Kubesploit – Telegram
News and links on Kubernetes security curated by the @Learnk8s team
Website: https://kubesploit.io/
This tutorial teaches how to manage Kubernetes secrets by syncing from external secret managers like AWS Secrets Manager using External Secrets Operator (ESO).

More: https://ku.bz/z4S56kDPQ
Forwarded from LearnKube news
📕 Free ebook: GPU-Enabled Platforms on Kubernetes — Available September 8th

As AI workloads become standard in production environments, understanding GPU orchestration on Kubernetes has shifted from a nice-to-have to an essential skill.

What's inside:

- The complete GPU abstraction stack—from physical hardware through kernel drivers to the Kubernetes API
- Why traditional container isolation fails for GPU workloads and what actually works
- Production-tested approaches: time-slicing, Multi-Instance GPU (MIG), Multi-Process Service (MPS), and vGPU solutions
- Architectural patterns for multi-tenant GPU platforms based on trust levels and performance requirements

The book launches September 8th in collaboration with vCluster. Reserve your free copy: https://ku.bz/gpu-k8s

💡 Live Discussion: September 10th
Join author Daniele for a live session covering the book's structure: https://ku.bz/g8gXCKW12
Kube-Sec is a CLI that connects to your Kubernetes cluster and runs static security checks on core resources.

It detects privileged containers, root pods, risky RBAC policies, open ports, hostPath usage, and public service exposure.

More: https://ku.bz/x6JpQm94_
Forwarded from KubeFM
Brian, VP Cloud Platform Engineering at JPMorgan Chase, shares his ingenious side project that automatically scales Kubernetes workloads based on whether his MacBook is open or closed.

You will learn:

- How KEDA differs from traditional Kubernetes HPA
- The technical architecture connecting macOS notifications through CloudWatch
- Cost optimization strategies
- Creative approaches to autoscaling signals beyond CPU and memory

Watch (or listen to) it here: https://ku.bz/sFd8TL1cS

🌟 This episode is brought to you by Testkube—the ultimate Continuous Testing Platform for Cloud Native applications. Scale fast, test continuously, and ship confidently https://ku.bz/lnxYK3s0L

With @Birthmarkb "New Soundproof Studio" Farrell
This article explains how Kubernetes v1.33 fixes a security flaw by requiring authorization checks for pods using cached private container images already present on a node.

More: https://ku.bz/yPgnR0XRm
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 146:

😱 When “Anti-Patterns” Become Best Practice: Lessons from Migrating a Global Pub/Sub Empire to Kubernetes
🥷 Trying to break out of the Python REPL sandbox in a Kubernetes environment: a practical journey
🕳️ Digging Deeper: How Pause containers skew your Kubernetes CPU/Memory Metrics
📕 Kubernetes Services: A Deep Dive with Examples
💰 How We Cut Our Azure Cloud Costs by 3×

Read it now: https://learnkube.com/issues/146

⭐️ This newsletter is brought to you by Tigera, the Creators of Project Calico — Learn how Calico uses eBPF for high performance, low latency, & enhanced networking https://ku.bz/d6d07C20F
Pangolin is a self-hosted, WireGuard-based tunnelled reverse proxy that securely exposes internal HTTP/TCP/UDP services without opening ports.

More: https://ku.bz/MzkRYlF1l
This article explains how to deploy a sidecar container to transform mounted secrets into structured JSON or .env files for applications.

It details watching mounted secrets in real-time and regenerating output on changes.

More: https://ku.bz/xKKXSNvb7
Conftest lets you enforce security/compliance rules on Kubernetes, Terraform, and other configs using OPA’s Rego.

More: https://ku.bz/Cq4x8tmnM
This article explains the limitations of Kubernetes' allowPrivilegeEscalation: false flag and why it does not prevent every privilege escalation method.

More: https://ku.bz/RpcSdbpgK
Forwarded from KubeFM
Frédéric, Senior SRE at BlaBlaCar, shares how his team solved the cold start problem for their 1,500 Java microservices using Istio's warm-up capabilities.

You will learn:

- Why Java applications struggle with cold starts and how JIT compilation affects initial request latency
- How Istio's warm-up feature works to gradually ramp up traffic to new pods
- Why other common solutions fail, including resource over-provisioning, init containers, and tools like GraalVM
- Real production impact from implementing this solution, including dramatic improvements in message moderation SLOs at BlaBlaCar's scale of 4,000 pods

Watch (or listen to) it here: https://ku.bz/grxcypt9j

🌟 This episode is brought to you by Testkube—the ultimate Continuous Testing Platform for Cloud Native applications. Scale fast, test continuously, and ship confidently https://ku.bz/lnxYK3s0L

With @Birthmarkb "Javanoscript troll humor" Farrell
watchall monitors your Kubernetes cluster, snapshots all resource changes into timestamped YAML files, redacts secrets, and lets you diff resource history offline via a deltas subcommand.

More: https://ku.bz/WncbdWtvp
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 147:

🐣 Inside a Pod’s Birth: Veth Pairs, IPAM, and Routing with Kindnet CNI
✂️ How We Cut Cross-AZ Traffic Costs Between Kubernetes Services in AWS Using Istio
🙅‍♀️ allowPrivilegeEscalation: false: The Kubernetes Security Flag With a Hidden Catch
🏞️ Kubernetes v1.33: Streaming List responses
⌛️ Fine-grained control with configurable HPA tolerance

Read it now: https://learnkube.com/issues/147

⭐️ This interview is brought to you by vCluster Labs — get the free eBook "GPU-enabled Platforms on Kubernetes". Learn GPU isolation, security patterns, and production architectures for AI infrastructure https://ku.bz/ZQXLKbwL7
KubernetesEnumerationTool audits clusters for exploitable misconfigs, missing best practices, and RBAC overreach.

It identifies weak points such as privileged pods, hostIPC, and insecure tokens, and tests node-level access via PowerShell modules.

More: https://ku.bz/-zW_QZVKM
This tutorial shows how to restrict access to Kubernetes services without a VPN using oauth2-proxy with ingress-nginx.

More: https://ku.bz/z67cDR8Fg
This repository demonstrates CVE-2024-3094, the backdoor discovered in xz utils versions 5.6.0+.

It provides a Docker container with the vulnerable Debian package and a patched liblzma library to reproduce the SSH authentication bypass exploit.

More: https://ku.bz/4K_lDB_ff
This tutorial sets up Vault's database secrets engine in AKS to generate short-lived Postgres credentials on demand, using ExternalSecrets and VaultDynamicSecret to sync them into native Kubernetes Secrets.

More: https://ku.bz/MbNs69CsB
Forwarded from KubeFM
Jorrick shares how his team of eight students built a complete predictive scaling system for Kubernetes clusters using machine learning.

You will learn:

- How to implement predictive scaling using Prophet ML model, Prometheus metrics, and custom APIs to forecast Kubernetes workload patterns
- The Node Ranking Index (NRI) - a unified metric that combines CPU, RAM, and request data into a single comparable number for efficient scaling decisions
- Real-world implementation challenges, including data validation, node startup timing constraints, load testing strategies, and the importance of proper research

Watch (or listen to) it here: https://ku.bz/clbDWqPYp

🌟 This episode is brought to you by Testkube—the ultimate Continuous Testing Platform for Cloud Native applications. Scale fast, test continuously, and ship confidently https://ku.bz/lnxYK3s0L

With @Birthmarkb "Kidnapped by an artist" Farrell
This repo demonstrates CVE-2024-0132, a container escape in NVIDIA Container Toolkit.

It swaps directory contents during validation, causing the toolkit to mount the entire host filesystem into the container instead of just a library file.

More: https://ku.bz/0Z5QPQl_N
Forwarded from KubeFM
Shahar Azulay, Co-Founder and CEO at groundcover, explains how observability and security have become increasingly interconnected in Kubernetes environments.

He discusses how eBPF technology blurs the line between these domains, allowing groundcover to provide security insights through observability features like API mapping that identifies encryption status and PII exposure. Shahar also highlights the critical security considerations for observability data itself, explaining why groundcover uses a "bring your own cloud" approach rather than the SaaS model common among competitors.

Watch the full interview: https://ku.bz/qt-j8gMlS
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 148:

🙈 Everything was fine until Kubernetes said ‘No more CPU’
🫄 Kubernetes Capacity Planning: Getting It Wrong Is Step One (And That’s Okay!)
♻️ Kubernetes v1.33: Updates to Container Lifecycle
📕 From CI to Kubernetes Catalog: Building a Composable Platform with GitOps and vCluster
🍀 Orchestrating a Greener Cloud: Carbon-Aware Kubernetes Scheduling with Liqo and Karmada

Read it now: https://learnkube.com/issues/148

⭐️ This newsletter is brought to you by Testkube — Keep your existing API, performance, and security testing tools. Run it at scale in Kubernetes https://ku.bz/Zfrty_fcC