Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 124:
🍎 Kubernetes at Mercado Libre
💸 From Autopilot to Standard GKE: The Key to 15x Cheaper Istio
🧨 How We Built a Dynamic Kubernetes API Server for the API Aggregation Layer in Cozystack
🥇 All my DevOps pipelines from GitLab commit to ArgoCD got beaten by FTP
🕵️♂️ Examining approaches and patterns for debuggability: ephemeral containers and Argo Workflows
And more! If you prefer to receive the newsletter every week in your inbox, you can subscribe here: https://learnk8s.io/learn-kubernetes-weekly
Read it now: https://learnk8s.io/issues/124
⭐️ KubeFM published a book of battle-tested experiences from engineers who pushed Kubernetes to its limits and lived to tell the tale. Download for free here https://ku.bz/Z0j-v-pdG
Learn how to build secure Docker images with Trivy, a tool for vulnerability scanning, and improve your application's security posture.
More: https://ku.bz/FvZDmCF5k
In this article, you will learn how Validating Admission Policy offers a native, declarative way to enforce cluster resource rules directly in the API server using CEL, replacing complex webhooks with simpler, performance-driven validation policies.
More: https://ku.bz/9L7yQfCvk
Forwarded from KubeFM
Alexander Lawrence, Director of Cloud Security Strategy at Sysdig, explains why implementing security in Kubernetes environments is particularly challenging.
He highlights that 60% of containers live for less than a minute, making traditional security approaches ineffective. The scale and speed of Kubernetes operations create significant barriers to security adoption, with environment sprawl that makes the VMware era "look like child's play." Lawrence suggests that making security tools native, easy to use, and available out-of-the-box is essential for overcoming these adoption challenges.
Watch the full interview: https://ku.bz/-MqhJchmb
This interview is a reaction to John McBride's episode https://ku.bz/wP6bTlrFs
Tokenetes is an open-source, cloud-native Transaction Tokens (TraTs) Service that leverages the standards defined in the Transaction Tokens draft.
More: https://ku.bz/5kYH15LBX
Sveltos simplifies secret management across Kubernetes clusters by automating distribution, storage, and propagation.
It centralizes secrets in the management cluster, reducing manual effort and enhancing security.
More: https://ku.bz/PTqdWvf_S
The ClusterSecret operator keeps matching namespaces updated with secrets:
- New matching namespaces receive the secret automatically.
- Changes to the ClusterSecret update all related secrets, and deleting it also removes all cloned secrets.
More: https://ku.bz/vDWHTkPht
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 125:
💰 The infrastructure to handle 10m requests in 10 minutes for $0.0116
🏊♀️ Deep Dive into Kubernetes CPU Usage, Requests, and Limits
📈 Optimizing Kubernetes Resource Utilization: CPU and Memory Requests and Limits
🚮 We threw away 13 years of work for EKS
0️⃣ Proxyless scale-to-zero with eBPF
Read it now: https://learnk8s.io/issues/125
⭐️ This newsletter is brought to you by LoftLabs — simplify Kubernetes with vCluster, the leading solution for Kubernetes multi-tenancy and cost savings https://ku.bz/3DgN6HyWR
Forwarded from KubeFM
Yakir Kadkoda and Assaf Morag from Aqua Security emphasized the importance of using multiple secret scanning tools to identify different types of vulnerabilities.
Their research revealed that most secrets were found in personal employee repositories rather than the company's official repositories, underscoring the need for comprehensive scanning practices.
Watch the full episode: https://ku.bz/5RKVBGlQR
Forwarded from Kube Architect
This article outlines a GitOps approach using Otterize, Kyverno, and Argo CD to manage dynamic Kubernetes Network Policies at scale across 25+ clusters, simplifying policy creation and automating updates without service disruptions.
More: https://ku.bz/gbHZPBXhR
In this article, you will learn how to create a Service Account, associate it with a Role, and use it in a Pod.
Additionally, you will also verify the permissions of the Service Account to ensure it has the appropriate access.
More: https://ku.bz/_mpRnssSZ
Dracan is a lightweight middleware for Kubernetes that enhances filtering and validation capabilities.
It ensures that only valid requests reach your applications.
More: https://ku.bz/PyX7LNrhJ
AWS EKS Pod Identity streamlines IAM permissions for pods, bypassing OIDC/IRSA's trust policies and scaling limits.
It uses session tags for fine-grained access, works exclusively with EKS, and coexists with IRSA.
More: https://ku.bz/rFs8Np0Gr
Forwarded from KubeFM
Nicholas Morey, Senior Developer Advocate at Akuity, advises against managing your own secrets manager.
Drawing from personal experience, he highlights the challenges of misconfigurations, troubleshooting outages, and maintaining security.
Watch the full interview: https://ku.bz/KCX-qwJ7M
This interview is a reaction to Mac's episode https://ku.bz/rFlp8Yj9s
Learn how Sigstore and HashiCorp Vault enable cryptographic container image signing, allowing organizations to verify image integrity and control deployments through automated, policy-driven signature validation.
More: https://ku.bz/QsG1kbj7q
This article outlines key practices for secure container images: run as non-root, use minimal base images (e.g., distroless), avoid hardcoded secrets, and sign/scan images to reduce vulnerabilities and ensure robust security.
More: https://ku.bz/p7knvnrB6
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 126:
👮♀️ GitOps: How to manage dynamic Network Policy changes at scale across 25 clusters?
🧹 Automating the Kubernetes cleanup with Argo Workflows: because even admins need a break
0️⃣ Kubernetes: Scale to Zero with Karpenter
👽 A Brief overview of the Kubernetes node lifecycle
🕵️♀️ Demystifying Kubernetes CNI providers
Read it now: https://learnk8s.io/issues/126
⭐️ This newsletter is brought to you by Komodor — Simplify Kubernetes management at scale, from migration to day-to-day operations https://ku.bz/ZX4PSHsx8
This tutorial shows how to deploy & use the Tailscale Kubernetes operator to share private Kubernetes apps securely.
More: https://ku.bz/fGGyM_1tK
KSOPS is a kustomize exec plugin for SOPS encrypted resources.
KSOPS can be used to decrypt any Kubernetes resource, but is most commonly used to decrypt encrypted Kubernetes Secrets and ConfigMaps.
More: https://ku.bz/ynzVK8y_0
Forwarded from LearnKube news
Kubernetes in action: from pods to production-ready clusters!
📆 Learnk8s runs a 4-day online Advanced Kubernetes course in May!
You will learn how to:
1️⃣ Architect and design resilient clusters (in the cloud or on-prem).
2️⃣ Master deployment strategies and resource management.
3️⃣ Wire the cluster network and trace packets flowing through it.
4️⃣ Secure your cluster with the latest best practices.
5️⃣ Autoscale, manage data and stateful workloads, monitoring and more.
What you need to know:
✅ 40% lecture, 60% hands-on labs.
✅ Small groups for personalized learning.
✅ Progresses from basics to advanced topics.
✅ Lifetime access to course materials and Slack community.
Ticket and info: https://ku.bz/Zz7jkHy7q
Corporate training: https://learnk8s.io/corporate-training
This simulated EKS attack shows how a command injection in a web app escalates to cluster takeover via JWT theft, IMDS abuse, and AWS credential misuse.
More: https://ku.bz/0k8y0kWLM