Kubesploit – Telegram
Kubesploit
1.96K subscribers
828 photos
129 videos
1.61K links
News and links on Kubernetes security curated by the @Learnk8s team
Website: https://kubesploit.io/
In this article, you will learn how Role-Based Access Control (RBAC) works in Kubernetes, including infrastructure design, authentication and authorization, role binding, and service accounts to manage user and application access to cluster resources.

More: https://medium.com/@amansinghsonkh/how-rbac-works-in-the-kubernetes-0d421bf5cf39
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 112:

🧐 Monitoring inter-pod traffic at the AZ level with the eBPF-based tool Retina
♻️ Mastering GitOps with Flux at Adore Me
📈 From chaos to control: the importance of tailored autoscaling in Kubernetes
💼 How we use Kubernetes jobs to scale the OpenSSF scorecard
🚦 Exploring the basics of Istio traffic management

Read it now: https://learnk8s.io/issues/112

🌟 Become an expert in Kubernetes! Join the next Advanced Kubernetes workshop in January: https://learnk8s.io/training
In this tutorial, you will learn how to use Falco to detect and prevent potential threats without disrupting critical operations.

More: https://medium.com/@omar.kamal.abouraya/how-i-used-falco-to-secure-my-kubernetes-cluster-without-touching-critical-pods-159ad4546890
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with xAI
💰 $180K to $440K a year
🏠 From the office in San Francisco / Palo Alto, CA, USA
https://kube.careers/t/c7cf5fcf-05bc-4e15-948b-f58c1c47fd9f

DevSecOps Engineer with Gemini
💰 $248K to $310K a year
👨‍💻 Remote from the United States
https://kube.careers/t/03598248-6bcb-4117-85b1-ecba6edb3070

Security Architect with Adobe Inc.
💰 $191.7K to $345.7K a year
🏠 From the office in Seattle, WA / San Francisco / San Jose, CA, USA
https://kube.careers/t/b6de3faf-adb8-462a-9dd9-260446149b27

DevSecOps Engineer with CoreWeave
💰 $240K to $275K a year
🏠🏃🏻‍♂️🌎 Roseland, NJ / Brooklyn, NY / Sunnyvale, CA / Bellevue, WA, USA
https://kube.careers/t/e9f1791e-bf17-4013-af2a-c52e93b6beaf

👉 Browse all 1469 Kubernetes jobs on Kube Careers https://kube.careers
In this article, you will learn about network policies in Kubernetes, including the differences between Layer 4 and Layer 7 policies, their pros and cons, and how to implement them to achieve a zero-trust security model in your cluster.

More: https://buoyant.io/blog/a-guide-to-modern-kubernetes-network-policies
kubeseal-convert is a tool for importing secrets from pre-existing secrets management systems (e.g. Vault, Secrets Manager) into a SealedSecret.

More: https://github.com/EladLeev/kubeseal-convert
In this article, you will learn how to take a pragmatic approach to understanding the Kubernetes Threat Matrix, creating a security roadmap, and prioritizing vulnerabilities to build a secure cluster.

More: https://medium.com/@selsmie/a-pragmatic-look-at-the-kubernetes-threat-matrix-d58504e926b5
Validkube combines the best open-source tools to help ensure Kubernetes YAML best practices, hygiene & security.

More: https://github.com/komodorio/validkube
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 113:

🎡 Advanced rollout techniques: custom strategies for stateful apps in Kubernetes
👮‍♀️ A guide to modern Kubernetes network policies
🥷 A pragmatic look at the Kubernetes threat matrix
💰 AWS managed NAT gateway cost optimization with Kubernetes
💸 Gloating about our multi-arch EKS migration: cutting costs with Graviton nodes

Read it now: https://learnk8s.io/issues/113

🌟 Become an expert in Kubernetes! Join the next Advanced Kubernetes workshop in January: https://learnk8s.io/training
In this article, you will learn why Adevinta's team transitioned from Gatekeeper to Kyverno.

Discover the challenges they faced with Gatekeeper's MutatingWebhook capability and the benefits of Kyverno.

More: https://medium.com/adevinta-tech-blog/why-did-we-transition-from-gatekeeper-to-kyverno-for-kubernetes-policy-management-42bc2c4523d0
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with xAI
💰 $180K to $440K a year
🏠 From the office in San Francisco / Palo Alto, CA, USA
https://kube.careers/t/c7cf5fcf-05bc-4e15-948b-f58c1c47fd9f

DevSecOps Engineer with Gemini
💰 $248K to $310K a year
👨‍💻 Remote from the United States
https://kube.careers/t/03598248-6bcb-4117-85b1-ecba6edb3070

Security Architect with Adobe Inc.
💰 $191.7K to $345.7K a year
🏠 From the office in Seattle, WA / San Francisco / San Jose, CA, USA
https://kube.careers/t/b6de3faf-adb8-462a-9dd9-260446149b27

DevSecOps Engineer with CVS Pharmacy, Inc.
💰 $175.1K to $334.75K a year
🏠🏃🏻‍♂️🌎 New York, NY, USA
https://kube.careers/t/1ee7ee65-591c-4b3b-8feb-bb08a943d8e1

Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275

👉 Browse all 1419 Kubernetes jobs on Kube Careers https://kube.careers
In this article, you will learn about a critical ingress-nginx controller vulnerability that allows attackers to bypass annotation validation, potentially leading to unauthorized access and code execution in Kubernetes clusters.

More: https://www.armosec.io/blog/cve-2024-7646-ingress-nginx-annotation-validation-bypass
In this article, you will learn how eBPF can provide insights into real-time SSL/TLS encrypted traffic, enabling monitoring and analysis of application performance and traffic patterns without compromising security.

More: https://cloudchirp.medium.com/what-insights-can-ebpf-provide-into-real-time-ssl-tls-encrypted-traffic-and-how-435c8ad33efc
In this article, you'll learn about a new variant of the Gafgyt botnet that targets cloud-native environments with crypto mining attacks and discover how to protect your systems.

More: https://blog.aquasec.com/gafgyt-malware-variant-exploits-gpu-power-and-cloud-native-environments
Forwarded from KubeFM
Are you running PostgreSQL on Kubernetes and need to choose the right operator?

In this episode, David Pech shares his experience implementing database platforms on Kubernetes and guides teams through operator selection and platform requirements.

You will learn:

- The core requirements for a PostgreSQL platform on Kubernetes, including autopilot capabilities, security practices, and observability
- How to evaluate PostgreSQL operators based on their architecture — from single-instance deployments to cloud-native implementations
- What teams should consider before building their own database-as-a-service and common pitfalls to avoid

Watch (or listen to) it here: https://ku.bz/rGMF2ktdb

🌟 This episode is brought to you by Learnk8s — Become an expert in Kubernetes! Join the next Advanced Kubernetes workshop this January: https://learnk8s.io/training

With @Birthmarkb "Tarmac Connoisseur" Farrell
In this article, you'll learn about mutual TLS on Kubernetes and compare different approaches: ambient mode, sidecar-based service mesh, or a DIY solution.

More: https://blog.howardjohn.info/posts/mtls-kubernetes
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 114:

⏮️ Why did we transition from Gatekeeper to Kyverno for Kubernetes policy management?
🐝 What insights can eBPF provide into real-time SSL/TLS encrypted traffic and how?
🔒 I just want mTLS on Kubernetes
🐥 Mastering progressive delivery: implementing canary releases, a/b testing, and custom metrics with
🚗 How Tesla is using Kubernetes and Kafka to handle trillions of events per day

Read it now: https://learnk8s.io/issues/114

🌟 Become an expert in Kubernetes! Join the next Advanced Kubernetes workshop next week: https://learnk8s.io/online-advanced-january-2025
In this article, you'll learn how to manage secrets using the External Secrets Operator, HashiCorp Vault, and Argo CD, and discover how to avoid saving secrets in Git and automatically refresh secrets without pod restarts or application redeployments.

More: https://medium.com/containers-101/gitops-secrets-with-argo-cd-hashicorp-vault-and-the-external-secret-operator-eb1eec1dab0d
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Gemini
💰 $248K to $310K a year
👨‍💻 Remote from the United States
https://kube.careers/t/03598248-6bcb-4117-85b1-ecba6edb3070

Security Architect with Adobe Inc.
💰 $191.7K to $345.7K a year
🏠 From the office in Seattle, WA / San Francisco / San Jose, CA, USA
https://kube.careers/t/b6de3faf-adb8-462a-9dd9-260446149b27

DevSecOps Engineer with CVS Pharmacy, Inc.
💰 $175.1K to $334.75K a year
🏠🏃🏻‍♂️🌎 New York, NY, USA
https://kube.careers/t/1ee7ee65-591c-4b3b-8feb-bb08a943d8e1

Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275

DevSecOps Engineer with Crusoe
💰 $180K to $300K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA, USA
https://kube.careers/t/cc2ab37b-4b47-4dc0-9199-04269d9e3607

👉 Browse all 1273 Kubernetes jobs on Kube Careers https://kube.careers
Learn how to utilize Kubernetes' certificate system for post-exploitation, including techniques for backdooring a Kubernetes cluster, exploiting ETCD certificates, and forging service account JWT tokens to gain persistent control over cluster resources.

More: https://wgpsec.medium.com/en-kubernetes-has-its-adcs-how-to-backdoor-a-kubernetes-in-silence-08f382183e59
In this article, you will learn about the security implications of running containers as root in Kubernetes, and how using non-root users can mitigate common attack vectors and enhance overall security.

More: https://medium.com/@marcin.wasiucionek/why-is-running-as-root-in-kubernetes-containers-dangerous-e5f1a116080e