In this article, you will learn how eBPF can provide insights into real-time SSL/TLS encrypted traffic, enabling monitoring and analysis of application performance and traffic patterns without compromising security.
More: https://cloudchirp.medium.com/what-insights-can-ebpf-provide-into-real-time-ssl-tls-encrypted-traffic-and-how-435c8ad33efc
In this article, you'll learn about a new variant of the Gafgyt botnet that targets cloud-native environments with crypto mining attacks and discover how to protect your systems.
More: https://blog.aquasec.com/gafgyt-malware-variant-exploits-gpu-power-and-cloud-native-environments
Forwarded from KubeFM
Are you running PostgreSQL on Kubernetes and need to choose the right operator?
In this episode, David Pech shares his experience implementing database platforms on Kubernetes and guides teams through operator selection and platform requirements.
You will learn:
- The core requirements for a PostgreSQL platform on Kubernetes, including autopilot capabilities, security practices, and observability
- How to evaluate PostgreSQL operators based on their architecture — from single-instance deployments to cloud-native implementations
- What teams should consider before building their own database-as-a-service and common pitfalls to avoid
Watch (or listen to) it here: https://ku.bz/rGMF2ktdb
🌟 This episode is brought to you by Learnk8s — Become an expert in Kubernetes! Join the next Advanced Kubernetes workshop this January: https://learnk8s.io/training
With @Birthmarkb "Tarmac Connoisseur" Farrell
In this article, you'll learn about mutual TLS on Kubernetes and compare different approaches: ambient mode, sidecar-based service mesh, or a DIY solution.
More: https://blog.howardjohn.info/posts/mtls-kubernetes
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 114:
⏮️ Why did we transition from Gatekeeper to Kyverno for Kubernetes policy management?
🐝 What insights can eBPF provide into real-time SSL/TLS encrypted traffic and how?
🔒 I just want mTLS on Kubernetes
🐥 Mastering progressive delivery: implementing canary releases, A/B testing, and custom metrics with
🚗 How Tesla is using Kubernetes and Kafka to handle trillions of events per day
Read it now: https://learnk8s.io/issues/114
🌟 Become an expert in Kubernetes! Join the next Advanced Kubernetes workshop next week: https://learnk8s.io/online-advanced-january-2025
In this article, you'll learn how to manage secrets using the External Secret Operator, Hashicorp Vault, and Argo CD, and discover how to avoid saving secrets in Git and automatically refresh secrets without pod restarts or application deployments.
More: https://medium.com/containers-101/gitops-secrets-with-argo-cd-hashicorp-vault-and-the-external-secret-operator-eb1eec1dab0d
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Gemini
💰 $248K to $310K a year
👨💻 Remote from the United States
→ https://kube.careers/t/03598248-6bcb-4117-85b1-ecba6edb3070
Security Architect with Adobe Inc.
💰 $191.7K to $345.7K a year
🏠 From the office in Seattle, WA / San Francisco / San Jose, CA, USA
→ https://kube.careers/t/b6de3faf-adb8-462a-9dd9-260446149b27
DevSecOps Engineer with CVS Pharmacy, Inc.
💰 $175.1K to $334.75K a year
🏠🏃🏻♂️🌎 New York, NY, USA
→ https://kube.careers/t/1ee7ee65-591c-4b3b-8feb-bb08a943d8e1
Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275
DevSecOps Engineer with Crusoe
💰 $180K to $300K a year
🏠🏃🏻♂️🌎 San Francisco, CA, USA
→ https://kube.careers/t/cc2ab37b-4b47-4dc0-9199-04269d9e3607
👉 Browse all 1273 Kubernetes jobs on Kube Careers https://kube.careers
Learn how to utilize Kubernetes' certificate system for post-exploitation, including techniques for backdooring a Kubernetes cluster, exploiting ETCD certificates, and forging service account JWT tokens to gain persistent control over cluster resources.
More: https://wgpsec.medium.com/en-kubernetes-has-its-adcs-how-to-backdoor-a-kubernetes-in-silence-08f382183e59
In this article, you will learn about the security implications of running containers as root in Kubernetes, and how using non-root users can mitigate common attack vectors and enhance overall security.
More: https://medium.com/@marcin.wasiucionek/why-is-running-as-root-in-kubernetes-containers-dangerous-e5f1a116080e
In this article, you will learn about Traceeshark, a plugin for Wireshark that enables visual and interactive analysis of Tracee events, and discover how it simplifies the investigation of Linux runtime security issues and malware analysis.
More: https://blog.aquasec.com/go-deeper-linux-runtime-visibility-meets-wireshark
Forwarded from KubeFM
In this episode, William Morgan, CEO of Buoyant, explores the complex trade-offs between cost optimization and reliability in Kubernetes networking.
You will learn:
- How Topology-aware routing attempts to reduce cross-zone traffic costs but can compromise reliability by limiting inter-zone communication
- Why Layer 7 load balancing offers better traffic management through protocol awareness compared to topology-aware routing's Layer 4 approach
- How HAZL (High Availability Zonal Load Balancing) provides a more nuanced solution by balancing cost savings with reliability guarantees through intelligent traffic routing
Watch (or listen to) it here: https://ku.bz/CBwn51pl-
🌟 This episode is brought to you by Learnk8s — Become an expert in Kubernetes! Join the next Advanced Kubernetes workshop this January: https://learnk8s.io/training
With @Birthmarkb "Real Chill Guy" Farrell
Forwarded from LearnKube news
In this article, you'll learn how to expose ports in Kubernetes, common misconceptions about securing your applications, and best practices for controlling port access and network traffic using Network Policies.
More: https://awsmorocco.com/exposing-ports-in-kubernetes-what-you-should-to-know-cd1a80655f6c
In this article, you'll learn how to secure sensitive data in confidential containers, including best practices for avoiding common usage patterns that compromise security and restricting Kubernetes APIs to protect your secrets.
More: https://pradiptabanerjee.medium.com/securing-secrets-in-confidential-containers-usage-patterns-to-avoid-941388cde546
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 115:
🥷 Kubernetes has its "ADCS" how to backdoor a Kubernetes in silence
🔒 GitOps secrets with Argo CD, Hashicorp Vault and the External Secret Operator
🌲 Why is running as root in Kubernetes containers dangerous? @Marcin Wasiucionek
🔭 Go deeper: Linux runtime visibility meets Wireshark
🤫 Securing secrets in confidential containers: usage patterns to avoid
Read it now: https://learnk8s.io/issues/115
🌟 Become an expert in Kubernetes! Join the next Advanced Kubernetes workshop next week: https://learnk8s.io/online-advanced-january-2025
In this article, you'll learn how to create and manage Seccomp profiles using Golang to control system calls and enhance security in containerized environments, reducing potential vulnerabilities and attack surfaces.
More: https://cloudchirp.medium.com/container-internals-series-part-4-seccomp-d88543988709
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
Security Architect with Adobe Inc.
💰 $191.7K to $345.7K a year
🏠 From the office in Seattle, WA / San Francisco / San Jose, CA, USA
→ https://kube.careers/t/b6de3faf-adb8-462a-9dd9-260446149b27
Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275
DevSecOps Engineer with Crusoe
💰 $180K to $300K a year
🏠🏃🏻♂️🌎 San Francisco, CA, USA
→ https://kube.careers/t/cc2ab37b-4b47-4dc0-9199-04269d9e3607
DevSecOps Engineer with Attentive
💰 $200K to $270K a year
👨💻 Remote from the United States of America
→ https://kube.careers/t/9d5fda72-efd7-4b36-9432-e14b829f7912
DevSecOps Engineer with Plaid
💰 $186.84K to $279.72K a year
🏠🏃🏻♂️🌎 US
→ https://kube.careers/t/65616251-5ba0-42af-af39-fb64a1c2d20d
👉 Browse all 1218 Kubernetes jobs on Kube Careers https://kube.careers
The Trivy Operator leverages Trivy to continuously scan your Kubernetes cluster for security issues.
The scans are summarised in security reports as Kubernetes Custom Resource Definitions, which become accessible through the Kubernetes API.
More: https://github.com/aquasecurity/trivy-operator
In this article, you'll learn how to design effective Kubernetes Network Policies to secure your cluster, including key considerations, best practices, and examples to enforce network isolation and the principle of least privilege.
More: https://medium.com/@rozdolskyvolodymyr/designing-effective-kubernetes-network-policies-key-considerations-6e70255c0ef6
AWRBACS is a tool that audits CRUD permissions in Kubernetes' RBAC, allowing users to enumerate and verify the permissions of users and service accounts.
More: https://github.com/lobuhi/awrbacs
Forwarded from KubeFM
Platform Engineer Artem Lajko breaks down observability into three distinct layers and explains how tools like Prometheus, Grafana, and Falco serve different purposes.
You will learn:
- How to implement the three-layer model (external, internal, and OS-level) and why each layer serves different stakeholders
- How to choose and scale observability tools using a label-based approach (low, medium, high)
- How to manage observability costs by collecting only relevant metrics and logs
Watch (or listen to) it here: https://ku.bz/9sGxhmm8s
🌟 This episode is brought to you by Learnk8s — Become an expert in Kubernetes! Join the next Advanced Kubernetes workshop this January: https://learnk8s.io/training
With @Birthmarkb "Kubernetes historian" Farrell
Discover how to create a secure flow for your AKS applications to access sensitive secrets, such as database credentials, using the Secret Store CSI Driver and User-Assigned Managed Identity (UAMI).
More: https://medium.com/@gharbisofiene98/automating-secure-secrets-management-in-aks-with-terraform-and-azure-key-vault-e6a71f5f6805