kacti is designed to functionally test whether admission control is correctly configured.
It attempts to deploy known-bad containers to Kubernetes clusters and verifies whether the containers successfully deploy.
More: https://github.com/shaneboulden/kacti
It attempts to deploy known-bad containers to Kubernetes clusters and verifies whether the containers successfully deploy.
More: https://github.com/shaneboulden/kacti
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Ben Hirschberg, ARMO's CTO, discusses managing network policies at scale By monitoring development and staging clusters and analyzing application behaviour.
This automated process ensures robust network segmentation, closely aligning with zero-trust principles.
Watch the full interview: https://kube.fm/network-security-ben
This interview is a reaction to Ori's episode https://kube.fm/network-policies-ori
This automated process ensures robust network segmentation, closely aligning with zero-trust principles.
Watch the full interview: https://kube.fm/network-security-ben
This interview is a reaction to Ori's episode https://kube.fm/network-policies-ori
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 91:
🏎️ Container Runtime Interface streaming explained
💸 Saving networking costs for traffic flow between Flux and Github @Dev Shah
♻️ ApplicationSet is more practical in version v2.9
🎸 Migrating from MetalLB to Cilium
🛞 Automatic image update to Git using Flux and GitHub Actions
Read it now: https://learnk8s.io/issues/92
🌟 This newsletter is brought to you by #90daysofdevops — an open-source learning initiative that focuses on the foundations of DevOps https://github.com/MichaelCade/90DaysOfDevOps?utm_source=learnk8s
🏎️ Container Runtime Interface streaming explained
💸 Saving networking costs for traffic flow between Flux and Github @Dev Shah
♻️ ApplicationSet is more practical in version v2.9
🎸 Migrating from MetalLB to Cilium
🛞 Automatic image update to Git using Flux and GitHub Actions
Read it now: https://learnk8s.io/issues/92
🌟 This newsletter is brought to you by #90daysofdevops — an open-source learning initiative that focuses on the foundations of DevOps https://github.com/MichaelCade/90DaysOfDevOps?utm_source=learnk8s
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Sam "Frenchie" Stewart, CEO at Ensignia, discusses the importance of admission control in managing policies and protecting against malicious behaviour.
He reflects on his experience with K-Rail, an open-source admission control tool, and recommends modern tools like OPA and Kyverno.
Frenchie emphasizes the need for stringent RBAC configurations to prevent misuse, noting that while these tools are powerful for enforcing security, they can also be exploited if not properly managed.
Watch the full interview: https://kube.fm/secure-policy-frenchie
This interview is a reaction to Alex's episode https://kube.fm/troubleshooting-kernel-alex
He reflects on his experience with K-Rail, an open-source admission control tool, and recommends modern tools like OPA and Kyverno.
Frenchie emphasizes the need for stringent RBAC configurations to prevent misuse, noting that while these tools are powerful for enforcing security, they can also be exploited if not properly managed.
Watch the full interview: https://kube.fm/secure-policy-frenchie
This interview is a reaction to Alex's episode https://kube.fm/troubleshooting-kernel-alex
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Trace3
💰 $240K to $290K a year
👨💻 Remote from the United States
→ https://kube.careers/t/d8c90922-9fb6-4a53-bf4d-0e4ac006bed0?s=55
DevSecOps Engineer with Jobs for Humanity
💰 $189.1K to $317.69K a year
🏠 From the office in Bellevue, WA, USA
→ https://kube.careers/t/47e00ae5-bef2-4118-9059-c45081d02892?s=55
Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275?s=55
DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨💻 Remote from the United States
→ https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55
👉 Browse all 1428 Kubernetes jobs on Kube Careers https://kube.careers
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Trace3
💰 $240K to $290K a year
👨💻 Remote from the United States
→ https://kube.careers/t/d8c90922-9fb6-4a53-bf4d-0e4ac006bed0?s=55
DevSecOps Engineer with Jobs for Humanity
💰 $189.1K to $317.69K a year
🏠 From the office in Bellevue, WA, USA
→ https://kube.careers/t/47e00ae5-bef2-4118-9059-c45081d02892?s=55
Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275?s=55
DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨💻 Remote from the United States
→ https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55
👉 Browse all 1428 Kubernetes jobs on Kube Careers https://kube.careers
This media is not supported in your browser
VIEW IN TELEGRAM
Learn how to fine-grain access control in Azure Kubernetes clusters using Identity and Access Management (IAM) and Azure Managed Identities.
Understand how service principals work and how to create and configure them for specific purposes.
More: https://itnext.io/simplify-secure-your-azure-resources-managed-identity-vs-workload-identity-fe49d133fc03
Understand how service principals work and how to create and configure them for specific purposes.
More: https://itnext.io/simplify-secure-your-azure-resources-managed-identity-vs-workload-identity-fe49d133fc03
Learn how to set up AWS WAF with Nginx Ingress Controller in Kubernetes.
This guide covers the steps to integrate AWS WAF, including creating a target group and updating the Kubernetes Service type to ClusterIP.
More: https://medium.com/@bennsimonotieno/setting-up-aws-waf-with-nginx-ingress-controller-in-kubernetes-d0136e9ba23d
This guide covers the steps to integrate AWS WAF, including creating a target group and updating the Kubernetes Service type to ClusterIP.
More: https://medium.com/@bennsimonotieno/setting-up-aws-waf-with-nginx-ingress-controller-in-kubernetes-d0136e9ba23d
Learn how CRI-O, a Kubernetes container runtime, has a new feature that allows applying seccomp profiles from OCI registries.
This feature is useful for sandboxing a process's privileges, restricting the calls it can make from userspace into the kernel.
More: https://kubernetes.io/blog/2024/03/07/cri-o-seccomp-oci-artifacts
This feature is useful for sandboxing a process's privileges, restricting the calls it can make from userspace into the kernel.
More: https://kubernetes.io/blog/2024/03/07/cri-o-seccomp-oci-artifacts
Forwarded from LearnKube news
Awesome-DevOps-telegram is a curated list of public Telegram channels and groups dedicated to DevOps, SRE, and Platform Engineering.
More: https://github.com/palark/awesome-devops-telegram
More: https://github.com/palark/awesome-devops-telegram
vault-kms-plugin is a Kubernetes KMS plugin that uses HashiCorp Vaults Transit Engine for securely encrypting Secrets, ConfigMaps and other Kubernetes objects in etcd at rest (on disk).
More: https://github.com/FalcoSuessgott/vault-kubernetes-kms
More: https://github.com/FalcoSuessgott/vault-kubernetes-kms
This article will teach you about seccomp, how to configure it for processes, and the differences between strict and filter modes.
Additionally, you will explore how seccomp is implemented in the Linux kernel.
More: https://www.armosec.io/blog/seccomp-internals-part-1
Additionally, you will explore how seccomp is implemented in the Linux kernel.
More: https://www.armosec.io/blog/seccomp-internals-part-1
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 93:
🖼️ The art of system debugging — decoding CPU utilization
🔭 Observability at the edge
🫙 Advantages of storing configuration in container registries rather than Git
👤 Optimize your Kubernetes resources with Azure IAM: managed vs. workload identity
👯 Comparing multi-tenancy options in Kubernetes
Read it now: https://learnk8s.io/issues/93
🌟 This newsletter is brought to you by CLASTIX — making Kubernetes cluster management boring for SREs https://clastix.cloud?utm_source=learnk8s&utm_medium=nl&utm_campaign=aug2024
🖼️ The art of system debugging — decoding CPU utilization
🔭 Observability at the edge
🫙 Advantages of storing configuration in container registries rather than Git
👤 Optimize your Kubernetes resources with Azure IAM: managed vs. workload identity
👯 Comparing multi-tenancy options in Kubernetes
Read it now: https://learnk8s.io/issues/93
🌟 This newsletter is brought to you by CLASTIX — making Kubernetes cluster management boring for SREs https://clastix.cloud?utm_source=learnk8s&utm_medium=nl&utm_campaign=aug2024
This tutorial gives an example of using Zarf to deploy a Podinfo package into an air-gapped Kubernetes cluster and then upgrading that Podinfo package to a newer version.
More: https://medium.com/@bm54cloud/deploy-and-update-zarf-packages-in-an-air-gap-b2e3ec43abf7
More: https://medium.com/@bm54cloud/deploy-and-update-zarf-packages-in-an-air-gap-b2e3ec43abf7
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Jobs for Humanity
💰 $189.1K to $317.69K a year
🏠 From the office in Bellevue, WA, USA
→ https://kube.careers/t/47e00ae5-bef2-4118-9059-c45081d02892?s=55
Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275?s=55
DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨💻 Remote from the United States
→ https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55
DevSecOps Engineer with Crusoe
💰 $180K to $300K a year
🏠🏃🏻♂️🌎 San Francisco, CA, USA
→ https://kube.careers/t/cc2ab37b-4b47-4dc0-9199-04269d9e3607?s=55
👉 Browse all 1376 Kubernetes jobs on Kube Careers https://kube.careers
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Jobs for Humanity
💰 $189.1K to $317.69K a year
🏠 From the office in Bellevue, WA, USA
→ https://kube.careers/t/47e00ae5-bef2-4118-9059-c45081d02892?s=55
Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275?s=55
DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨💻 Remote from the United States
→ https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55
DevSecOps Engineer with Crusoe
💰 $180K to $300K a year
🏠🏃🏻♂️🌎 San Francisco, CA, USA
→ https://kube.careers/t/cc2ab37b-4b47-4dc0-9199-04269d9e3607?s=55
👉 Browse all 1376 Kubernetes jobs on Kube Careers https://kube.careers
Forwarded from LearnKube news
Why can't you ping a Kubernetes service?
Learnk8s runs a 4-day Advanced Kubernetes course on Sep 30, and you will get to the bottom of questions like this (spoiler: services only exist in etcd).
You will also learn the nitty-gritty details of Kubernetes networking:
- How to plan and design a cluster network.
- How do the four Kubernetes services extend each other, and what do you gain from each?
- How CoreDNS, Ingress, and kube-proxy consume the Kubernetes currency: endpoints.
This (and much more) is covered on the third day of the course.
You can find the full agenda, a breakdown of the modules and how to sign up here: https://kube.events/t/06d19f85-4645-42f7-87c5-040888900b9d
Are you training your team?
Customize the workshop in full with corporate training https://learnk8s.io/corporate-training
Learnk8s runs a 4-day Advanced Kubernetes course on Sep 30, and you will get to the bottom of questions like this (spoiler: services only exist in etcd).
You will also learn the nitty-gritty details of Kubernetes networking:
- How to plan and design a cluster network.
- How do the four Kubernetes services extend each other, and what do you gain from each?
- How CoreDNS, Ingress, and kube-proxy consume the Kubernetes currency: endpoints.
This (and much more) is covered on the third day of the course.
You can find the full agenda, a breakdown of the modules and how to sign up here: https://kube.events/t/06d19f85-4645-42f7-87c5-040888900b9d
Are you training your team?
Customize the workshop in full with corporate training https://learnk8s.io/corporate-training
Forwarded from KubeFM
This media is not supported in your browser
VIEW IN TELEGRAM
In this episode, Jen, a Technical Marketing Engineer at Tigera, shares her experiences with the transformative impact of a service graph and how its visual representation of traffic flow between pods and services drastically simplifies identifying and resolving network policy issues.
Watch the full episode: https://kube.fm/network-observability-jen
Watch the full episode: https://kube.fm/network-observability-jen
This article shares a simple implementation of a webhook authorizer in Kubernetes, highlighting some nuances and limitations of built-in Authentication and Authorization modules and how you should audit for Kubernetes permission.
More: https://raesene.github.io/blog/2024/04/22/Fun-with-Kubernetes-Authz
More: https://raesene.github.io/blog/2024/04/22/Fun-with-Kubernetes-Authz
ingress-nginx-validate-jwt is an API server which is used along with the
More: https://github.com/IvanJosipovic/ingress-nginx-validate-jwt
nginx·ingress·kubernetes·io/auth-url annotation for ingress-nginx and enables per Ingress customizable JWT validation.More: https://github.com/IvanJosipovic/ingress-nginx-validate-jwt
This media is not supported in your browser
VIEW IN TELEGRAM
This article explores how to automate the IAM workload on Azure using Otterize and the Intent Operator.
It focuses on Network Policies, identifying unused calls and necessary instances, and managing firewall rules through the ingress controller.
More: https://itnext.io/kubernetes-automate-workload-iam-on-azure-with-otterize-860faa221eac
It focuses on Network Policies, identifying unused calls and necessary instances, and managing firewall rules through the ingress controller.
More: https://itnext.io/kubernetes-automate-workload-iam-on-azure-with-otterize-860faa221eac
Forwarded from LearnKube news
Kubernetes nodes reserve resources for the operating system, Kubernetes agents, and eviction threshold.
GKE, EKS, and AKS have specific resource reservations.
Larger nodes can host more pods, but smaller nodes have their advantages.
More: https://learnk8s.io/allocatable-resources
GKE, EKS, and AKS have specific resource reservations.
Larger nodes can host more pods, but smaller nodes have their advantages.
More: https://learnk8s.io/allocatable-resources
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
In this KubeFM episode, Harsha Koushik, a Security Researcher and Technical Product Manager at Palo Alto Networks, explores the intricacies of Kubernetes security, focusing on the benefits and misconceptions of Distroless container images and the broader aspects of container security.
You will learn:
- The advantages and limitations of Distroless container images.
- Best practices for container security.
- Supply chain security.
- Emerging Kubernetes tools and future projects.
Watch (or listen to) it here: https://kube.fm/abusing-distroless-harsha
🌟 What's the best instance for your Kubernetes cluster?
Check out Learnk8s's Kubernetes Instance Calculator and find out: https://learnk8s.io/kubernetes-instance-calculator
With @Birthmarkb "normal person" Farrell
You will learn:
- The advantages and limitations of Distroless container images.
- Best practices for container security.
- Supply chain security.
- Emerging Kubernetes tools and future projects.
Watch (or listen to) it here: https://kube.fm/abusing-distroless-harsha
🌟 What's the best instance for your Kubernetes cluster?
Check out Learnk8s's Kubernetes Instance Calculator and find out: https://learnk8s.io/kubernetes-instance-calculator
With @Birthmarkb "normal person" Farrell