This article explains how Kubernetes handles Linux capability names inconsistently, with behavior differing between container runtimes like containerd and CRI-O.
More: https://ku.bz/Fk3B8xWbr
More: https://ku.bz/Fk3B8xWbr
Forwarded from Kube Architect
Learn how UiPath replaced mutating webhooks with a Helm library solution, enabling flexible cross-service configuration management in Kubernetes without cluster-wide permissions.
More: https://ku.bz/frf79NxRC
More: https://ku.bz/frf79NxRC
KSOPS is a kustomize exec plugin for SOPS encrypted resources.
KSOPS can be used to decrypt any Kubernetes resource, but is most commonly used to decrypt encrypted Kubernetes Secrets and ConfigMaps.
More: https://ku.bz/615H3TNYJ
KSOPS can be used to decrypt any Kubernetes resource, but is most commonly used to decrypt encrypted Kubernetes Secrets and ConfigMaps.
More: https://ku.bz/615H3TNYJ
Forwarded from KubeFM
This media is not supported in your browser
VIEW IN TELEGRAM
Hillai Ben-Sasson and Ronen Shustin, Security Researchers at Wiz, explain how gaining code execution on a node can allow attackers to exploit kubelet credentials to access sensitive cluster resources.
This issue highlights the risks of overly powerful service accounts, even on isolated nodes, as they can inadvertently expose sensitive data from other customers.
Watch the full episode: https://ku.bz/yr16qNTFx
This issue highlights the risks of overly powerful service accounts, even on isolated nodes, as they can inadvertently expose sensitive data from other customers.
Watch the full episode: https://ku.bz/yr16qNTFx
Reflector is a Kubernetes addon designed to monitor changes to resources (Secrets and ConfigMaps) and reflect changes to mirror resources in the same or other namespaces.
More: https://ku.bz/wPZw27PGH
More: https://ku.bz/wPZw27PGH
ToolHive secures Model Context Protocol (MCP) servers in Kubernetes using native features like RBAC, network policies, and StatefulSets.
It isolates servers via a proxy, blocking direct network access for enterprise-grade security.
More: https://ku.bz/cJ4HXTrnS
It isolates servers via a proxy, blocking direct network access for enterprise-grade security.
More: https://ku.bz/cJ4HXTrnS
Forwarded from Kube Architect
Sveltos installs as a controller in a management cluster, deploying add-ons and policies (Helm charts, Kustomize, raw YAML) to target clusters by label selectors and sync rules, automating multi-cluster resource management and compliance.
More: https://ku.bz/RgJVTPtfJ
More: https://ku.bz/RgJVTPtfJ
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 143:
🤔 Can a Simple 4-Core, 16 GB RAM Machine Reach 1000 TPS?
🧢 Cap or no cap
🔙 Reclaiming Idle GPUs in Kubernetes: A Practical Approach (and a Call for Ideas!)
💰 How We Saved $1.22 Million Annually on GCP Costs in a Few Simple Steps
🕰️ Inside Kubernetes Scheduler: What really happens before your pod lands on a node
Read it now: https://learnkube.com/issues/143
⭐️ This newsletter is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training
🤔 Can a Simple 4-Core, 16 GB RAM Machine Reach 1000 TPS?
🧢 Cap or no cap
🔙 Reclaiming Idle GPUs in Kubernetes: A Practical Approach (and a Call for Ideas!)
💰 How We Saved $1.22 Million Annually on GCP Costs in a Few Simple Steps
🕰️ Inside Kubernetes Scheduler: What really happens before your pod lands on a node
Read it now: https://learnkube.com/issues/143
⭐️ This newsletter is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training
argocd-vault-plugin is an Argo CD plugin that retrieves secrets from Secret Management tools and injects them into Kubernetes.
More: https://ku.bz/0Gz8zfVch
More: https://ku.bz/0Gz8zfVch
This guide will teach you how to integrate HashiCorp Vault with Kubernetes Secrets CSI Driver, configure Kubernetes authentication, and create SecretProviderClass resources for secure secret management.
More: https://ku.bz/FSg9XsTZc
More: https://ku.bz/FSg9XsTZc
kube-advisor.io runs an agent in your cluster to auto-detect misconfigs and best practice violations in real time; supports Kyverno for custom checks.
More: https://ku.bz/WVcV9HKN7
More: https://ku.bz/WVcV9HKN7
Forwarded from LearnKube news
In Kubernetes, containers typically start with root privileges.
This happens because, by default, container processes run as UID 0 unless overridden. While convenient during development, it introduces unnecessary risk in production environments.
If an attacker compromises the container, root access increases the likelihood of privilege escalation to the host.
Our latest article "From Linux Primitives to Kubernetes Security Contexts" demystifies these concepts.
Read the full article: https://learnkube.com/security-contexts
This happens because, by default, container processes run as UID 0 unless overridden. While convenient during development, it introduces unnecessary risk in production environments.
If an attacker compromises the container, root access increases the likelihood of privilege escalation to the host.
Our latest article "From Linux Primitives to Kubernetes Security Contexts" demystifies these concepts.
Read the full article: https://learnkube.com/security-contexts
This article explains how to use offensive container security techniques for Docker and Kubernetes, covering misconfigurations, attack paths, and defenses.
More: https://ku.bz/WKmQXwcMN
More: https://ku.bz/WKmQXwcMN
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Alessandro from IBM Research how his team transformed their chaotic bare-metal clusters into a well-governed, self-service platform for AI and scientific workloads.
You will learn:
- How to implement GitOps workflows that reduce administrative burden while maintaining governance and visibility
- Practical policy enforcement strategies using Kyverno to prevent GPU monopolization, block interactive pod usage, and automatically inject scheduling constraints
- Fair resource sharing techniques with Kueue to manage scarce GPU resources across different hardware types
Watch (or listen to) it here: https://ku.bz/5sK7BFZ-8
🌟 This episode is brought to you by Testkube—the ultimate Continuous Testing Platform for Cloud Native applications. Scale fast, test continuously, and ship confidently https://ku.bz/lnxYK3s0L
With @Birthmarkb "Udinese Lead Press Officer" Farrell
You will learn:
- How to implement GitOps workflows that reduce administrative burden while maintaining governance and visibility
- Practical policy enforcement strategies using Kyverno to prevent GPU monopolization, block interactive pod usage, and automatically inject scheduling constraints
- Fair resource sharing techniques with Kueue to manage scarce GPU resources across different hardware types
Watch (or listen to) it here: https://ku.bz/5sK7BFZ-8
🌟 This episode is brought to you by Testkube—the ultimate Continuous Testing Platform for Cloud Native applications. Scale fast, test continuously, and ship confidently https://ku.bz/lnxYK3s0L
With @Birthmarkb "Udinese Lead Press Officer" Farrell
Forwarded from KubeFM
This media is not supported in your browser
VIEW IN TELEGRAM
Jim Bugwadia, Co-Founder & CEO @ Nirmata, explains why policy as code is transforming Kubernetes resource management.
Drawing a parallel to how infrastructure as code revolutionized configuration management, Jim positions policy as code as the critical building block for platform engineering teams to automate security guardrails rather than enforcing rigid processes.
Watch the full interview: https://ku.bz/hYZXTmPV9
This interview is a reaction to Alexandre Souza's episode https://ku.bz/z2Vj9PBYh
Drawing a parallel to how infrastructure as code revolutionized configuration management, Jim positions policy as code as the critical building block for platform engineering teams to automate security guardrails rather than enforcing rigid processes.
Watch the full interview: https://ku.bz/hYZXTmPV9
This interview is a reaction to Alexandre Souza's episode https://ku.bz/z2Vj9PBYh
kubeconfig-ca-fetch is a tool that aggregates CA certs from multiple hardcoded clusters into a single kubeconfig using GitHub OIDC.
More: https://ku.bz/2MPKkZ5Bj
More: https://ku.bz/2MPKkZ5Bj
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 144:
✅ Modern Kubernetes: can we replace Helm?
💰 How We Saved 80% on Our Observability Bill!
🥷 Offensive Container Security: Techniques, Misconfigurations, and Attack Paths
💡 Scaling Kubernetes Smarter with Karpenter
✈️ ECR to OCIR: Event-driven Docker Image Updates
Read it now: https://learnkube.com/issues/144
⭐️ This newsletter is brought to you by Testkube — because if your app is Kubernetes-native, your testing should be too. Run any kind of test automation with the help of the platform built for it https://ku.bz/JqgJVcfRh
✅ Modern Kubernetes: can we replace Helm?
💰 How We Saved 80% on Our Observability Bill!
🥷 Offensive Container Security: Techniques, Misconfigurations, and Attack Paths
💡 Scaling Kubernetes Smarter with Karpenter
✈️ ECR to OCIR: Event-driven Docker Image Updates
Read it now: https://learnkube.com/issues/144
⭐️ This newsletter is brought to you by Testkube — because if your app is Kubernetes-native, your testing should be too. Run any kind of test automation with the help of the platform built for it https://ku.bz/JqgJVcfRh
This tutorial teaches how to implement SPIFFE/SPIRE for cloud-native workload identity management and integrate with Istio for mutual TLS and authorization policies.
More: https://ku.bz/HYVTDDcVz
More: https://ku.bz/HYVTDDcVz
kubelet-csr-approver is a hardened Kubernetes controller that auto-approves kubelet-serving CSRs only after verifying strict node identity rules—regex-matched hostnames, IP prefix constraints, username matching, DNS resolution, and X.509 CN checks.
More: https://ku.bz/-HVF5sB0h
More: https://ku.bz/-HVF5sB0h
Forwarded from LearnKube news
Master Kubernetes with LearnKube's Advanced Kubernetes workshop!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next course starts in September: https://learnkube.com/training
We also run in-person courses and private training: https://learnkube.com/corporate-training
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next course starts in September: https://learnkube.com/training
We also run in-person courses and private training: https://learnkube.com/corporate-training
This article explains how to use Transaction Tokens (TraTs) and the Tokenetes framework to securely propagate user identity and request context across microservices in Kubernetes.
More: https://ku.bz/YJ8vdTDvX
More: https://ku.bz/YJ8vdTDvX