This article will teach you about seccomp, how to configure it for processes, and the differences between strict and filter modes.

Additionally, you will explore how seccomp is implemented in the Linux kernel.

More: https://www.armosec.io/blog/seccomp-internals-part-1

This week on Learn Kubernetes Weekly 93:

🖼️ The art of system debugging — decoding CPU utilization
🔭 Observability at the edge
🫙 Advantages of storing configuration in container registries rather than Git
👤 Optimize your Kubernetes resources with Azure IAM: managed vs. workload identity
👯 Comparing multi-tenancy options in Kubernetes

Read it now: https://learnk8s.io/issues/93

🌟 This newsletter is brought to you by CLASTIX — making Kubernetes cluster management boring for SREs https://clastix.cloud?utm_source=learnk8s&utm_medium=nl&utm_campaign=aug2024

This tutorial gives an example of using Zarf to deploy a Podinfo package into an air-gapped Kubernetes cluster and then upgrading that Podinfo package to a newer version.

More: https://medium.com/@bm54cloud/deploy-and-update-zarf-packages-in-an-air-gap-b2e3ec43abf7

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55

DevSecOps Engineer with Jobs for Humanity
💰 $189.1K to $317.69K a year
🏠 From the office in Bellevue, WA, USA
→ https://kube.careers/t/47e00ae5-bef2-4118-9059-c45081d02892?s=55

Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275?s=55

DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55

DevSecOps Engineer with Crusoe
💰 $180K to $300K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA, USA
→ https://kube.careers/t/cc2ab37b-4b47-4dc0-9199-04269d9e3607?s=55

👉 Browse all 1376 Kubernetes jobs on Kube Careers https://kube.careers

Why can't you ping a Kubernetes service?

Learnk8s runs a 4-day Advanced Kubernetes course on Sep 30, and you will get to the bottom of questions like this (spoiler: services only exist in etcd).
You will also learn the nitty-gritty details of Kubernetes networking:

- How to plan and design a cluster network.
- How do the four Kubernetes services extend each other, and what do you gain from each?
- How CoreDNS, Ingress, and kube-proxy consume the Kubernetes currency: endpoints.

This (and much more) is covered on the third day of the course.

You can find the full agenda, a breakdown of the modules and how to sign up here: https://kube.events/t/06d19f85-4645-42f7-87c5-040888900b9d

Are you training your team?
Customize the workshop in full with corporate training https://learnk8s.io/corporate-training

In this episode, Jen, a Technical Marketing Engineer at Tigera, shares her experiences with the transformative impact of a service graph and how its visual representation of traffic flow between pods and services drastically simplifies identifying and resolving network policy issues.

Watch the full episode: https://kube.fm/network-observability-jen

This article shares a simple implementation of a webhook authorizer in Kubernetes, highlighting some nuances and limitations of built-in Authentication and Authorization modules and how you should audit for Kubernetes permission.

More: https://raesene.github.io/blog/2024/04/22/Fun-with-Kubernetes-Authz

ingress-nginx-validate-jwt is an API server which is used along with the nginx·ingress·kubernetes·io/auth-url annotation for ingress-nginx and enables per Ingress customizable JWT validation.

More: https://github.com/IvanJosipovic/ingress-nginx-validate-jwt

This article explores how to automate the IAM workload on Azure using Otterize and the Intent Operator.

It focuses on Network Policies, identifying unused calls and necessary instances, and managing firewall rules through the ingress controller.

More: https://itnext.io/kubernetes-automate-workload-iam-on-azure-with-otterize-860faa221eac

Kubernetes nodes reserve resources for the operating system, Kubernetes agents, and eviction threshold.

GKE, EKS, and AKS have specific resource reservations.

Larger nodes can host more pods, but smaller nodes have their advantages.

More: https://learnk8s.io/allocatable-resources

In this KubeFM episode, Harsha Koushik, a Security Researcher and Technical Product Manager at Palo Alto Networks, explores the intricacies of Kubernetes security, focusing on the benefits and misconceptions of Distroless container images and the broader aspects of container security.

You will learn:

- The advantages and limitations of Distroless container images.
- Best practices for container security.
- Supply chain security.
- Emerging Kubernetes tools and future projects.

Watch (or listen to) it here: https://kube.fm/abusing-distroless-harsha

🌟 What's the best instance for your Kubernetes cluster?
Check out Learnk8s's Kubernetes Instance Calculator and find out: https://learnk8s.io/kubernetes-instance-calculator

With @Birthmarkb "normal person" Farrell

RBAC Manager is an operator that supports declarative configuration for RBAC with new custom resources.

Instead of managing role bindings or service accounts directly, you can specify the desired state, and RBAC Manager will make the necessary changes.

More: https://github.com/FairwindsOps/rbac-manager

In this article, you will learn how to prevent broken connections when a Pod starts up or shuts down.

You will also learn how to shut down long-running tasks gracefully.

More: https://learnk8s.io/graceful-shutdown

This week on Learn Kubernetes Weekly 94:

🥅 CNI and Network Namespaces
📈 Benchmark results of Kubernetes network plugins (CNI) over 40gbit/s network
📉 Graceful shutdown and zero downtime deployments in Kubernetes
👌 Katalyst: A QoS-based resource management system for workload colocation on Kubernetes
😆 Fun with Kubernetes Authorization auditing: multiple authz plugins

Read it now: https://learnk8s.io/issues/94

🌟 🌟 This newsletter is brought to you by PerfectScale: achieve peak Kubernetes performance, at the lowest possible cost https://www.perfectscale.io/?utm_source=learnk8_nl&utm_medium=referral&utm_campaign=new-letter&utm_term=header

This article explores using the Kong Ingress Controller in a database-less mode to prevent Denial of Service (DoS) attacks, limit web scraping, and prevent other forms of overuse.

More: https://medium.com/@jervis.ferreira/kong-ingress-controller-for-kubernetes-db-less-mode-840df4301a8e

Why Kubernetes doesn't rebalance pods in nodes?

Learnk8s runs a 4-day Advanced Kubernetes course in 3 weeks, and you will get to the bottom of questions like this (spoiler: the scheduler allocates pods when they are created, and it doesn't re-evaluate decisions).
You will also learn the nitty-gritty details of the Kubernetes architecture:

- How pods can serve traffic even if the control plane is unavailable.
- Why does Kubernetes run a single controller manager and scheduler even in HA?
- Why does the kubelet prefer to poll for updates rather than the master dispatching events?

This (and much more) is covered on the second day of the course.

You can find the full agenda, a breakdown of the modules and how to sign up here: https://kube.events/t/5cd14a5b-bd2a-496d-9009-5cc802b45fd4

Are you training your team?
Customize the workshop in full with corporate training https://learnk8s.io/corporate-training

Learn how to handle Software Bills of Materials (SBOMs) at scale in Kubernetes using Ratify and the Open Policy Agent.

More: https://medium.com/@jp-gouin/how-to-handle-sboms-at-scale-in-k8s-c92aa5dd418b

This article discusses using Trivy, a security scanning tool, to identify vulnerabilities in OS packages and code dependencies and how to integrate it into CI/CD pipelines and Kubernetes clusters to enable DevSecOps and maintain a secure infrastructure.

More: https://itnext.io/trivy-shifting-security-from-right-to-left-and-then-right-again-ee21d979d8ef

Kubeconform is a Kubernetes manifests validation tool.

Similar to Kubeval, but with the following improvements:

1. High performance.
2. Remote or local schema locations
3. Up-to-date schemas for all recent versions of Kubernetes.

More: https://github.com/yannh/kubeconform

In this KubeFM episode, Miguel Luna, Principal Product Manager at Elastic, discusses the intricacies of Observability in Kubernetes, including its components, tools, and future trends.

You will learn:

- The fundamental components of Observability: metrics, logs, and traces, and their roles in understanding system performance and health.
- The integration of AI technologies: how AI is shaping the future of Observability in Kubernetes.
- Practical steps for implementing Observability: starting points, what to monitor, and how to manage alerts effectively.

Watch (or listen to) it here: https://kube.fm/observability-kubernetes-miguel

🌟 What's the best instance for your Kubernetes cluster?
Check out Learnk8s's Kubernetes Instance Calculator and find out: https://learnk8s.io/kubernetes-instance-calculator

With @Birthmarkb "Richie Rich" Farrell

This article demonstrates how to use Cilium to restrict container communications using network policies, Hubble for observability and DNS Proxy for DNS traffic.

More: https://pankajtechblogs.dev/cilium-network-policy-cnp-zero-trust-networking-kubernetes-1c310151c772