Improve your Kubernetes cluster security with Kyverno, an open-source tool that helps you validate deployments and secure resources.

Learn how to apply best practices and ensure a secure cluster.

More: https://ku.bz/WRklTnMWz

Learn how to extend Kubernetes Service accounts auth scope to application APIs using JWT and Envoy gateway for secure authentication between services in different clusters

More: https://ku.bz/VJ1TRHMn5

kubectl-validate is a SIG-CLI subproject to support the local validation of resources for native Kubernetes types and CRDs.

More: https://github.com/kubernetes-sigs/kubectl-validate

Detect and prevent threats in Argo CD pipelines.

Learn how to identify and mitigate initial admin password compromise, unauthorized application deployment, and other security risks with detection rules and hunting searches.

More: https://ku.bz/7Ly_ykVk6

John Howard, Senior Software Engineer at Solo.io, explains the complexities of implementing Mutual TLS (mTLS) in Kubernetes.

You will learn:

- Why DIY mTLS implementation in Kubernetes is challenging at scale, requiring certificate management, application updates, and careful transition planning
- How Service Mesh solutions offload security concerns from applications, allowing developers to focus on business logic while infrastructure handles encryption
- The advantages of Ambient Mesh's approach to simplifying mTLS implementation with its node proxy and waypoint proxy architecture

Watch (or listen to) it here: https://ku.bz/sk-ZF1PG9

🌟 This episode is brought to you by Learnk8s — Become an expert in Kubernetes! Join the next Advanced Kubernetes workshop: https://learnk8s.io/training

With @Birthmarkb "Nessie" Farrell

Reflector is a Kubernetes addon designed to monitor changes to resources (Secrets and ConfigMaps) and reflect changes to mirror resources in the same or other namespaces.

More: https://ku.bz/-chnMYTMc

This week on Learn Kubernetes Weekly 121:

⚖️ Kubernetes networking: service, kube-proxy, load balancing
🆙 How Canonical Kubernetes CAPI providers handle in-place upgrades
🎡 Migrating from DC/OS to Kubernetes: a deep dive into the challenges and opportunities
👮‍♀️ Extend Kubernetes Service accounts auth scope to application APIs
🥷 Securing continuous delivery: Argo CD threat detection

Read it now: https://learnk8s.io/issues/121

⭐️ This newsletter is brought to you by Spectro Cloud: the Kubernetes management platform for enterprise, public sector — and you https://ku.bz/TjrMw39yF

In this article, you will learn how to simplify image pulls in on-premise Kubernetes using the kubelet-credential-provider-api, mimicking managed Kubernetes features.

More: https://ku.bz/0D8gqV4V6

Master Kubernetes with Learnk8s' Advanced Kubernetes workshop!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

The next online courses start in 2 weeks: https://ku.bz/DX6TPV4P_

We also run in-person courses and corporate training: https://learnk8s.io/corporate-training

Paralus is a tool that enables controlled, audited access to Kubernetes infrastructure.

It comes with just-in-time service account creation and user-level credential management that integrates with your RBAC and SSO.

Ships as a GUI, API, and CLI.

More: https://ku.bz/D2-92bdW4

In this article, you will learn about TeamTNT's new campaign targeting exposed Docker daemons to deploy malware and cryptominers.

They are using compromised Docker Hub accounts and leveraging cloud-native capabilities.

More: https://ku.bz/tQR0YvSL1

Trivy is a comprehensive and versatile security scanner.

What Trivy can scan:

- Container Images.
- Filesystem.
- Git Repository (remote).
- Virtual Machine Image.
- Kubernetes.
- AWS.

More: https://ku.bz/J7cTQ8HBf

Scaling Open Policy Agent (OPA) with batch queries improves performance but requires balancing resource allocation and logging optimization to achieve high scalability in complex systems.

More: https://ku.bz/ysJcKWqSG

This week on Learn Kubernetes Weekly 122:

🚀 Super-scaling Open Policy Agent with batch queries
🟥 Auto-scaling with KEDA using custom RED metrics from Prometheus
🚅 Building a Reliable Notification Service: Solving Duplication and Scaling Issues
🪞 The power of preview Deployments: catching bugs before they bite using Argo CD
📈 Performance testing Kubernetes workloads

Read it now: https://learnk8s.io/issues/122

⭐️ ⭐️ This newsletter is brought to you by Akamai Cloud Computing — built for real cloud portability. Choose the right technologies for each workload. Avoid lock-in with proprietary services https://ku.bz/bhzp6DYBs

Learn how to secure your Kubernetes cluster with Istio Authorization Policy.

This guide shows you how to deploy a Quarkus API and restrict access to allow only the test1 namespace while denying the test2 namespace.

More: https://ku.bz/S5yCJ0M9p

In this article, you will learn how Kubernetes leverages Seccomp, AppArmor, and SELinux to improve container security.

It also covers Pod Security Standards and Admission Control for safer workload execution.

More: https://ku.bz/jcBT3fxfX

Master Kubernetes with Learnk8s' Advanced Kubernetes workshop!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

The next online course starts next week: https://ku.bz/DX6TPV4P_

We also run in-person courses and corporate training: https://learnk8s.io/corporate-training

kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

More: https://ku.bz/3J4LYSktJ

Learn how to simplify certificate management in your Kubernetes workloads with a scalable and automated solution.

Discover how Kyverno, Helm, and cert-manager can help you achieve consistent and secure deployment across your environment.

More: https://ku.bz/-Gd2LvSN9

John McBride, VP of Infrastructure and AI Engineering at the Linux Foundation shares how using Kubernetes and open-source AI models saved them tens of thousands of dollars.

You will learn:

- How to deploy VLLM on Kubernetes to serve open-source LLMs like Mistral and Llama
- How running inference workloads on your own infrastructure with T4 GPUs can reduce costs from tens of thousands to just a couple thousand dollars monthly
- Practical approaches to monitoring GPU workloads in production, including handling unpredictable failures and VRAM consumption issues

Watch (or listen to) it here: https://ku.bz/wP6bTlrFs

🌟 This episode is brought to you by StackGen! Don't let infrastructure block your teams. StackGen deterministically generates secure cloud infrastructure from any input - existing cloud environments, IaC or application code https://ku.bz/t0gBX9qQz

With @Birthmarkb "SWAG expert" Farrell

Pinniped is an authentication service for Kubernetes clusters.

It supports various authenticator types and OIDC identity providers and implements different integration strategies for various Kubernetes distributions to facilitate authentication.

More: https://ku.bz/6KZM5b9nV