Contrast is a tool that runs confidential container deployments on Kubernetes.
It is based on the Kata Containers and Confidential Containers projects.
More: https://github.com/edgelesssys/contrast
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 103:
🔐 How Agoda handles load shedding in private cloud
📕 A hands-on guide to Kubernetes endpoints & EndpointSlices
🤠 Kubernetes: containers, and the "lost" SIGTERM signals
🙅♂️ Observability is not equal observability in Kubernetes
⚒️ Amazon EKS: managing and fixing etcd database size
Read it now: https://learnk8s.io/issues/103
⭐️ Single big cluster or multiple clusters?
Why not the best of both?! Simplify Kubernetes with vCluster by Loft Labs, the leading solution for Kubernetes multi-tenancy and cost savings https://www.vcluster.com/?utm_source=learnk8s&utm_medium=newsletter&utm_campaign=102924-learnk8s-nl
This article explains how to use Network Policies in Kubernetes to control traffic flow and create isolation between services, with a practical example.
More: https://medium.com/@jdominguezc26/building-secure-kubernetes-environments-a-practical-guide-to-network-policies-3590f372ab2d
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Gemini
💰 $248K to $310K a year
👨💻 Remote from the United States
→ https://kube.careers/t/03598248-6bcb-4117-85b1-ecba6edb3070?s=55
DevSecOps Engineer with Uniswap Labs
💰 $264K to $294K a year
🏠 From the office in New York, NY, USA
→ https://kube.careers/t/3d7c0bd7-abd8-4526-a376-458f65018709?s=55
Security Architect with Adobe Inc.
💰 $191.7K to $345.7K a year
🏠 From the office in Seattle, WA / San Francisco / San Jose, CA, USA
→ https://kube.careers/t/b6de3faf-adb8-462a-9dd9-260446149b27?s=55
👉 Browse all 1352 Kubernetes jobs on Kube Careers https://kube.careers
Forwarded from LearnKube news
Kubernetes in action: from pods to production-ready clusters!
📆 Learnk8s runs a 4-day online Advanced Kubernetes course in 2 weeks!
You will learn how to:
1️⃣ Architect and design resilient clusters (in the cloud or on-prem).
2️⃣ Master deployment strategies and resource management.
3️⃣ Wire the cluster network and trace packets flowing through it.
4️⃣ Secure your cluster with the latest best practices.
5️⃣ Autoscale, manage data and stateful workloads, monitoring and more.
What you need to know:
✅ 40% lecture, 60% hands-on labs.
✅ Small groups for personalized learning.
✅ Progresses from basics to advanced topics.
✅ Lifetime access to course materials and Slack community.
Ticket and info: https://kube.events/t/3ae8e890-0f78-40e8-854e-849964bb8aee
Corporate training: https://learnk8s.io/corporate-training
SOPS: Secrets OPerationS is an operator for managing Kubernetes Secret Resources created from user-defined SopsSecrets CRDs, inspired by Bitnami SealedSecrets and sops.
More: https://github.com/isindir/sops-secrets-operator
Securing Kubernetes Pods is crucial for production workloads, as they are a common entry point for attackers.
This article outlines the steps to take to mitigate risks using tools like OPA and Kyverno, and configuring network policies to manage traffic.
More: https://dev.to/thenjdevopsguy/securing-kubernetes-pods-for-production-workloads-51oh
Learn how to use a Kubernetes admission controller to authorize external requests by creating a custom authorization service, generating TLS certificates, and configuring deployment and service manifests.
More: https://itnext.io/kubernetes-webhook-admission-controller-3271d041c636
Forwarded from KubeFM
This episode explores Admission Controllers and Webhooks with Gordon Myers, who shares his experience implementing webhook solutions in production.
You will learn:
- How the Kubernetes API processes requests through authentication, authorization, and Admission Controllers.
- Best practices for testing webhooks and avoiding common pitfalls that can break cluster deployments.
- Real-world examples of webhook implementations, including injecting secrets from HashiCorp Vault into containers.
Watch (or listen to) it here: https://kube.fm/webhooks-aop-gordon
🌟 This episode is sponsored by @Learnk8s: get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
With @Birthmarkb "Joyful and empowering voice" Farrell
This article provides an in-depth exploration of Kubernetes networking, tracing the journey of a network packet through a cluster and highlighting the crucial role of Network Policies in securing applications.
More: https://otterize.com/blog/mastering-kubernetes-networking-otterize-s-journey-in-cloud-native-packet-management
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 104:
🤔 Why sometimes the PID 1 process cannot be killed in a container
📕 Understanding DNS in Kubernetes
🏥 From fragile to faultless: Kubernetes self-healing in practice
🚧 The trouble with topology-aware routing: sacrificing reliability in the name of cost savings
♻️ Taming FluxCD Helm releases: the Kustomize way approach
Read it now: https://learnk8s.io/issues/104
⭐️ Become an expert in Kubernetes. Join the next instructor-led Learnk8s training and learn how to master Kubernetes scaling, security and development https://learnk8s.io/training
This article provides a guide to Falco, a system threat detection engine.
It covers its installation, rule creation, architecture, and use with containers and Kubernetes.
More: https://a-cup-of.coffee/blog/falco
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Gemini
💰 $248K to $310K a year
👨💻 Remote from the United States
→ https://kube.careers/t/03598248-6bcb-4117-85b1-ecba6edb3070?s=55
DevSecOps Engineer with Uniswap Labs
💰 $264K to $294K a year
🏠 From the office in New York, NY, USA
→ https://kube.careers/t/3d7c0bd7-abd8-4526-a376-458f65018709?s=55
Security Architect with Adobe Inc.
💰 $191.7K to $345.7K a year
🏠 From the office in Seattle, WA / San Francisco / San Jose, CA, USA
→ https://kube.careers/t/b6de3faf-adb8-462a-9dd9-260446149b27?s=55
👉 Browse all 1231 Kubernetes jobs on Kube Careers https://kube.careers
Forwarded from KubeFM
Hillai Ben-Sasson and Ronen Shustin, Security Researchers at Wiz, emphasized that containers should not be solely relied upon as security barriers due to their vulnerability to kernel exploits and common misconfiguration.
They also pointed out significant risks associated with strong secrets within Kubernetes environments, which can grant extensive read and write access across different cloud services and customers.
Watch the full episode: https://kube.fm/hacking-alibaba-ronen-hillai
The article examines the kube-proxy API, covering its healthz and metrics components, and the information it provides without authentication.
More: https://raesene.github.io/blog/2024/06/16/Taking-A-Look-At-The-Kube-Proxy-API
Forwarded from LearnKube news
Kubernetes in action: from pods to production-ready clusters!
📆 Learnk8s runs a 4-day online Advanced Kubernetes course next week!
You will learn how to:
1️⃣ Architect and design resilient clusters (in the cloud or on-prem).
2️⃣ Master deployment strategies and resource management.
3️⃣ Wire the cluster network and trace packets flowing through it.
4️⃣ Secure your cluster with the latest best practices.
5️⃣ Autoscale, manage data and stateful workloads, monitoring and more.
What you need to know:
✅ 40% lecture, 60% hands-on labs.
✅ Small groups for personalized learning.
✅ Progresses from basics to advanced topics.
✅ Lifetime access to course materials and Slack community.
Ticket and info: https://kube.events/t/3ae8e890-0f78-40e8-854e-849964bb8aee
Corporate training: https://learnk8s.io/corporate-training
kubeztl is a tool that zitifies the Kubernetes client, allowing users to access their Kubernetes cluster securely using a zero-trust overlay network.
More: https://github.com/openziti-test-kitchen/kubeztl
The article walks through a hands-on lab where a Flask application is exploited to gain initial access to a Kubernetes cluster.
This is followed by privilege escalation using GitHub CI/CD credentials and exfiltrating sensitive data from a database.
More: https://soc-inspiration.medium.com/hands-on-lab-full-kubernetes-compromise-what-will-your-soc-do-about-it-3866106cf041
Forwarded from KubeFM
Paul Butler, founder of Jamsocket, discusses how to identify necessary vs unnecessary complexity in Kubernetes and explains how his team successfully runs production workloads by being selective about which features they use.
You will learn:
- Why to be cautious with features like CRDs, StatefulSets, and Helm and how to evaluate if you really need them.
- How to stay on the "happy path" in Kubernetes by focusing on stable and simple resources like Deployments, Services, and ConfigMaps.
- When to consider alternatives like Google Cloud Run for simpler deployments that don't need the full complexity of Kubernetes.
Watch (or listen to) it here: https://kube.fm/kubernetes-hater-s-guide-paul
🌟 This episode is sponsored by Syntasso, the creators of Kratix, a framework for building composable internal developer platforms https://ku.bz/CJNDlLXVS
With @Birthmarkb "Diet Coke Lover" Farrell
helmper is a Go program that reads Helm Charts from remote OCI registries and pushes the charts' container images to your own registries, with optional OS-level vulnerability patching.
More: https://github.com/ChristofferNissen/helmper
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 105:
🇨🇳 Chinese Docker Hub complete shutdown: how far can Kubernetes image repositories go?
🤯 Overengineering this blog's preview site with Kubernetes
🧐 Taking a look at the Kube-proxy API
🥇 Kubernetes: the road to 1.0
🏃♂️ Extending Kubernetes functionality: A practical guide to custom resource definitions
Read it now: https://learnk8s.io/issues/105
🌟 This newsletter is brought to you by Syntasso, creators of Kratix, a framework for building composable developer platforms. Deploy on Kubernetes with speed, safety, and scalability https://ku.bz/0F0XMbqgN