Learn Kubernetes on the 20th of January!

Learnk8s is running the first 4-day Advanced Kubernetes course of 2022 next week.

If you're looking to get your hands dirty with Kubernetes, join us for a session packed with labs and demos!

Sign up here: https://learnk8s.io/training

An overview of Fulcio — a community-driven code signing Certificate Authority.
Read more https://chainguard.dev/posts/2021-11-12-fulcio-deep-dive

How do packets flow inside and outside a Kubernetes cluster?

In this article, you will learn to trace the traffic in your cluster, starting from the initial web request and down to the container hosting the application.

You will learn:

1. How containers in the same pod behave as if they are on the same host.
2. How pods reach other pods in the cluster.
3. How pods reach Services and how Services load balance requests.

https://learnk8s.io/kubernetes-network-packets

Securing LDAP with TLS certificates using ClusterIssuer in Tanzu Kubernetes Grid
Read more https://cormachogan.com/2021/11/24/securing-ldap-with-tls-certificates-in-tkg-v1-4

How to Secure Your Kubernetes Cluster with OpenID Connect and RBAC
Read more https://dev.to/oktadev/how-to-secure-your-kubernetes-cluster-with-openid-connect-and-rbac-5hic

What's the average salary for a Kubernetes engineer?

Do you need a Kubernetes certification to apply for a job?

What technologies and cloud providers are often used with Kubernetes?

We analyzed 276 Kubernetes jobs from 2021 and found that:

- If you know AWS and Python, the world is your oyster.
- CKA is the top Kubernetes certification. But only a few employers require one.
- Jenkins is more alive than ever. Gitlab CI/CD is a very distant second.
- Prometheus is synonymous with monitoring. No one comes close.

You can read the full report here: https://kube.careers/report-2021-q4

Kubeletmein is a simple penetration testing tool which takes advantage of public cloud provider approaches to providing kubelet credentials to nodes in order to gain privileged access to the k8s API
Read more https://github.com/4ARMED/kubeletmein

Cosign keyless Kubernetes admission webhook is a Kubernetes admission webhook that uses cosign verify to check the subject and issuer of the image matches what you expect
Read more https://github.com/appvia/cosign-keyless-admission-webhook

Rego library for detecting miss-configurations in Kubernetes manifests
Read more https://github.com/armosec/regolibrary

AAD Pod Identity enables Kubernetes applications to access cloud resources securely with Azure Active Directory.

Using Kubernetes primitives, administrators configure identities and bindings to match pods
Read more https://github.com/Azure/aad-pod-identity

This repository contains a proof of concept that uses cosign and GitHub's in built OIDC to sign container images. It proves that what is in the registry came from your GitHub action
Read more https://github.com/chrisns/cosign-keyless-demo

Kubelogin is a kubectl plugin for Kubernetes OpenID Connect authentication (kubectl oidc-login)
Read more https://github.com/int128/kubelogin

Cloud Secret Resolvers is a set of tools to help your applications (on Kubernetes) to retrieve any credentials from cloud managed vaults without the needed to write additional boilerplate code in your applications
Read more https://github.com/kubeopsskills/cloud-secret-resolvers

aws-auth-manager is a kuberneres controller to manage the aws-auth configmap in EKS using a new AWSAuthItem CRD.
Read more https://github.com/maruina/aws-auth-manager

This operator allows you to define "Dynamic" RBAC rules that change based on the state of your cluster, so you can spend your time writing the RBAC patterns that you'd like to deploy, rather than traditional, fully enumerated RBAC rules
Read more https://github.com/redhat-cop/dynamic-rbac-operator

In this article you’ll learn how an attacker with access to a Kubernetes cluster can escape from a container and:
1. run a pod to gain root privileges
2. escape to the host
3. persist the attack with invisible pods and fileless executions
Read more https://isovalent.com/blog/post/2021-11-container-escape

Getting rid of passwords (or connection strings) while accessing Azure services and instead making use of Managed Identities is a way to increase the security of your workloads.
Learn how to use Managed Identities in this article.
Read more https://itnext.io/secure-azure-cosmos-db-access-by-using-azure-managed-identities-55f9fdf48fda

Learnk8s and NGINX are launching a month-long, free educational program on Kubernetes networking.

The course is divided into four parts:

- Unit 1: Architecting Kubernetes clusters for high-traffic websites (the 7th of March)
- Unit 2: Exposing APIs in Kubernetes (the 14th of March)
- Unit 3: Microservices Security Patterns (the 21st of March)
- Unit 4: Advanced Kubernetes Deployment Strategies (the 28th of March)

Each part has:

- A live webinar (Chris, Salman & Andrea will present those). The event is recorded, and you can catch up later too.
- A self-paced lab for experimenting with Kubernetes technologies. Nginx will provide interactive labs via Instruqt.
- A step-by-step tutorial where you can try everything on your computer too (and maybe copy and reuse the code).
- Extra links and resources to help you understand and dig deeper into the subjects.

You can read the full agenda here: https://www.nginx.com/c/microservices-march-2022-kubernetes-networking-agenda/

Why am I able to bind a privileged port in my container without the NET_BIND_SERVICE capability?
Read more https://medium.com/@olivier.gaumond/why-am-i-able-to-bind-a-privileged-port-in-my-container-without-the-net-bind-service-capability-60972a4d5496

In this article you will learn how to detect anomalies in your cluster using Kubernetes Audit logs and Anomalies Detection Engineering
Read more https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters

In this tutorial, we present three tools to validate and secure your Kubernetes deployments:
1. Kubeval
2. Kubeconform
3. Kubescore
Read more https://semaphoreci.com/blog/kubernetes-deployments