Kubesploit – Telegram
Kubesploit
1.96K subscribers
830 photos
130 videos
1.62K links
News and links on Kubernetes security curated by the @Learnk8s team
Website: https://kubesploit.io/
Forwarded from KubeFM
In this KubeFM episode, Harsha Koushik, a Security Researcher and Technical Product Manager at Palo Alto Networks, explores the intricacies of Kubernetes security, focusing on the benefits and misconceptions of Distroless container images and the broader aspects of container security.

You will learn:

- The advantages and limitations of Distroless container images.
- Best practices for container security.
- Supply chain security.
- Emerging Kubernetes tools and future projects.

Watch (or listen to) it here: https://kube.fm/abusing-distroless-harsha

🌟 What's the best instance for your Kubernetes cluster?
Check out Learnk8s's Kubernetes Instance Calculator and find out: https://learnk8s.io/kubernetes-instance-calculator

With @Birthmarkb "normal person" Farrell
RBAC Manager is an operator that supports declarative configuration for RBAC with new custom resources.

Instead of managing role bindings or service accounts directly, you can specify the desired state, and RBAC Manager will make the necessary changes.

More: https://github.com/FairwindsOps/rbac-manager
Forwarded from LearnKube news
In this article, you will learn how to prevent broken connections when a Pod starts up or shuts down.

You will also learn how to shut down long-running tasks gracefully.

More: https://learnk8s.io/graceful-shutdown
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 94:

🥅 CNI and Network Namespaces
📈 Benchmark results of Kubernetes network plugins (CNI) over 40gbit/s network
📉 Graceful shutdown and zero downtime deployments in Kubernetes
👌 Katalyst: A QoS-based resource management system for workload colocation on Kubernetes
😆 Fun with Kubernetes Authorization auditing: multiple authz plugins

Read it now: https://learnk8s.io/issues/94

🌟 🌟 This newsletter is brought to you by PerfectScale: achieve peak Kubernetes performance, at the lowest possible cost https://www.perfectscale.io/?utm_source=learnk8_nl&utm_medium=referral&utm_campaign=new-letter&utm_term=header
This article explores using the Kong Ingress Controller in a database-less mode to prevent Denial of Service (DoS) attacks, limit web scraping, and prevent other forms of overuse.

More: https://medium.com/@jervis.ferreira/kong-ingress-controller-for-kubernetes-db-less-mode-840df4301a8e
Forwarded from LearnKube news
Why doesn't Kubernetes rebalance pods across nodes?

Learnk8s runs a 4-day Advanced Kubernetes course in 3 weeks, and you will get to the bottom of questions like this (spoiler: the scheduler allocates pods when they are created, and it doesn't re-evaluate decisions).
You will also learn the nitty-gritty details of the Kubernetes architecture:

- How pods can keep serving traffic even if the control plane is unavailable.
- Why Kubernetes runs a single active controller manager and scheduler even in an HA setup.
- Why the kubelet prefers to poll for updates rather than having the control plane dispatch events.

This (and much more) is covered on the second day of the course.

You can find the full agenda, a breakdown of the modules and how to sign up here: https://kube.events/t/5cd14a5b-bd2a-496d-9009-5cc802b45fd4

Are you training your team?
Customize the workshop in full with corporate training https://learnk8s.io/corporate-training
Learn how to handle Software Bills of Materials (SBOMs) at scale in Kubernetes using Ratify and the Open Policy Agent.

More: https://medium.com/@jp-gouin/how-to-handle-sboms-at-scale-in-k8s-c92aa5dd418b
This article discusses using Trivy, a security scanner, to identify vulnerabilities in OS packages and code dependencies, and how to integrate it into CI/CD pipelines and Kubernetes clusters to enable DevSecOps and keep the infrastructure secure.

More: https://itnext.io/trivy-shifting-security-from-right-to-left-and-then-right-again-ee21d979d8ef
Kubeconform is a Kubernetes manifest validation tool.

Similar to Kubeval, but with the following improvements:

1. High performance.
2. Remote or local schema locations.
3. Up-to-date schemas for all recent versions of Kubernetes.

More: https://github.com/yannh/kubeconform
Forwarded from KubeFM
In this KubeFM episode, Miguel Luna, Principal Product Manager at Elastic, discusses the intricacies of Observability in Kubernetes, including its components, tools, and future trends.

You will learn:

- The fundamental components of Observability: metrics, logs, and traces, and their roles in understanding system performance and health.
- The integration of AI technologies: how AI is shaping the future of Observability in Kubernetes.
- Practical steps for implementing Observability: starting points, what to monitor, and how to manage alerts effectively.

Watch (or listen to) it here: https://kube.fm/observability-kubernetes-miguel

With @Birthmarkb "Richie Rich" Farrell
This article demonstrates how to use Cilium to restrict container communications using network policies, Hubble for observability and DNS Proxy for DNS traffic.

More: https://pankajtechblogs.dev/cilium-network-policy-cnp-zero-trust-networking-kubernetes-1c310151c772
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 95:

⚒️ DIY: Create your own cloud with Kubernetes
🤔 How does etcd achieve high availability and strong consistency of data through the Raft protocol?
🏠 Building an observability solution with ClickHouse
🧐 Can a Kubernetes Pod have more than one network attached?
🧑🏻‍🏫 Kubectl port-forward flow explained

Read it now: https://learnk8s.io/issues/95

🌟 We, Learnk8s, run a few Kubernetes workshops in September (online and in person). Join us and learn about Kubernetes! https://learnk8s.io/training
This article explores how to manage Kubernetes secrets dynamically using HashiCorp Vault and the External Secret Operator.

You'll learn how to create and manage external secrets on a namespace or global basis.

More: https://medium.com/@sametarslantrk/managing-kubernetes-secrets-dynamically-from-vault-via-external-secrets-operator-7e51d71b56cf
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55

DevSecOps Engineer with Jobs for Humanity
💰 $189.1K to $317.69K a year
🏠 From the office in Bellevue, WA, USA
https://kube.careers/t/47e00ae5-bef2-4118-9059-c45081d02892?s=55

Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275?s=55

DevSecOps Engineer with ServiceNow
💰 $181.1K to $316.9K a year
👨‍💻 Remote from the United States
https://kube.careers/t/46e8c8b9-7122-4ba5-b2a6-a70d6089f758?s=55

DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨‍💻 Remote from the United States
https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55

👉 Browse all 1376 Kubernetes jobs on Kube Careers https://kube.careers
Pinniped is an authentication service for Kubernetes clusters.

It supports various authenticator types and OIDC identity providers and implements different integration strategies for various Kubernetes distributions to facilitate authentication.

More: https://pinniped.dev
This article discusses a multi-cluster ArgoCD setup, where a centralized ArgoCD instance manages multiple remote clusters.

The remote clusters are secured using short-lived tokens issued by a service that provides identity and authentication.

More: https://tremolosecurity.com/post/securing-multi-cluster-argocd
Cartographer allows you to create secure and reusable supply chains that define all of your application CI and CD in one place, in a cluster.

More: https://cartographer.sh
Forwarded from KubeFM
In this KubeFM episode, Ángel Barrera discusses Adidas' strategic shift to a GitOps-based container platform management system, initiated in May 2022, and its impact on their global infrastructure.

You will learn:

- The initial state and challenges: Understand the complexities and inefficiencies of Adidas' pre-GitOps infrastructure.
- The transition process: Explore the steps and strategies used to migrate to a GitOps-based system, including tool changes and planning.
- Technical advantages: Learn about the benefits of the pull mechanism, unified configuration, and improved visibility into cluster states.

Watch (or listen to) it here: https://kube.fm/platform-gitops-angel

🌟 Hardened Flux CD + 0 CVEs + SLSA + SBOMs
ControlPlane Enterprise for Flux CD enhances the security and stability of Kubernetes deployments through comprehensive security assurance. Learn more: https://control-plane.io/enterprise-for-flux-cd/?utm_source=kubefm

With @Birthmarkb "one of the hosts" Farrell
Learn how to grant Kubernetes pods access to AWS services using OpenID Connect, including setting up the necessary environment variables and configuring the OIDC provider.

More: https://meysam.io/grant-kubernetes-pods-access-to-aws-services-using-openid-connect-60d2288e1ab2
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 96:

🕸️ Building a network topology of a Kubernetes application in a non-intrusive way
🙅‍♀️ Why does the etcd community suggest that the database size should not exceed 8GB?
🎻 KubeAdmiral: next-generation multi-cluster orchestration engine based on Kubernetes
💾 Swapping disks in Kubernetes for fun and profit
👮‍♀️ Securing multi-cluster ArgoCD

Read it now: https://learnk8s.io/issues/96

🌟 LoxiLB turns Kubernetes network load balancing into high-speed, flexible and programmable Load Balancer services. LoxiLB is open source and is also the sponsor of this newsletter. You can check out the project here: https://www.loxilb.io/?utm_source=learnk8s&utm_medium=newsletter
OPA Gatekeeper Library is a tool for managing and enforcing policies across your Kubernetes cluster.

It provides a community-owned library of policies and a framework for validating and mutating resources.

More: https://github.com/open-policy-agent/gatekeeper-library