This article explains how to configure Kubernetes SecurityContext settings at the pod and container levels to enforce security policies like non-root execution, volume permissions, and Linux capabilities.
More: https://ku.bz/nJ8Zkh6x9
More: https://ku.bz/nJ8Zkh6x9
kubeseal-convert is a tool for importing secrets from pre-existing secrets management systems (e.g. Vault, Secrets Manager) into a SealedSecret.
More: https://ku.bz/fQPD8MvbX
More: https://ku.bz/fQPD8MvbX
This article explains how to configure Istio to observe encrypted and unencrypted egress traffic in Kubernetes using TLS termination, origination, and certificate management.
More: https://ku.bz/rc3DypN0f
More: https://ku.bz/rc3DypN0f
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
A 45-minute production outage at Weaveworks changed how we deploy software forever.
We just released the first episode of "The Making of Flux," a four–part KubeFM original series in which we interview the people who built, maintained, and deployed Flux at scale.
Episode 1 features Alexis Richardson (former Weaveworks CEO), Chris Aniszczyk (CNCF CTO), and Andrew Martin (ControlPlane CEO) discussing how that production disaster led to GitOps, what CNCF graduation actually means, and how Flux is thriving.
You'll hear about the technical decisions, governance challenges, and production failures that shaped the project and what these practitioners learned the hard way.
Thanks to our guests for their candor, to ControlPlane for making this series possible, and to @Birthmarkb.
Episode 1 is live now: https://ku.bz/5Sf5wpd8y
P.S. If you're going to KubeCon, FluxCon is on November 11th in Salt Lake City https://ku.bz/L843kg0CK
We just released the first episode of "The Making of Flux," a four–part KubeFM original series in which we interview the people who built, maintained, and deployed Flux at scale.
Episode 1 features Alexis Richardson (former Weaveworks CEO), Chris Aniszczyk (CNCF CTO), and Andrew Martin (ControlPlane CEO) discussing how that production disaster led to GitOps, what CNCF graduation actually means, and how Flux is thriving.
You'll hear about the technical decisions, governance challenges, and production failures that shaped the project and what these practitioners learned the hard way.
Thanks to our guests for their candor, to ControlPlane for making this series possible, and to @Birthmarkb.
Episode 1 is live now: https://ku.bz/5Sf5wpd8y
P.S. If you're going to KubeCon, FluxCon is on November 11th in Salt Lake City https://ku.bz/L843kg0CK
kps-zeroexposure is a helm chart that fixes unhealthy or missing control-plane metrics targets in
More: https://ku.bz/jtT5DjB6h
kube-prometheus-stack by deploying a secure Prometheus Agent as a DaemonSet.More: https://ku.bz/jtT5DjB6h
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Thibault shares the technical details of debugging a complex VPA failure at Adevinta, where webhook timeouts triggered continuous pod evictions across their multi-tenant Kubernetes platform.
You will learn:
- VPA architecture deep dive - How the recommender, updater, and mutating webhook components interact
- Hidden Kubernetes limits - How default QPS and burst rate limits in the Kubernetes Go client can cause widespread failures
- Monitoring strategies for autoscaling - What metrics to track for webhook latency and pod eviction rates to catch similar issues
Watch (or listen to) it here: https://ku.bz/rf1pbWXdN
🌟 This episode is brought to you by Testkube—where teams run millions of performance tests in real Kubernetes infrastructure. From air-gapped environments to massive scale deployments, orchestrate every testing tool in one platform https://ku.bz/lnxYK3s0L
With @Birthmarkb "Reading Rainbow" Farrell
You will learn:
- VPA architecture deep dive - How the recommender, updater, and mutating webhook components interact
- Hidden Kubernetes limits - How default QPS and burst rate limits in the Kubernetes Go client can cause widespread failures
- Monitoring strategies for autoscaling - What metrics to track for webhook latency and pod eviction rates to catch similar issues
Watch (or listen to) it here: https://ku.bz/rf1pbWXdN
🌟 This episode is brought to you by Testkube—where teams run millions of performance tests in real Kubernetes infrastructure. From air-gapped environments to massive scale deployments, orchestrate every testing tool in one platform https://ku.bz/lnxYK3s0L
With @Birthmarkb "Reading Rainbow" Farrell
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Jim Bugwadia, Co-Founder & CEO @ Nirmata, discusses the concerning statistic that 71% of Kubernetes security vulnerabilities stem from misconfigurations (according to a 2021 Red Hat report).
He explains how policy engines like Kyverno enable teams to not only "shift left" but also "shift down" by building security directly into the platform layer. Jim shares how Nirmata customers implement this approach by enforcing policies upfront, scanning in pipelines, and blocking problematic configurations at admission control points, resulting in cleaner Kubernetes environments.
Watch the full interview: https://ku.bz/hYZXTmPV9
He explains how policy engines like Kyverno enable teams to not only "shift left" but also "shift down" by building security directly into the platform layer. Jim shares how Nirmata customers implement this approach by enforcing policies upfront, scanning in pipelines, and blocking problematic configurations at admission control points, resulting in cleaner Kubernetes environments.
Watch the full interview: https://ku.bz/hYZXTmPV9
This article explains the governance differences between AWS Config and Kubernetes native policy engines and their complementary roles in cloud environments.
More: https://ku.bz/ttgXTYdrZ
More: https://ku.bz/ttgXTYdrZ
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Phil Estes, Principal Engineer at Amazon Web Services (AWS), explains why container security extends far beyond using minimal images.
He emphasizes examining the entire supply chain including dependencies, software composition analysis, and software bill of materials (SBOM).
He discusses the importance of image signing, package signing, and certificate management initiatives, including the OpenSSF's work providing maintainers with physical keys for proper package signing.
Watch the full interview: https://ku.bz/K4LmmL2NN
This interview is a reaction to Harsha Koushik's episode https://ku.bz/n_sJ04xMY
He emphasizes examining the entire supply chain including dependencies, software composition analysis, and software bill of materials (SBOM).
He discusses the importance of image signing, package signing, and certificate management initiatives, including the OpenSSF's work providing maintainers with physical keys for proper package signing.
Watch the full interview: https://ku.bz/K4LmmL2NN
This interview is a reaction to Harsha Koushik's episode https://ku.bz/n_sJ04xMY
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 149:
🔥 More DevOps than I Bargained For
🧪 Testing to See if You Can Run a MariaDB Cluster on a $150 Kubernetes Lab
⚡ Ceph on NVMe Made No Sense to Us — So We Built a 40x Better Alternative
🌐 Observing Egress Traffic with Istio
🐍 Trying to Break Out of the Python REPL Sandbox in a Kubernetes Environment: A Practical Journey
Read it now: https://learnkube.com/issues/149
⭐️ This newsletter is brought to you by Tigera, the Creators of Project Calico — Learn how Calico uses eBPF for high performance, low latency, & enhanced networking https://ku.bz/b7Nm3GkwL
🔥 More DevOps than I Bargained For
🧪 Testing to See if You Can Run a MariaDB Cluster on a $150 Kubernetes Lab
⚡ Ceph on NVMe Made No Sense to Us — So We Built a 40x Better Alternative
🌐 Observing Egress Traffic with Istio
🐍 Trying to Break Out of the Python REPL Sandbox in a Kubernetes Environment: A Practical Journey
Read it now: https://learnkube.com/issues/149
⭐️ This newsletter is brought to you by Tigera, the Creators of Project Calico — Learn how Calico uses eBPF for high performance, low latency, & enhanced networking https://ku.bz/b7Nm3GkwL
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Andy Suderman, CTO @ Fairwinds, discusses the transition from playground to production Kubernetes environments. He agrees that clusters only feel real once they're serving actual customer traffic, but expands beyond just Ingress and DNS to emphasize the broader ecosystem requirements.
Andy explains that vanilla Kubernetes clusters are not 100% functional out of the box. Production readiness requires a comprehensive suite of add-ons including ingress controllers, DNS controllers, cert managers, and various operators.
The key insight is that the ecosystem of add-ons is crucial to any functional Kubernetes platform, and once these components are in place serving production workloads, the cluster graduates from playground status to a real operational environment.
Watch the full interview: https://ku.bz/ZQTRkMpz5
This interview is a reaction to Dan Garfield's episode https://ku.bz/m3YNgCh1W
Andy explains that vanilla Kubernetes clusters are not 100% functional out of the box. Production readiness requires a comprehensive suite of add-ons including ingress controllers, DNS controllers, cert managers, and various operators.
The key insight is that the ecosystem of add-ons is crucial to any functional Kubernetes platform, and once these components are in place serving production workloads, the cluster graduates from playground status to a real operational environment.
Watch the full interview: https://ku.bz/ZQTRkMpz5
This interview is a reaction to Dan Garfield's episode https://ku.bz/m3YNgCh1W
KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure that applications adhere to best practices.
More: https://ku.bz/yCpPFTs73
More: https://ku.bz/yCpPFTs73
Blixt is an early-stage, sandbox-only Layer 4 load balancer project written in Rust.
It integrates eBPF via Aya and manages routing logic via Kube-RS.
It supports Gateway API objects like TCPRoute and UDPRoute, with KIND-based local testing only.
More: https://ku.bz/1cZxMK7Ck
It integrates eBPF via Aya and manages routing logic via Kube-RS.
It supports Gateway API objects like TCPRoute and UDPRoute, with KIND-based local testing only.
More: https://ku.bz/1cZxMK7Ck
Forwarded from KubeFM
This media is not supported in your browser
VIEW IN TELEGRAM
Harsha Koushik, a Security Researcher and Technical Product Manager at Palo Alto Networks, discusses the nuanced decision of using empty scratch containers.
He emphasizes that while experienced developers might manage fine with these minimalistic containers, less experienced developers could face significant issues due to missing essential libraries and configurations.
Koushik points out that missing elements like C libraries,
Watch the full episode: https://ku.bz/n_sJ04xMY
He emphasizes that while experienced developers might manage fine with these minimalistic containers, less experienced developers could face significant issues due to missing essential libraries and configurations.
Koushik points out that missing elements like C libraries,
/etc/passwd files, and timezone defaults can lead to failures in logging, cron jobs, and other system functions.Watch the full episode: https://ku.bz/n_sJ04xMY
This tutorial explains Kubernetes authentication (“who you are”) and authorization (“what you can do”) workflows.
It shows how to issue user certificates, create a CertificateSigningRequest, approve it, and bind RBAC roles.
More: https://ku.bz/mN0GKSR_c
It shows how to issue user certificates, create a CertificateSigningRequest, approve it, and bind RBAC roles.
More: https://ku.bz/mN0GKSR_c
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Danyl, a veteran .NET engineer and architect at Eneco, presents his controversial thesis that 90% of teams don't actually need Kubernetes.
You will learn:
- The COST decision framework - How to evaluate infrastructure choices based on Complexity, Ownership, Skills, and Time rather than industry hype
- Platform engineering vs. managed services - How to honestly assess whether your team can compete with AWS, Azure, and Google's managed container platforms
- Evolutionary architecture approach - Why modular monoliths with clear boundaries often provide better foundations than distributed systems from day one
Watch (or listen to) it here: https://ku.bz/BYhFw8RwW
🌟 This episode is brought to you by Testkube—the ultimate Continuous Testing Platform for Cloud Native applications. Scale fast, test continuously, and ship confidently https://ku.bz/lnxYK3s0L
With @Birthmarkb "DSA hero" Farrell
You will learn:
- The COST decision framework - How to evaluate infrastructure choices based on Complexity, Ownership, Skills, and Time rather than industry hype
- Platform engineering vs. managed services - How to honestly assess whether your team can compete with AWS, Azure, and Google's managed container platforms
- Evolutionary architecture approach - Why modular monoliths with clear boundaries often provide better foundations than distributed systems from day one
Watch (or listen to) it here: https://ku.bz/BYhFw8RwW
🌟 This episode is brought to you by Testkube—the ultimate Continuous Testing Platform for Cloud Native applications. Scale fast, test continuously, and ship confidently https://ku.bz/lnxYK3s0L
With @Birthmarkb "DSA hero" Farrell
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 150:
📊 From utilization to PSI: Rethinking resource starvation monitoring in Kubernetes
🔀 Inside Intra-Node Pod Traffic in Kubernetes: How Kindnet with PTP Moves Packets
💬 The story behind the great sidecar debate
🤖 Scalable ML with Azure, Kubernetes and KEDA: Generating Inputs with 500 Pods
Read it now: https://learnkube.com/issues/150
⭐️ This newsletter is brought to you by AWS — reduce the costs of your AI infrastructure with Amazon EKS https://ku.bz/gdkVpKB3H
📊 From utilization to PSI: Rethinking resource starvation monitoring in Kubernetes
🔀 Inside Intra-Node Pod Traffic in Kubernetes: How Kindnet with PTP Moves Packets
💬 The story behind the great sidecar debate
🤖 Scalable ML with Azure, Kubernetes and KEDA: Generating Inputs with 500 Pods
Read it now: https://learnkube.com/issues/150
⭐️ This newsletter is brought to you by AWS — reduce the costs of your AI infrastructure with Amazon EKS https://ku.bz/gdkVpKB3H
argocd-vault-plugin is an Argo CD plugin that retrieves secrets from Secret Management tools and injects them into Kubernetes.
More: https://ku.bz/XbpB666ql
More: https://ku.bz/XbpB666ql
This tutorial shows how to enable passwordless kubectl access to an Oracle Kubernetes Engine (OKE) cluster by using OCI Instance Principals, dynamic groups, scoped IAM policies, and the OCI CLI exec plugin.
More: https://ku.bz/ZpCQLpM4V
More: https://ku.bz/ZpCQLpM4V
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Ben walks through Faire's complete CI transformation, from a single Jenkins instance struggling with thousands of lines of Groovy to a distributed Buildkite system running across multiple Kubernetes clusters.
You will learn:
- How to architect CI systems that match team ownership and eliminate shared failure points across services
- Kubernetes scaling patterns for CI workloads, including multi-cluster strategies, predictive node provisioning, and handling API throttling
- Performance optimization techniques like Git mirroring, node-level caching, and spot instance management for variable CI demands
Watch (or listen to) it here: https://ku.bz/klBmzMY5-
🌟 This episode is brought to you by Testkube—the ultimate Continuous Testing Platform for Cloud Native applications. Scale fast, test continuously, and ship confidently https://ku.bz/lnxYK3s0L
With @Birthmarkb "Creatine lover" Farrell
You will learn:
- How to architect CI systems that match team ownership and eliminate shared failure points across services
- Kubernetes scaling patterns for CI workloads, including multi-cluster strategies, predictive node provisioning, and handling API throttling
- Performance optimization techniques like Git mirroring, node-level caching, and spot instance management for variable CI demands
Watch (or listen to) it here: https://ku.bz/klBmzMY5-
🌟 This episode is brought to you by Testkube—the ultimate Continuous Testing Platform for Cloud Native applications. Scale fast, test continuously, and ship confidently https://ku.bz/lnxYK3s0L
With @Birthmarkb "Creatine lover" Farrell
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 151:
📊 Kubernetes observability from day one – mixins on Grafana, mimir and alloy
🕵️ Troubleshooting packet drops in a Kubernetes-based observability platform
🌍 How We Migrated 30+ Kubernetes Clusters to Terraform
🚪 Gateway API v1.3.0: Advancements in Request Mirroring, CORS, Gateway Merging, and Retry Budgets
🧩 Introducing Gateway API Inference Extension
Read it now: https://kube.today/issues/151
⭐️ This newsletter is brought to you by @KubeToday — a daily feed of Kubernetes news, events, jobs, announcements, and more! https://kube.today
📊 Kubernetes observability from day one – mixins on Grafana, mimir and alloy
🕵️ Troubleshooting packet drops in a Kubernetes-based observability platform
🌍 How We Migrated 30+ Kubernetes Clusters to Terraform
🚪 Gateway API v1.3.0: Advancements in Request Mirroring, CORS, Gateway Merging, and Retry Budgets
🧩 Introducing Gateway API Inference Extension
Read it now: https://kube.today/issues/151
⭐️ This newsletter is brought to you by @KubeToday — a daily feed of Kubernetes news, events, jobs, announcements, and more! https://kube.today