Forwarded from LearnKube news
Don't miss this week's "Learn Kubernetes weekly" newsletter with stories on:
→ Scaling requests
→ Proactive scaling
→ Capacity & resource management
→ State of persistent storage
→ Bandwidth exhaustion
And more!
https://learnk8s.io/learn-kubernetes-weekly
This tutorial shows how you can leverage Pipy to enforce admission control decisions in Kubernetes clusters without modifying or recompiling any components.
Also, policies can be modified on the fly to satisfy changing operational requirements.
More: https://blog.flomesh.io/using-pipy-as-a-kubernetes-policy-engine-e70a23c8d54c
What if we need to block an action performed by cluster admins?
You can't do it with RBAC: it only allows for adding permissions, not taking them away.
Learn how you can use Kyverno to do so in this tutorial.
More: https://marcusnoble.co.uk/2022-01-20-restricting-cluster-admin-permissions
Auditing Kubernetes authorization can be a bit of a tricky task.
In this article, you will learn what techniques and tools you can use to identify, reassign and manage RBAC rules in your cluster.
More: https://raesene.github.io/blog/2022/08/14/auditing-rbac-redux
When you use peering in AKS with the "default" AKS deployment, your entire cluster, including all pods, is open and addressable from the whole peered network.
Learn how to fix it in this article.
More: https://blog.coffeeapplied.com/securing-aks-in-peered-virtual-networks-using-only-network-security-groups-nsgs-c43d6a215f32
Forwarded from Kube Careers
What does it take to get a job as a Kubernetes engineer?
Do you need a Kubernetes certification to apply for a job?
What's the average salary for a Kubernetes engineer?
We analyzed 373 Kubernetes jobs from January to December of 2022 and found that:
- The average Kubernetes job pays €82,554 in Europe and $133,918 in North America.
- The majority of the job listings are for Senior DevOps Engineers.
- There is a drop in remote working! Companies are asking employees to go back to the office.
- If you are well-versed in AWS, CI/CD, and Python, you are eligible for more than 60% of the Kubernetes jobs.
You can read the full report here: https://kube.careers/kubernetes-trend-report-2022-q4
Kubernetes Network Policies are designed to control the network's traffic flow in and out of the cluster.
This article will teach you how to use Network Policies with the Calico CNI.
More: https://medium.com/@arbnair97/introduction-to-kubernetes-network-policy-and-calico-based-network-policy-675a7fa6b5dc
In this tutorial, you will learn how to verify container images with Kyverno using KMS, Cosign, and Workload Identity.
More: https://blog.sigstore.dev/how-to-verify-container-images-with-kyverno-using-kms-cosign-and-workload-identity-1e07d2b85061
This tutorial will teach you how to use Mitmproxy to solve untrusted certificate issues in pods.
More: https://xxradar.medium.com/mitmproxy-and-kubernetes-e897e903b1cb
This article discusses how Kubernetes security risks are often neglected or solved with inadequate tools due to their organization-specific, cutting-edge, or abstract nature.
More: https://macchaffee.com/blog/2022/k8s-under-documented-security-tips
This article covers how to inject secrets in Pods using Hashicorp Vault.
More: https://alexandre-vazquez.com/inject-secrets-in-pods-using-hashicorp-vault
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshops (starting in 3 weeks)!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
You can sign up here: https://learnk8s.io/online-advanced-march-2023
Forwarded from LearnKube news
In Kubernetes, are there hidden costs to running many cluster nodes?
Yes, since not all CPU and memory in your Kubernetes nodes can be used to run Pods.
Learn the details in this article.
More: https://medium.com/@danielepolencic/reserved-cpu-and-memory-in-kubernetes-nodes-65aee1946afd
In this article, you'll learn two approaches for accessing Google APIs from GKE using Google service accounts.
Then, you'll compare it to a better method: using Workload Identity to access Google Cloud services in a secure and manageable manner.
More: https://chauvinhloi.medium.com/how-to-use-workload-identity-for-access-provisioning-of-kubernetes-services-on-google-cloud-7123f93c28b8
Popeye is a utility that scans live Kubernetes clusters and reports potential issues with deployed resources and configurations.
It detects misconfigurations and helps you to ensure that best practices are in place.
More: https://github.com/derailed/popeye
Here are the top 10 things you should focus on to protect EKS workloads against ransomware and all intrusions.
More: https://itnext.io/top-10-ways-to-protect-eks-workloads-from-ransomware-ae96d1c1e839
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly newsletter:
👉 21 Articles
👉 1 Tutorial
👉 7 GitHub repos
📆 44 events (meetups, conferences, workshops) this week
📆 8 Calls for papers expiring this week
Read it now: https://learnk8s.io/learn-kubernetes-weekly
Kyverno is a policy engine designed for Kubernetes.
It can validate, mutate, and generate configurations using admission controls and background scans.
Kyverno policies are Kubernetes resources and do not require learning a new language.
More: https://github.com/kyverno/kyverno
Forwarded from Kube Architect
argocd-vault-replacer is an Argo CD plugin to replace placeholders in Kubernetes manifests with secrets stored in Hashicorp Vault.
The tool scans the current directory recursively for any YAML files and attempts to replace strings following a pattern.
More: https://github.com/crumbhole/argocd-vault-replacer
Constellation is a Kubernetes engine that wraps your cluster into a single confidential context that is shielded from the underlying cloud infrastructure.
Everything inside is always encrypted, including at runtime in memory.
More: https://github.com/edgelesssys/constellation
Badrobot is a Kubernetes Operator audit tool.
It statically analyses manifests for high-risk configurations, such as a lack of security restrictions on the deployed controller and the permissions of an associated ClusterRole.
More: https://github.com/controlplaneio/badrobot