Kubesploit

This week's 6 best Kubernetes vacancies that focus on security are: DevSecOps Engineer with Worldcoin 💰 $236K to $323K a year 🏠 From the office in San Francisco, CA, USA → https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55 DevSecOps Engineer with Applied Intuition 💰 $65K to $400K a year 🏠 From the office in Mountain View, CA, USA → https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55 DevSecOps Engineer with Hyperscience 💰 $190K to $260K a year 👨‍💻 Remote from the United States → https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55 DevSecOps Engineer with Crusoe 💰 $210K to $240K a year 🏠 From the office in San Francisco, CA, USA → https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55 DevSecOps Engineer with Opal Security 💰 $140K to $260K a year 🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA → https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55 👉 Browse all 432 Kubernetes jobs on Kube Careers https://kube.careers

This article discusses a critical vulnerability (CVE-2024-23652) in Docker Buildkit = v0.12.4, which allows arbitrary file deletion in the host OS. Mitigation involves updating to Buildkit v0.12.5 or later. More: https://dev.to/snyk/buildkit-build-time-container-teardown-arbitrary-delete-cve-2024-23652-2kkh

This week on the Learn Kubernetes Weekly: 🧓 Understanding the risks of long-lived Kubernetes Service Account tokens 🖖 The impact of numerous GIT branches and tags on Argo CD and cloud budgets 🏥 Surviving OOM in Kubernetes: Java applications 🥷 2023 Kubernetes vulnerability roundup 🚦 Network traffic shaping in Kubernetes: topology aware routing Read it now: https://learnk8s.io/issues/85 🙏 Many thanks to StormForge for supporting our work and sponsoring this issue. Make sure to check out their intent-based access control platform (and related open-source projects) https://bit.ly/3Jjz7D9

This article discusses the evolution of declarative image builds, from distroless images to tools like Bazel, ko, and apko. It highlights the challenges and innovations in creating reproducible Docker build rules and the "Images as Code" concept. More: https://chainguard.dev/unchained/images-as-code-the-pursuit-of-declarative-image-builds

The article discusses the importance of securing Kubernetes clusters using CIS Benchmarks and kube-bench. More: https://itnext.io/fortifying-kubernetes-mastering-security-with-cis-benchmarks-904064d7a3d9

This article covers 2023 Kubernetes vulnerabilities, categorizing them based on CVSS, weakness types, impact types, and other relevant factors. More: https://www.armosec.io/blog/kubernetes-vulnerabilities-2023

The article discusses the risks associated with long-lived Kubernetes service account tokens. It also explores mitigation strategies and the benefits of using short-lived tokens. More: https://dev.to/gitguardian/understanding-the-risks-of-long-lived-kubernetes-service-account-tokens-dok

Master Kubernetes with Learnk8s' Advanced Kubernetes workshops! What should you expect? - Learn how to architect and design clusters from the ground up (in the cloud or on-prem). - Explore the Kubernetes internal component and how the system is designed with resiliency in mind. - Deep-dive into the networking components and observe the packets flowing into the cluster. - Hands-on labs to test the theory with real-world scenarios! - And more. The next courses start next week in June in Munich 🇩🇪: https://kube.events/t/f80476ea-7cd1-4619-999c-e422a1ef3b1b We also run in-person courses and corporate training: https://learnk8s.io/corporate-training

This week's 6 best Kubernetes vacancies that focus on security are: DevSecOps Engineer with Worldcoin 💰 $236K to $323K a year 🏠 From the office in San Francisco, CA, USA → https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55 DevSecOps Engineer with Applied Intuition 💰 $65K to $400K a year 🏠 From the office in Mountain View, CA, USA → https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55 DevSecOps Engineer with Hyperscience 💰 $190K to $260K a year 👨‍💻 Remote from the United States → https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55 DevSecOps Engineer with Crusoe 💰 $210K to $240K a year 🏠 From the office in San Francisco, CA, USA → https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55 DevSecOps Engineer with Opal Security 💰 $140K to $260K a year 🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA → https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55 👉 Browse all 421 Kubernetes jobs on Kube Careers https://kube.careers

Is it right to give GitLab admin permission to run kubectl commands in pipelines? This article explores RBAC permissions in the context of a GitLab pipeline. More: https://medium.com/@tarikyegen35/k8s-creating-a-dedicated-user-serviceaccount-with-restricted-permissions-for-gitlab-ff91c3daa3ce

This week on the Learn Kubernetes Weekly: 🤔 Choosing an orchestrator for multi-tenant code execution system 🪳 KEDA + Kafka: improve performance by 62.15% at peak loads 5️⃣ 5 shortcomings of Helm 🩹 AWS extended EKS support: a costly band-aid for Kubernetes clusters 🚦 A/B testing with Linkerd and Flagger using dynamic routing Read it now: https://learnk8s.io/issues/84 🙏 Many thanks to Otterize for supporting our work and sponsoring this issue. Make sure to check out their intent-based access control platform (and related open-source projects) https://bit.ly/3Jjz7D9

This article demonstrates how to centralize application access management through Single Sign-On (SSO) using OAuth2 Proxy sidecar containers. More: https://cloudchirp.medium.com/sso-authentication-with-oauth2-proxy-sidecar-containers-in-kubernetes-7717fb3ef881

In this KubeFM episode, Yakir and Assaf from Aqua Security explore how a robust Kubernetes secrets strategy is necessary to prevent leaks and maintain a strong security posture. You will learn: - How Kubernetes secrets are leaked, and what tools can you use to prevent that (Hint: Yakir and Assaf suggested using more than one.) - How shadow IT is a more significant threat you might think and why companies should monitor personal Github repositories. - What happens when a secret is leaked and how attackers exploit your resources (or further gain access to more). Watch (or listen to) it here: https://kube.fm/exposed-secrets-yakir-assaf 🙏 Many thanks to Isovalent for supporting our work and sponsoring this episode. Make sure to watch the top Kubernetes security use cases that Tetragon and eBPF cover for platform teams https://isovalent.com/events/2024-04-18-tetragon-webinar/?utm_source=KubeFM-Podcast With @Birthmarkb "The vivacious riddler" Farrell

The article explains the concept of Network Policies in AKS, their importance in securing clusters, and how to create basic network policies. More: https://medium.com/@siddiquimohammad0807/getting-started-with-aks-network-policies-dbb72520c0ae

This article discusses adding availability zone and region labels to Pods using Kyverno. It also explains how Kyverno's mutate rules and background controller dynamically add topology labels to Pods after they are scheduled. More: https://realz.medium.com/add-topology-label-to-your-kubernetes-pods-8c6fb4c1f891

In this tutorial, you will learn how to use eBPF and bcc to detect incidents in Kubernetes. More: https://faun.pub/detecting-specific-incidents-within-your-kubernetes-cluster-using-ebpf-5165771ec9a7

Master Kubernetes with Learnk8s' Advanced Kubernetes workshops! What should you expect? - Learn how to architect and design clusters from the ground up (in the cloud or on-prem). - Explore the Kubernetes internal component and how the system is designed with resiliency in mind. - Deep-dive into the networking components and observe the packets flowing into the cluster. - Hands-on labs to test the theory with real-world scenarios! - And more. The next courses start in June in Munich 🇩🇪: https://kube.events/t/f80476ea-7cd1-4619-999c-e422a1ef3b1b We also run in-person courses and corporate training: https://learnk8s.io/corporate-training

This week's 6 best Kubernetes vacancies that focus on security are: DevSecOps Engineer with Worldcoin 💰 $236K to $323K a year 🏠 From the office in San Francisco, CA, USA → https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55 DevSecOps Engineer with Applied Intuition 💰 $65K to $400K a year 🏠 From the office in Mountain View, CA, USA → https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55 DevSecOps Engineer with Hyperscience 💰 $190K to $260K a year 👨‍💻 Remote from the United States → https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55 DevSecOps Engineer with Crusoe 💰 $210K to $240K a year 🏠 From the office in San Francisco, CA, USA → https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55 DevSecOps Engineer with Opal Security 💰 $140K to $260K a year 🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA → https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55 👉 Browse all 399 Kubernetes jobs on Kube Careers https://kube.careers

This introduction to Kubernetes security discusses authentication, authorization, admission controllers, pod security policies, control plane hardening, logging and network security. More: https://medium.com/@noah_h/an-intro-to-kubernetes-hardening-c8efd7853f27

This week on the Learn Kubernetes Weekly: 🏎️ 98% faster data imports in deployment previews 0️⃣ (Zero-cost) Kubernetes resource tuning in your GitOps pipelines ⚒️ Simplifying Kubernetes development: your go-to tools guide 🔗 How to achieve real zero downtime in Kubernetes rolling deployments: avoiding broken client connections 💦 Plumbing of spawning container with runc Read it now: https://learnk8s.io/issues/83 🙏 Many thanks to Komodor for supporting our work and sponsoring this newsletter issue. Make sure to check out their Kubernetes troubleshooting platform: https://komodor.com/?utm_source=lkw