Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

The course starts next week and you can sign up here: https://learnk8s.io/online-advanced-june-2023

Pinniped is the easy, secure way to log in to your Kubernetes clusters.

More: https://github.com/vmware-tanzu/pinniped

In this article, you will review 15 of the most useful kubectl plugins for giving security teams better visibility for incident response and forensics in Kubernetes.

More: https://sysdig.com/blog/top-15-kubectl-plugins-for-security-engineers

Chappaai is an OAuth management layer for Kubernetes.

It allows you, through Custom Resource Definitions, to describe OAuth APIs you wish to be able to integrate with.

More: https://github.com/rawkode/chappaai

In this article, you'll learn how to manually inject resources without restrictions from RBAC or Admission Controllers by replicating the target infrastructure or by exporting and importing ETCD entries while maintaining the byte length of each value.

More: https://lobuhisec.medium.com/using-etcd-to-inject-resources-and-bypass-rbac-and-admission-controller-restrictions-f240ae31e7f0

In this tutorial, you will learn how to sign container images with Cloud KMS and Google Artifact Registry and then only allow those signed images to run in a GKE cluster.

More: https://medium.com/google-cloud/sigstores-cosign-and-policy-controller-with-gke-and-kms-7bd5b12672ea

In this post, you will look at the Node authorization mode and NodeRestriction admission controller, which are used to provide rights to Kubelets to access the resources they need to function.

More: https://raesene.github.io/blog/2023/04/08/lets-talk-about-kubelet-authorization

In this article, you will learn how to use the Open Policy Agent to enforce security and governance policies to have fine-grain control on the services running in a Kubernetes cluster.

More: https://awstip.com/enforce-security-and-governance-in-kubernetes-using-opa-gatekeeper-2fd5b55f91d1

This week on the Learn Kubernetes Weekly:

🚗 Reacting faster to node failures
🏗 IP and pod allocations in EKS
👮‍♂️ Let's talk about kubelet authorization
🤕 Abusing etcd to inject resources
💘 Cilium: why we use it and why we ♥️ it

Read it now: https://learnk8s.io/issues/32

In this article, you will look into the different mitigations implemented to address privilege escalation and powerful permissions in Kubernetes.

More: https://unit42.paloaltonetworks.com/kubernetes-privilege-escalation

KubeCSR is a lightweight REST service written in Go leveraging the Gin framework that automates the toil of creating Kubernetes x509 certificates for users.

More: https://github.com/tonedefdev/kubecsr

The External Secrets Operator allows the fetching of secret data from external secret management providers.

But a less known feature is that you can push Kubernetes secrets to third parties.

You can use this feature to migrate secrets between providers.

More: https://eminalemdar.medium.com/reversing-the-workflow-with-external-secrets-operators-push-secret-feature-f2a64f3db748

This is a library of policies based on Kubescape controls ready for use with Kubernetes Validating Admission Policies.

More: https://github.com/kubescape/cel-admission-library

Should you have more than one team using the same Kubernetes cluster?
Can you run untrusted workloads safely from untrusted users?
Does Kubernetes do multi-tenancy?

This article will explore the challenges of running a cluster with multiple tenants.

More: https://community.ops.io/danielepolencic/multi-tenancy-in-kubernetes-366n

This week on the Learn Kubernetes Weekly:

🏠 Load balancer architecture on-premises
⚖️ Pod rebalancing and allocations
👮‍♀️ Mitigating RBAC-based privilege escalation
☁️ De-cloud and de-k8s
👍 Promoting releases in GitOps

Read it now: https://learnk8s.io/issues/33

You can use Calico and WireGuard to encrypt data in transit in a Kubernetes cluster without mTLS or IPsec.

Encryption is supported for pod-to-pod traffic on different hosts and host-to-host traffic.

Learn how in this article.

More: https://medium.com/@dhawalsaini.devops_50274/wireguard-with-calico-in-k8s-8608fb8192b5

The sixth annual Sysdig Cloud-Native Security and Usage Report digs into how Sysdig customers of all sizes and industries are using, securing, and paying for cloud and container environments.

More: https://sysdig.com/blog/2023-cloud-native-security-usage-report

In this tutorial, you will explore the Evaluating Validating Admission Policy feature paired with a Custom Resource Definition (CRD) as input for easy customisation of policies.

More: https://github.com/tommy-dk/validating-admission-policy

OWASP Kubernetes is aimed at helping security practitioners, sysadmins, and software developers prioritize risks around the Kubernetes ecosystem.

In this article, you will find the top 10 risks you should consider and mitigations you could adopt.

More: https://sysdig.com/blog/top-owasp-kubernetes

In this tutorial, you'll look at how to configure EKS to use secrets and parameters from Amazon Secrets Manager and AWS Systems Manager Parameter Store.

More: https://blog.bootlabstech.com/aws-secrets-manager-in-kubernetes-secret-rotation-and-reloader

Kyverno is a Kubernetes policy engine that can enforce policies like required labels, container image signing, resource existence, etc.

It has a library of ready-to-use policies and allows for easy evaluation with its CLI.

Learn more in this post.

More: https://medium.com/@mabenoit/kyverno-kubernetes-native-policy-management-7ca01fa372a3