Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 137:
🤒 Warmup Your Pods Using Istio
📈 LLM Load Balancing at Scale: Consistent Hashing with Bounded Loads
💰 Balancing Capacity and Cost for Kubernetes Clusters
🔫 When VerticalPodAutoscaler Goes Rogue: How an Autoscaler Took Down Our Cluster
♻️ Building a Cost-Aware Kubernetes Scheduler
Read it now: https://learnk8s.io/issues/137
⭐️ This issue is brought to you by Fairwinds — expert-led, fully managed Kubernetes that frees your engineers from infrastructure headaches and puts you on the fast track to production-grade success https://ku.bz/sSRQp8xDH
This repo is a collection of NetworkPolicy recipes to lock down Kubernetes traffic.
More: https://ku.bz/9CYLSX8vm
The ingress-nginx vulnerability CVE-2025-1974 allows unauthenticated remote access to its admission controller, enabling full Kubernetes cluster takeover via RCE.
Mitigation requires urgent patching, network hardening, and audit log inspection.
More: https://ku.bz/Vb7mRcxpQ
This deep dive walks through debugging a common Kubernetes issue: running containers with a non-root UID.
More: https://ku.bz/3zgW6dYQX
This article shows how to run multiple tenants on one Kubernetes cluster using Namespaces, RBAC, Kyverno, NetworkPolicies, Capsule, and vCluster.
More: https://ku.bz/cY_wDHz89
Forwarded from Kube Architect
This post introduces an Argo CD RBAC Operator that replaces manual ConfigMap edits with CRDs like ArgoCDRole and ArgoCDRoleBinding.
More: https://ku.bz/Z6Nrf3Szw
Kubeconform is a Kubernetes manifests validation tool.
Similar to Kubeval, but with the following improvements:
1. High performance.
2. Remote or local schemas locations.
3. Up-to-date schemas for all recent versions of Kubernetes.
More: https://ku.bz/jYH4-2Yw6
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 138:
🍔 How Using Availability Zones Can Eat Up Your Budget: Our Journey from Prometheus to Thanos
🤖 IPA: Building AI-Driven Kubernetes Autoscaler
💣 Increasing Memory Usage of NGINX Ingress after Upgrading GKE to Version 1.30
💅 Templating Alertmanager Config in kube-prometheus-stack
💰 Envoy Gateway: Overview of the New “Rate Limiting with Cost” Feature
Read it now: https://learnkube.com/issues/138
⭐️ This issue is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnkube.com/training
This article presents a practical method to build Docker images from Dockerfiles under strict no-root, no-privilege-escalation constraints.
It leverages QEMU virtualization to encapsulate BuildKit inside a microVM.
More: https://ku.bz/Mfp6z5wxT
Forwarded from KubeFM
Hillai Ben-Sasson and Ronen Shustin, Security Researchers at Wiz, highlight that gaining access to the Docker API socket or an HTTP request can allow an attacker to spawn a privileged container.
This container can share namespaces and volumes with the host Kubernetes node, effectively granting the attacker full node access.
Watch the full episode: https://ku.bz/yr16qNTFx
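The node-escape recipe described above (a privileged container sharing host namespaces or mounting the runtime socket) is easy to spot in a manifest before admission. The following is an added example, not code from the episode or from Wiz: it audits pod specs in dict form for exactly those vectors. The pod manifests, image names and socket list are constructed for illustration.

```python
"""Flag pod specs that hand a container the node: privileged mode, host namespaces,
and hostPath mounts of the container-runtime socket or the host root.
Added example with constructed pod specs; not code from the Wiz episode."""

# Runtime sockets: whoever can open one can start a privileged container on that node.
RUNTIME_SOCKETS = {
    "/var/run/docker.sock", "/run/docker.sock",
    "/run/containerd/containerd.sock", "/var/run/containerd/containerd.sock",
    "/var/run/crio/crio.sock",
}
# Added capabilities that are equivalent to, or a short step from, root on the host.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def audit_pod(pod: dict) -> list[str]:
    """Return one finding per node-escape vector present in a pod manifest (dict form)."""
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    findings: list[str] = []

    # Host namespaces: hostPID alone exposes every process on the node to the container.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: {flag}=true shares a host namespace")

    # hostPath volumes that expose a runtime socket or the whole host filesystem.
    for vol in spec.get("volumes") or []:
        path = (vol.get("hostPath") or {}).get("path")
        if path is None:
            continue
        norm = path.rstrip("/") or "/"
        if norm in RUNTIME_SOCKETS:
            findings.append(f"{name}: volume {vol['name']} mounts runtime socket {path}")
        elif norm == "/":
            findings.append(f"{name}: volume {vol['name']} mounts the host root filesystem")

    # Per-container security context, init containers included.
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}/{c['name']}: privileged=true (all capabilities, host devices)")
        added = set((sc.get("capabilities") or {}).get("add") or [])
        if added & DANGEROUS_CAPS:
            findings.append(f"{name}/{c['name']}: adds capabilities {sorted(added & DANGEROUS_CAPS)}")
    return findings


# Constructed manifests in the shape a YAML loader or `kubectl get pod -o json` would produce.
ESCAPE_POD = {
    "metadata": {"name": "debug-agent"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "agent",
            "image": "example.invalid/agent:1.0",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}
SAFE_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "containers": [{
            "name": "web",
            "image": "example.invalid/web:1.0",
            "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (ESCAPE_POD, SAFE_POD):
        for line in audit_pod(pod) or [f"{pod['metadata']['name']}: no node-escape vectors"]:
            print(line)
```

Everything this script flags is also rejected by the Pod Security Admission `restricted` profile; the script is for reviewing manifests in a repo or pods that were admitted before such a policy was enforced.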
Popeye is a utility that scans live Kubernetes clusters and reports potential issues with deployed resources and configurations.
It detects misconfigurations and helps you to ensure that best practices are in place.
More: https://ku.bz/D1Ch_MKP_
This article demonstrates using Falco as a runtime security layer in Kubernetes.
It explains how system calls are intercepted using eBPF or kernel modules and how Falco rules detect anomalous behavior like spawning shells or reading sensitive files.
More: https://ku.bz/vd3wWs24H
Forwarded from KubeFM
Tim Miller, CEO and Co-founder at Kusari, explains how GitOps and Flux improve security through automated workflows.
He emphasizes that reducing human intervention in deployment processes leads to more reliable and secure outcomes. While tools like Flux require an upfront investment in automation, they make deployments repeatable and eliminate the need to teach new team members "every single weird thing" in the deployment process.
Watch the full interview: https://ku.bz/-2Sqn9Jb9
Nova scans your cluster for installed Helm charts, cross-checks them with public repos and flags outdated or deprecated charts and container images.
More: https://ku.bz/fNvPKdrLm
Learn how Beelzebub runs honeypots inside your Kubernetes cluster to detect lateral movement.
It fakes real services, captures attacker commands like docker ps or ls, and logs them for analysis via Grafana or fluentd.
More: https://ku.bz/W4M7dx2xy
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 139:
🍯 Securing Kubernetes using honeypots to detect and prevent lateral movement attacks
💻 Goodbye Wasted Compute: How I Taught Kubernetes to Autoscale with My MacBook Screen Lock
💣 Our last Kubernetes ingress production incident — explained in 5 minutes
🙈 Stop Treating YAML Like a String
✅ Mastering complex workloads with Kubernetes JobSet and GKE metrics
Read it now: https://learnkube.com/issues/139
⭐️ This issue is brought to you by Densify — Slash costs, improve reliability and spend less time managing Kubernetes https://ku.bz/-Ml6l6kDy
k8s-aws-iam-controller automates trust policy management for IAM Roles used in IRSA setups.
It watches annotated ServiceAccounts, validates via RoleUsagePolicy, and updates the role trust statements.
More: https://ku.bz/tHgMnBf1s
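What a correct IRSA trust statement must pin down, and how a reconciler keeps the role's trust policy idempotent and auditable, as an added example. This is not the controller's own code and does not reproduce its RoleUsagePolicy: it builds the standard `sts:AssumeRoleWithWebIdentity` statement with the OIDC provider's `:sub` and `:aud` condition keys, merges it without duplicates, and flags statements that let more than one ServiceAccount assume the role. The account ID, OIDC provider ID, namespace and ServiceAccount names are constructed placeholders.

```python
"""IRSA trust-statement builder and audit. Added example; not the k8s-aws-iam-controller's code.
The account ID and OIDC provider ID below are constructed placeholders."""
import json

ACCOUNT_ID = "123456789012"  # placeholder
ISSUER_HOST = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"  # placeholder
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{ISSUER_HOST}"


def as_list(v) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return v if isinstance(v, list) else ([] if v is None else [v])


def trust_statement(namespace: str, sa: str,
                    provider_arn: str = PROVIDER_ARN, issuer_host: str = ISSUER_HOST) -> dict:
    """One IRSA trust statement. ':sub' pins the role to a single ServiceAccount;
    ':aud' pins it to projected tokens whose audience is STS."""
    return {
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                f"{issuer_host}:sub": f"system:serviceaccount:{namespace}:{sa}",
                f"{issuer_host}:aud": "sts.amazonaws.com",
            }
        },
    }


def merge_trust(policy: dict, stmt: dict) -> dict:
    """Add stmt unless an identical one exists, so repeated reconciles do not grow the policy."""
    stmts = policy.setdefault("Statement", [])
    if stmt not in stmts:
        stmts.append(stmt)
    return policy


def audit_trust(policy: dict, issuer_host: str = ISSUER_HOST) -> list[str]:
    """Flag web-identity statements that are not bound to exactly one ServiceAccount."""
    problems: list[str] = []
    sub_key, aud_key = f"{issuer_host}:sub", f"{issuer_host}:aud"
    for i, s in enumerate(policy.get("Statement", [])):
        if s.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in as_list(s.get("Action")):
            continue
        cond = s.get("Condition") or {}
        equals, like = cond.get("StringEquals") or {}, cond.get("StringLike") or {}
        if not as_list(equals.get(sub_key)) + as_list(like.get(sub_key)):
            problems.append(f"statement {i}: no {sub_key} condition; any ServiceAccount token "
                            "from this cluster can assume the role")
        for v in as_list(like.get(sub_key)):
            if "*" in v or "?" in v:
                problems.append(f"statement {i}: wildcard sub '{v}' matches more than one ServiceAccount")
        if aud_key not in equals:
            problems.append(f"statement {i}: no {aud_key} condition")
    return problems


def weak_policy_example() -> dict:
    """Constructed trust policy with two common mistakes: no conditions, and a wildcard sub."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
         "Action": "sts:AssumeRoleWithWebIdentity"},
        {"Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
         "Action": "sts:AssumeRoleWithWebIdentity",
         "Condition": {"StringLike": {f"{ISSUER_HOST}:sub": "system:serviceaccount:*:*"},
                       "StringEquals": {f"{ISSUER_HOST}:aud": "sts.amazonaws.com"}}},
    ]}


def reconciled_policy() -> dict:
    """Simulate two reconcile passes for the same annotated ServiceAccount."""
    policy = {"Version": "2012-10-17", "Statement": []}
    merge_trust(policy, trust_statement("payments", "api"))
    merge_trust(policy, trust_statement("payments", "api"))
    return policy


if __name__ == "__main__":
    print(json.dumps(reconciled_policy(), indent=2))
    for p in audit_trust(weak_policy_example()):
        print("WEAK:", p)
```

The ServiceAccount side is the standard `eks.amazonaws.com/role-arn` annotation; the trust policy is the side that decides who may assume the role, which is why the audit treats a missing or wildcarded `:sub` as the finding that matters.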
Forwarded from KubeFM
Yakir Kadkoda and Assaf Morag from Aqua Security highlight how even sectors known for their security, such as finance and insurance, are facing the challenge of leaked secrets.
They presented an example that involved contractors and engineers accidentally exposing sensitive information, like registry secrets or Docker Hub credentials, on platforms like GitHub (often using their personal accounts).
Watch the full episode: https://ku.bz/5RKVBGlQR
Gatekeeper's k8sallowedrepos can be bypassed if repo entries lack a trailing /.
Attackers exploit prefix matching to pull images from fake subdomains like myrepo.io.attacker.com. Aqua shows real examples, a fixed v2 policy, and Trivy detection.
More: https://ku.bz/fYQfsmHt-
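The bypass is a plain string-prefix problem: `myrepo.io` is a prefix of `myrepo.io.attacker.com/app`, so an entry without a trailing slash admits any registry whose hostname begins with the allowed one. The following is an added example that reimplements the check in Python to show the flawed match beside the anchored one; it is not Gatekeeper's Rego, not Aqua's v2 policy, and the registry and image names are constructed.

```python
"""Prefix-match bypass of an image allow-list, and the anchored check that closes it.
Added example in plain Python; not Gatekeeper's ConstraintTemplate. Names are constructed."""


def allowed_by_prefix(image: str, allowed_repos: list[str]) -> bool:
    """The flawed check: a bare prefix test over the whole image reference."""
    return any(image.startswith(repo) for repo in allowed_repos)


def anchor_repo(repo: str) -> str:
    """Force an allow-list entry to end in '/', so a match can only stop at a path boundary.
    'myrepo.io/' is not a prefix of 'myrepo.io.attacker.com/app:1.0'."""
    return repo if repo.endswith("/") else repo + "/"


def allowed_by_anchored_prefix(image: str, allowed_repos: list[str]) -> bool:
    """The fixed check: same prefix test, but every entry is anchored first."""
    return any(image.startswith(anchor_repo(repo)) for repo in allowed_repos)


def registry_of(image: str) -> str:
    """Registry host of an image reference, following the docker/distribution convention:
    the first path component is a registry only if it contains '.' or ':' or is 'localhost';
    otherwise the reference is resolved against Docker Hub."""
    first, slash, _ = image.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def find_bypasses(images: list[str], allowed_repos: list[str]) -> list[str]:
    """Images the flawed check admits but the anchored check rejects."""
    return [i for i in images
            if allowed_by_prefix(i, allowed_repos) and not allowed_by_anchored_prefix(i, allowed_repos)]


# Constructed allow-list entry and image references under review.
ALLOWED_REPOS = ["myrepo.io"]  # the vulnerable form: no trailing slash
IMAGES = [
    "myrepo.io/app:1.0",               # legitimate
    "myrepo.io.attacker.com/app:1.0",  # attacker-controlled host that shares the prefix
    "docker.io/library/nginx:1.25",    # rejected by both checks
]

if __name__ == "__main__":
    for image in IMAGES:
        print(f"{image:36} flawed={allowed_by_prefix(image, ALLOWED_REPOS)!s:5} "
              f"anchored={allowed_by_anchored_prefix(image, ALLOWED_REPOS)!s:5} "
              f"registry={registry_of(image)}")
    print("bypasses:", find_bypasses(IMAGES, ALLOWED_REPOS))
```

Anchoring also stops `myrepo.io/team` from matching `myrepo.io/team-a/...`, and it deliberately does not make `myrepo.io` match `myrepo.io:5000/...`, which is a different registry. Extracting the registry host with `registry_of` and comparing it for equality is the belt-and-braces alternative when the allow-list is meant to name whole registries rather than path prefixes.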
Secrets Webhook is a tool that enables direct secret injection into Kubernetes Pods through a mutating webhook.
More: https://ku.bz/m4VHrfhL5
Forwarded from KubeFM
Andy Suderman, CTO at Fairwinds, discusses three key areas he's tracking in the Kubernetes ecosystem.
He explains how mutating admission policy builds on the newly stable validating admission policy to provide native policy validation and mutation capabilities. Andy highlights dynamic resource allocation as a long-awaited feature that will transform cluster scheduling. He also covers emerging AI-focused Kubernetes tools, including Solo's recently open-sourced K-Gateway and K-Agent projects, plus Ray's machine learning capabilities.
Watch the full interview: https://ku.bz/ZQTRkMpz5