Pinniped is an authentication service for Kubernetes clusters.
It supports various authenticator types and OIDC identity providers and implements different integration strategies for various Kubernetes distributions to facilitate authentication.
More: https://pinniped.dev
This article discusses a multi-cluster ArgoCD setup, where a centralized ArgoCD instance manages multiple remote clusters.
The remote clusters are secured with short-lived tokens issued by an identity and authentication service.
More: https://tremolosecurity.com/post/securing-multi-cluster-argocd
Cartographer allows you to create secure and reusable supply chains that define all of your application CI and CD in one place, in a cluster.
More: https://cartographer.sh
Forwarded from KubeFM
In this KubeFM episode, Ángel Barrera discusses Adidas' strategic shift to a GitOps-based container platform management system, initiated in May 2022, and its impact on their global infrastructure.
You will learn:
- The initial state and challenges: Understand the complexities and inefficiencies of Adidas' pre-GitOps infrastructure.
- The transition process: Explore the steps and strategies used to migrate to a GitOps-based system, including tool changes and planning.
- Technical advantages: Learn about the benefits of the pull mechanism, unified configuration, and improved visibility into cluster states.
Watch (or listen to) it here: https://kube.fm/platform-gitops-angel
🌟 Hardened Flux CD + 0 CVEs + SLSA + SBOMs
ControlPlane Enterprise for Flux CD enhances the security and stability of Kubernetes deployments through comprehensive security assurance. Learn more: https://control-plane.io/enterprise-for-flux-cd/?utm_source=kubefm
With @Birthmarkb "one of the hosts" Farrell
Learn how to grant Kubernetes pods access to AWS services using OpenID Connect, including setting up the necessary environment variables and configuring the OIDC provider.
More: https://meysam.io/grant-kubernetes-pods-access-to-aws-services-using-openid-connect-60d2288e1ab2
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 96:
🕸️ Building a network topology of a Kubernetes application in a non-intrusive way
🙅♀️ Why does the etcd community suggest that the database size should not exceed 8GB?
🎻 KubeAdmiral: next-generation multi-cluster orchestration engine based on Kubernetes
💾 Swapping disks in Kubernetes for fun and profit
👮♀️ Securing multi-cluster ArgoCD
Read it now: https://learnk8s.io/issues/96
🌟 LoxiLB turns Kubernetes network load balancing into high-speed, flexible and programmable Load Balancer services. LoxiLB is open source and is also the sponsor of this newsletter. You can check out the project here: https://www.loxilb.io/?utm_source=learnk8s&utm_medium=newsletter
OPA Gatekeeper Library is a tool for managing and enforcing policies across your Kubernetes cluster.
It provides a community-owned library of policies and a framework for validating and mutating resources.
More: https://github.com/open-policy-agent/gatekeeper-library
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Jobs for Humanity
💰 $189.1K to $317.69K a year
🏠 From the office in Bellevue, WA, USA
→ https://kube.careers/t/47e00ae5-bef2-4118-9059-c45081d02892?s=55
Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275?s=55
DevSecOps Engineer with ServiceNow
💰 $181.1K to $316.9K a year
👨💻 Remote from the United States
→ https://kube.careers/t/46e8c8b9-7122-4ba5-b2a6-a70d6089f758?s=55
DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨💻 Remote from the United States
→ https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55
👉 Browse all 1379 Kubernetes jobs on Kube Careers https://kube.careers
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshop!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next online courses start next week: https://kube.events/t/5cd14a5b-bd2a-496d-9009-5cc802b45fd4
We also run in-person courses and corporate training: https://learnk8s.io/corporate-training
Forwarded from KubeFM
Mircea-Pavel Anton, an MLOps Engineer, highlights Talos's advantage in having a much smaller image and lacking SSH, which significantly reduces the attack surface.
Interaction with the OS is done via an API, limiting an attacker's potential actions if they compromise the system.
Watch the full episode: https://kube.fm/talos-mircea
This article explains how to create a webhook server to handle ImagePolicy validation and the behaviour of the ImagePolicy webhook, including the rules section that defines API operations and resources to intercept.
More: https://pramodhm112.medium.com/imagepolicy-webhook-in-kubernetes-85f25d3f09fb
netfetch is a tool designed to scan Kubernetes namespaces for network policies and check whether a network policy targets your workloads.
More: https://github.com/deggja/netfetch
This tutorial covers External Secrets and working with internal and external secrets.
It also introduces encoding techniques and decoding methods.
More: https://blog.devops.dev/injecting-external-secrets-in-a-kubernetes-cluster-1e9bbe0f0d5b
Forwarded from KubeFM
In this KubeFM episode, Kensei Kanada discusses Tortoise, an open-source project he developed to tackle Kubernetes resource optimizations.
You will learn:
- The complexities of resource optimization in Kubernetes, including the challenges of managing HPA, VPA, and manual tuning of resource requests and limits
- How Tortoise automates resource optimization by replacing HPA and VPA, reducing the need for manual intervention and continuous tuning
- The technical implementation of Tortoise, including its use of Custom Resource Definitions (CRDs) and how it interacts with existing Kubernetes components
Watch (or listen to) it here: https://kube.fm/tortoise-kensei
🌟 What's the best instance for your Kubernetes cluster?
Check out Learnk8s's Kubernetes Instance Calculator and find out: https://learnk8s.io/kubernetes-instance-calculator
With @Birthmarkb "But that's not Kubernetes" Farrell
Zarf eliminates the complexity of air gap software delivery for Kubernetes clusters and cloud-native workloads using a declarative packaging strategy to support DevSecOps in offline and semi-connected environments.
More: https://github.com/defenseunicorns/zarf
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 96:
☝️ Fairness aware load distribution
📝 Kubernetes configuration in 2024
👂 Container communication inside a Kubernetes pod
🤔 What determines if a Kubernetes node is ready?
💨 Do pods really get evicted due to CPU pressure?
Read it now: https://learnk8s.io/issues/97
🌟 This newsletter issue is brought to you by VictoriaMetrics — a fast and scalable open-source time series database and monitoring solution. https://victoriametrics.com/?utm_campaign=LearnK8s&utm_medium=newsletter&utm_source=Learnk8s
This article explores Kubernetes RBAC permissions that you might not know about but should be aware of.
You'll learn about specific verbs and how to use them to manage access and prevent misconfiguration.
More: https://thenewstack.io/kubernetes-rbac-permissions-you-might-not-know-about-but-should
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Jobs for Humanity
💰 $189.1K to $317.69K a year
🏠 From the office in Bellevue, WA, USA
→ https://kube.careers/t/47e00ae5-bef2-4118-9059-c45081d02892?s=55
Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275?s=55
DevSecOps Engineer with ServiceNow
💰 $181.1K to $316.9K a year
👨💻 Remote from the United States
→ https://kube.careers/t/46e8c8b9-7122-4ba5-b2a6-a70d6089f758?s=55
DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨💻 Remote from the United States
→ https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55
👉 Browse all 1387 Kubernetes jobs on Kube Careers https://kube.careers
Forwarded from LearnKube news
Why can't you ping a Kubernetes service?
Learnk8s runs a 4-day Advanced Kubernetes course on Sep 30, and you will get to the bottom of questions like this (spoiler: services only exist in etcd).
You will also learn the nitty-gritty details of Kubernetes networking:
- How to plan and design a cluster network.
- How do the four Kubernetes services extend each other, and what do you gain from each?
- How CoreDNS, Ingress, and kube-proxy consume the Kubernetes currency: endpoints.
This (and much more) is covered on the third day of the course.
You can find the full agenda, a breakdown of the modules and how to sign up here: https://kube.events/t/06d19f85-4645-42f7-87c5-040888900b9d
Are you training your team?
Customize the workshop in full with corporate training https://learnk8s.io/corporate-training
kubelogin is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication, also known as kubectl oidc-login.
More: https://github.com/int128/kubelogin
Learn the differences between a process running as root (UID 0) and a containerized process running as root, and discover why running containerized root processes can increase security risks.
More: https://www.armosec.io/blog/root-process-vs-containerized-root-process