doesn't re-evaluate decisions). You will also learn the nitty-gritty details of the Kubernetes architecture:
- How pods can serve traffic even if the control plane is unavailable.
- Why does Kubernetes run a single controller manager and scheduler even in HA?
- Why does the kubelet prefer to poll for updates rather than the master dispatching events?
This (and much more) is covered on the second day of the course. You can find the full agenda, a breakdown of the modules and how to sign up here: https://ku.bz/bRfWBNxJc
Are you training your team? Customize the course in full with private training https://learnk8s.io/corporate-training

RBAC Manager is an operator that supports declarative configuration for RBAC with new custom resources. Instead of managing role bindings or service accounts directly, you can specify the desired state and RBAC Manager will make the necessary changes. More: https://ku.bz/QnyklGrTq

Learn how a misconfigured container registry can let attackers gain unauthorized access to sensitive applications and credentials by exploiting exposed Docker APIs and pulling images without authentication. More: https://ku.bz/P7jNKKZlL

Repost from LearnKube news
This week on Learn Kubernetes Weekly 136: 🍏 How We Integrated Native macOS Workloads with Kubernetes 💉 Why our pods were breaking bad (and how we fixed them) 😊 FacetController: How We Made Infrastructure Changes at Lyft Simple 📦 Operational Considerations for Managing Stateful Workloads 🪔 Can configuration languages (Config DSLs) solve configuration complexity? Read it now: https://learnk8s.io/issues/136 ⭐️ This issue is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training

This diagram maps core Kubernetes security concepts—from RBAC, PodSecurity, and audit logging to container isolation—helping teams visualize enforcement points. Built by Telenor for on-prem clusters, it’s ideal for threat modelling or reviews. More: https://ku.bz/4JP4Yvlmt

Repost
Marc breaks down the cost implications, technical constraints, and operational trade-offs between Kubernetes containers and AWS Lambda functions. You will learn:
- Cost analysis frameworks for comparing Lambda vs Kubernetes across different traffic patterns, including specific examples of 3x savings potential
- Migration complexity factors when moving existing microservices to Lambda, including cold start issues and runtime model changes
- Decision criteria for choosing between platforms based on traffic consistency, computational requirements, and operational overhead tolerance
Watch (or listen to) it here: https://ku.bz/5gMTkzLhV
🌟 This episode is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
With @Birthmarkb "Thanking himself" Farrell

This article dissects how Kyverno's policy generation, combined with Helm's namespace management, leads to race conditions, deletions, and re-creations that break deterministic behaviour, especially when the generate rule has both synchronize and background enabled. More: https://ku.bz/trbB_kp21

Repost
Harsha Koushik, a Security Researcher and Technical Product Manager at Palo Alto Networks, discusses the role of the shell in system interaction and security. He explains that while the shell is a user-friendly interface for interacting with a system, it functions as an abstraction layer, making system calls similar to those made by application libraries. From a security perspective, he highlights that removing the shell does not inherently protect against attacks, as the same system calls can be executed through different libraries. Watch the full episode: https://ku.bz/n_sJ04xMY

This guide shows how to detect Kubernetes runtime threats (e.g. sudo misuse, suspicious file access) using Falco + eBPF, forward logs with Fluent Bit, and route them to Parseable log streams like falcowarn or falconotice. More: https://ku.bz/zTdnws-Fd

Repost from LearnKube news
Why can't you ping a Kubernetes service? Learnk8s runs a 4-day Advanced Kubernetes course on June 26, and you will get to the bottom of questions like this (spoiler: services only exist in etcd). You will also learn the nitty-gritty details of Kubernetes networking:
- How to plan and design a cluster network.
- How do the four Kubernetes services extend each other, and what do you gain from each?
- How CoreDNS, Ingress, and kube-proxy consume the Kubernetes currency: endpoints.
This (and much more) is covered on the third day of the course. You can find the full agenda, a breakdown of the modules and how to sign up here: https://ku.bz/bRfWBNxJc
Are you training your team? Customize the workshop in full with private training https://learnk8s.io/corporate-training

Learn how Confidential Containers use Kata Agent Policies to control container execution in secure environments. This allows administrators to define granular rules restricting images, processes, and actions. More: https://ku.bz/dcdvjJRry