This tutorial explores how to use cert-manager to manage Kubernetes Gateway certificates automatically.
More: https://addozhang.medium.com/automated-kubernetes-gateway-certificates-management-with-cert-manager-b6b43bb6c5ea
This article explains how to use iptables to enhance security in a Kubernetes network.
It covers the default policy, managing rules, and keeping configurations after reboots.
More: https://itnext.io/shielding-your-kubernetes-network-mastering-iptables-for-enhanced-security-7286540b2f17
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 100:
👩🚒 Rescue my OpenShift cluster from loss of 2 masters
📸 Optimize Kubernetes pods' startup time using VolumeSnapshots
📞 5 solutions for multi-cluster communication in Kubernetes
1️⃣ Streamlining Microservices Management: A Unified Helm Chart Approach
🙋♂️ Argo Events: conditional triggers
Read it now: https://learnk8s.io/issues/100
🌟 Are you still securing your Kubernetes control plane with an SSH bastion?
That's probably valid but a bit dated. The sponsor of this issue is Tailscale — connect and secure your Kubernetes clusters with anything, anywhere https://tailscale.com/use-cases/kubernetes?utm_source=LearnK8s&utm_medium=paid-email&utm_campaign=LearnK8s-Q3-25
This article guides you through the process of signing and verifying container images using Cosign and Kyverno.
It covers the installation of Kyverno and Cosign and provides a step-by-step guide on securing CI/CD pipelines for production deployment.
More: https://vinayakpandey-7997.medium.com/signing-and-verifying-ecr-images-using-cosign-and-kyverno-d3c84e2d8a00
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Jobs for Humanity
💰 $189.1K to $317.69K a year
🏠 From the office in Bellevue, WA, USA
→ https://kube.careers/t/47e00ae5-bef2-4118-9059-c45081d02892?s=55
Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275?s=55
DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨💻 Remote from the United States
→ https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55
DevSecOps Engineer with Crusoe
💰 $180K to $300K a year
🏠🏃🏻♂️🌎 San Francisco, CA, USA
→ https://kube.careers/t/cc2ab37b-4b47-4dc0-9199-04269d9e3607?s=55
👉 Browse all 1326 Kubernetes jobs on Kube Careers https://kube.careers
Forwarded from LearnKube news
Why can't you ping a Kubernetes service?
Learnk8s runs a 4-day Advanced Kubernetes course on Oct 21, and you will get to the bottom of questions like this (spoiler: services only exist in etcd).
You will also learn the nitty-gritty details of Kubernetes networking:
- How to plan and design a cluster network.
- How do the four Kubernetes services extend each other, and what do you gain from each?
- How CoreDNS, Ingress, and kube-proxy consume the Kubernetes currency: endpoints.
This (and much more) is covered on the third day of the course.
You can find the full agenda, a breakdown of the modules and how to sign up here: https://kube.events/t/3aa0148a-d54a-471c-adbc-cc5cabb86d23
Are you training your team?
Customize the workshop in full with corporate training https://learnk8s.io/corporate-training
This article introduces network policies in Kubernetes.
You will learn how labels are used to identify pods and apply network policies.
You will also see how network policies are applied to traffic between pods.
More: https://jamali.hashnode.dev/cilium-network-policies
Sealed Secrets provides declarative Kubernetes Secret Management in a secure way.
Since the Sealed Secrets are encrypted, they can be safely stored in a code repository.
More: https://github.com/bitnami-labs/sealed-secrets
In this article, you will explore Kyverno: a Kubernetes policy engine that receives admission webhook HTTP callbacks from the kube-apiserver and applies matching policies, returning results that enforce the admission policies or reject the request.
More: https://aws.plainenglish.io/kubernetes-policy-management-engine-kyverno-b255ec9d9bf1?sk=9b8b9970bc2681dc22cd89d8bfe4b1f1
Forwarded from KubeFM
Brian Grant, CTO of ConfigHub and former tech lead on Google's Borg team discusses the Kubernetes Resource Model (KRM) and its profound impact on the Kubernetes ecosystem.
You will learn:
- How the Kubernetes API evolved from inconsistency to a uniform structure, enabling support for thousands of resource types.
- Why Kubernetes' self-describing resources and Server-side Apply simplify client implementations and configuration management.
- The evolution of Kubernetes configuration tools like Helm, Kustomize, and GitOps solutions.
Watch (or listen to) it here: https://kube.fm/krm-brian
🌟 This episode is sponsored by StormForge. Double your Kubernetes resource utilization and unburden developers from sizing complexity with the first HPA-compatible vertical pod rightsizing solution. https://stormforge.io/optimize-live/?utm_source=Learnk8s&utm_medium=podcast&utm_campaign=learnk8s-sow2-2024
The Secrets Store CSI Driver allows Kubernetes to mount multiple secrets, keys, and certs stored in enterprise-grade external secrets stores into their pods as a volume.
Once the Volume is attached, its data is mounted into the container's file system.
More: https://github.com/kubernetes-sigs/secrets-store-csi-driver
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 101:
💯 How we made self-hosting plane a breeze for 100k Docker and 44k Kubernetes deploys
⚔️ Building resilient applications on Kubernetes
📦 Stateful apps in Kubernetes: from history and fundamentals to operators
📉 Reducing EKS Windows node 5 min start time to ~90s
Read it now: https://learnk8s.io/issues/101
⭐️ Looking for cost-effective GPU-powered Kubernetes clusters?
GPU-enabled worker nodes are now available for DigitalOcean Kubernetes https://www.digitalocean.com/products/kubernetes?utm_medium=newsletter&utm_source=learnk8s&utm_campaign=global_gpu-doks_k8s_en&utm_content=product
In this article, you will learn how seccomp provides an additional security layer by restricting system calls that containers can execute.
This reduces the attack surface and minimizes potential damage from compromised processes.
More: https://www.armosec.io/blog/kubernetes-workloads-seccomp
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Gemini
💰 $248K to $310K a year
👨💻 Remote from the United States
→ https://kube.careers/t/03598248-6bcb-4117-85b1-ecba6edb3070?s=55
DevSecOps Engineer with Uniswap Labs
💰 $264K to $294K a year
🏠 From the office in New York, NY, USA
→ https://kube.careers/t/3d7c0bd7-abd8-4526-a376-458f65018709?s=55
DevSecOps Engineer with CoreWeave
💰 $240K to $275K a year
🏠🏃🏻♂️🌎 Roseland, NJ / Brooklyn, NY / Sunnyvale, CA / Bellevue, WA, USA
→ https://kube.careers/t/e9f1791e-bf17-4013-af2a-c52e93b6beaf?s=55
👉 Browse all 1370 Kubernetes jobs on Kube Careers https://kube.careers
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshop!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next online courses start in November: https://kube.events/t/3ae8e890-0f78-40e8-854e-849964bb8aee?s=16
We also run in-person courses and corporate training: https://learnk8s.io/corporate-training
Sealed Secrets Web is a tool that provides a web interface for managing and encrypting sensitive data in Kubernetes using the Sealed Secrets service by Bitnami.
More: https://github.com/bakito/sealed-secrets-web
This article explains the purpose of the Kubernetes service in the default namespace and how to access the Kubernetes API server from a pod.
It also explains how to configure service accounts, roles, and bindings to control access and permissions.
More: https://medium.com/@jinha4ever/accessing-the-kubernetes-service-in-the-default-namespace-from-your-pods-976d60326fbd
Forwarded from LearnKube news
This article explores Kubernetes networking, focusing on Services, kube-proxy, and load balancing.
It covers how pods communicate within a cluster, how Services direct traffic, and how external access is managed.
The article covers ClusterIP, NodePort, and LoadBalancer service types, explaining their implementations using iptables rules.
It also discusses advanced topics like preserving source IPs, handling terminating endpoints, and integrating with cloud load balancers.
https://learnk8s.io/kubernetes-services-and-load-balancing
The AWS EKS access entry has a feature called kubernetes_groups, which solves a problem with coarse managed access policies that don't allow customization.
Learn how to use kubernetes_groups in EKS to manage access control.
More: https://fixit-xdu.medium.com/using-kubernetes-groups-in-eks-access-entry-when-and-how-5180fd178e91
This article explores the architectures and implementations of Cilium and Istio, covering their approaches to traffic redirection, encryption, authentication, and observability in Kubernetes network security.
More: https://medium.com/@noah_h/on-kubernetes-network-security-exploring-cilium-and-istio-implementations-ba687b685d26
Forwarded from KubeFM
Emin Laletović shares his experience debugging a production issue in which a specific API endpoint failed due to out-of-memory errors.
You will learn:
- How Go's garbage collector interacts with Kubernetes resource limits, potentially leading to unexpected OOMKilled errors.
- The importance of the GOMEMLIMIT environment variable in Go 1.19+ for managing memory usage in containerized environments.
- Considerations for optimizing Go applications in Kubernetes, balancing performance and resource utilization.
Watch (or listen to) it here: https://kube.fm/kubernetes-go-emin
🌟 This episode is sponsored by StormForge. Double your Kubernetes resource utilization and unburden developers from sizing complexity with the first HPA-compatible vertical pod rightsizing solution. https://stormforge.io/optimize-live/?utm_source=Learnk8s&utm_medium=podcast&utm_campaign=learnk8s-sow2-2024
With @Birthmarkb "miniscule" Farrell