Kubesploit

News and links on Kubernetes security curated by the @Learnk8s team Website: https://kubesploit.io/

Repost from LearnKube news
This week on Learn Kubernetes Weekly 93:
🖼️ The art of system debugging: decoding CPU utilization
🔭 Observability at the edge
🫙 Advantages of storing configuration in container registries rather than Git
👀 Optimize your Kubernetes resources with Azure IAM: managed vs. workload identity
👯 Comparing multi-tenancy options in Kubernetes
Read it now: https://learnk8s.io/issues/93
🌟 This newsletter is brought to you by CLASTIX, making Kubernetes cluster management boring for SREs https://clastix.cloud?utm_source=learnk8s&utm_medium=nl&utm_campaign=aug2024

This article will teach you about seccomp, how to configure it for processes, and the differences between strict and filter modes. Additionally, you will explore how seccomp is implemented in the Linux kernel. More: https://www.armosec.io/blog/seccomp-internals-part-1

vault-kms-plugin is a Kubernetes KMS plugin that uses HashiCorp Vault's Transit Engine for securely encrypting Secrets, ConfigMaps and other Kubernetes objects in etcd at rest (on disk). More: https://github.com/FalcoSuessgott/vault-kubernetes-kms

Repost from LearnKube news
Awesome-DevOps-telegram is a curated list of public Telegram channels and groups dedicated to DevOps, SRE, and Platform Engineering. More: https://github.com/palark/awesome-devops-telegram

Learn how CRI-O, a Kubernetes container runtime, has a new feature that allows applying seccomp profiles from OCI registries. This feature is useful for sandboxing a process's privileges, restricting the calls it can make from userspace into the kernel. More: https://kubernetes.io/blog/2024/03/07/cri-o-seccomp-oci-artifacts

Learn how to set up AWS WAF with Nginx Ingress Controller in Kubernetes. This guide covers the steps to integrate AWS WAF, including creating a target group and updating the Kubernetes Service type to ClusterIP. More: https://medium.com/@bennsimonotieno/setting-up-aws-waf-with-nginx-ingress-controller-in-kubernetes-d0136e9ba23d

Learn how to apply fine-grained access control in Azure Kubernetes clusters using Identity and Access Management (IAM) and Azure Managed Identities. Understand how service principals work and how to create and configure them for specific purposes. More: https://itnext.io/simplify-secure-your-azure-resources-managed-identity-vs-workload-identity-fe49d133fc03

Repost from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin 💰 $236K to $323K a year 🏠 From the office in San Francisco, CA, USA → https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Trace3 💰 $240K to $290K a year 👨‍💻 Remote from the United States → https://kube.careers/t/d8c90922-9fb6-4a53-bf4d-0e4ac006bed0?s=55
DevSecOps Engineer with Jobs for Humanity 💰 $189.1K to $317.69K a year 🏠 From the office in Bellevue, WA, USA → https://kube.careers/t/47e00ae5-bef2-4118-9059-c45081d02892?s=55
Security Architect with Dexterity 💰 $200K to $300K a year 🏠 From the office in Redwood, CA, USA → https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275?s=55
DevSecOps Engineer with Alchemy 💰 $135K to $350K a year 👨‍💻 Remote from the United States → https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55
👉 Browse all 1428 Kubernetes jobs on Kube Careers https://kube.careers

Repost from N/a
Sam "Frenchie" Stewart, CEO at Ensignia, discusses the importance of admission control in managing policies and protecting against malicious behaviour. He reflects on his experience with K-Rail, an open-source admission control tool, and recommends modern tools like OPA and Kyverno. Frenchie emphasizes the need for stringent RBAC configurations to prevent misuse, noting that while these tools are powerful for enforcing security, they can also be exploited if not properly managed. Watch the full interview: https://kube.fm/secure-policy-frenchie This interview is a reaction to Alex's episode https://kube.fm/troubleshooting-kernel-alex

Repost from LearnKube news
This week on Learn Kubernetes Weekly 91:
🏎️ Container Runtime Interface streaming explained
💸 Saving networking costs for traffic flow between Flux and Github @Dev Shah
♻️ ApplicationSet is more practical in version v2.9
🎸 Migrating from MetalLB to Cilium
🛞 Automatic image update to Git using Flux and GitHub Actions
Read it now: https://learnk8s.io/issues/92
🌟 This newsletter is brought to you by #90daysofdevops, an open-source learning initiative that focuses on the foundations of DevOps https://github.com/MichaelCade/90DaysOfDevOps?utm_source=learnk8s

Repost from N/a
Ben Hirschberg, ARMO's CTO, discusses managing network policies at scale by monitoring development and staging clusters and analyzing application behaviour. This automated process ensures robust network segmentation, closely aligning with zero-trust principles. Watch the full interview: https://kube.fm/network-security-ben This interview is a reaction to Ori's episode https://kube.fm/network-policies-ori

kacti is designed to functionally test whether admission control is correctly configured. It attempts to deploy known-bad containers to Kubernetes clusters and verifies whether the containers successfully deploy. More: https://github.com/shaneboulden/kacti

Repost from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin 💰 $236K to $323K a year 🏠 From the office in San Francisco, CA, USA → https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Trace3 💰 $240K to $290K a year 👨‍💻 Remote from the United States → https://kube.careers/t/d8c90922-9fb6-4a53-bf4d-0e4ac006bed0?s=55
DevSecOps Engineer with Alchemy 💰 $135K to $350K a year 👨‍💻 Remote from the United States → https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55
DevSecOps Engineer with Scale AI 💰 $212K to $254.4K a year 🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA → https://kube.careers/t/817bb996-f703-4fc5-8f1b-0cf0b43d7cd2?s=55
DevSecOps Engineer with Glean 💰 $185K to $280K a year 🏠🏃🏻‍♂️🌎 Palo Alto, CA, USA → https://kube.careers/t/384dd05a-a906-4db7-933a-51b15110f87f?s=55
👉 Browse all 1245 Kubernetes jobs on Kube Careers https://kube.careers

Permission Manager is an application that enables super-easy and user-friendly RBAC management for Kubernetes. With Permission Manager, you can create users, assign namespaces/permissions, and distribute Kubeconfig YAML files via a nice & easy web UI. More: https://github.com/sighupio/permission-manager

Repost from LearnKube news
This week on Learn Kubernetes Weekly 91:
🛞 ServiceRouter: hyperscale and minimal cost service mesh at Meta
🚀 4 ways to reduce cold-start-latency on GKE
Managing Cluster API with kluctl
💎 Varnish sharding with Istio in Kubernetes
⛔️ Authentication and authorization with Istio and OPA on Kubernetes
Read it now: https://learnk8s.io/issues/91
🌟 Are you ready to double your Kubernetes resource utilization? StormForge, the sponsor for this issue, has built an HPA-compatible vertical pod rightsizing solution designed to help you save Mem/CPU and optimize your cloud bill. You can try it for free here: https://www.stormforge.io/?utm_source=Learnk8s&utm_medium=newsletter&utm_campaign=LearnK8s-Q2-27

In this article, you will learn how to manage secrets in GitOps using the age encryption tool. More: https://mirceanton.com/posts/doing-secrets-the-gitops-way

Kyverno is a policy engine designed for Kubernetes. It can validate, mutate, and generate configurations using admission controls and background scans. Kyverno policies are Kubernetes resources and do not require learning a new language. More: https://github.com/kyverno/kyverno

This tutorial demonstrates how to protect an application using Istio, from initial setup to adding security features to the ingress gateway. More: https://medium.com/@marc.guerrini/diy-istio-validate-jwt-1ffbd488b1f3

Repost from Kube Architect
helm-secrets is a Helm plugin for decrypting encrypted Helm value files on the fly.
- Use SOPS to encrypt value files and store them in git.
- Store your secrets in a cloud native secret manager and inject them inside value files or templates.
More: https://github.com/jkroepke/helm-secrets

Dealing with security issues in containers and Kubernetes is an essential engineering skill. In this article, you will learn how to use a simulator to practice DevSecOps for free and in an engaging manner. More: https://blog.palark.com/kubernetes-security-practical-training-simulator