In this article, you will learn how you can combine manual and automatic unsealing of secrets in Kubernetes using multiple Vaults and Kubernetes.
More: https://dev.to/luafanti/vault-auto-unseal-using-transit-secret-engine-on-kubernetes-13k8
More: https://dev.to/luafanti/vault-auto-unseal-using-transit-secret-engine-on-kubernetes-13k8
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next course is in 3 weeks and you can sign up here: https://learnk8s.io/online-advanced-june-2023
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next course is in 3 weeks and you can sign up here: https://learnk8s.io/online-advanced-june-2023
Bridgekeeper helps you to enforce policies in your kubernetes cluster by providing a simple declarative way to define policies using the python programming language.
More: https://github.com/MaibornWolff/bridgekeeper
More: https://github.com/MaibornWolff/bridgekeeper
Helm is a useful tool for managing the Kubernetes applications lifecycle.
This article covers some best practices and helm security recommendations.
More: https://sysdig.com/blog/how-to-secure-helm
This article covers some best practices and helm security recommendations.
More: https://sysdig.com/blog/how-to-secure-helm
In this tutorial, you'll learn how to install the Trivy-Operator and continuously scan containers for security issues and misconfiguration.
You'll also export the metrics to Prometheus, visualize them in Grafana and receive alerts with AlertManager.
More: https://thomasroot.com/2023/01/16/trivy-operator-improve-container-runtime-security
You'll also export the metrics to Prometheus, visualize them in Grafana and receive alerts with AlertManager.
More: https://thomasroot.com/2023/01/16/trivy-operator-improve-container-runtime-security
This guide explains how to use IRSA, IAM Roles for Service Accounts, with Terraform and Kubernetes to provide secure and granular access to AWS services for EKS-hosted apps.
More: https://blog.mariano.cloud/irsa-in-eks-a-kubernetes-aws-bridge
More: https://blog.mariano.cloud/irsa-in-eks-a-kubernetes-aws-bridge
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🗻 Isolating pods for debugging
🔒 Vault auto-unseal
⎈ Helm security and best practices
❽ Kubernetes, Java & fabric8
💥 Manifest complexity
📝 Pod presets
Read it now: https://learnk8s.io/learn-kubernetes-weekly
🗻 Isolating pods for debugging
🔒 Vault auto-unseal
⎈ Helm security and best practices
❽ Kubernetes, Java & fabric8
💥 Manifest complexity
📝 Pod presets
Read it now: https://learnk8s.io/learn-kubernetes-weekly
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The course is in 2 weeks and you can sign up here: https://learnk8s.io/online-advanced-june-2023
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The course is in 2 weeks and you can sign up here: https://learnk8s.io/online-advanced-june-2023
In EKS, by default, public access is enabled, which means the Kubernetes API server is accessible from the internet.
In this article, you'll learn how to access the EKS API server through the AWS client VPN.
More: https://medium.com/@Aleroawani/connect-to-an-eks-private-endpoint-with-aws-clientvpn-72b5000f558a
In this article, you'll learn how to access the EKS API server through the AWS client VPN.
More: https://medium.com/@Aleroawani/connect-to-an-eks-private-endpoint-with-aws-clientvpn-72b5000f558a
Sealed Secrets is a great solution to secure secrets in Git.
For larger teams and projects, the External Secrets Operator or the Secrets Store CSI Driver is a better solution to manage secrets securely.
Learn the pros and cons in this article.
More: https://auth0.com/blog/kubernetes-secrets-management
For larger teams and projects, the External Secrets Operator or the Secrets Store CSI Driver is a better solution to manage secrets securely.
Learn the pros and cons in this article.
More: https://auth0.com/blog/kubernetes-secrets-management
Forwarded from LearnKube news
The AWS provider for the Secrets Store CSI Driver allows you to fetch secrets from AWS Secrets Manager and AWS Systems Manager Parameter Store and mount them into Kubernetes pods.
More: https://github.com/aws/secrets-store-csi-driver-provider-aws
More: https://github.com/aws/secrets-store-csi-driver-provider-aws
Paranoia is a tool to analyse and export trust bundles (e.g., "ca-certificates") from container images.
These certificates identify the certificate authorities that your container trusts when establishing TLS connections.
More: https://github.com/jetstack/paranoia
These certificates identify the certificate authorities that your container trusts when establishing TLS connections.
More: https://github.com/jetstack/paranoia
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
📈 Scalability test for CNIs
📊 Cgroups — deep dive
🖥 Deploying microVMs on top of Kubernetes
💥 Non-graceful node shutdown
👻 Ephemeral environments with Helm
Read it now: https://learnk8s.io/learn-kubernetes-weekly
📈 Scalability test for CNIs
📊 Cgroups — deep dive
🖥 Deploying microVMs on top of Kubernetes
💥 Non-graceful node shutdown
👻 Ephemeral environments with Helm
Read it now: https://learnk8s.io/learn-kubernetes-weekly
In this (controversial) article, Tim argues that Kubernetes security should have clearly assigned responsibility and that it should be Product Security's scope.
More: https://timwilcoxson.com/dear-product-security-team-kubernetes-is-your-problem-acebffc2d788
More: https://timwilcoxson.com/dear-product-security-team-kubernetes-is-your-problem-acebffc2d788
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The course starts next week and you can sign up here: https://learnk8s.io/online-advanced-june-2023
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The course starts next week and you can sign up here: https://learnk8s.io/online-advanced-june-2023
Pinniped is the easy, secure way to log in to your Kubernetes clusters.
More: https://github.com/vmware-tanzu/pinniped
More: https://github.com/vmware-tanzu/pinniped
In this article, you will review 15 of the most useful kubectl plugins for giving security teams better visibility for incident response and forensics in Kubernetes.
More: https://sysdig.com/blog/top-15-kubectl-plugins-for-security-engineers
More: https://sysdig.com/blog/top-15-kubectl-plugins-for-security-engineers
Chappaai is an OAuth management layer for Kubernetes.
It allows you, through Custom Resource Definitions, to describe OAuth APIs you wish to be able to integrate with.
More: https://github.com/rawkode/chappaai
It allows you, through Custom Resource Definitions, to describe OAuth APIs you wish to be able to integrate with.
More: https://github.com/rawkode/chappaai
In this article, you'll learn how to manually inject resources without restrictions from RBAC or Admission Controllers by replicating the target infrastructure or by exporting and importing ETCD entries while maintaining the byte length of each value.
More: https://lobuhisec.medium.com/using-etcd-to-inject-resources-and-bypass-rbac-and-admission-controller-restrictions-f240ae31e7f0
More: https://lobuhisec.medium.com/using-etcd-to-inject-resources-and-bypass-rbac-and-admission-controller-restrictions-f240ae31e7f0
In this tutorial, you will learn how to sign container images with Cloud KMS and Google Artifact Registry and then only allow those signed images to run in a GKE cluster.
More: https://medium.com/google-cloud/sigstores-cosign-and-policy-controller-with-gke-and-kms-7bd5b12672ea
More: https://medium.com/google-cloud/sigstores-cosign-and-policy-controller-with-gke-and-kms-7bd5b12672ea
In this post, you will look at the Node authorization mode and NodeRestriction admission controller, which are used to provide rights to Kubelets to access the resources they need to function.
More: https://raesene.github.io/blog/2023/04/08/lets-talk-about-kubelet-authorization
More: https://raesene.github.io/blog/2023/04/08/lets-talk-about-kubelet-authorization