Dealing with security issues in containers and Kubernetes is an essential engineering skill.
In this article, you will learn how to use a simulator to practice DevSecOps for free and in an engaging manner.
More: https://blog.palark.com/kubernetes-security-practical-training-simulator
In this article, you will learn how to use a simulator to practice DevSecOps for free and in an engaging manner.
More: https://blog.palark.com/kubernetes-security-practical-training-simulator
Forwarded from Kube Architect
helm-secrets is a Helm plugin for decrypting encrypted Helm value files on the fly.
- Use SOPS to encrypt value files and store them in git.
- Store your secrets in a cloud native secret manager and inject them inside value files or templates.
More: https://github.com/jkroepke/helm-secrets
- Use SOPS to encrypt value files and store them in git.
- Store your secrets in a cloud native secret manager and inject them inside value files or templates.
More: https://github.com/jkroepke/helm-secrets
This tutorial demonstrates how to protect an application using Istio, from initial setup to adding security features to the ingress gateway.
More: https://medium.com/@marc.guerrini/diy-istio-validate-jwt-1ffbd488b1f3
More: https://medium.com/@marc.guerrini/diy-istio-validate-jwt-1ffbd488b1f3
Kyverno is a policy engine designed for Kubernetes.
It can validate, mutate, and generate configurations using admission controls and background scans.
Kyverno policies are Kubernetes resources and do not require learning a new language.
More: https://github.com/kyverno/kyverno
It can validate, mutate, and generate configurations using admission controls and background scans.
Kyverno policies are Kubernetes resources and do not require learning a new language.
More: https://github.com/kyverno/kyverno
In this article, you will learn how to manage secrets in GitOps using the
More: https://mirceanton.com/posts/doing-secrets-the-gitops-way
age encryption tool.More: https://mirceanton.com/posts/doing-secrets-the-gitops-way
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 91:
🛞 ServiceRouter: hyperscale and minimal cost service mesh at Meta
🚀 4 ways to reduce cold-start-latency on GKE
📝 Managing Cluster API with kluctl
💎 Varnish sharding with Istio in Kubernetes
⛔️ Authentication and authorization with Istio and OPA on Kubernetes
Read it now: https://learnk8s.io/issues/91
🌟 Are you ready to double your Kubernetes resource utilization?
StormForge, the sponsor for this issue, has built an HPA-compatible vertical pod rightsizing solution designed to help you save Mem/CPU and optimize your cloud bill. You can try it for free here: https://www.stormforge.io/?utm_source=Learnk8s&utm_medium=newsletter&utm_campaign=LearnK8s-Q2-27
🛞 ServiceRouter: hyperscale and minimal cost service mesh at Meta
🚀 4 ways to reduce cold-start-latency on GKE
📝 Managing Cluster API with kluctl
💎 Varnish sharding with Istio in Kubernetes
⛔️ Authentication and authorization with Istio and OPA on Kubernetes
Read it now: https://learnk8s.io/issues/91
🌟 Are you ready to double your Kubernetes resource utilization?
StormForge, the sponsor for this issue, has built an HPA-compatible vertical pod rightsizing solution designed to help you save Mem/CPU and optimize your cloud bill. You can try it for free here: https://www.stormforge.io/?utm_source=Learnk8s&utm_medium=newsletter&utm_campaign=LearnK8s-Q2-27
Permission Manager is an application that enables a super-easy and user-friendly RBAC management for Kubernetes.
With Permission Manager, you can create users, assign namespaces/permissions, and distribute Kubeconfig YAML files via a nice & easy web UI.
More: https://github.com/sighupio/permission-manager
With Permission Manager, you can create users, assign namespaces/permissions, and distribute Kubeconfig YAML files via a nice & easy web UI.
More: https://github.com/sighupio/permission-manager
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Trace3
💰 $240K to $290K a year
👨💻 Remote from the United States
→ https://kube.careers/t/d8c90922-9fb6-4a53-bf4d-0e4ac006bed0?s=55
DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨💻 Remote from the United States
→ https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55
DevSecOps Engineer with Scale AI
💰 $212K to $254.4K a year
🏠🏃🏻♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/817bb996-f703-4fc5-8f1b-0cf0b43d7cd2?s=55
DevSecOps Engineer with Glean
💰 $185K to $280K a year
🏠🏃🏻♂️🌎 Palo Alto, CA, USA
→ https://kube.careers/t/384dd05a-a906-4db7-933a-51b15110f87f?s=55
👉 Browse all 1245 Kubernetes jobs on Kube Careers https://kube.careers
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Trace3
💰 $240K to $290K a year
👨💻 Remote from the United States
→ https://kube.careers/t/d8c90922-9fb6-4a53-bf4d-0e4ac006bed0?s=55
DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨💻 Remote from the United States
→ https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55
DevSecOps Engineer with Scale AI
💰 $212K to $254.4K a year
🏠🏃🏻♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/817bb996-f703-4fc5-8f1b-0cf0b43d7cd2?s=55
DevSecOps Engineer with Glean
💰 $185K to $280K a year
🏠🏃🏻♂️🌎 Palo Alto, CA, USA
→ https://kube.careers/t/384dd05a-a906-4db7-933a-51b15110f87f?s=55
👉 Browse all 1245 Kubernetes jobs on Kube Careers https://kube.careers
kacti is designed to functionally test whether admission control is correctly configured.
It attempts to deploy known-bad containers to Kubernetes clusters and verifies whether the containers successfully deploy.
More: https://github.com/shaneboulden/kacti
It attempts to deploy known-bad containers to Kubernetes clusters and verifies whether the containers successfully deploy.
More: https://github.com/shaneboulden/kacti
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Ben Hirschberg, ARMO's CTO, discusses managing network policies at scale By monitoring development and staging clusters and analyzing application behaviour.
This automated process ensures robust network segmentation, closely aligning with zero-trust principles.
Watch the full interview: https://kube.fm/network-security-ben
This interview is a reaction to Ori's episode https://kube.fm/network-policies-ori
This automated process ensures robust network segmentation, closely aligning with zero-trust principles.
Watch the full interview: https://kube.fm/network-security-ben
This interview is a reaction to Ori's episode https://kube.fm/network-policies-ori
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 91:
🏎️ Container Runtime Interface streaming explained
💸 Saving networking costs for traffic flow between Flux and Github @Dev Shah
♻️ ApplicationSet is more practical in version v2.9
🎸 Migrating from MetalLB to Cilium
🛞 Automatic image update to Git using Flux and GitHub Actions
Read it now: https://learnk8s.io/issues/92
🌟 This newsletter is brought to you by #90daysofdevops — an open-source learning initiative that focuses on the foundations of DevOps https://github.com/MichaelCade/90DaysOfDevOps?utm_source=learnk8s
🏎️ Container Runtime Interface streaming explained
💸 Saving networking costs for traffic flow between Flux and Github @Dev Shah
♻️ ApplicationSet is more practical in version v2.9
🎸 Migrating from MetalLB to Cilium
🛞 Automatic image update to Git using Flux and GitHub Actions
Read it now: https://learnk8s.io/issues/92
🌟 This newsletter is brought to you by #90daysofdevops — an open-source learning initiative that focuses on the foundations of DevOps https://github.com/MichaelCade/90DaysOfDevOps?utm_source=learnk8s
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Sam "Frenchie" Stewart, CEO at Ensignia, discusses the importance of admission control in managing policies and protecting against malicious behaviour.
He reflects on his experience with K-Rail, an open-source admission control tool, and recommends modern tools like OPA and Kyverno.
Frenchie emphasizes the need for stringent RBAC configurations to prevent misuse, noting that while these tools are powerful for enforcing security, they can also be exploited if not properly managed.
Watch the full interview: https://kube.fm/secure-policy-frenchie
This interview is a reaction to Alex's episode https://kube.fm/troubleshooting-kernel-alex
He reflects on his experience with K-Rail, an open-source admission control tool, and recommends modern tools like OPA and Kyverno.
Frenchie emphasizes the need for stringent RBAC configurations to prevent misuse, noting that while these tools are powerful for enforcing security, they can also be exploited if not properly managed.
Watch the full interview: https://kube.fm/secure-policy-frenchie
This interview is a reaction to Alex's episode https://kube.fm/troubleshooting-kernel-alex
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Trace3
💰 $240K to $290K a year
👨💻 Remote from the United States
→ https://kube.careers/t/d8c90922-9fb6-4a53-bf4d-0e4ac006bed0?s=55
DevSecOps Engineer with Jobs for Humanity
💰 $189.1K to $317.69K a year
🏠 From the office in Bellevue, WA, USA
→ https://kube.careers/t/47e00ae5-bef2-4118-9059-c45081d02892?s=55
Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275?s=55
DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨💻 Remote from the United States
→ https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55
👉 Browse all 1428 Kubernetes jobs on Kube Careers https://kube.careers
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Trace3
💰 $240K to $290K a year
👨💻 Remote from the United States
→ https://kube.careers/t/d8c90922-9fb6-4a53-bf4d-0e4ac006bed0?s=55
DevSecOps Engineer with Jobs for Humanity
💰 $189.1K to $317.69K a year
🏠 From the office in Bellevue, WA, USA
→ https://kube.careers/t/47e00ae5-bef2-4118-9059-c45081d02892?s=55
Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275?s=55
DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨💻 Remote from the United States
→ https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55
👉 Browse all 1428 Kubernetes jobs on Kube Careers https://kube.careers
This media is not supported in your browser
VIEW IN TELEGRAM
Learn how to fine-grain access control in Azure Kubernetes clusters using Identity and Access Management (IAM) and Azure Managed Identities.
Understand how service principals work and how to create and configure them for specific purposes.
More: https://itnext.io/simplify-secure-your-azure-resources-managed-identity-vs-workload-identity-fe49d133fc03
Understand how service principals work and how to create and configure them for specific purposes.
More: https://itnext.io/simplify-secure-your-azure-resources-managed-identity-vs-workload-identity-fe49d133fc03
Learn how to set up AWS WAF with Nginx Ingress Controller in Kubernetes.
This guide covers the steps to integrate AWS WAF, including creating a target group and updating the Kubernetes Service type to ClusterIP.
More: https://medium.com/@bennsimonotieno/setting-up-aws-waf-with-nginx-ingress-controller-in-kubernetes-d0136e9ba23d
This guide covers the steps to integrate AWS WAF, including creating a target group and updating the Kubernetes Service type to ClusterIP.
More: https://medium.com/@bennsimonotieno/setting-up-aws-waf-with-nginx-ingress-controller-in-kubernetes-d0136e9ba23d
Learn how CRI-O, a Kubernetes container runtime, has a new feature that allows applying seccomp profiles from OCI registries.
This feature is useful for sandboxing a process's privileges, restricting the calls it can make from userspace into the kernel.
More: https://kubernetes.io/blog/2024/03/07/cri-o-seccomp-oci-artifacts
This feature is useful for sandboxing a process's privileges, restricting the calls it can make from userspace into the kernel.
More: https://kubernetes.io/blog/2024/03/07/cri-o-seccomp-oci-artifacts
Forwarded from LearnKube news
Awesome-DevOps-telegram is a curated list of public Telegram channels and groups dedicated to DevOps, SRE, and Platform Engineering.
More: https://github.com/palark/awesome-devops-telegram
More: https://github.com/palark/awesome-devops-telegram
vault-kms-plugin is a Kubernetes KMS plugin that uses HashiCorp Vaults Transit Engine for securely encrypting Secrets, ConfigMaps and other Kubernetes objects in etcd at rest (on disk).
More: https://github.com/FalcoSuessgott/vault-kubernetes-kms
More: https://github.com/FalcoSuessgott/vault-kubernetes-kms
This article will teach you about seccomp, how to configure it for processes, and the differences between strict and filter modes.
Additionally, you will explore how seccomp is implemented in the Linux kernel.
More: https://www.armosec.io/blog/seccomp-internals-part-1
Additionally, you will explore how seccomp is implemented in the Linux kernel.
More: https://www.armosec.io/blog/seccomp-internals-part-1
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 93:
🖼️ The art of system debugging — decoding CPU utilization
🔭 Observability at the edge
🫙 Advantages of storing configuration in container registries rather than Git
👤 Optimize your Kubernetes resources with Azure IAM: managed vs. workload identity
👯 Comparing multi-tenancy options in Kubernetes
Read it now: https://learnk8s.io/issues/93
🌟 This newsletter is brought to you by CLASTIX — making Kubernetes cluster management boring for SREs https://clastix.cloud?utm_source=learnk8s&utm_medium=nl&utm_campaign=aug2024
🖼️ The art of system debugging — decoding CPU utilization
🔭 Observability at the edge
🫙 Advantages of storing configuration in container registries rather than Git
👤 Optimize your Kubernetes resources with Azure IAM: managed vs. workload identity
👯 Comparing multi-tenancy options in Kubernetes
Read it now: https://learnk8s.io/issues/93
🌟 This newsletter is brought to you by CLASTIX — making Kubernetes cluster management boring for SREs https://clastix.cloud?utm_source=learnk8s&utm_medium=nl&utm_campaign=aug2024
This tutorial gives an example of using Zarf to deploy a Podinfo package into an air-gapped Kubernetes cluster and then upgrading that Podinfo package to a newer version.
More: https://medium.com/@bm54cloud/deploy-and-update-zarf-packages-in-an-air-gap-b2e3ec43abf7
More: https://medium.com/@bm54cloud/deploy-and-update-zarf-packages-in-an-air-gap-b2e3ec43abf7