This tutorial will teach you how to use Mitmproxy to solve untrusted certificate issues in pods.

More: https://xxradar.medium.com/mitmproxy-and-kubernetes-e897e903b1cb

In this article, you will discuss how Kubernetes security risks are often neglected or solved with inadequate tools due to their organization-specific, cutting-edge, or abstract nature.

More: https://macchaffee.com/blog/2022/k8s-under-documented-security-tips

This article covers how to inject secrets in Pods using Hashicorp Vault.

More: https://alexandre-vazquez.com/inject-secrets-in-pods-using-hashicorp-vault

Master Kubernetes with Learnk8s' Advanced Kubernetes workshops (starting in 3 weeks)!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

You can sign up here: https://learnk8s.io/online-advanced-march-2023

In Kubernetes, are there hidden costs to running many cluster nodes?

Yes, since not all CPU and memory in your Kubernetes nodes can be used to run Pods.

Learn the details in this article.

More: https://medium.com/@danielepolencic/reserved-cpu-and-memory-in-kubernetes-nodes-65aee1946afd

In this article, you'll learn two approaches for accessing Google APIs from GKE using Google service accounts.

Then, you'll compare it to a better method: using Workload Identity to access Google Cloud services in a secure and manageable manner.

More: https://chauvinhloi.medium.com/how-to-use-workload-identity-for-access-provisioning-of-kubernetes-services-on-google-cloud-7123f93c28b8

Popeye is a utility that scans live Kubernetes clusters and reports potential issues with deployed resources and configurations.

It detects misconfigurations and helps you to ensure that best practices are in place.

More: https://github.com/derailed/popeye

Here are the top 10 things you should focus on to protect EKS workloads against ransomware and all intrusions.

More: https://itnext.io/top-10-ways-to-protect-eks-workloads-from-ransomware-ae96d1c1e839

This week on the Learn Kubernetes Weekly newsletter:

👉 21 Articles
👉 1 Tutorial
👉 7 GitHub repos

📆 44 events (meetups, conferences, workshops) this week
📆 8 Call for paper expiring this week

Read it now: https://learnk8s.io/learn-kubernetes-weekly

Kyverno is a policy engine designed for Kubernetes.

It can validate, mutate, and generate configurations using admission controls and background scans.

Kyverno policies are Kubernetes resources and do not require learning a new language.

More: https://github.com/kyverno/kyverno

argocd-vault-replacer is an Argo CD plugin to replace placeholders in Kubernetes manifests with secrets stored in Hashicorp Vault.

The tool scans the current directory recursively for any YAML files and attempts to replace strings following a pattern.

More: https://github.com/crumbhole/argocd-vault-replacer

Constellation is a Kubernetes engine that wraps your cluster into a single confidential context that is shielded from the underlying cloud infrastructure.

Everything inside is always encrypted, including at runtime in memory.

More: https://github.com/edgelesssys/constellation

Badrobot is a Kubernetes Operator audit tool.

It statically analyses manifests for high-risk configurations such as lack of security restrictions on the deployed controller and the permissions of an associated clusterole.

More: https://github.com/controlplaneio/badrobot

In this article, you will learn how to solve authentication in a reusable way using sidecar containers in Kubernetes.

More: https://betterprogramming.pub/kubernetes-authentication-sidecars-a-revelation-in-microservice-architecture-12c4608189ab

In this article, you'll learn how the team at Monzo gradually rolled out NetworkPolicies for over 1,500 microservices.

The article describes some interesting techniques for mapping in and outbound connections and some limitations of NetworkPolicies.

More: https://monzo.com/blog/we-built-network-isolation-for-1-500-services

This week on the Learn Kubernetes Weekly newsletter:

🚀 Network policies for 1500 microservices
👯 Scaling to 1000 pods in EKS
📈 HPA for celery workers
👮🏻‍♂️ PCI compliance

📆 44 events
📆 3 CFPs expiring this week

Read it now: https://learnk8s.io/learn-kubernetes-weekly

Vulhub is an open-source collection of pre-built vulnerable docker environments.

No pre-existing knowledge of docker is required, just execute two simple commands, and you have a vulnerable environment.

More: https://github.com/vulhub/vulhub

Master Kubernetes with Learnk8s' Advanced Kubernetes workshops (starting next week)!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

You can sign up here: https://learnk8s.io/online-advanced-march-2023

Sealed Secrets provides declarative Kubernetes Secret Management in a secure way.

Since the Sealed Secrets are encrypted, they can be safely stored in a code repository.

More: https://github.com/bitnami-labs/sealed-secrets

In this post, you'll learn how you can implement supply chain security using open-source tools on Amazon EKS with AWS KMS and Cosign with Kyverno.

More: https://aws.amazon.com/blogs/opensource/supply-chain-security-on-amazon-elastic-kubernetes-service-amazon-eks-using-aws-key-management-service-aws-kms-kyverno-and-cosign

jsPolicy is a policy engine for Kubernetes that allows you to write policies in JavaScript or TypeScript.

Learn how to use it in this tutorial.

More: https://pavan1999-kumar.medium.com/policies-as-code-in-kubernetes-using-jspolicy-8d358d064bfd