Ory Kratos is the developer-friendly, security-hardened and battle-tested Identity, User Management and Authentication system for the Cloud.
It is designed to run best on a Container Orchestration system such as Kubernetes.
More: https://ku.bz/PdzGBDwjh
It is designed to run best on a Container Orchestration system such as Kubernetes.
More: https://ku.bz/PdzGBDwjh
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 141:
💣 Kubernetes failure stories
👩🏫 YAML templating was a mistake
✍️ Defining and Implementing Effective SLOs and SLIs for ArgoCD
📈 Scaling to the future: Kubernetes reimagined with Graviton processors
🔎 Tracing Strategies For LLMs Running On Google Cloud Run
Read it now: https://learnkube.com/issues/141
⭐️ This newsletter is brought to you by Dynatrace - Transform complexity into your greatest asset AI-powered observability https://ku.bz/4KNlNJYz9
💣 Kubernetes failure stories
👩🏫 YAML templating was a mistake
✍️ Defining and Implementing Effective SLOs and SLIs for ArgoCD
📈 Scaling to the future: Kubernetes reimagined with Graviton processors
🔎 Tracing Strategies For LLMs Running On Google Cloud Run
Read it now: https://learnkube.com/issues/141
⭐️ This newsletter is brought to you by Dynatrace - Transform complexity into your greatest asset AI-powered observability https://ku.bz/4KNlNJYz9
The article explains how attackers can exploit Kubernetes clusters by leveraging pod vulnerabilities to gain filesystem access, execute shell commands, escape containers, and exfiltrate tokens for potential cluster-admin escalation.
More: https://ku.bz/L4Pl5-zHl
More: https://ku.bz/L4Pl5-zHl
k8s-remix is an operator to compose secrets with the same flexibility as a pod env spec field.
It monitors changes to configmaps and secrets mentioned in the dataFrom field, and triggers an update whenever these resources are updated.
More: https://ku.bz/vpTfmB6mP
It monitors changes to configmaps and secrets mentioned in the dataFrom field, and triggers an update whenever these resources are updated.
More: https://ku.bz/vpTfmB6mP
The tutorial explains how to securely integrate AWS Secrets Manager with Kubernetes using the External Secrets Operator (ESO), automating secret synchronization via YAML configurations and IAM credentials to eliminate hardcoded secrets.
More: https://ku.bz/TR1h6vSwl
More: https://ku.bz/TR1h6vSwl
The ClusterSecret operator keeps matching namespaces updated with secrets:
- New matching namespaces receive the secret automatically. - Changes to the ClusterSecret update all related secrets, and deleting it also removes all cloned secrets.
More: https://ku.bz/L452YC-Mp
- New matching namespaces receive the secret automatically. - Changes to the ClusterSecret update all related secrets, and deleting it also removes all cloned secrets.
More: https://ku.bz/L452YC-Mp
This tutorial covers east-west routing configuration utilizing CoreDNS, Traefik, cert-manager, and trust-manager for domain resolution and secure certificate management.
More: https://ku.bz/QfzB7zPcf
More: https://ku.bz/QfzB7zPcf
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 142:
🐳 How Kubernetes Runs Containers: A Practical Deep Dive
0️⃣ Why Scale to Zero?
💰 How We Saved 80% on Our Observability Bill!
📝 Kubernetes configuration and infrastructure as code taxonomy
🏎️ Kubernetes performance tuning: eviction thresholds
Read it now: https://learnkube.com/issues/142
⭐️ This newsletter is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training
🐳 How Kubernetes Runs Containers: A Practical Deep Dive
0️⃣ Why Scale to Zero?
💰 How We Saved 80% on Our Observability Bill!
📝 Kubernetes configuration and infrastructure as code taxonomy
🏎️ Kubernetes performance tuning: eviction thresholds
Read it now: https://learnkube.com/issues/142
⭐️ This newsletter is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training
Kyverno is a policy engine designed for Kubernetes.
It can validate, mutate, and generate configurations using admission controls and background scans.
Kyverno policies are Kubernetes resources and do not require learning a new language.
More: https://ku.bz/swJ_5DtbJ
It can validate, mutate, and generate configurations using admission controls and background scans.
Kyverno policies are Kubernetes resources and do not require learning a new language.
More: https://ku.bz/swJ_5DtbJ
This article explains how Kubernetes handles Linux capability names inconsistently, with behavior differing between container runtimes like containerd and CRI-O.
More: https://ku.bz/Fk3B8xWbr
More: https://ku.bz/Fk3B8xWbr
Forwarded from Kube Architect
Learn how UiPath replaced mutating webhooks with a Helm library solution, enabling flexible cross-service configuration management in Kubernetes without cluster-wide permissions.
More: https://ku.bz/frf79NxRC
More: https://ku.bz/frf79NxRC
KSOPS is a kustomize exec plugin for SOPS encrypted resources.
KSOPS can be used to decrypt any Kubernetes resource, but is most commonly used to decrypt encrypted Kubernetes Secrets and ConfigMaps.
More: https://ku.bz/615H3TNYJ
KSOPS can be used to decrypt any Kubernetes resource, but is most commonly used to decrypt encrypted Kubernetes Secrets and ConfigMaps.
More: https://ku.bz/615H3TNYJ
Forwarded from KubeFM
This media is not supported in your browser
VIEW IN TELEGRAM
Hillai Ben-Sasson and Ronen Shustin, Security Researchers at Wiz, explain how gaining code execution on a node can allow attackers to exploit kubelet credentials to access sensitive cluster resources.
This issue highlights the risks of overly powerful service accounts, even on isolated nodes, as they can inadvertently expose sensitive data from other customers.
Watch the full episode: https://ku.bz/yr16qNTFx
This issue highlights the risks of overly powerful service accounts, even on isolated nodes, as they can inadvertently expose sensitive data from other customers.
Watch the full episode: https://ku.bz/yr16qNTFx
Reflector is a Kubernetes addon designed to monitor changes to resources (Secrets and ConfigMaps) and reflect changes to mirror resources in the same or other namespaces.
More: https://ku.bz/wPZw27PGH
More: https://ku.bz/wPZw27PGH
ToolHive secures Model Context Protocol (MCP) servers in Kubernetes using native features like RBAC, network policies, and StatefulSets.
It isolates servers via a proxy, blocking direct network access for enterprise-grade security.
More: https://ku.bz/cJ4HXTrnS
It isolates servers via a proxy, blocking direct network access for enterprise-grade security.
More: https://ku.bz/cJ4HXTrnS
Forwarded from Kube Architect
Sveltos installs as a controller in a management cluster, deploying add-ons and policies (Helm charts, Kustomize, raw YAML) to target clusters by label selectors and sync rules, automating multi-cluster resource management and compliance.
More: https://ku.bz/RgJVTPtfJ
More: https://ku.bz/RgJVTPtfJ
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 143:
🤔 Can a Simple 4-Core, 16 GB RAM Machine Reach 1000 TPS?
🧢 Cap or no cap
🔙 Reclaiming Idle GPUs in Kubernetes: A Practical Approach (and a Call for Ideas!)
💰 How We Saved $1.22 Million Annually on GCP Costs in a Few Simple Steps
🕰️ Inside Kubernetes Scheduler: What really happens before your pod lands on a node
Read it now: https://learnkube.com/issues/143
⭐️ This newsletter is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training
🤔 Can a Simple 4-Core, 16 GB RAM Machine Reach 1000 TPS?
🧢 Cap or no cap
🔙 Reclaiming Idle GPUs in Kubernetes: A Practical Approach (and a Call for Ideas!)
💰 How We Saved $1.22 Million Annually on GCP Costs in a Few Simple Steps
🕰️ Inside Kubernetes Scheduler: What really happens before your pod lands on a node
Read it now: https://learnkube.com/issues/143
⭐️ This newsletter is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training
argocd-vault-plugin is an Argo CD plugin that retrieves secrets from Secret Management tools and injects them into Kubernetes.
More: https://ku.bz/0Gz8zfVch
More: https://ku.bz/0Gz8zfVch
This guide will teach you how to integrate HashiCorp Vault with Kubernetes Secrets CSI Driver, configure Kubernetes authentication, and create SecretProviderClass resources for secure secret management.
More: https://ku.bz/FSg9XsTZc
More: https://ku.bz/FSg9XsTZc
kube-advisor.io runs an agent in your cluster to auto-detect misconfigs and best practice violations in real time; supports Kyverno for custom checks.
More: https://ku.bz/WVcV9HKN7
More: https://ku.bz/WVcV9HKN7
Forwarded from LearnKube news
In Kubernetes, containers typically start with root privileges.
This happens because, by default, container processes run as UID 0 unless overridden. While convenient during development, it introduces unnecessary risk in production environments.
If an attacker compromises the container, root access increases the likelihood of privilege escalation to the host.
Our latest article "From Linux Primitives to Kubernetes Security Contexts" demystifies these concepts.
Read the full article: https://learnkube.com/security-contexts
This happens because, by default, container processes run as UID 0 unless overridden. While convenient during development, it introduces unnecessary risk in production environments.
If an attacker compromises the container, root access increases the likelihood of privilege escalation to the host.
Our latest article "From Linux Primitives to Kubernetes Security Contexts" demystifies these concepts.
Read the full article: https://learnkube.com/security-contexts