Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🗻 Isolating pods for debugging
🔒 Vault auto-unseal
⎈ Helm security and best practices
❽ Kubernetes, Java & fabric8
💥 Manifest complexity
📝 Pod presets
Read it now: https://learnk8s.io/learn-kubernetes-weekly
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The course is in 2 weeks and you can sign up here: https://learnk8s.io/online-advanced-june-2023
In EKS, by default, public access is enabled, which means the Kubernetes API server is accessible from the internet.
In this article, you'll learn how to access the EKS API server through the AWS client VPN.
More: https://medium.com/@Aleroawani/connect-to-an-eks-private-endpoint-with-aws-clientvpn-72b5000f558a
Sealed Secrets is a great solution to secure secrets in Git.
For larger teams and projects, the External Secrets Operator or the Secrets Store CSI Driver is a better solution to manage secrets securely.
Learn the pros and cons in this article.
More: https://auth0.com/blog/kubernetes-secrets-management
Forwarded from LearnKube news
The AWS provider for the Secrets Store CSI Driver allows you to fetch secrets from AWS Secrets Manager and AWS Systems Manager Parameter Store and mount them into Kubernetes pods.
More: https://github.com/aws/secrets-store-csi-driver-provider-aws
Paranoia is a tool to analyse and export trust bundles (e.g., "ca-certificates") from container images.
These certificates identify the certificate authorities that your container trusts when establishing TLS connections.
More: https://github.com/jetstack/paranoia
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
📈 Scalability test for CNIs
📊 Cgroups — deep dive
🖥 Deploying microVMs on top of Kubernetes
💥 Non-graceful node shutdown
👻 Ephemeral environments with Helm
Read it now: https://learnk8s.io/learn-kubernetes-weekly
In this (controversial) article, Tim argues that Kubernetes security should have clearly assigned responsibility and that it should be Product Security's scope.
More: https://timwilcoxson.com/dear-product-security-team-kubernetes-is-your-problem-acebffc2d788
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The course starts next week and you can sign up here: https://learnk8s.io/online-advanced-june-2023
Pinniped is the easy, secure way to log in to your Kubernetes clusters.
More: https://github.com/vmware-tanzu/pinniped
In this article, you will review 15 of the most useful kubectl plugins for giving security teams better visibility for incident response and forensics in Kubernetes.
More: https://sysdig.com/blog/top-15-kubectl-plugins-for-security-engineers
Chappaai is an OAuth management layer for Kubernetes.
It allows you, through Custom Resource Definitions, to describe OAuth APIs you wish to be able to integrate with.
More: https://github.com/rawkode/chappaai
In this article, you'll learn how to manually inject resources without restrictions from RBAC or Admission Controllers by replicating the target infrastructure or by exporting and importing ETCD entries while maintaining the byte length of each value.
More: https://lobuhisec.medium.com/using-etcd-to-inject-resources-and-bypass-rbac-and-admission-controller-restrictions-f240ae31e7f0
In this tutorial, you will learn how to sign container images with Cloud KMS and Google Artifact Registry and then only allow those signed images to run in a GKE cluster.
More: https://medium.com/google-cloud/sigstores-cosign-and-policy-controller-with-gke-and-kms-7bd5b12672ea
In this post, you will look at the Node authorization mode and NodeRestriction admission controller, which are used to provide rights to Kubelets to access the resources they need to function.
More: https://raesene.github.io/blog/2023/04/08/lets-talk-about-kubelet-authorization
In this article, you will learn how to use the Open Policy Agent to enforce security and governance policies and gain fine-grained control over the services running in a Kubernetes cluster.
More: https://awstip.com/enforce-security-and-governance-in-kubernetes-using-opa-gatekeeper-2fd5b55f91d1
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🚗 Reacting faster to node failures
🏗 IP and pod allocations in EKS
👮♂️ Let's talk about kubelet authorization
🤕 Abusing etcd to inject resources
💘 Cilium: why we use it and why we ♥️ it
Read it now: https://learnk8s.io/issues/32
In this article, you will look into the different mitigations implemented to address privilege escalation and powerful permissions in Kubernetes.
More: https://unit42.paloaltonetworks.com/kubernetes-privilege-escalation
KubeCSR is a lightweight REST service written in Go leveraging the Gin framework that automates the toil of creating Kubernetes x509 certificates for users.
More: https://github.com/tonedefdev/kubecsr
The External Secrets Operator allows the fetching of secret data from external secret management providers.
But a lesser-known feature is that you can push Kubernetes secrets to third parties.
You can use this feature to migrate secrets between providers.
More: https://eminalemdar.medium.com/reversing-the-workflow-with-external-secrets-operators-push-secret-feature-f2a64f3db748
This is a library of policies based on Kubescape controls ready for use with Kubernetes Validating Admission Policies.
More: https://github.com/kubescape/cel-admission-library