Kubesploit
News and links on Kubernetes security curated by the @Learnk8s team Website: https://kubesploit.io/
This article explains how to use Gatekeeper to enforce in-cluster admission policies, such as rejecting :latest images, mandating labels, and disallowing privileged workloads.
More: https://ku.bz/1Zskfkkvg
This tutorial shows how to run OWASP ZAP scans inside GitHub Actions using SecureCodeBox on a Kubernetes kind cluster.
More: https://ku.bz/nDZJpmg5F
Repost from LearnKube news
This week on Learn Kubernetes Weekly 189:
🔥 Zero-Downtime Kubernetes Ingress Controllers on GCP
🏗️ Architecting GPUaaS for Enterprise AI On-Prem
📋 Conditions, Phases, and Declarative Phase Rules in Kubernetes Operators
⚙️ Container-Aware GOMAXPROCS
💀 Why Your Kubernetes Pod Was OOM Killed and Who Really Killed It
Read it now: https://kube.today/issues/189
⭐️ This issue is brought to you by Solanica - replace RDS with a self-hosted DBaaS on your own Kubernetes clusters with automated Day 2 operations and zero vendor lock-in https://ku.bz/NTszfwH40
This guide walks through deploying Istio via Terraform and Helm to secure service-to-service and external communication with mTLS, automatic sidecar injection, and encrypted ingress via Istio Gateway.
More: https://ku.bz/wxcXWRYy2
Kogaro continuously validates Kubernetes config with 60+ checks across reference, resource, security, image, and network domains, catching silent failures before they impact production.
More: https://ku.bz/_DdDJ5wzj
Repost from N/a
AI can quickly create Kubernetes changes, but it is still important to validate them.
Mauricio Salatino from Dash0 tests generated manifests before releasing them. He uses tools like vCluster Bind and provides clear examples to ensure the output matches established patterns.
Good governance begins with testing, understanding the context, and setting clear expectations.
Watch the full interview: https://ku.bz/Q7q0K2RyH
Netfence runs as a daemon, injecting eBPF filter programs into cgroups and network interfaces, with a built-in DNS server that resolves allowed domains and populates IP allowlists, and connecting to a central control plane to synchronize network rules.
More: https://ku.bz/wCc37BMNY
This article covers network security fundamentals in Kubernetes, explaining how clusters default to a flat pod network, how network policies enforce segmentation, and best practices like “default deny” and restricting host networking.
More: https://ku.bz/T2VfCvjdJ
Repost from LearnKube news
Hortator lets AI agents spawn sub-agents at runtime, with each agent running in its own pod with budget caps, network policies, PII redaction, and capability inheritance so children can never escalate beyond their parent's permissions.
More: https://ku.bz/kh47Xb28t
Repost from N/a
Artem Lajko explains OS-level observability - the deepest layer of Kubernetes monitoring focused on infrastructure security and performance.
He describes how specialized tools like Falco and eBPF monitor system calls and kernel events to detect security threats. Using the example of unauthorized container shell access, Artem demonstrates how this layer provides platform teams and security engineers with deep insights while maintaining system performance.
Watch the full episode: https://ku.bz/9sGxhmm8s
Repost from Kube Builders
This tutorial shows how to deploy OpenClaw on Kubernetes with a Helm chart and ArgoCD, using persistent storage, config modes, secrets handling, and network policies to reduce the blast radius of an AI agent.
More: https://ku.bz/4-b9pCNFz
This article shows how to configure Role-Based Access Control (RBAC) in Google Kubernetes Engine (GKE): creating roles and role bindings, and enforcing least privilege across namespaces and cluster APIs.
More: https://ku.bz/RFzkXpXg9
Repost from N/a
Nicholaos Mouzourakis, Staff Product Security Engineer at Gusto, explains how they implemented auditable decision logging for Open Policy Agent (OPA) in their Kubernetes environment. He describes how Styra's Declarative Authorization Service (DAS) ingests and indexes OPA decision logs from all instances, making them searchable in a centralized location.
Nicholaos details how DAS enables:
- Searching for actions taken by specific users
- Identifying users with access to particular resources
- Tracking when and how access was granted
- Simulating policy changes against historical decision logs
He also mentions how they overcame challenges with legacy batch decision logs that weren't easily searchable by implementing a new batch API provided by Styra.
Watch the full episode: https://ku.bz/S-2vQ_j-4
Repost from LearnKube news
This week on Learn Kubernetes Weekly 188:
🔥 When ipBlock Breaks HTTPS in Kubernetes: Debugging NetworkPolicy, Traefik, and Hairpin Routing
🔧 How Nginx's New resolve Directive Finally Fixed Our Kubernetes 502s
⚡ Before You Implement KEDA, Do This First
🤝 Why Your CI/CD Pipeline Failures Still Need a Human — And How We're Changing That
📊 Your SLOs Should Be Kubernetes Resources, Not Grafana Dashboards
Read it now: https://kube.today/issues/188
⭐️ This newsletter is brought to you by LearnKube — master Kubernetes with hands-on training designed for engineers who want to learn the smart way https://ku.bz/7py0zX-ct
This tutorial teaches how to extend EKS with hybrid nodes using IAM Roles Anywhere and HashiCorp Vault for secure authentication of on-premises or edge workloads.
More: https://ku.bz/s3DxFxdHf
This tutorial teaches how to collect Prometheus metrics from Kubernetes clusters and securely route them to remote Prometheus instances using Vector with mTLS encryption.
More: https://ku.bz/_QBDYV4t7
This tutorial teaches how to secure LLM inference services on Kubernetes using Authorino and Envoy for authentication and authorization.
More: https://ku.bz/NWFrLKFbF
This tutorial teaches how to implement container image signature verification in Kubernetes using Cosign for signing, Kyverno for policy enforcement, and Sigstore Policy Controller for admission control.
More: https://ku.bz/vT_tmP0lj
This tutorial shows how to secure east-west traffic in GKE using an Internal Regional Gateway with Envoy proxies, certificates, HTTP Routes with path rewriting, and a zero-trust architecture for service-to-service communication.
More: https://ku.bz/VqqYrclKm
Repost from LearnKube news
This week on Learn Kubernetes Weekly 187:
🧠 Applying Kubernetes Patterns to LLM Workloads
🐢 Why Your Grafana is Slow on Kubernetes (and 3 Replicas Won't Fix It)
📊 Observability at Albert Heijn
🎬 Vibe Coding a Kubernetes Media Server: What I Learned About AI-First Engineering
🔌 Installing Kong Gateway Custom Plugins on Kubernetes using Helm Charts
Read it now: https://kube.today/issues/187
⭐️ This newsletter is brought to you by WeAreDevelopers World Congress — The World’s Largest Event for Developers, AI Builders & Tech Leaders https://ku.bz/cwnthSpPK