Kubesploit – Telegram
Kubesploit
1.95K subscribers
824 photos
128 videos
1.61K links
News and links on Kubernetes security curated by the @Learnk8s team
Website: https://kubesploit.io/
Learn how a misconfigured container registry can let attackers gain unauthorized access to sensitive applications and credentials by exploiting exposed Docker APIs and pulling images without authentication.

More: https://ku.bz/P7jNKKZlL
RBAC Manager is an operator that supports declarative configuration for RBAC with new custom resources.

Instead of managing role bindings or service accounts directly, you can specify the desired state and RBAC Manager will make the necessary changes.

More: https://ku.bz/QnyklGrTq
Forwarded from LearnKube news
Why doesn't Kubernetes rebalance pods across nodes?

Learnk8s runs a 4-day Advanced Kubernetes course next week online, and you will get to the bottom of questions like this (spoiler: the scheduler allocates pods when they are created, and it doesn't re-evaluate its decisions).
You will also learn the nitty-gritty details of the Kubernetes architecture:

- How pods can serve traffic even if the control plane is unavailable.
- Why does Kubernetes run a single controller manager and scheduler even in HA?
- Why does the kubelet prefer to poll for updates rather than the master dispatching events?

This (and much more) is covered on the second day of the course.

You can find the full agenda, a breakdown of the modules and how to sign up here: https://ku.bz/bRfWBNxJc

Are you training your team?

Customize the course in full with private training https://learnk8s.io/corporate-training
Docker socket mounting can turn a powerful automation tool into a critical security vulnerability.

Improperly mounted /var/run/docker.sock can let attackers control your entire system. Learn how in this article.

More: https://ku.bz/cPlJztd4V
The Kubeconfig Operator generates restricted kubeconfig files with granular permissions for Kubernetes clusters.

Define specific RBAC rules at cluster and namespace levels, set expiration times, and automatically manage service accounts.

More: https://ku.bz/X5WpY7QD8
Forwarded from KubeFM
Mac Chaffee examines why developers often underestimate the complexity of running modern applications and end up rebuilding Kubernetes from scratch.

You will learn:

- Why teams reject Kubernetes then rebuild it piece by piece
- How to identify the tipping point when DIY solutions become more complex than adopting established orchestration tools
- The right approach to abstracting Kubernetes complexity

Watch (or listen to) it here: https://ku.bz/9nFPmG85f

🌟 This episode is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training

With @Birthmarkb "Many terribles ideas" Farrell
This post analyzes CVE-2025-1767, a Kubernetes vulnerability where gitRepo volumes let pods clone any host-local Git repo if the attacker knows the path.

More: https://ku.bz/CDGd1YFlx
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 137:

🤒 Warmup Your Pods Using Istio
📈 LLM Load Balancing at Scale: Consistent Hashing with Bounded Loads
💰 Balancing Capacity and Cost for Kubernetes Clusters
🔫 When VerticalPodAutoscaler Goes Rogue: How an Autoscaler Took Down Our Cluster
♻️ Building a Cost-Aware Kubernetes Scheduler

Read it now: https://learnk8s.io/issues/137

⭐️ This issue is brought to you by Fairwinds — expert-led, fully managed Kubernetes that frees your engineers from infrastructure headaches and puts you on the fast track to production-grade success https://ku.bz/sSRQp8xDH
This repo is a collection of NetworkPolicy recipes to lock down Kubernetes traffic.

More: https://ku.bz/9CYLSX8vm
The ingress-nginx vulnerability CVE-2025-1974 allows unauthenticated remote access to its admission controller, enabling full Kubernetes cluster takeover via RCE.

Mitigation requires urgent patching, network hardening, and audit log inspection.

More: https://ku.bz/Vb7mRcxpQ
This deep dive walks through debugging a common Kubernetes issue: running containers with a non-root UID.

More: https://ku.bz/3zgW6dYQX
This article shows how to run multiple tenants on one Kubernetes cluster using Namespaces, RBAC, Kyverno, NetworkPolicies, Capsule, and vCluster.

More: https://ku.bz/cY_wDHz89
Forwarded from Kube Architect
This post introduces an Argo CD RBAC Operator that replaces manual ConfigMap edits with CRDs like ArgoCDRole and ArgoCDRoleBinding.

More: https://ku.bz/Z6Nrf3Szw
Kubeconform is a Kubernetes manifest validation tool.

Similar to Kubeval, but with the following improvements:

1. High performance.
2. Remote or local schema locations.
3. Up-to-date schemas for all recent versions of Kubernetes.

More: https://ku.bz/jYH4-2Yw6
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 138:

🍔 How Using Availability Zones Can Eat Up Your Budget: Our Journey from Prometheus to Thanos
🤖 IPA: Building AI-Driven Kubernetes Autoscaler
💣 Increasing Memory Usage of NGINX Ingress after Upgrading GKE to Version 1.30
💅 Templating Alertmanager Config in kube-prometheus-stack
💰 Envoy Gateway: Overview of the New “Rate Limiting with Cost” Feature

Read it now: https://learnkube.com/issues/138

⭐️ This issue is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnkube.com/training
This article presents a practical method to build Docker images from Dockerfiles under strict no-root, no-privilege-escalation constraints.

It leverages QEMU virtualization to encapsulate BuildKit inside a microVM.

More: https://ku.bz/Mfp6z5wxT
Forwarded from KubeFM
Hillai Ben-Sasson and Ronen Shustin, Security Researchers at Wiz, highlight that gaining access to the Docker API socket or an HTTP request can allow an attacker to spawn a privileged container.

This container can share namespaces and volumes with the host Kubernetes node, effectively granting the attacker full node access.

Watch the full episode: https://ku.bz/yr16qNTFx
Popeye is a utility that scans live Kubernetes clusters and reports potential issues with deployed resources and configurations.

It detects misconfigurations and helps you ensure that best practices are in place.

More: https://ku.bz/D1Ch_MKP_
This article demonstrates using Falco as a runtime security layer in Kubernetes.

It explains how system calls are intercepted using eBPF or kernel modules and how Falco rules detect anomalous behavior like spawning shells or reading sensitive files.

More: https://ku.bz/vd3wWs24H
Forwarded from KubeFM
Tim Miller, CEO and Co-founder at Kusari, explains how GitOps and Flux improve security through automated workflows.

He emphasizes that reducing human intervention in deployment processes leads to more reliable and secure outcomes. While tools like Flux require an upfront investment in automation, they make deployments repeatable and eliminate the need to teach new team members "every single weird thing" in the deployment process.

Watch the full interview: https://ku.bz/-2Sqn9Jb9
Nova scans your cluster for installed Helm charts, cross-checks them with public repos and flags outdated or deprecated charts and container images.

More: https://ku.bz/fNvPKdrLm