Distroless images improve security but lack shell/debug tools.
This article shows two solutions: attach a temporary ephemeral container using kubectl debug, or define a persistent sidecar with a shared PID namespace.
More: https://ku.bz/W2qVr-ffR
This article shows two solutions: attach a temporary ephemeral container using kubectl debug, or define a persistent sidecar with a shared PID namespace.
More: https://ku.bz/W2qVr-ffR
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 135:
🛜 The Kubernetes networking guide
🐜 Configuration Management at Ant Group: Generated Manifest and Immutable Desired State
🪵 My favourite Kubernetes audit log policy
🙅♂️ Can't NAT after NAT
🥊 Readiness vs Liveness Probes: What is the Difference? (and Startup Probes!)
Read it now: https://learnk8s.io/issues/135
⭐️ This newsletter is brought to you by @arm — Explore learning paths and technical resources to start, accelerate, or complete your cloud migration https://ku.bz/xFNgz9S9h
🛜 The Kubernetes networking guide
🐜 Configuration Management at Ant Group: Generated Manifest and Immutable Desired State
🪵 My favourite Kubernetes audit log policy
🙅♂️ Can't NAT after NAT
🥊 Readiness vs Liveness Probes: What is the Difference? (and Startup Probes!)
Read it now: https://learnk8s.io/issues/135
⭐️ This newsletter is brought to you by @arm — Explore learning paths and technical resources to start, accelerate, or complete your cloud migration https://ku.bz/xFNgz9S9h
kpatch enables runtime kernel function patching by injecting precompiled replacement functions directly into the live kernel.
It's built on the
More: https://ku.bz/-mXRJ9kzM
It's built on the
CONFIG_LIVEPATCH infrastructure and uses ftrace to reroute function calls at runtime.More: https://ku.bz/-mXRJ9kzM
Learn how Confidential Containers use Kata Agent Policies to control container execution in secure environments.
This allows administrators to define granular rules restricting images, processes, and actions.
More: https://ku.bz/dcdvjJRry
This allows administrators to define granular rules restricting images, processes, and actions.
More: https://ku.bz/dcdvjJRry
Forwarded from LearnKube news
Why can't you ping a Kubernetes service?
Learnk8s runs a 4-day Advanced Kubernetes course on June 26, and you will get to the bottom of questions like this (spoiler: services only exist in etcd).
You will also learn the nitty-gritty details of Kubernetes networking:
- How to plan and design a cluster network.
- How do the four Kubernetes services extend each other, and what do you gain from each?
- How CoreDNS, Ingress, and kube-proxy consume the Kubernetes currency: endpoints.
This (and much more) is covered on the third day of the course.
You can find the full agenda, a breakdown of the modules and how to sign up here: https://ku.bz/bRfWBNxJc
Are you training your team?
Customize the workshop in full with private training https://learnk8s.io/corporate-training
Learnk8s runs a 4-day Advanced Kubernetes course on June 26, and you will get to the bottom of questions like this (spoiler: services only exist in etcd).
You will also learn the nitty-gritty details of Kubernetes networking:
- How to plan and design a cluster network.
- How do the four Kubernetes services extend each other, and what do you gain from each?
- How CoreDNS, Ingress, and kube-proxy consume the Kubernetes currency: endpoints.
This (and much more) is covered on the third day of the course.
You can find the full agenda, a breakdown of the modules and how to sign up here: https://ku.bz/bRfWBNxJc
Are you training your team?
Customize the workshop in full with private training https://learnk8s.io/corporate-training
This guide shows how to detect Kubernetes runtime threats (e.g. sudo misuse, suspicious file access) using Falco + eBPF, forward logs with Fluent Bit, and route them to Parseable log streams like
More: https://ku.bz/zTdnws-Fd
falcowarn or falconotice.More: https://ku.bz/zTdnws-Fd
Forwarded from KubeFM
This media is not supported in your browser
VIEW IN TELEGRAM
Harsha Koushik, a Security Researcher and Technical Product Manager at Palo Alto Networks, discusses the role of the shell in system interaction and security.
He explains that while the shell is a user-friendly interface for interacting with a system, it functions as an abstraction layer, making system calls similar to those made by application libraries.
From a security perspective, he highlights that removing the shell does not inherently protect against attacks, as the same system calls can be executed through different libraries.
Watch the full episode: https://ku.bz/n_sJ04xMY
He explains that while the shell is a user-friendly interface for interacting with a system, it functions as an abstraction layer, making system calls similar to those made by application libraries.
From a security perspective, he highlights that removing the shell does not inherently protect against attacks, as the same system calls can be executed through different libraries.
Watch the full episode: https://ku.bz/n_sJ04xMY
This article dissects how Kyverno's policy generation, combined with Helm's namespace management, leads to race conditions, deletions, and re-creations that break deterministic behaviour, especially when synchronisation and background are enabled.
More: https://ku.bz/trbB_kp21
More: https://ku.bz/trbB_kp21
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Marc breaks down the cost implications, technical constraints, and operational trade-offs between Kubernetes containers and AWS Lambda functions.
You will learn:
- Cost analysis frameworks for comparing Lambda vs Kubernetes across different traffic patterns, including specific examples of 3x savings potential
- Migration complexity factors when moving existing microservices to Lambda, including cold start issues and runtime model changes.
- Decision criteria for choosing between platforms based on traffic consistency, computational requirements, and operational overhead tolerance
Watch (or listen to) it here: https://ku.bz/5gMTkzLhV
🌟 This episode is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
With @Birthmarkb "Thanking himself" Farrell
You will learn:
- Cost analysis frameworks for comparing Lambda vs Kubernetes across different traffic patterns, including specific examples of 3x savings potential
- Migration complexity factors when moving existing microservices to Lambda, including cold start issues and runtime model changes.
- Decision criteria for choosing between platforms based on traffic consistency, computational requirements, and operational overhead tolerance
Watch (or listen to) it here: https://ku.bz/5gMTkzLhV
🌟 This episode is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
With @Birthmarkb "Thanking himself" Farrell
This diagram maps core Kubernetes security concepts—from RBAC, PodSecurity, and audit logging to container isolation—helping teams visualize enforcement points.
Built by Telenor for on-prem clusters, it’s ideal for threat modelling or reviews.
More: https://ku.bz/4JP4Yvlmt
Built by Telenor for on-prem clusters, it’s ideal for threat modelling or reviews.
More: https://ku.bz/4JP4Yvlmt
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 136:
🍏 How We Integrated Native macOS Workloads with Kubernetes
💉 Why our pods were breaking bad (and how we fixed them)
😊 FacetController: How We Made Infrastructure Changes at Lyft Simple
📦 Operational Considerations for Managing Stateful Workloads
🪔 Can configuration languages (Config DSLs) solve configuration complexity?
Read it now: https://learnk8s.io/issues/136
⭐️ This issue is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
🍏 How We Integrated Native macOS Workloads with Kubernetes
💉 Why our pods were breaking bad (and how we fixed them)
😊 FacetController: How We Made Infrastructure Changes at Lyft Simple
📦 Operational Considerations for Managing Stateful Workloads
🪔 Can configuration languages (Config DSLs) solve configuration complexity?
Read it now: https://learnk8s.io/issues/136
⭐️ This issue is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
Learn how a misconfigured container registry can let attackers gain unauthorized access to sensitive applications and credentials by exploiting exposed Docker APIs and pulling images without authentication.
More: https://ku.bz/P7jNKKZlL
More: https://ku.bz/P7jNKKZlL
RBAC Manager is an operator that supports declarative configuration for RBAC with new custom resources.
Instead of managing role bindings or service accounts directly, you can specify the desired state and RBAC Manager will make the necessary changes.
More: https://ku.bz/QnyklGrTq
Instead of managing role bindings or service accounts directly, you can specify the desired state and RBAC Manager will make the necessary changes.
More: https://ku.bz/QnyklGrTq
Forwarded from LearnKube news
Why Kubernetes doesn't rebalance pods in nodes?
Learnk8s runs a 4-day Advanced Kubernetes course next week online , and you will get to the bottom of questions like this (spoiler: the scheduler allocates pods when created, and it doesn't re-evaluate decisions).
You will also learn the nitty-gritty details of the Kubernetes architecture:
- How pods can serve traffic even if the control plane is unavailable.
- Why does Kubernetes run a single controller manager and scheduler even in HA?
- Why does the kubelet prefer to poll for updates rather than the master dispatching events?
This (and much more) is covered on the second day of the course.
You can find the full agenda, a breakdown of the modules and how to sign up here: https://ku.bz/bRfWBNxJc
Are you training your team?
Customize the course in full with private training https://learnk8s.io/corporate-training
Learnk8s runs a 4-day Advanced Kubernetes course next week online , and you will get to the bottom of questions like this (spoiler: the scheduler allocates pods when created, and it doesn't re-evaluate decisions).
You will also learn the nitty-gritty details of the Kubernetes architecture:
- How pods can serve traffic even if the control plane is unavailable.
- Why does Kubernetes run a single controller manager and scheduler even in HA?
- Why does the kubelet prefer to poll for updates rather than the master dispatching events?
This (and much more) is covered on the second day of the course.
You can find the full agenda, a breakdown of the modules and how to sign up here: https://ku.bz/bRfWBNxJc
Are you training your team?
Customize the course in full with private training https://learnk8s.io/corporate-training
Docker socket mounting can turn a powerful automation tool into a critical security vulnerability.
Improperly mounted
More: https://ku.bz/cPlJztd4V
Improperly mounted
/var/run/docker.sock can let attackers control your entire system. Learn how in this article.More: https://ku.bz/cPlJztd4V
The Kubeconfig Operator generates restricted kubeconfig files with granular permissions for Kubernetes clusters.
Define specific RBAC rules at cluster and namespace levels, set expiration times, and automatically manage service accounts.
More: https://ku.bz/X5WpY7QD8
Define specific RBAC rules at cluster and namespace levels, set expiration times, and automatically manage service accounts.
More: https://ku.bz/X5WpY7QD8
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Mac Chaffee examines why developers often underestimate the complexity of running modern applications and end up rebuilding Kubernetes from scratch.
You will learn:
- Why teams reject Kubernetes then rebuild it piece by piece
- How to identify the tipping point when DIY solutions become more complex than adopting established orchestration tools
- The right approach to abstracting Kubernetes complexity
Watch (or listen to) it here: https://ku.bz/9nFPmG85f
🌟 This episode is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
With @Birthmarkb "Many terribles ideas" Farrell
You will learn:
- Why teams reject Kubernetes then rebuild it piece by piece
- How to identify the tipping point when DIY solutions become more complex than adopting established orchestration tools
- The right approach to abstracting Kubernetes complexity
Watch (or listen to) it here: https://ku.bz/9nFPmG85f
🌟 This episode is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
With @Birthmarkb "Many terribles ideas" Farrell
This post analyzes CVE-2025-1767, a Kubernetes vulnerability where gitRepo volumes let pods clone any host-local Git repo if the attacker knows the path.
More: https://ku.bz/CDGd1YFlx
More: https://ku.bz/CDGd1YFlx
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 137:
🤒 Warmup Your Pods Using Istio
📈 LLM Load Balancing at Scale: Consistent Hashing with Bounded Loads
💰 Balancing Capacity and Cost for Kubernetes Clusters
🔫 When VerticalPodAutoscaler Goes Rogue: How an Autoscaler Took Down Our Cluster
♻️ Building a Cost-Aware Kubernetes Scheduler
Read it now: https://learnk8s.io/issues/137
⭐️ This issue is brought to you by Fairwinds — expert-led, fully managed Kubernetes that frees your engineers from infrastructure headaches and puts you on the fast track to production-grade success https://ku.bz/sSRQp8xDH
🤒 Warmup Your Pods Using Istio
📈 LLM Load Balancing at Scale: Consistent Hashing with Bounded Loads
💰 Balancing Capacity and Cost for Kubernetes Clusters
🔫 When VerticalPodAutoscaler Goes Rogue: How an Autoscaler Took Down Our Cluster
♻️ Building a Cost-Aware Kubernetes Scheduler
Read it now: https://learnk8s.io/issues/137
⭐️ This issue is brought to you by Fairwinds — expert-led, fully managed Kubernetes that frees your engineers from infrastructure headaches and puts you on the fast track to production-grade success https://ku.bz/sSRQp8xDH
This media is not supported in your browser
VIEW IN TELEGRAM
This repo is a collection of NetworkPolicy recipes to lock down Kubernetes traffic.
More: https://ku.bz/9CYLSX8vm
More: https://ku.bz/9CYLSX8vm
ingress-nginx CVE-2025-1974 vulnerability allows unauthenticated remote access to its admission controller, enabling full Kubernetes cluster takeover via RCE.
Mitigation requires urgent patching, network hardening, and audit log inspection.
More: https://ku.bz/Vb7mRcxpQ
Mitigation requires urgent patching, network hardening, and audit log inspection.
More: https://ku.bz/Vb7mRcxpQ