In this tutorial, you'll look at how to configure EKS to use secrets and parameters from Amazon Secrets Manager and AWS Systems Manager Parameter Store.

More: https://blog.bootlabstech.com/aws-secrets-manager-in-kubernetes-secret-rotation-and-reloader

Kyverno is a Kubernetes policy engine that can enforce policies like required labels, container image signing, resource existence, etc.

It has a library of ready-to-use policies and allows for easy evaluation with its CLI.

Learn more in this post.

More: https://medium.com/@mabenoit/kyverno-kubernetes-native-policy-management-7ca01fa372a3

AWS ACM Private CA is a module of the AWS Certificate Manager that can set up and manage private CAs.

This project acts as an addon to cert-manager that signs off certificate requests using AWS PCA.

More: https://github.com/cert-manager/aws-privateca-issuer

This week on the Learn Kubernetes Weekly:

💦 Mitigating memory leak in Kubernetes with a one-liner commit
🐾 Tracing the path of network traffic
🍼 My first experience with Kyverno
📕 Kustomize best practices
⚙️ WebAssembly on Kubernetes

Read it now: https://learnk8s.io/issues/35

In this article, you will learn how your Kubernetes deployment can access a database with random roles and passwords (and eventually restricted privileges) that are rotated every hour and deleted after expiration.

More: https://itsufficient.me/blog/postgres-vault

mirrors is a custom Kubernetes controller that copies Kubernetes Secret to and from various locations.

Currently, it supports the following sources and destinations:

- Native Kubernetes Secret
- HashiCorp Vault Secret

More: https://github.com/ktsstudio/mirrors

In this article, you will inspect the CoreDNS source code and learn how it is susceptible to cache poisoning.

You will also learn how to mitigate such an attack.

More: http://sbudella.altervista.org/blog/20230308-coredns-conjecture.html

The Otterize Credentials Operator automatically resolves pods to dev-friendly service names, registers them with a SPIRE server or with Otterize Cloud, and optionally provisions credentials as Kubernetes secrets.

More: https://github.com/otterize/credentials-operator

Netchecks is a set of tools for testing network conditions and asserting that they are as expected.

There are two main components:

1. The operator that runs network checks and reports results.
2. Netcheck CLI and Python Library.

More: https://github.com/hardbyte/netchecks

This week on the Learn Kubernetes Weekly:

🆚 CPU requests & limits VS autoscaling
🤢 CoreDNS cache poisoning
🐣 What happens when you create a pod
🎭 Managing roles for PostgreSQL with Vault
💸 Price comparison of managed Kubernetes

Read it now: https://learnk8s.io/issues/36

In this article, you will dissect how an attacker can gain access to a Kubernetes cluster that allows anonymous access to mine cryptocurrency.

In the process, you will uncover:

- Usage of DaemonSets to utilize all nodes.
- "Fake" pause containers.

More: https://crowdstrike.com/blog/crowdstrike-discovers-first-ever-dero-cryptojacking-campaign-targeting-kubernetes

In this tutorial, you will learn how to use Kubearmor to have granular control over container behaviour, allowing you to enforce security policies tailored to their needs.

More: https://medium.com/@alex.ivenin/enhancing-kubernetes-security-with-kubearmor-323ca754dbf8

In this article, you will learn how you can combine RuntimeClass, Kata containers and Kyverno to provide a more robust sandbox for workloads running in Kubernetes.

More: https://itnext.io/enhancing-kubernetes-security-with-kyverno-runtimeclass-and-kata-containers-f513308c7a23

In this tutorial, you will learn how to use Zarf (a tool that enables continuous software delivery on air-gapped networks) to deploy Longhorn on a Kubernetes cluster.

More: https://medium.com/defense-unicorns/getting-started-with-airgap-deployment-of-longhorn-block-storage-with-zarf-bdd6edfd65b7

This week on the Learn Kubernetes Weekly:

📈 Understand container metrics
🔎 Tracing pod to pod network traffic
🔗 Envoy WASM extensions
📝 Docker networking models
📥 Kubernetes API server: the storage interface

Read it now: https://learnk8s.io/issues/37

Managing authenticated image pulls to Docker Hub in a large cluster is difficult.

In this article, you'll cover the tools to make it easier:

1. Image pull secrets.
2. imagepullsecret-patcher.
3. External Secrets Operator.
4. Red Hat's patch-operator.

More: https://dev.to/iainmcgin/authenticated-docker-hub-image-pulls-in-kubernetes-k57

Kustomize SOPSGenerator is a Kustomize generator plugin that reads SOPS-encoded files and converts them to Kubernetes Secrets.

More: https://github.com/omninonsense/kustomize-sopsgenerator

Linux namespaces are foundational to how container runtimes like Docker work.

In this article, you'll learn how they provide fine-grained isolation of a container's view of the host's resources.

More: https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-2

In this article, you will discuss how to bypass container security scanners.

You will also build a small proof of concept.

More: https://raesene.github.io/blog/2023/04/22/Fun-with-container-images-Bypassing-vulnerability-scanners

kube-lock sits as an intermediary between you and kubectl, allowing you to lock and unlock contexts.

It prevents misfires to production / high-value Kubernetes clusters that you might have strong IAM privileges on.

More: https://github.com/chaosinthecrd/kube-lock

In this article, you will learn how to combine Helm, Helmfile and SOPS to store your secrets (safely) in Git.

More: https://blog.mariano.cloud/all-right-then-keep-your-secrets-in-git-with-sops