Kyverno is a policy engine designed for Kubernetes.
It can validate, mutate, and generate configurations using admission controls and background scans.
Kyverno policies are Kubernetes resources and do not require learning a new language.
More: https://github.com/kyverno/kyverno
In this article, you will learn how to manage secrets in GitOps using the age encryption tool.
More: https://mirceanton.com/posts/doing-secrets-the-gitops-way
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 91:
🛞 ServiceRouter: hyperscale and minimal cost service mesh at Meta
🚀 4 ways to reduce cold-start-latency on GKE
📝 Managing Cluster API with kluctl
💎 Varnish sharding with Istio in Kubernetes
⛔️ Authentication and authorization with Istio and OPA on Kubernetes
Read it now: https://learnk8s.io/issues/91
🌟 Are you ready to double your Kubernetes resource utilization?
StormForge, the sponsor for this issue, has built an HPA-compatible vertical pod rightsizing solution designed to help you save Mem/CPU and optimize your cloud bill. You can try it for free here: https://www.stormforge.io/?utm_source=Learnk8s&utm_medium=newsletter&utm_campaign=LearnK8s-Q2-27
Permission Manager is an application that enables super-easy, user-friendly RBAC management for Kubernetes.
With Permission Manager, you can create users, assign namespaces/permissions, and distribute Kubeconfig YAML files via a nice & easy web UI.
More: https://github.com/sighupio/permission-manager
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Trace3
💰 $240K to $290K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/d8c90922-9fb6-4a53-bf4d-0e4ac006bed0?s=55
DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55
DevSecOps Engineer with Scale AI
💰 $212K to $254.4K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/817bb996-f703-4fc5-8f1b-0cf0b43d7cd2?s=55
DevSecOps Engineer with Glean
💰 $185K to $280K a year
🏠🏃🏻‍♂️🌎 Palo Alto, CA, USA
→ https://kube.careers/t/384dd05a-a906-4db7-933a-51b15110f87f?s=55
👉 Browse all 1245 Kubernetes jobs on Kube Careers https://kube.careers
kacti is designed to functionally test whether admission control is correctly configured.
It attempts to deploy known-bad containers to Kubernetes clusters and verifies whether the containers successfully deploy.
More: https://github.com/shaneboulden/kacti
Forwarded from KubeFM
Ben Hirschberg, ARMO's CTO, discusses managing network policies at scale by monitoring development and staging clusters and analyzing application behaviour.
This automated process ensures robust network segmentation, closely aligning with zero-trust principles.
Watch the full interview: https://kube.fm/network-security-ben
This interview is a reaction to Ori's episode https://kube.fm/network-policies-ori
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 91:
🏎️ Container Runtime Interface streaming explained
💸 Saving networking costs for traffic flow between Flux and GitHub @Dev Shah
♻️ ApplicationSet is more practical in version v2.9
🎸 Migrating from MetalLB to Cilium
🛞 Automatic image update to Git using Flux and GitHub Actions
Read it now: https://learnk8s.io/issues/92
🌟 This newsletter is brought to you by #90daysofdevops — an open-source learning initiative that focuses on the foundations of DevOps https://github.com/MichaelCade/90DaysOfDevOps?utm_source=learnk8s
Forwarded from KubeFM
Sam "Frenchie" Stewart, CEO at Ensignia, discusses the importance of admission control in managing policies and protecting against malicious behaviour.
He reflects on his experience with K-Rail, an open-source admission control tool, and recommends modern tools like OPA and Kyverno.
Frenchie emphasizes the need for stringent RBAC configurations to prevent misuse, noting that while these tools are powerful for enforcing security, they can also be exploited if not properly managed.
Watch the full interview: https://kube.fm/secure-policy-frenchie
This interview is a reaction to Alex's episode https://kube.fm/troubleshooting-kernel-alex
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Trace3
💰 $240K to $290K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/d8c90922-9fb6-4a53-bf4d-0e4ac006bed0?s=55
DevSecOps Engineer with Jobs for Humanity
💰 $189.1K to $317.69K a year
🏠 From the office in Bellevue, WA, USA
→ https://kube.careers/t/47e00ae5-bef2-4118-9059-c45081d02892?s=55
Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275?s=55
DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55
👉 Browse all 1428 Kubernetes jobs on Kube Careers https://kube.careers
Learn how to fine-grain access control in Azure Kubernetes clusters using Identity and Access Management (IAM) and Azure Managed Identities.
Understand how service principals work and how to create and configure them for specific purposes.
More: https://itnext.io/simplify-secure-your-azure-resources-managed-identity-vs-workload-identity-fe49d133fc03
Learn how to set up AWS WAF with Nginx Ingress Controller in Kubernetes.
This guide covers the steps to integrate AWS WAF, including creating a target group and updating the Kubernetes Service type to ClusterIP.
More: https://medium.com/@bennsimonotieno/setting-up-aws-waf-with-nginx-ingress-controller-in-kubernetes-d0136e9ba23d
Learn how CRI-O, a Kubernetes container runtime, has a new feature that allows applying seccomp profiles from OCI registries.
This feature is useful for sandboxing a process's privileges, restricting the calls it can make from userspace into the kernel.
More: https://kubernetes.io/blog/2024/03/07/cri-o-seccomp-oci-artifacts
Forwarded from LearnKube news
Awesome-DevOps-telegram is a curated list of public Telegram channels and groups dedicated to DevOps, SRE, and Platform Engineering.
More: https://github.com/palark/awesome-devops-telegram
vault-kms-plugin is a Kubernetes KMS plugin that uses HashiCorp Vault's Transit Engine to securely encrypt Secrets, ConfigMaps and other Kubernetes objects in etcd at rest (on disk).
More: https://github.com/FalcoSuessgott/vault-kubernetes-kms
This article will teach you about seccomp, how to configure it for processes, and the differences between strict and filter modes.
Additionally, you will explore how seccomp is implemented in the Linux kernel.
More: https://www.armosec.io/blog/seccomp-internals-part-1
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 93:
🖼️ The art of system debugging — decoding CPU utilization
🔭 Observability at the edge
🫙 Advantages of storing configuration in container registries rather than Git
👤 Optimize your Kubernetes resources with Azure IAM: managed vs. workload identity
👯 Comparing multi-tenancy options in Kubernetes
Read it now: https://learnk8s.io/issues/93
🌟 This newsletter is brought to you by CLASTIX — making Kubernetes cluster management boring for SREs https://clastix.cloud?utm_source=learnk8s&utm_medium=nl&utm_campaign=aug2024
This tutorial gives an example of using Zarf to deploy a Podinfo package into an air-gapped Kubernetes cluster and then upgrading that Podinfo package to a newer version.
More: https://medium.com/@bm54cloud/deploy-and-update-zarf-packages-in-an-air-gap-b2e3ec43abf7
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Jobs for Humanity
💰 $189.1K to $317.69K a year
🏠 From the office in Bellevue, WA, USA
→ https://kube.careers/t/47e00ae5-bef2-4118-9059-c45081d02892?s=55
Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275?s=55
DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55
DevSecOps Engineer with Crusoe
💰 $180K to $300K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA, USA
→ https://kube.careers/t/cc2ab37b-4b47-4dc0-9199-04269d9e3607?s=55
👉 Browse all 1376 Kubernetes jobs on Kube Careers https://kube.careers
Forwarded from LearnKube news
Why can't you ping a Kubernetes service?
Learnk8s runs a 4-day Advanced Kubernetes course on Sep 30, and you will get to the bottom of questions like this (spoiler: services only exist in etcd).
You will also learn the nitty-gritty details of Kubernetes networking:
- How to plan and design a cluster network.
- How do the four Kubernetes services extend each other, and what do you gain from each?
- How CoreDNS, Ingress, and kube-proxy consume the Kubernetes currency: endpoints.
This (and much more) is covered on the third day of the course.
You can find the full agenda, a breakdown of the modules and how to sign up here: https://kube.events/t/06d19f85-4645-42f7-87c5-040888900b9d
Are you training your team?
Customize the workshop in full with corporate training https://learnk8s.io/corporate-training
Forwarded from KubeFM
In this episode, Jen, a Technical Marketing Engineer at Tigera, shares her experiences with the transformative impact of a service graph and how its visual representation of traffic flow between pods and services drastically simplifies identifying and resolving network policy issues.
Watch the full episode: https://kube.fm/network-observability-jen