Kubesploit – Telegram
News and links on Kubernetes security curated by the @Learnk8s team
Website: https://kubesploit.io/
This article details how Distroless images reduce attack surface by removing shells and package managers.

It compares image sizes, shows how to build with multistage Dockerfiles, and validates the security gain with Grype, finding 53 vs 107 CVEs in slim images.

More: https://ku.bz/Njn7BN6S-
The article analyzes attacker entry points to control plane, including API server exposure, etcd compromise, misconfigured authentication, and insecure kubeconfigs.

It explains exploitation steps, providing technical mitigation for each vector.

More: https://ku.bz/x-vZVkmkd
kubectl-validate is a SIG-CLI subproject to support the local validation of resources for native Kubernetes types and CRDs.

More: https://ku.bz/Mc8q9qGCz
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 131:

♻️ Synchronizing Database schema updates between projects and environments
🛡️ Building Resilient Applications on Kubernetes
🤺 Amazon EKS Auto Mode vs Azure AKS Automatic: Which is the Better Managed Kubernetes Solution?
🤔 A CNI 'chicken-and-egg' dilemma: How does Calico assign IPs to itself?
🤏 API Streaming in Kubernetes: Memory-Efficient List Responses

Read it now: https://learnk8s.io/issues/131

⭐️ This newsletter is sponsored by RunWhen — build AI Engineering Assistants with thousands of tools for your infrastructure, platform services, logs, metrics and more https://ku.bz/FxmM9QtQ4
Forwarded from Kube Architect
By leveraging Kyverno, Kueue, and Argo CD, IBM Research transformed chaotic GPU resource sharing into a policy-driven, fair computing environment—solving GPU hogging, scheduling conflicts, and administrative overhead in research computing.

More: https://ku.bz/XhPWZypGS
flux2-multi-tenancy provides GitOps templates and Kyverno policies to automate tenant onboarding.

It provisions namespaces, RBAC, and policy controls in Kubernetes using pull requests, enabling secure multi-tenant cluster management from Git.

More: https://ku.bz/_X6s8kP28
Forwarded from KubeFM
Harsha Koushik, a Security Researcher and Technical Product Manager at Palo Alto Networks, emphasizes that fewer binaries and libraries result in fewer vulnerabilities.

He points out that even newer libraries add functionality but also introduce additional vulnerabilities.

This highlights the importance of minimizing unnecessary components to enhance security, as simply removing a shell does not guarantee safety.

Watch the full episode: https://ku.bz/n_sJ04xMY
Gatekeeper is a Kubernetes admission controller that enforces policies defined with Open Policy Agent (OPA).

It uses CRDs like ConstraintTemplate and Constraint to validate and mutate resources, supporting audit and external data integration.

More: https://ku.bz/J_2l-lqQZ
This article shows how to use Kyverno policies and Helm to rewrite container image registry URLs at admission for all pod container types.

This image mutation enables namespace-controlled migration to new registries without editing every manifest.

More: https://ku.bz/Hn4LDyShr
This article shows how Kubernetes ValidatingAdmissionPolicy lets you directly enforce custom rules like immutability or uniqueness in the API server using Common Expression Language (CEL).

It eliminates the need for external webhooks or custom code.

More: https://ku.bz/F5gkJs4KC
Forwarded from KubeFM
Zain Malik shares his experience managing multi-tenant Kubernetes clusters with up to 30,000 pods across clusters capped at 950 nodes.

You will learn:

- How to address challenges in large-scale Kubernetes operations, including node pool management inconsistencies and lengthy provisioning times
- Why Cluster API provides a powerful foundation for multi-cloud cluster management, and how to extend it with custom operators for production-specific needs
- How implementing GitOps principles eliminates manual intervention in critical operations like cluster upgrades

Watch (or listen to) it here: https://ku.bz/5PLksqVlk

🌟 This episode is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training

With @Birthmarkb "Big Boy" Farrell
Forwarded from Kube Builders
This tutorial builds a hardened 3-node ETCD cluster using OpenSSL with full TLS encryption (peer/client), CA management, and systemd setup.

You'll learn how to generate certs, configure secure endpoints, and verify cluster health.

More: https://ku.bz/Rh8DkWYCz
Forwarded from LearnKube news
This tutorial explains how Istio Gateways control ingress and egress traffic in Kubernetes, using Gateway, VirtualService, and ServiceEntry CRDs.

More: https://ku.bz/vBV2znXq7
push-to-K8s is a Kubernetes controller that monitors a specified source namespace for secret changes and replicates them across all other namespaces in the cluster.

More: https://ku.bz/bxvYHJTfg
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 132:

🕵️‍♂️ An In-Depth Analysis of the OpenAI's Incident and Mitigation Strategies
👩‍🔬 Taming the wild west of research computing: how policies saved us a thousand headaches
👋 We're leaving Kubernetes
📊 Resource management in Kubernetes
📉 Reducing Pod Startup Time for Java Application on EKS

Read it now: https://learnk8s.io/issues/132

⭐️ This newsletter is sponsored by Dagger — build software engineering workflows and environments https://ku.bz/GPL98fg84
The Kubernetes API server includes an HTTP proxy that allows authorized users to access pods, nodes, and external hosts from the cluster network.

With proxy and node rights, attackers can SSRF into the API server or override pod IPs to exfiltrate data.

More: https://ku.bz/r70-_Vww0
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshop!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

The next online course starts in June: https://ku.bz/bRfWBNxJc

We also run in-person courses and corporate training: https://learnk8s.io/corporate-training
Kleidi is a Kubernetes KMSv2 plugin that enables envelope encryption by offloading data key encryption to external providers like HashiCorp Vault or SoftHSM.

More: https://ku.bz/M8Xx40XfG
This analysis details how Kubernetes' deprecated gitRepo volume enables root-level container escape via Git hook injection using a fake bare repo to exploit default behavior in kubelet.

More: https://ku.bz/X8KN1PdB2
Forwarded from Kube Builders
Learn how to use Istio, a service mesh, to manage microservices in Kubernetes.

This article covers traffic control, mTLS security, and observability with Kiali, Prometheus, and Jaeger, using a Garage Management System as a practical example.

More: https://ku.bz/x4c-Bw2K1
kapi is a lightweight proxy that sits in front of the Kubernetes API server.

It logs, inspects, and can mutate API requests and responses, supporting auditing, debugging, and workflow automation without altering the cluster control plane.

More: https://ku.bz/sjrM4Q1ch