Dockadvisor is a lightweight Dockerfile linter built in Go that validates your Dockerfiles with over 60 rules covering syntax, security, and best practices.
More: https://ku.bz/2DT4TqRRk
More: https://ku.bz/2DT4TqRRk
This article explains a critical security issue where AWS CSI drivers gave DaemonSet service accounts the ability to patch nodes, completely breaking node isolation in multi-tenant clusters.
More: https://ku.bz/xGP7ymMvW
More: https://ku.bz/xGP7ymMvW
Kaniop is a Kubernetes operator written in Rust for managing Kanidm identity management clusters, providing declarative identity management through GitOps workflows.
More: https://ku.bz/D1JBBy0B3
More: https://ku.bz/D1JBBy0B3
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Ziv Yatzik manages 600+ Postgres clusters in a closed network environment with no public cloud. After existing backup solutions proved unreliable — causing downtime when disks filled up — his team built a new architecture using pgBackRest, Argo CD, and Kubernetes CronJobs.
You will learn:
- Why storing WAL files on shared NAS storage prevents backup failures from cascading into database outages
- How GitOps with Argo CD lets them manage backups for hundreds of clusters by adding a single YAML file
Watch (or listen to) it here: https://ku.bz/Rg_sQYSmw
🌟 This episode is sponsored by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training
With @Birthmarkb
You will learn:
- Why storing WAL files on shared NAS storage prevents backup failures from cascading into database outages
- How GitOps with Argo CD lets them manage backups for hundreds of clusters by adding a single YAML file
Watch (or listen to) it here: https://ku.bz/Rg_sQYSmw
🌟 This episode is sponsored by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training
With @Birthmarkb
This tutorial teaches how to deploy HashiCorp Vault Secrets Operator on Google Kubernetes Engine to synchronize Vault secrets into Kubernetes Secret resources automatically.
More: https://ku.bz/QnvFmQp8h
More: https://ku.bz/QnvFmQp8h
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 169:
🔥 When High Availability Brings Downtime
🔄 Upgrade AWS CSI Drivers in Your Multi-Tenant Kubernetes Cluster
🤖 How We Serve AI/ML Models at Scale in SAP AI Core
✅ Container Readiness Checks for Spring Boot Deployments
🌐 CoreDNS in OpenShift
Read it now: https://kube.today/issues/169
⭐️ This newsletter is brought to you by LearnKube — master Kubernetes with hands-on training designed for engineers who want to learn the smart way https://ku.bz/hypSbyc-V
🔥 When High Availability Brings Downtime
🔄 Upgrade AWS CSI Drivers in Your Multi-Tenant Kubernetes Cluster
🤖 How We Serve AI/ML Models at Scale in SAP AI Core
✅ Container Readiness Checks for Spring Boot Deployments
🌐 CoreDNS in OpenShift
Read it now: https://kube.today/issues/169
⭐️ This newsletter is brought to you by LearnKube — master Kubernetes with hands-on training designed for engineers who want to learn the smart way https://ku.bz/hypSbyc-V
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Nicholaos Mouzourakis, Staff Product Security Engineer at Gusto, explains how Open Policy Agent (OPA) integrates with Kubernetes for authorization. He highlights OPA's versatility and performance characteristics, noting that a single node can handle numerous requests with proper optimization.
He describes multiple deployment options, including:
- Standing up multiple OPA instances
- Setting up auto-scaling groups
- Co-locating OPA with server pods
- Running OPA as a WASM module for lower latency
Watch the full episode: https://kube.fmhttps://ku.bz/S-2vQ_j-4
He describes multiple deployment options, including:
- Standing up multiple OPA instances
- Setting up auto-scaling groups
- Co-locating OPA with server pods
- Running OPA as a WASM module for lower latency
Watch the full episode: https://kube.fmhttps://ku.bz/S-2vQ_j-4
Forwarded from KubeFM
This media is not supported in your browser
VIEW IN TELEGRAM
"Self-service capabilities without governance is how you get outages at 3 AM."
Zain Malik from ExoStellar tackles the tension between developer empowerment and platform governance. A mature platform provides standardized interfaces that give users access to what they need—kernel layers, node layers, DOS systems—without compromising reliability.
The key insight: centralization isn't about restriction, it's about creating reliable building blocks that scale.
Watch the full interview: https://ku.bz/rwttMCncv
Zain Malik from ExoStellar tackles the tension between developer empowerment and platform governance. A mature platform provides standardized interfaces that give users access to what they need—kernel layers, node layers, DOS systems—without compromising reliability.
The key insight: centralization isn't about restriction, it's about creating reliable building blocks that scale.
Watch the full interview: https://ku.bz/rwttMCncv
kubectl-rexec is a kubectl plugin that provides full audit logging for kubectl exec sessions, addressing the security gap where standard exec commands leave no trace of what happens inside containers.
More: https://ku.bz/yRQZ9Jrml
More: https://ku.bz/yRQZ9Jrml
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Tailscale
💰 $16.01M to $20.04M a year
🌎 Fully remote
→ https://ku.bz/J9Cs7QBBp
DevSecOps Engineer with Accenture Federal Services
💰 $10.84M to $20.34M a year
👨💻 Remote from
→ https://ku.bz/WdgxCrTlm
DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV
DevSecOps Engineer with Anthropic
💰 $300K to $405K a year
👨💻 Remote from
→ https://ku.bz/LzVjTfYNp
DevSecOps Engineer with Scale AI
💰 $264K to $330K a year
👨💻 Remote from
→ https://ku.bz/BdXCcJX58
👉 Browse 1635 jobs on Kube Careers https://kube.careers
DevSecOps Engineer with Tailscale
💰 $16.01M to $20.04M a year
🌎 Fully remote
→ https://ku.bz/J9Cs7QBBp
DevSecOps Engineer with Accenture Federal Services
💰 $10.84M to $20.34M a year
👨💻 Remote from
→ https://ku.bz/WdgxCrTlm
DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV
DevSecOps Engineer with Anthropic
💰 $300K to $405K a year
👨💻 Remote from
→ https://ku.bz/LzVjTfYNp
DevSecOps Engineer with Scale AI
💰 $264K to $330K a year
👨💻 Remote from
→ https://ku.bz/BdXCcJX58
👉 Browse 1635 jobs on Kube Careers https://kube.careers
This case study shows how Mindbody used Kyverno policy-as-code to dynamically manage Istio ingress gateways across hundreds of applications without updating individual Helm charts.
More: https://ku.bz/F6-Xr10Yv
More: https://ku.bz/F6-Xr10Yv
Synapse is a high-performance reverse proxy and firewall built with Rust, using XDP-based packet filtering for ultra-low latency protection at kernel level.
More: https://ku.bz/w2PFxxfN8
More: https://ku.bz/w2PFxxfN8
This article explains the risks of using unmaintained Docker images and how to detect vulnerabilities with tools like Trivy, SBOM operator, and Dependency Track.
More: https://ku.bz/WJ75qXRbV
More: https://ku.bz/WJ75qXRbV
Forwarded from KubeFM
This media is not supported in your browser
VIEW IN TELEGRAM
Ritesh Patel, Co-founder @ Nirmata, explains how Nirmata's AI platform engineering assistant differentiates itself in the market through strategic focus rather than broad appeal.
He demonstrates a direct approach to competitive positioning by acknowledging that their solution isn't for everyone - it's specifically designed for teams that have already adopted Kyverno as their policy engine.
Watch the interview: https://ku.bz/8nkrRSG_Z
Read the announcement: https://ku.bz/8_yYZZMG4
He demonstrates a direct approach to competitive positioning by acknowledging that their solution isn't for everyone - it's specifically designed for teams that have already adopted Kyverno as their policy engine.
Watch the interview: https://ku.bz/8nkrRSG_Z
Read the announcement: https://ku.bz/8_yYZZMG4
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Tibo on why Kubernetes isn't just for enterprise scale — it can be a practical choice for solo self-hosters too.
You will learn:
- Why Ansible's declarative promise fell short with the Podman collection, forcing sequential imperative steps instead of desired-state definitions
- How community Helm charts replace the need to write and maintain every manifest yourself
- Why GitOps isn't just a deployment workflow — it's a disaster recovery strategy when your infrastructure lives in your living room
Watch (or listen to) it here: https://ku.bz/Xk5S7VqXz
🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training
With @Birthmarkb
You will learn:
- Why Ansible's declarative promise fell short with the Podman collection, forcing sequential imperative steps instead of desired-state definitions
- How community Helm charts replace the need to write and maintain every manifest yourself
- Why GitOps isn't just a deployment workflow — it's a disaster recovery strategy when your infrastructure lives in your living room
Watch (or listen to) it here: https://ku.bz/Xk5S7VqXz
🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training
With @Birthmarkb
Guardon is a Kubernetes admission controller that enforces security and compliance policies in real-time before resources are created in your cluster.
More: https://ku.bz/d4hT8s9Sw
More: https://ku.bz/d4hT8s9Sw
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 170:
📦 Could lockfiles just be SBOMs?
🌐 Dynamic Istio Ingress Gateway Management with Kyverno
🎮 Factorio in Kubernetes? Well, why not?
🤖 Running DeepSeek Models on Kubernetes: A Backend Engineer's Experiment
⚡ Ephemeral Infrastructure: Why Short-Lived is a Good Thing
Read it now: https://kube.today/issues/170
⭐️ This issue is brought to you by vCluster and LearnKube — join "Multi-Tenancy March" starting Feb 24: a free 3-part hands-on series on namespace isolation, virtual clusters, GPU sharing, and AI agent sandboxing on Kubernetes https://ku.bz/multitenant26
📦 Could lockfiles just be SBOMs?
🌐 Dynamic Istio Ingress Gateway Management with Kyverno
🎮 Factorio in Kubernetes? Well, why not?
🤖 Running DeepSeek Models on Kubernetes: A Backend Engineer's Experiment
⚡ Ephemeral Infrastructure: Why Short-Lived is a Good Thing
Read it now: https://kube.today/issues/170
⭐️ This issue is brought to you by vCluster and LearnKube — join "Multi-Tenancy March" starting Feb 24: a free 3-part hands-on series on namespace isolation, virtual clusters, GPU sharing, and AI agent sandboxing on Kubernetes https://ku.bz/multitenant26
This article shows how to scan Helm charts for insecure RBAC, secret leaks, and malicious templates using tools like Trivy, GitHub Search, and OPA.
More: https://ku.bz/k4MpGVLyZ
More: https://ku.bz/k4MpGVLyZ
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Tailscale
💰 $16.15M to $20.21M a year
🌎 Fully remote
→ https://ku.bz/J9Cs7QBBp
DevSecOps Engineer with Accenture Federal Services
💰 $11.49M to $15.13M a year
👨💻 Remote from
→ https://ku.bz/bsl59cPMh
DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV
DevSecOps Engineer with Anthropic
💰 $300K to $405K a year
👨💻 Remote from
→ https://ku.bz/LzVjTfYNp
DevSecOps Engineer with Point72
💰 $225K to $300K a year
👨💻 Remote from
→ https://ku.bz/gG67-vdCY
👉 Browse 2029 jobs on Kube Careers https://kube.careers
DevSecOps Engineer with Tailscale
💰 $16.15M to $20.21M a year
🌎 Fully remote
→ https://ku.bz/J9Cs7QBBp
DevSecOps Engineer with Accenture Federal Services
💰 $11.49M to $15.13M a year
👨💻 Remote from
→ https://ku.bz/bsl59cPMh
DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV
DevSecOps Engineer with Anthropic
💰 $300K to $405K a year
👨💻 Remote from
→ https://ku.bz/LzVjTfYNp
DevSecOps Engineer with Point72
💰 $225K to $300K a year
👨💻 Remote from
→ https://ku.bz/gG67-vdCY
👉 Browse 2029 jobs on Kube Careers https://kube.careers
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Self-service and governance aren't competing forces — they work together.
Peter Kelly explains how Tigera's tiered network policies in Project Calico let platform teams lock down critical rules at an upper layer while giving developers a lower tier to manage their own policies. Security stays immutable at the top, and developers get autonomy within those guardrails.
The key: treat policy tiers like layers — compulsory at the top, flexible at the bottom.
Full interview: https://ku.bz/xgqZJhdyn
Watch the full interview: https://ku.bz/xgqZJhdyn
This interview is a reaction to Ben Poland's episode https://ku.bz/klBmzMY5-
Peter Kelly explains how Tigera's tiered network policies in Project Calico let platform teams lock down critical rules at an upper layer while giving developers a lower tier to manage their own policies. Security stays immutable at the top, and developers get autonomy within those guardrails.
The key: treat policy tiers like layers — compulsory at the top, flexible at the bottom.
Full interview: https://ku.bz/xgqZJhdyn
Watch the full interview: https://ku.bz/xgqZJhdyn
This interview is a reaction to Ben Poland's episode https://ku.bz/klBmzMY5-
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Jan Ludvik on how he cut EKS node startup from 65 to 45 seconds and reduced P90 pod startup by 30 seconds across ~1,000 nodes.
You will learn:
- Why Kubelet's serial image pull default quietly blocks pod startup, and how parallel pulls fix it
- How EBS lazy loading can silently negate image caching in AMIs — and the critical path workaround
- A Lambda-based automation that temporarily boosts EBS throughput during startup, then reverts to save cost
- The kubelet metrics and logs that expose pod and node startup latency, most teams never monitor
Watch (or listen to) it here: https://ku.bz/B7TzKXyxf
🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training
With @Birthmarkb
You will learn:
- Why Kubelet's serial image pull default quietly blocks pod startup, and how parallel pulls fix it
- How EBS lazy loading can silently negate image caching in AMIs — and the critical path workaround
- A Lambda-based automation that temporarily boosts EBS throughput during startup, then reverts to save cost
- The kubelet metrics and logs that expose pod and node startup latency, most teams never monitor
Watch (or listen to) it here: https://ku.bz/B7TzKXyxf
🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training
With @Birthmarkb