If you are starting out with OPA Gatekeeper to enforce policy on Kubernetes resources, you might run into this gotcha: resources created by controllers rather than by users (e.g. ServiceAccounts, Endpoints) are rejected by constraints that were only meant for user-submitted objects.
Find the workarounds in this article.
More: https://blog.skouf.com/posts/opa-gatekeeper-gotcha
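The usual way this gotcha shows up, as an added example that is not from the linked article: a constraint whose match covers every kind in every API group also covers the Endpoints the endpoints controller creates for each Service and the "default" ServiceAccount the ServiceAccount controller creates in every new namespace, and none of those carry the label you require. The scoped version below limits the match to the kinds people or CI actually submit and excludes system namespaces. It assumes a K8sRequiredLabels ConstraintTemplate whose parameters.labels is a list of required label keys, as in the Gatekeeper repository's demo; the label key "team" and the constraint names are made up for the example.

```yaml
# Added example, not code from the linked article or from the Gatekeeper project.
# Assumes a K8sRequiredLabels ConstraintTemplate whose parameters.labels is a
# list of required label keys (as in the Gatekeeper repo's demo).
#
# Over-broad: matches every kind in every API group, so controller-created
# Endpoints and the per-namespace "default" ServiceAccount are evaluated too,
# and are denied because no controller adds a "team" label to them.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-team-label-too-broad   # hypothetical name
spec:
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["*"]
  parameters:
    labels: ["team"]                     # hypothetical label key
---
# Scoped: only kinds that humans or CI submit, and only outside the namespaces
# where system controllers do their work. Controller-created Endpoints,
# ServiceAccounts and ReplicaSet-managed Pods never enter the policy's scope.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-team-label             # hypothetical name
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
      - apiGroups: ["apps"]
        kinds: ["Deployment", "StatefulSet", "DaemonSet"]
    excludedNamespaces: ["kube-system", "gatekeeper-system"]
  parameters:
    labels: ["team"]                     # hypothetical label key
```

Note that Pod is deliberately absent from the scoped match: Pods are created by the ReplicaSet controller from the Deployment's template, so requiring a label on Pods reintroduces the same gotcha one level down. Check which kinds a constraint will actually be evaluated against before applying it; with `enforcementAction: dryrun` you can see the violations it would have produced in the constraint's status without blocking anything.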
In this article, you will learn how abuse of functionality in the OpenSSL binary, installed in the official Google Container Tools Distroless Base container image, allows for command execution and arbitrary file read and write on distroless containers.
More: https://form3.tech/engineering/content/exploiting-distroless-images
In this article, you will learn the theory and practice behind encrypting your secrets with Sealed Secrets (the SealedSecret CRD and the kubeseal CLI) so they can be committed to source control.
More: https://siddhivinayak-sk.medium.com/kubeseal-sealedsecret-make-your-secrets-secure-in-scm-by-using-sealed-secret-4631bcb39bf8
Forwarded from LearnKube news
Otterize network mapper creates a map of in-cluster traffic by capturing DNS traffic and inspecting active connections.
More: https://github.com/otterize/network-mapper
Forwarded from Kube Architect
Are Kubernetes network policies good enough?
This article argues that multiple flaws prevent network policies, on their own, from being an effective solution for a real-world use case.
More: https://otterize.com/blog/network-policies-are-not-the-right-abstraction
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
💣 Exploiting Distroless images
📦 Deploying non-deployable things on ArgoCD
🗣 Communication between microservices
🔌 Developing a Kustomize custom plugin
🦅 Managing database migrations safely
Read it now: https://learnk8s.io/learn-kubernetes-weekly
Forwarded from LearnKube news
In this article, you will learn how to prevent broken connections when a Pod starts up or shuts down.
You will also learn how to shut down long-running tasks gracefully.
More: https://learnk8s.io/graceful-shutdown
In this article, you will review the correct configuration of an etcd cluster in Kubernetes and walk through a few attack scenarios against a misconfigured one.
More: https://dev.to/tutorialboy/a-detailed-brief-about-offence-and-defence-on-cloud-security-etcd-risks-4h02
Forwarded from Kube Events
KubeCon EU 2023 in Amsterdam will be the biggest in-person Kubernetes event in Europe so far.
It's also likely to sell out (for real, no marketing tricks).
If you plan to attend, here's a 10% discount code: KCEU23LK810
https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next course is in 1 month (24th of April) and you can sign up here: https://learnk8s.io/online-advanced-april-2023
In this post, you will explore the process of creating immutable CRDs before and after the introduction of CEL (Common Expression Language) validation rules in Kubernetes.
More: https://blog.rewanthtammana.com/kubernetes-crd-validation-with-cel-and-kubebuilder-marker-comments
Azure Key Vault to Kubernetes (akv2k8s) makes Azure Key Vault secrets, certificates and keys available to your applications in Kubernetes, in a simple and secure way.
More: https://github.com/SparebankenVest/azure-key-vault-to-kubernetes
Forwarded from LearnKube news
In this article, you will learn how to use Advanced Cluster Management (ACM) and OSUS (OpenShift Update Service) to distribute an upgrade path to multiple clusters in an air-gapped environment.
More: https://shonpaz.medium.com/upgrading-a-fleet-of-air-gapped-openshift-clusters-using-advanced-cluster-management-93d767c38f41
In this article, you will learn how to manage user access to individual apps deployed in your cluster using Istio and Authentik.
More: https://medium.com/@wessel__/istio-with-authentik-securing-your-cluster-and-providing-authentication-and-authorization-b5e48b331920
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🚦 Graceful shutdown and zero downtime deployments
⚙️ Automated rollback to 2100 services with Argo
👀 Boosting container runtime observability with Open Telemetry
🐌 Mitigating slow pulls on AKS
Read it now: https://learnk8s.io/learn-kubernetes-weekly
The Vault Secrets Operator creates Kubernetes secrets from Vault.
The idea behind the Vault Secrets Operator is to manage secrets in a Kubernetes cluster using a secure GitOps-based workflow: the VaultSecret custom resources are committed to Git, while the secret values themselves stay in Vault.
More: https://github.com/ricoberger/vault-secrets-operator
This tutorial will teach you how to scan secrets in environment variables using Kubewarden and the env-variable-secrets-scanner-policy.
More: https://kubewarden.io/blog/2022/10/env-var-secrets
Forwarded from Kube Architect
In this article, you will learn about the challenges of managing secrets in GitOps and two solutions: Sealed Secrets and External Secrets.
More: https://medium.com/google-cloud/handle-kubernetes-secrets-the-gitops-way-part-1-7079bd8221f3
In this tutorial, you'll learn how to authenticate and authorize a user to access Kubernetes Clusters with client certificates.
More: https://medium.com/@mehmetodabashi/authentication-and-authorization-in-kubernetes-client-certificates-and-role-based-access-control-d4e98a3c1098
aws-auth-manager is a Kubernetes controller designed to manage the aws-auth ConfigMap in EKS using a new AWSAuthItem CRD.
More: https://github.com/maruina/aws-auth-manager
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🔨 Reducing Pod volume update times
👯‍♀️ Multi-cluster with Cluster API and ArgoCD
💥 From Amazon VPC CNI to Cilium with zero downtime
🧐 Intelligently estimating resource needs
Read it now: https://learnk8s.io/learn-kubernetes-weekly