Kubesploit – Telegram
Kubesploit
1.96K subscribers
822 photos
128 videos
1.6K links
News and links on Kubernetes security curated by the @Learnk8s team
Website: https://kubesploit.io/
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:

☁️ Using topology aware hints in EKS
👮‍♀️ 12 security scanners for Kubernetes
👻 Temporary environments with ApplicationSet
🦐 oslabs-beta/Palaemon
📦 Endpoints monitoring with blackbox-exporter

Read it now: https://learnk8s.io/learn-kubernetes-weekly
Google Secret Manager Provider for Secret Store CSI Driver allows you to access secrets stored in Secret Manager as files mounted in Kubernetes pods.

More: https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp
Forwarded from Kube Architect
In this article, you will learn how to deploy the same app across multiple Kubernetes clusters with ArgoCD, vcluster and Kyverno.

More: https://piotrminkowski.com/2022/12/09/manage-multiple-kubernetes-clusters-with-argocd
In this article, you will learn how to prevent a Denial-of-Service (DoS) attack in Kubernetes, and how to use cloud-native tools such as Calico and Falco to detect it.

More: https://sysdig.com/blog/denial-of-service-kubernetes-calico-falco
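The prevention half of that post comes down to bounding what any one namespace can consume. As an added example (not code from the Sysdig post; the namespace name and the numbers are placeholders to tune per workload), here is a ResourceQuota paired with a LimitRange. The pairing matters: once a quota counts requests and limits, a Pod that sets neither is rejected outright unless a LimitRange fills in defaults.

```yaml
# Added example, not from the Sysdig post. Namespace "app" and all figures are placeholders.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: app-quota
  namespace: app
spec:
  hard:
    pods: "50"             # caps fork-bomb style Pod creation from inside the namespace
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
---
apiVersion: v1
kind: LimitRange
metadata:
  name: app-defaults
  namespace: app
spec:
  limits:
    - type: Container
      default:             # applied when a container sets no limits
        cpu: 500m
        memory: 256Mi
      defaultRequest:      # applied when a container sets no requests
        cpu: 100m
        memory: 128Mi
      max:                 # a single container may not ask for more than this
        cpu: "2"
        memory: 2Gi
```

Apply both before admitting workloads; `kubectl describe quota -n app` then shows consumption against the caps. This bounds resource exhaustion from inside the cluster only; detecting floods that arrive over the network is what the Calico and Falco part of the post covers.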
This post discusses using SSO authentication and authorization to secure apps in Kubernetes.

The tutorial uses Dex and Traefik Forward Auth (or oauth2-proxy) to put authentication in front of ingresses or apps that have no built-in OIDC support.

More: https://allanjohn909.medium.com/sso-authentication-for-applications-in-kubernetes-aedc3c189d89
In this tutorial, you will deploy an app that is vulnerable to SQL injection and XSS in Kubernetes and learn how to protect it using Pipy as a sidecar container.

More: https://dev.to/flomesh/pipy-protecting-kubernetes-apps-from-sql-injection-xss-attacks-dol
Forwarded from Kube Architect
In this article, you will learn how to manage secrets securely on Kubernetes in the GitOps approach using Sealed Secrets, ArgoCD, and Terraform.

More: https://piotrminkowski.com/2022/12/14/sealed-secrets-on-kubernetes-with-argocd-and-terraform
This blog post assesses the security posture of Kubernetes clusters exposed on the internet, detailing the research methodology, findings and analysis.

More: https://redhuntlabs.com/blog/unsecured-kubernetes-clusters-exposed.html
authentik is an open-source Identity Provider focused on flexibility and versatility.

More: https://github.com/goauthentik/authentik
open-appsec provides preemptive web app & API threat protection against OWASP-Top-10 and zero-day attacks.

It can be deployed as an add-on to Kubernetes Ingress, NGINX, Envoy and API Gateways.

More: https://github.com/openappsec/openappsec
The AWS provider for the Secrets Store CSI Driver allows you to fetch secrets from AWS Secrets Manager and AWS Systems Manager Parameter Store, and mount them into Kubernetes pods.

More: https://github.com/aws/secrets-store-csi-driver-provider-aws
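Both providers above (the GCP one and this AWS one) plug into the same Secrets Store CSI Driver, so the manifests differ only in the `provider` and its parameter keys. The following is an added example, not code from either provider's repository: a SecretProviderClass for each cloud plus a Pod that mounts the GCP one. The namespace, project ID, secret names, ServiceAccount and image are placeholders.

```yaml
# Added example, not from either provider's repository. Namespace "app",
# project "example-project", secret names, ServiceAccount "app-sa" and the
# image are placeholders.
---
# GCP: one file per Secret Manager secret version.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: db-creds-gcp
  namespace: app
spec:
  provider: gcp
  parameters:
    secrets: |
      - resourceName: "projects/example-project/secrets/db-password/versions/latest"
        path: "db-password"
---
# AWS: same shape; objects come from Secrets Manager or Parameter Store.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: db-creds-aws
  namespace: app
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "prod/db-password"
        objectType: "secretsmanager"
      - objectName: "/prod/db/host"
        objectType: "ssmparameter"
---
# The Pod never touches a Kubernetes Secret object; the file is written to a
# tmpfs volume on the node at mount time.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: app
spec:
  # The only authorisation check for the fetch is the cloud identity bound to
  # this ServiceAccount (Workload Identity on GKE, IRSA on EKS). If that
  # identity can read the secret, any Pod using the ServiceAccount can too.
  serviceAccountName: app-sa
  containers:
    - name: app
      image: example.com/app:1.0
      volumeMounts:
        - name: db-creds
          mountPath: /var/run/secrets/db
          readOnly: true
  volumes:
    - name: db-creds
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: db-creds-gcp
```

The application reads `/var/run/secrets/db/db-password` as a plain file. Two things to check before relying on this: the mounted file only changes when the driver's secret rotation is enabled (or the Pod is recreated), and the optional `secretObjects` block in a SecretProviderClass additionally syncs the value into a Kubernetes Secret, which reintroduces exactly the etcd exposure the CSI mount avoids, so leave it out unless something genuinely needs an environment variable.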
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:

🙅‍♀️ Ingress controller in bash
🧐 Pods health checks mystery
8️⃣ Comparing 8 managed Kubernetes providers
🚦 Advancements in traffic engineering
🔗 The problem of state

Read it now: https://learnk8s.io/learn-kubernetes-weekly
This article has a few tips for hardening your GKE setup:

1. Network policies.
2. Custom service accounts.
3. Workload identities.
4. Pod Security Admission and admission controllers.
5. GKE sandbox.

More: https://medium.com/@pbijjala/considerations-for-hardening-your-gke-a-workload-perceptive-943be26949d2
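As an added example (not code from the article), here is one namespace that applies all five tips at once. The namespace, ServiceAccount, project, GCP service account and image names are placeholders; Workload Identity must already be enabled on the cluster and the GCP service account must grant `roles/iam.workloadIdentityUser` to the Kubernetes ServiceAccount, and GKE Sandbox needs a node pool created with sandboxing enabled.

```yaml
# Added example, not from the article. Namespace "app", ServiceAccount "app-sa",
# project "example-project" and the image are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: app
  labels:
    # Tip 4: Pod Security Admission, enforced per namespace. "restricted"
    # rejects privileged containers, host namespaces, root users and more.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
---
# Tips 2 and 3: a dedicated ServiceAccount per workload, with no API token
# mounted unless a Pod asks for one, mapped to a GCP identity via Workload Identity.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: app
  annotations:
    iam.gke.io/gcp-service-account: app-sa@example-project.iam.gserviceaccount.com
automountServiceAccountToken: false
---
# Tip 1: default-deny in both directions, then allow only what is needed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: app
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: app
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Tip 5: GKE Sandbox is selected per Pod through the "gvisor" RuntimeClass.
# The securityContext below is the minimum the "restricted" level demands.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: app
spec:
  runtimeClassName: gvisor
  serviceAccountName: app-sa
  containers:
    - name: app
      image: example.com/app:1.0
      securityContext:
        runAsNonRoot: true          # the image must declare a non-root USER, or set runAsUser
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        seccompProfile:
          type: RuntimeDefault
```

Apply the Namespace first; with `enforce: restricted` in place, any later Pod missing those securityContext fields is rejected at admission, which is the point. Network policies only take effect on GKE clusters created with network policy enforcement (or Dataplane V2) enabled; without it the manifests are accepted silently and do nothing, so verify with a test Pod that egress to an arbitrary address is actually blocked.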
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

The next course is in June and you can sign up here: https://learnk8s.io/online-advanced-june-2023
Konstraint is a CLI tool to assist with the creation and management of templates and constraints when using Gatekeeper.

More: https://github.com/plexsystems/konstraint
With seccomp, you can restrict which system calls a process is allowed to make from userspace into the kernel.

In this article, you will learn how Kubernetes can automatically apply Seccomp profiles to Pods and containers.

More: https://levelup.gitconnected.com/seccomp-secure-computing-mode-kubernetes-docker-97130516662c
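There are three places a seccomp profile can be set in Kubernetes, and they layer. The following is an added example, not code from the article: a kubelet setting that makes the runtime's default profile apply cluster-wide, and a Pod that sets a pod-level default and then overrides it for one container with a custom profile loaded from the node. The profile file name and the images are placeholders.

```yaml
# Added example, not from the article. The custom profile "audit-only.json" and
# the images are placeholders.
#
# Cluster-wide: have the kubelet apply the container runtime's default seccomp
# profile to every container that sets none. GA in Kubernetes 1.27; earlier
# versions also need the SeccompDefault feature gate.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
seccompDefault: true
---
apiVersion: v1
kind: Pod
metadata:
  name: seccomp-demo
spec:
  securityContext:
    # Pod-level default, inherited by every container that does not override it.
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: web
      image: nginx:1.25
      # No securityContext here: inherits RuntimeDefault from the Pod.
    - name: legacy
      image: example.com/legacy:1.0
      securityContext:
        # Container-level override. The path is relative to the kubelet's
        # seccomp root (/var/lib/kubelet/seccomp by default), so the JSON file
        # must exist on every node this Pod can be scheduled to, or the
        # container fails to start.
        seccompProfile:
          type: Localhost
          localhostProfile: profiles/audit-only.json
```

To confirm a profile is actually in force, run `kubectl exec seccomp-demo -c web -- grep Seccomp /proc/1/status`; `Seccomp: 2` means a filter is loaded, `Seccomp: 0` means the container is unconfined. Note that `Unconfined` at the container level also wins over the pod and kubelet defaults, so an audit should grep manifests for it rather than assume the cluster-wide setting holds everywhere.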
Trivy is a comprehensive and versatile security scanner.

What Trivy can scan:

- Container Images.
- Filesystem.
- Git Repository (remote).
- Virtual Machine Image.
- Kubernetes.
- AWS.

More: https://github.com/aquasecurity/trivy
Forwarded from LearnKube news
In this article, you will learn how to map all the pods in the cluster and correlate IP with workloads, facilitating the management of cluster network status and speeding up debugging.

More: https://betterprogramming.pub/improve-cluster-monitoring-with-network-mapping-in-grafana-fa8bb479fd47
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:

🚦 Service communication monitoring
🕵️‍♀️ The life of a DNS query
🗺 Network mapping in Grafana
± Preview and diff Argo CD deployments
☁️ Istio multicluster deployment with Terraform

Read it now: https://learnk8s.io/learn-kubernetes-weekly
Securing Kubernetes with open-source tools has become increasingly prevalent.

Read all you need to know about this shift in this detailed report.

More: https://landing.armosec.io/state-of-kubernetes-open-source-security-2022
In this tutorial, you will learn how to use oauth2-proxy as a sidecar container to authenticate requests against your Identity Provider of choice.

More: https://dev.to/gabrielbiasi/automatic-sso-in-kubernetes-workloads-using-a-sidecar-container-3752
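The sidecar pattern only protects the app if the app itself cannot be reached around the proxy. As an added example (not code from the tutorial), here is a Deployment where the application binds to loopback and oauth2-proxy is the only container with a published port. The issuer URL, client ID, hostnames, image tags, the `--listen` argument of the hypothetical app and the `oauth2-proxy-secrets` Secret are all placeholders.

```yaml
# Added example, not from the tutorial. Issuer, client ID, hostnames, images,
# the app's "--listen" flag and the Secret "oauth2-proxy-secrets" are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: app
spec:
  replicas: 1
  selector:
    matchLabels: {app: app}
  template:
    metadata:
      labels: {app: app}
    spec:
      containers:
        # The application listens on 127.0.0.1 only. Binding to 0.0.0.0 would let
        # anything that can reach the Pod IP skip the proxy entirely.
        - name: app
          image: example.com/app:1.0
          args: ["--listen=127.0.0.1:8080"]   # hypothetical flag of the placeholder app
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
          args:
            - --provider=oidc
            - --oidc-issuer-url=https://idp.example.com/realms/main
            - --client-id=app
            - --redirect-url=https://app.example.com/oauth2/callback
            - --email-domain=*                 # narrow this to your domain in production
            - --http-address=0.0.0.0:4180
            - --upstream=http://127.0.0.1:8080
          env:
            # Secrets go in via environment, never on the command line where
            # they would show up in "kubectl get pod -o yaml" and process lists.
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom:
                secretKeyRef: {name: oauth2-proxy-secrets, key: client-secret}
            - name: OAUTH2_PROXY_COOKIE_SECRET
              valueFrom:
                secretKeyRef: {name: oauth2-proxy-secrets, key: cookie-secret}
          ports:
            - containerPort: 4180
---
# The Service exposes only the proxy port; the app's 8080 is never published.
apiVersion: v1
kind: Service
metadata:
  name: app
  namespace: app
spec:
  selector: {app: app}
  ports:
    - port: 80
      targetPort: 4180
```

The cookie secret must be 16, 24 or 32 random bytes (`openssl rand -base64 32 | tr -- '+/' '-_'` produces a suitable value). With the proxy in upstream mode it forwards `X-Forwarded-User` and `X-Forwarded-Email` to the app, which can trust those headers precisely because nothing else can reach port 8080; if the app is ever rebound to all interfaces, add a NetworkPolicy admitting ingress to port 4180 only so the bypass is closed at the network layer as well.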