Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshop!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the
cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed
with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing
into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next online courses start next week: https://kube.events/t/5cd14a5b-bd2a-496d-9009-5cc802b45fd4
We also run in-person courses and corporate training: https://learnk8s.io/corporate-training
Forwarded from KubeFM
Mircea-Pavel Anton, an MLOps Engineer, highlights Talos's advantage in having a much smaller image and lacking SSH, which significantly reduces the attack surface.
Interaction with the OS is done via an API, limiting an attacker's potential actions if they compromise the system.
Watch the full episode: https://kube.fm/talos-mircea
This article explains how to create a webhook server to handle ImagePolicy validation and the behaviour of the ImagePolicy webhook, including the rules section that defines API operations and resources to intercept.
More: https://pramodhm112.medium.com/imagepolicy-webhook-in-kubernetes-85f25d3f09fb
netfetch is a tool designed to scan Kubernetes namespaces for network policies and check whether a network policy targets your workloads.
More: https://github.com/deggja/netfetch
This tutorial covers External Secrets and working with internal and external secrets.
It also introduces encoding techniques and decoding methods.
More: https://blog.devops.dev/injecting-external-secrets-in-a-kubernetes-cluster-1e9bbe0f0d5b
Forwarded from KubeFM
In this KubeFM episode, Kensei Kanada discusses Tortoise, an open-source project he developed to tackle Kubernetes resource optimizations.
You will learn:
- The complexities of resource optimization in Kubernetes, including the challenges of managing HPA, VPA, and manual tuning of resource requests and limits
- How Tortoise automates resource optimization by replacing HPA and VPA, reducing the need for manual intervention and continuous tuning
- The technical implementation of Tortoise, including its use of Custom Resource Definitions (CRDs) and how it interacts with existing Kubernetes components
Watch (or listen to) it here: https://kube.fm/tortoise-kensei
🌟 What's the best instance for your Kubernetes cluster?
Check out Learnk8s's Kubernetes Instance Calculator and find out: https://learnk8s.io/kubernetes-instance-calculator
With @Birthmarkb "But that's not Kubernetes" Farrell
Zarf eliminates the complexity of air gap software delivery for Kubernetes clusters and cloud-native workloads using a declarative packaging strategy to support DevSecOps in offline and semi-connected environments.
More: https://github.com/defenseunicorns/zarf
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 96:
☝️ Fairness aware load distribution
📝 Kubernetes configuration in 2024
👂 Container communication inside a Kubernetes pod
🤔 What determines if a Kubernetes node is ready?
💨 Do pods really get evicted due to CPU pressure?
Read it now: https://learnk8s.io/issues/97
🌟 This newsletter issue is brought to you by VictoriaMetrics — a fast and scalable open-source time series database and monitoring solution. https://victoriametrics.com/?utm_campaign=LearnK8s&utm_medium=newsletter&utm_source=Learnk8s
This article explores Kubernetes RBAC permissions that you might not know about but should be aware of.
You'll learn about specific verbs and how to use them to manage access and prevent misconfiguration.
More: https://thenewstack.io/kubernetes-rbac-permissions-you-might-not-know-about-but-should
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Jobs for Humanity
💰 $189.1K to $317.69K a year
🏠 From the office in Bellevue, WA, USA
→ https://kube.careers/t/47e00ae5-bef2-4118-9059-c45081d02892?s=55
Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275?s=55
DevSecOps Engineer with ServiceNow
💰 $181.1K to $316.9K a year
👨💻 Remote from the United States
→ https://kube.careers/t/46e8c8b9-7122-4ba5-b2a6-a70d6089f758?s=55
DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨💻 Remote from the United States
→ https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55
👉 Browse all 1387 Kubernetes jobs on Kube Careers https://kube.careers
Forwarded from LearnKube news
Why can't you ping a Kubernetes service?
Learnk8s runs a 4-day Advanced Kubernetes course on Sep 30, and you will get to the bottom of questions like this (spoiler: services only exist in etcd).
You will also learn the nitty-gritty details of Kubernetes networking:
- How to plan and design a cluster network.
- How do the four Kubernetes services extend each other, and what do you gain from each?
- How CoreDNS, Ingress, and kube-proxy consume the Kubernetes currency: endpoints.
This (and much more) is covered on the third day of the course.
You can find the full agenda, a breakdown of the modules and how to sign up here: https://kube.events/t/06d19f85-4645-42f7-87c5-040888900b9d
Are you training your team?
Customize the workshop in full with corporate training https://learnk8s.io/corporate-training
kubelogin is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication, also known as kubectl oidc-login.
More: https://github.com/int128/kubelogin
Learn the differences between a process running as root (UID 0) and a containerized process running as root, and discover why running containerized root processes can increase security risks.
More: https://www.armosec.io/blog/root-process-vs-containerized-root-process
This article discusses the importance of a cloud native protection system in preventing business disruptions due to abnormal data plane releases and shares strategies for adapting to unique risks and preventing cascading deletion of root objects.
More: https://aws.plainenglish.io/bytedance-cloud-native-protection-system-practice-ac84e9443422?sk=22c9693c20caca567b6863ef9ede4377
Forwarded from KubeFM
Alexandre Souza, a senior platform engineer at Getir, explores the challenges of over-provisioning and under-provisioning and discusses strategies for optimizing resource allocation using tools like Horizontal Pod Autoscaler (HPA) and Vertical Pod Autoscaler (VPA).
You will learn:
- How to set appropriate resource requests and limits to balance application performance and cost-efficiency in large-scale Kubernetes environments.
- Strategies for implementing and configuring Horizontal Pod Autoscaler (HPA), including scaling policies and behavior management.
- The differences between CPU and memory management in Kubernetes and their impact on workload performance.
Watch (or listen to) it here: https://kube.fm/hpa-at-scale-alex
🌟 This episode is sponsored by VictoriaMetrics. Start a free trial for VictoriaMetrics enterprise today https://victoriametrics.com/products/enterprise/?utm_campaign=LearnK8s&utm_medium=podcast&utm_source=Learnk8s
With @Birthmarkb "Peter Pan" Farrell
This article explores an alternative to long-lived credentials in EKS.
IAM Roles, EKS Pod Identity, OIDC Integration, IAM Roles Anywhere, AWS IAM Identity Center, and Service Account provide alternatives to long-lived credentials.
More: https://medium.com/mycloudseries/alternatives-to-long-lived-credentials-in-aws-29c2582b513f
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 98:
🧐 AWS VPC Flow Logs, NAT Gateways, and Kubernetes pods: a detailed overview
🐳 How does a Docker container work internally?
📊 Kubernetes fine-grained horizontal pod autoscaling with Container Resource Metrics @Chimbu Chinnadurai
♻️ Rendering the TRUE Argo CD diff on your PRs
📦 What is the difference between a root process and a containerized root process?
Read it now: https://learnk8s.io/issues/98
🌟 Are you ready to double your Kubernetes resource utilization?
StormForge, the sponsor for this issue, has built an HPA-compatible vertical pod rightsizing solution designed to help you save Mem/CPU and optimize your cloud bill. You can try it for free here: https://stormforge.io/optimize-live/?utm_source=Learnk8s&utm_medium=email&utm_campaign=learnk8s-sow2-2024
This article demonstrates container supply chain security using:
- Cosign, Kyverno, and HashiCorp Vault to secure container images in Kubernetes
- GitLab CI to build, push, and sign images with Cosign and Vault.
- Kyverno to enforce policies for signature verification.
More: https://angapov.medium.com/kubernetes-container-images-signing-using-cosign-kyverno-hashicorp-vault-and-gitlab-ci-c4e2041d1310
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Jobs for Humanity
💰 $189.1K to $317.69K a year
🏠 From the office in Bellevue, WA, USA
→ https://kube.careers/t/47e00ae5-bef2-4118-9059-c45081d02892?s=55
Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275?s=55
DevSecOps Engineer with ServiceNow
💰 $181.1K to $316.9K a year
👨💻 Remote from the United States
→ https://kube.careers/t/46e8c8b9-7122-4ba5-b2a6-a70d6089f758?s=55
DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨💻 Remote from the United States
→ https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55
👉 Browse all 1411 Kubernetes jobs on Kube Careers https://kube.careers
Forwarded from LearnKube news
Why doesn't Kubernetes rebalance pods across nodes?
Learnk8s runs a 4-day Advanced Kubernetes course next week in London 🇬🇧, and you will get to the bottom of questions like this (spoiler: the scheduler allocates pods when created, and it doesn't re-evaluate decisions).
You will also learn the nitty-gritty details of the Kubernetes architecture:
- How pods can serve traffic even if the control plane is unavailable.
- Why does Kubernetes run a single controller manager and scheduler even in HA?
- Why does the kubelet prefer to poll for updates rather than the master dispatching events?
This (and much more) is covered on the second day of the course.
You can find the full agenda, a breakdown of the modules and how to sign up here: https://kube.events/t/06d19f85-4645-42f7-87c5-040888900b9d
Are you training your team?
Customize the workshop in full with corporate training https://learnk8s.io/corporate-training
AWACS for RBAC (AWRBACS) provides a view of a cluster's RBAC by automating the retrieval of users and service accounts or providing a dump of users defined in LDAP.
It checks individual permissions on each resource in the cluster.
More: https://lobuhisec.medium.com/awrbacs-awacs-for-rbac-b6cb2ac75e3e