In this post, you'll learn how you can implement supply chain security using open-source tools on Amazon EKS with AWS KMS and Cosign with Kyverno.

More: https://aws.amazon.com/blogs/opensource/supply-chain-security-on-amazon-elastic-kubernetes-service-amazon-eks-using-aws-key-management-service-aws-kms-kyverno-and-cosign

jsPolicy is a policy engine for Kubernetes that allows you to write policies in JavaScript or TypeScript.

Learn how to use it in this tutorial.

More: https://pavan1999-kumar.medium.com/policies-as-code-in-kubernetes-using-jspolicy-8d358d064bfd

In this blog post, you'll cover the following topics:

1. What a NetworkPolicy is, and why do you need it.
2. How NetworkPolicies are structured.
3. Best practices for defining NetworkPolicies.
4. An example of defining NetworkPolicies.

More: https://medium.com/dynatrace-engineering/kubernetes-security-best-practices-part-2-network-policies-405b36ed9d94

This week on the Learn Kubernetes Weekly newsletter:

📈 Kubernetes scalability thresholds
☁️ Cloud portability
🕵️‍♂️ Kubernetes traffic discovery
⛓ Supply chain security on EKS
👮‍♂️ Network policies

📆 3 CFPs expiring this week

Read it now: https://learnk8s.io/learn-kubernetes-weekly

In this article, you will discuss some security considerations and see how you can ensure (at least to some extent) that the application's specifications follow some of the best security practices.

More: https://itnext.io/journey-of-a-microservice-application-in-the-kubernetes-world-6abd625c60fe

In this 2-part series, you will address 12 common attack points in Kubernetes clusters and discuss various risks in cloud-native scenarios based on practical experience.

More: https://tutorialboy24.blogspot.com/2022/09/a-detailed-talk-about-k8s-cluster.html

In this tutorial, you will learn how to deploy a Vault cluster on EKS with a Helm chart and consume the secrets from a Spring Boot app.

More: https://medium.com/@prithuadhikary/hashicorp-vault-cluster-on-the-aws-elastic-kubernetes-service-ddf185ba2e25

Pod Priority can be useful for some use cases, such as prioritizing critical applications, but definitely can catch you off guard if you don't have the right guardrails in place.

This post illustrates the potential consequences of not having them.

More: https://nunoadrego.com/posts/abusing-pod-priority

This week on the Learn Kubernetes Weekly newsletter:

✈️ Kubernetes-like control plane
✅ Kubernetes checkpointing API
🚗 Tuning JVM limits for Kubernetes
👮‍♂️ Abusing pod priority
🦊 box/kube-iptables-tailer

📆 1 CFPs expiring this week

Read it now: https://learnk8s.io/learn-kubernetes-weekly

Shifting left can help organizations optimize their use of fully-managed cloud environments and managed services, and tools like Open Policy Agent and Gatekeeper can help organizations ensure compliance in these environments.

More: https://medium.com/google-cloud/shifting-even-further-left-on-kubernetes-resource-compliance-8f96fb8c72eb

If you are starting out with OPA Gatekeeper to enforce policy on Kubernetes resources, you might run into this gotcha: resources created by controllers are rejected (i.e. Service Accounts, Endpoints, etc.).

Find the workarounds in this article.

More: https://blog.skouf.com/posts/opa-gatekeeper-gotcha

In this article, you will learn how abuse of functionality in the OpenSSL binary, installed in the official Google Container Tools Distroless Base container image, allows for command execution and arbitrary file read and write on distroless containers.

More: https://form3.tech/engineering/content/exploiting-distroless-images

In this article, you will learn the theory and practice behind encrypting your secrets with SealedSecret & Kubeseal.

More: https://siddhivinayak-sk.medium.com/kubeseal-sealedsecret-make-your-secrets-secure-in-scm-by-using-sealed-secret-4631bcb39bf8

Otterize network mapper creates a map of in-cluster traffic by capturing DNS traffic and inspecting active connections.

More: https://github.com/otterize/network-mapper

Are Kubernetes network policies good enough?

This article argues that multiple flaws prevent network policies, on their own, from being an effective solution for a real-world use case.

More: https://otterize.com/blog/network-policies-are-not-the-right-abstraction

This week on the Learn Kubernetes Weekly:

💣 Exploiting Distroless images
📦 Deploying non-deployable things on ArgoCD
🗣 Communication between microservices
🔌 Developing a Kustomize custom plugin
🦅 Managing database migrations safely

Read it now: https://learnk8s.io/learn-kubernetes-weekly

In this article, you will learn how to prevent broken connections when a Pod starts up or shuts down.

You will also learn how to shut down long-running tasks gracefully.

More: https://learnk8s.io/graceful-shutdown

In this article, you will assess the correct configuration for an etcd cluster in Kubernetes and discuss a few attack scenarios.

More: https://dev.to/tutorialboy/a-detailed-brief-about-offence-and-defence-on-cloud-security-etcd-risks-4h02

KubeCon EU 2023 in Amsterdam will be the biggest in-person Kubernetes event in Europe so far.

It's also likely to sell out (for real, no marketing tricks).

If you plan to attend, here's a 10% discount code: KCEU23LK810

https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/

Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

The next course is in 1 month (24th of April) and you can sign up here: https://learnk8s.io/online-advanced-april-2023

In this post, you will explore the process of creating immutable CRDs before & after the introduction of CEL(Common Expression Language) validation rules in Kubernetes.

More: https://blog.rewanthtammana.com/kubernetes-crd-validation-with-cel-and-kubebuilder-marker-comments