Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 128:
🤔 Why Pull Base Images When You Can Build Your Own?
☁️ Scaling in the Clouds: Istio Ambient vs Cilium
🧹 Kubernetes configuration linting tools
♻️ Git happens: how Argo CD took over our deployments
🤗 I Stopped Using Kubernetes: Our DevOps Team Is Happier Than Ever
Read it now: https://learnk8s.io/issues/128
⭐️ This issue is brought to you by Akamai Cloud — build and deliver low-latency, edge native applications on the world's most distributed cloud computing platform https://ku.bz/93rJKSr_V
🤔 Why Pull Base Images When You Can Build Your Own?
☁️ Scaling in the Clouds: Istio Ambient vs Cilium
🧹 Kubernetes configuration linting tools
♻️ Git happens: how Argo CD took over our deployments
🤗 I Stopped Using Kubernetes: Our DevOps Team Is Happier Than Ever
Read it now: https://learnk8s.io/issues/128
⭐️ This issue is brought to you by Akamai Cloud — build and deliver low-latency, edge native applications on the world's most distributed cloud computing platform https://ku.bz/93rJKSr_V
Integrate Azure Policy with AKS to automatically enforce Kubernetes security standards.
Learn how to use built-in policies, prevent privileged containers, and implement compliance checks across your cluster infrastructure.
More: https://ku.bz/PkGQptrMt
Learn how to use built-in policies, prevent privileged containers, and implement compliance checks across your cluster infrastructure.
More: https://ku.bz/PkGQptrMt
Trousseau is an open-source project that leverages the Kubernetes Key Management Service (KMS) provider framework to secure Secrets within the Kubernetes etcd instance using a Transit Key stored within a remote KMS.
More: https://ku.bz/lM2hC3Hkz
More: https://ku.bz/lM2hC3Hkz
Forwarded from Kube Events
🚀 KubeCrash is Coming! Mark Your Calendars for May 8th!
KubeCrash brings together open source maintainers and industry experts to share cloud native best practices specifically for platform engineers.
At this event, you'll learn about:
- Platform engineering approaches that work in the real world
- Observability implementation strategies
- Kubernetes management techniques
- Practical solutions used by companies like Intuit, Bloomberg, and Capital One
Join to hear from an exceptional lineup of speakers including @Birthmarkb (KubeFM), Ramiro Berrelleza (Okteto), Guy Menahem (The Platformers Community), and many more.
Plus, it's completely FREE and supports the "Deaf Kids Code" charity.
📆 May 8, 2025
🕓 4 pm CET | 10 am ET | 7 am PT
📍 Online
More info: https://ku.bz/KD73z_cTY
KubeCrash brings together open source maintainers and industry experts to share cloud native best practices specifically for platform engineers.
At this event, you'll learn about:
- Platform engineering approaches that work in the real world
- Observability implementation strategies
- Kubernetes management techniques
- Practical solutions used by companies like Intuit, Bloomberg, and Capital One
Join to hear from an exceptional lineup of speakers including @Birthmarkb (KubeFM), Ramiro Berrelleza (Okteto), Guy Menahem (The Platformers Community), and many more.
Plus, it's completely FREE and supports the "Deaf Kids Code" charity.
📆 May 8, 2025
🕓 4 pm CET | 10 am ET | 7 am PT
📍 Online
More info: https://ku.bz/KD73z_cTY
Learn how to secure applications by deploying Keycloak on Kubernetes using Helm, automating user management, implementing strong security policies, and creating a scalable identity infrastructure with minimal manual configuration.
More: https://ku.bz/g3BC2BCw_
More: https://ku.bz/g3BC2BCw_
Cerbos is an authorization layer that enables you to define context-aware access control rules for your application resources in simple, intuitive YAML policies managed and deployed via your Git-ops infrastructure.
More: https://ku.bz/_l3Jd0L1b
More: https://ku.bz/_l3Jd0L1b
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Grzegorz, Kubernetes Engineer at Cloud Kitchens, shares his team's journey developing a comprehensive self-healing framework for Kubernetes.
You will learn:
- How managed Kubernetes services like AKS provide benefits but require customization for specific use cases
- The architecture of an effective self-healing framework using DaemonSets and deployments with Kubernetes-native components
- Practical solutions for common challenges like StatefulSet pods stuck on unreachable nodes and cleaning up orphaned pods
- Techniques for workload-level automation, including throttling CPU-hungry pods and automating diagnostic data collection
Watch (or listen to) it here: https://ku.bz/yg_fkP0LN
🌟 This episode is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
With @Birthmarkb "Making you smile" Farrell
You will learn:
- How managed Kubernetes services like AKS provide benefits but require customization for specific use cases
- The architecture of an effective self-healing framework using DaemonSets and deployments with Kubernetes-native components
- Practical solutions for common challenges like StatefulSet pods stuck on unreachable nodes and cleaning up orphaned pods
- Techniques for workload-level automation, including throttling CPU-hungry pods and automating diagnostic data collection
Watch (or listen to) it here: https://ku.bz/yg_fkP0LN
🌟 This episode is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
With @Birthmarkb "Making you smile" Farrell
helm-secrets is a Helm plugin for decrypting encrypted Helm value files on the fly.
- Use SOPS to encrypt value files and store them in git.
- Store your secrets in a cloud native secret manager and inject them into value files or templates.
More: https://ku.bz/jhX4NWYKs
- Use SOPS to encrypt value files and store them in git.
- Store your secrets in a cloud native secret manager and inject them into value files or templates.
More: https://ku.bz/jhX4NWYKs
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 129:
🤔 How CoreDNS and NodeLocalDNS Work in a Kubernetes Cluster
👋 Building a container filesytem by hand
🏃♀️ Migrating GitLab CI from Docker+Machine to Kubernetes
📈 Scaling a development environment on a budget
💪 Karpenter: The Future of Worker Management and Autoscaling on Kubernetes
Read it now: https://learnk8s.io/issues/129
⭐️ This issue is brought to you by Akamai Cloud — Akamai is offering up to $5,000 in cloud credits to our subscribers (see details inside). Build and deliver low-latency, edge native applications on the world's most distributed cloud computing platform.
🤔 How CoreDNS and NodeLocalDNS Work in a Kubernetes Cluster
👋 Building a container filesytem by hand
🏃♀️ Migrating GitLab CI from Docker+Machine to Kubernetes
📈 Scaling a development environment on a budget
💪 Karpenter: The Future of Worker Management and Autoscaling on Kubernetes
Read it now: https://learnk8s.io/issues/129
⭐️ This issue is brought to you by Akamai Cloud — Akamai is offering up to $5,000 in cloud credits to our subscribers (see details inside). Build and deliver low-latency, edge native applications on the world's most distributed cloud computing platform.
Forwarded from KubeFM
This media is not supported in your browser
VIEW IN TELEGRAM
Jim Bugwadia, Co-Founder & CEO @ Nirmata, explains how policy as code addresses the tension between platform standardization and team autonomy in Kubernetes environments.
He highlights how Kyverno, a policy engine for Kubernetes, enables teams to write declarative policies using CEL and other languages. This approach creates a collaborative framework where developers and security operations teams can work together on policies, striking the right balance between necessary guardrails and self-service capabilities.
Watch the full interview: https://ku.bz/hYZXTmPV9
This interview is a reaction to Calin Florescu's episode https://ku.bz/mcPtH5395
He highlights how Kyverno, a policy engine for Kubernetes, enables teams to write declarative policies using CEL and other languages. This approach creates a collaborative framework where developers and security operations teams can work together on policies, striking the right balance between necessary guardrails and self-service capabilities.
Watch the full interview: https://ku.bz/hYZXTmPV9
This interview is a reaction to Calin Florescu's episode https://ku.bz/mcPtH5395
This media is not supported in your browser
VIEW IN TELEGRAM
helmper is a Go program that reads Helm Charts from remote OCI registries and pushes the charts container images to your registries with optional OS-level vulnerability patching.
More: https://ku.bz/sjn0NBtXQ
More: https://ku.bz/sjn0NBtXQ
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Hillai Ben-Sasson and Ronen Shustin, Security Researchers at Wiz, discuss crucial strategies for implementing multi-tenancy in Kubernetes. They emphasize two primary areas:
1. Network Security: Kubernetes does not inherently prevent network access between nodes, making robust network isolation essential.
2. Namespace Separation.
They also highlight the importance of advanced container security technologies, such as GVisor and Kata Containers, to prevent container escapes.
Watch the full episode: https://ku.bz/yr16qNTFx
1. Network Security: Kubernetes does not inherently prevent network access between nodes, making robust network isolation essential.
2. Namespace Separation.
They also highlight the importance of advanced container security technologies, such as GVisor and Kata Containers, to prevent container escapes.
Watch the full episode: https://ku.bz/yr16qNTFx
This post is a deep dive into comparing different solutions for authenticating into a Kubernetes cluster.
It will give you an idea of what the various solutions provide for a typical cluster deployment using production-capable configurations.
More: https://tremolosecurity.com/post/kubernetes-authentication-comparing-solutions
It will give you an idea of what the various solutions provide for a typical cluster deployment using production-capable configurations.
More: https://tremolosecurity.com/post/kubernetes-authentication-comparing-solutions
Tetragon enables powerful real-time, eBPF-based security observability and runtime enforcement.
It is Kubernetes-aware and understands identities so that security event detection can be configured in relation to individual workloads.
More: https://github.com/cilium/tetragon
It is Kubernetes-aware and understands identities so that security event detection can be configured in relation to individual workloads.
More: https://github.com/cilium/tetragon
Forwarded from KubeFM
This media is not supported in your browser
VIEW IN TELEGRAM
Tim Miller CEO and Co-founder at Kusari discusses why implementing robust processes is more critical than relying on scanning tools for secret management.
While multiple scanning approaches (regex and entropy-based) can detect secrets, the priority should be on preventing leaks through SLSA attestations, proper access controls, and using short-lived credentials. This proactive approach addresses the root cause rather than detecting secrets after they've entered repositories.
Watch the full interview: https://ku.bz/-2Sqn9Jb9
This interview is a reaction to Assaf Morag and Yakir Kadkoda's episode https://ku.bz/5RKVBGlQR
While multiple scanning approaches (regex and entropy-based) can detect secrets, the priority should be on preventing leaks through SLSA attestations, proper access controls, and using short-lived credentials. This proactive approach addresses the root cause rather than detecting secrets after they've entered repositories.
Watch the full interview: https://ku.bz/-2Sqn9Jb9
This interview is a reaction to Assaf Morag and Yakir Kadkoda's episode https://ku.bz/5RKVBGlQR
In this article, you will learn how Apko can build container images via YAML configuration using the APK package format from Alpine.
It creates small, fast booting images with less memory and disk footprint, thereby reducing security risks.
More: https://gsantoro.dev/apko-from-chainguard
It creates small, fast booting images with less memory and disk footprint, thereby reducing security risks.
More: https://gsantoro.dev/apko-from-chainguard
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Discover how Adevinta manages Kubernetes upgrades at scale in this conversation with Tanat.
You will learn:
- How to transition from blue-green to in-place Kubernetes upgrades while maintaining service reliability
- Techniques for tracking and addressing API deprecations using tools like Pluto and Kube-no-trouble
- Strategies for minimizing SLO impact during node rebuilds through serialized approaches and proper PDB configuration
- Why a phased upgrade approach with "cluster waves" provides safer production deployments even with thorough testing
Watch (or listen to) it here: https://ku.bz/VVHFfXGl_
🌟 This episode is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
With @Birthmarkb "Secret explorer" Farrell
You will learn:
- How to transition from blue-green to in-place Kubernetes upgrades while maintaining service reliability
- Techniques for tracking and addressing API deprecations using tools like Pluto and Kube-no-trouble
- Strategies for minimizing SLO impact during node rebuilds through serialized approaches and proper PDB configuration
- Why a phased upgrade approach with "cluster waves" provides safer production deployments even with thorough testing
Watch (or listen to) it here: https://ku.bz/VVHFfXGl_
🌟 This episode is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
With @Birthmarkb "Secret explorer" Farrell
This article explains Kubernetes NetworkPolicies, which control pod traffic at OSI layers 3 and 4.
It covers enforcement via iptables and eBPF, detailing how CNIs like Calico and Cilium apply rules using pod labels, namespaces, and IP blocks.
More: https://ku.bz/lW0TStBL9
It covers enforcement via iptables and eBPF, detailing how CNIs like Calico and Cilium apply rules using pod labels, namespaces, and IP blocks.
More: https://ku.bz/lW0TStBL9
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 130:
🚀 L4-L7 Performance: Comparing LoxiLB, MetalLB, NGINX, and HAProxy
🧹 The Karpenter effect: redefining our Kubernetes operations
💿 Replacing StatefulSets with a custom operator in our Postgres cloud platform
🔒 Kubernetes Authentication: comparing solutions
9️⃣ From four to five 9s of uptime by migrating to Kubernetes
Read it now: https://learnk8s.io/issues/130
⭐️ This newsletter is brought to you by Fairwinds - Expert-led fully managed Kubernetes services, designed for engineering teams who need production-grade infrastructure without the operational burden https://ku.bz/HT6WyTF-H
🚀 L4-L7 Performance: Comparing LoxiLB, MetalLB, NGINX, and HAProxy
🧹 The Karpenter effect: redefining our Kubernetes operations
💿 Replacing StatefulSets with a custom operator in our Postgres cloud platform
🔒 Kubernetes Authentication: comparing solutions
9️⃣ From four to five 9s of uptime by migrating to Kubernetes
Read it now: https://learnk8s.io/issues/130
⭐️ This newsletter is brought to you by Fairwinds - Expert-led fully managed Kubernetes services, designed for engineering teams who need production-grade infrastructure without the operational burden https://ku.bz/HT6WyTF-H
Vals is a Helm-compatible tool that injects secrets and config values from backends like Vault, AWS SSM, GCP Secrets Manager, and Kubernetes.
It resolves
More: https://ku.bz/ZrrpTvVCl
It resolves
ref+ URIs in YAML, supporting helmfile, direnv, and kubectl workflows.More: https://ku.bz/ZrrpTvVCl
This article demonstrates how to extend Kubernetes RBAC using Aggregate ClusterRoles.
Learn how to combine multiple roles for dynamic access control, simplify permission management, and apply changes declaratively with best practices.
More: https://ku.bz/2YT-Hy9vX
Learn how to combine multiple roles for dynamic access control, simplify permission management, and apply changes declaratively with best practices.
More: https://ku.bz/2YT-Hy9vX