This article explains the purpose of the Kubernetes service in the default namespace and how to access the Kubernetes API server from a pod.
It also explains how to configure service accounts, roles, and bindings to control access and permissions.
More: https://medium.com/@jinha4ever/accessing-the-kubernetes-service-in-the-default-namespace-from-your-pods-976d60326fbd
Forwarded from LearnKube news
This article explores Kubernetes networking, focusing on Services, kube-proxy, and load balancing.
It covers how pods communicate within a cluster, how Services direct traffic, and how external access is managed.
The article covers ClusterIP, NodePort, and LoadBalancer service types, explaining their implementations using iptables rules.
It also discusses advanced topics like preserving source IPs, handling terminating endpoints, and integrating with cloud load balancers.
https://learnk8s.io/kubernetes-services-and-load-balancing
The AWS EKS access entry has a feature called kubernetes_groups, which solves a problem with coarse managed access policies that don't allow customization.
Learn how to use kubernetes_groups in EKS to manage access control.
More: https://fixit-xdu.medium.com/using-kubernetes-groups-in-eks-access-entry-when-and-how-5180fd178e91
This article explores the architectures and implementations of Cilium and Istio, covering their approaches to traffic redirection, encryption, authentication, and observability in Kubernetes network security.
More: https://medium.com/@noah_h/on-kubernetes-network-security-exploring-cilium-and-istio-implementations-ba687b685d26
Forwarded from KubeFM
Emin Laletović shares his experience debugging a production issue in which a specific API endpoint failed due to out-of-memory errors.
You will learn:
- How Go's garbage collector interacts with Kubernetes resource limits, potentially leading to unexpected OOMKilled errors.
- The importance of the GOMEMLIMIT environment variable in Go 1.19+ for managing memory usage in containerized environments.
- Considerations for optimizing Go applications in Kubernetes, balancing performance and resource utilization.
Watch (or listen to) it here: https://kube.fm/kubernetes-go-emin
🌟 This episode is sponsored by StormForge. Double your Kubernetes resource utilization and unburden developers from sizing complexity with the first HPA-compatible vertical pod rightsizing solution. https://stormforge.io/optimize-live/?utm_source=Learnk8s&utm_medium=podcast&utm_campaign=learnk8s-sow2-2024
With @Birthmarkb "miniscule" Farrell
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 102:
⚖️ Load balancing and scaling long-lived connections in Kubernetes
⚒️ Build your service mesh
📈 Optimizing database performance: Exploring pgpool2 deployment on Azure Kubernetes Service
🙉 Learned it the hard way: Don't use Cilium's default pod CIDR
💸 Reducing cloud costs of Kubernetes clusters
Read it now: https://learnk8s.io/issues/102
🌟 Are you ready to double your Kubernetes resource utilization?
StormForge, the sponsor for this issue, has built an HPA-compatible vertical pod rightsizing solution designed to help you save Mem/CPU and optimize your cloud bill. You can try it for free here https://stormforge.io/optimize-live/?utm_source=Learnk8s&utm_medium=email&utm_campaign=learnk8s-sow2-2024
This tutorial demonstrates how to set up a zero-trust Kubernetes ingress with Tailscale operator, cert-manager, and external-dns.
The configuration enables easy and rapid deployment of private ingresses accessible only to authorized devices.
More: https://medium.com/@mattiaforc/zero-trust-kubernetes-ingress-with-tailscale-operator-cert-manager-and-external-dns-8f42272f8647
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Gemini
💰 $248K to $310K a year
👨💻 Remote from the United States
→ https://kube.careers/t/03598248-6bcb-4117-85b1-ecba6edb3070?s=55
DevSecOps Engineer with Uniswap Labs
💰 $264K to $294K a year
🏠 From the office in New York, NY, USA
→ https://kube.careers/t/3d7c0bd7-abd8-4526-a376-458f65018709?s=55
DevSecOps Engineer with CoreWeave
💰 $240K to $275K a year
🏠🏃🏻♂️🌎 Roseland, NJ / Brooklyn, NY / Sunnyvale, CA / Bellevue, WA, USA
→ https://kube.careers/t/e9f1791e-bf17-4013-af2a-c52e93b6beaf?s=55
👉 Browse all 1302 Kubernetes jobs on Kube Careers https://kube.careers
Kubernetes profiling, enabled by default in the API server, scheduler, controller-manager, etc., can pose a security risk if not properly managed.
While the information is gated behind authz & authn, certain clusters can still be vulnerable to attacks.
More: https://raesene.github.io/blog/2024/06/18/Taking-A-Look-At-Kubernetes-Profiling
Secrets Webhook is a tool that enables direct secret injection into Kubernetes Pods through a mutating webhook.
More: https://github.com/bank-vaults/secrets-webhook
The allowPrivilegeEscalation flag prevents processes from gaining more privileges than their parent process.
This article explains that while turning it off can be a valuable security mechanism, not doing so is unlikely to get you hacked.
More: https://blog.christophetd.fr/stop-worrying-about-allowprivilegeescalation
Forwarded from KubeFM
Are you facing challenges with pre-production environments in Kubernetes?
This KubeFM episode shows how to implement efficient deployment previews and solve data seeding bottlenecks.
Nick Nikitas, Senior Platform Engineer at Blueground, shares how his team transformed their static pre-production environments into dynamic previews using ArgoCD Application Sets, Wave and Velero.
He explains their journey from managing informal environment sharing between teams to implementing a scalable preview system that reduced environment creation time from 19 minutes to 25 seconds.
You will learn:
- How to implement GitOps-based preview environments with Argo CD Application Sets and PR generators for automatic environment creation and cleanup.
- How to control cloud costs with TTL-based termination and FIFO queues to manage the number of active preview environments.
- How to optimize data seeding using Velero, AWS EBS snapshots, and Kubernetes PVC management to achieve near-instant environment creation.
Watch it here: https://kube.fm/deployment-previews-nick
Contrast is a tool that runs confidential container deployments on Kubernetes.
It is based on the Kata Containers and Confidential Containers projects.
More: https://github.com/edgelesssys/contrast
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 103:
🔐 How Agoda handles load shedding in private cloud
📕 A hands-on guide to Kubernetes endpoints & EndpointSlices
🤠 Kubernetes: containers, and the "lost" SIGTERM signals
🙅♂️ Observability is not equal observability in Kubernetes
⚒️ Amazon EKS: managing and fixing etcd database size
Read it now: https://learnk8s.io/issues/103
⭐️ Single big cluster or multiple clusters?
Why not the best of both?! Simplify Kubernetes with vCluster by Loft Labs, the leading solution for Kubernetes multi-tenancy and cost savings https://www.vcluster.com/?utm_source=learnk8s&utm_medium=newsletter&utm_campaign=102924-learnk8s-nl
This article explains how to use Network Policies in Kubernetes to control traffic flow and create isolation between services, with a practical example.
More: https://medium.com/@jdominguezc26/building-secure-kubernetes-environments-a-practical-guide-to-network-policies-3590f372ab2d
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Gemini
💰 $248K to $310K a year
👨💻 Remote from the United States
→ https://kube.careers/t/03598248-6bcb-4117-85b1-ecba6edb3070?s=55
DevSecOps Engineer with Uniswap Labs
💰 $264K to $294K a year
🏠 From the office in New York, NY, USA
→ https://kube.careers/t/3d7c0bd7-abd8-4526-a376-458f65018709?s=55
Security Architect with Adobe Inc.
💰 $191.7K to $345.7K a year
🏠 From the office in Seattle, WA / San Francisco / San Jose, CA, USA
→ https://kube.careers/t/b6de3faf-adb8-462a-9dd9-260446149b27?s=55
👉 Browse all 1352 Kubernetes jobs on Kube Careers https://kube.careers
Forwarded from LearnKube news
Kubernetes in action: from pods to production-ready clusters!
📆 Learnk8s runs a 4-day online Advanced Kubernetes course in 2 weeks!
You will learn how to:
1️⃣ Architect and design resilient clusters (in the cloud or on-prem).
2️⃣ Master deployment strategies and resource management.
3️⃣ Wire the cluster network and trace packets flowing through it.
4️⃣ Secure your cluster with the latest best practices.
5️⃣ Autoscale, manage data and stateful workloads, monitoring and more.
What you need to know:
✅ 40% lecture, 60% hands-on labs.
✅ Small groups for personalized learning.
✅ Progresses from basics to advanced topics.
✅ Lifetime access to course materials and Slack community.
Ticket and info: https://kube.events/t/3ae8e890-0f78-40e8-854e-849964bb8aee
Corporate training: https://learnk8s.io/corporate-training
SOPS: Secrets OPerationS is an operator for managing Kubernetes Secret Resources created from user-defined SopsSecrets CRDs, inspired by Bitnami SealedSecrets and sops.
More: https://github.com/isindir/sops-secrets-operator
Securing Kubernetes Pods is crucial for production workloads, as they are a common entry point for attackers.
This article outlines the steps to take to mitigate risks using tools like OPA and Kyverno, and configuring network policies to manage traffic.
More: https://dev.to/thenjdevopsguy/securing-kubernetes-pods-for-production-workloads-51oh
Learn how to use a Kubernetes admission controller to authorize external requests by creating a custom authorization service, generating TLS certificates, and configuring deployment and service manifests.
More: https://itnext.io/kubernetes-webhook-admission-controller-3271d041c636
Forwarded from KubeFM
This episode explores Admission Controllers and Webhooks with Gordon Myers, who shares his experience implementing webhook solutions in production.
You will learn:
- How the Kubernetes API processes requests through authentication, authorization, and Admission Controllers.
- Best practices for testing webhooks and avoiding common pitfalls that can break cluster deployments.
- Real-world examples of webhook implementations, including injecting secrets from HashiCorp Vault into containers.
Watch (or listen to) it here: https://kube.fm/webhooks-aop-gordon
🌟 This episode is sponsored by @Learnk8s: get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
With @Birthmarkb "Joyful and empowering voice" Farrell