mirrors is a custom Kubernetes controller that copies Kubernetes Secrets to and from various locations.
Currently, it supports the following sources and destinations:
- Native Kubernetes Secret
- HashiCorp Vault Secret
More: https://github.com/ktsstudio/mirrors
In this article, you will inspect the CoreDNS source code and learn how it is susceptible to cache poisoning.
You will also learn how to mitigate such an attack.
More: http://sbudella.altervista.org/blog/20230308-coredns-conjecture.html
The Otterize Credentials Operator automatically resolves pods to dev-friendly service names, registers them with a SPIRE server or with Otterize Cloud, and optionally provisions credentials as Kubernetes secrets.
More: https://github.com/otterize/credentials-operator
Forwarded from LearnKube news
Netchecks is a set of tools for testing network conditions and asserting that they are as expected.
There are two main components:
1. The operator that runs network checks and reports results.
2. Netcheck CLI and Python Library.
More: https://github.com/hardbyte/netchecks
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🆚 CPU requests & limits VS autoscaling
🤢 CoreDNS cache poisoning
🐣 What happens when you create a pod
🎭 Managing roles for PostgreSQL with Vault
💸 Price comparison of managed Kubernetes
Read it now: https://learnk8s.io/issues/36
In this article, you will dissect how an attacker can use a Kubernetes cluster that allows anonymous access to mine cryptocurrency.
In the process, you will uncover:
- Usage of DaemonSets to utilize all nodes.
- "Fake" pause containers.
More: https://crowdstrike.com/blog/crowdstrike-discovers-first-ever-dero-cryptojacking-campaign-targeting-kubernetes
In this tutorial, you will learn how to use KubeArmor to gain granular control over container behaviour, allowing you to enforce security policies tailored to your needs.
More: https://medium.com/@alex.ivenin/enhancing-kubernetes-security-with-kubearmor-323ca754dbf8
In this article, you will learn how you can combine RuntimeClass, Kata containers and Kyverno to provide a more robust sandbox for workloads running in Kubernetes.
More: https://itnext.io/enhancing-kubernetes-security-with-kyverno-runtimeclass-and-kata-containers-f513308c7a23
In this tutorial, you will learn how to use Zarf (a tool that enables continuous software delivery on air-gapped networks) to deploy Longhorn on a Kubernetes cluster.
More: https://medium.com/defense-unicorns/getting-started-with-airgap-deployment-of-longhorn-block-storage-with-zarf-bdd6edfd65b7
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
📈 Understand container metrics
🔎 Tracing pod to pod network traffic
🔗 Envoy WASM extensions
📝 Docker networking models
📥 Kubernetes API server: the storage interface
Read it now: https://learnk8s.io/issues/37
Managing authenticated image pulls to Docker Hub in a large cluster is difficult.
In this article, you'll cover the tools to make it easier:
1. Image pull secrets.
2. imagepullsecret-patcher.
3. External Secrets Operator.
4. Red Hat's patch-operator.
More: https://dev.to/iainmcgin/authenticated-docker-hub-image-pulls-in-kubernetes-k57
Kustomize SOPSGenerator is a Kustomize generator plugin that reads SOPS-encoded files and converts them to Kubernetes Secrets.
More: https://github.com/omninonsense/kustomize-sopsgenerator
Forwarded from LearnKube news
Linux namespaces are foundational to how container runtimes like Docker work.
In this article, you'll learn how they provide fine-grained isolation of a container's view of the host's resources.
More: https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-2
In this article, you will learn how container security scanners can be bypassed.
You will also build a small proof of concept.
More: https://raesene.github.io/blog/2023/04/22/Fun-with-container-images-Bypassing-vulnerability-scanners
kube-lock sits as an intermediary between you and kubectl, allowing you to lock and unlock contexts.
It prevents accidental commands against production or other high-value Kubernetes clusters on which you might hold strong IAM privileges.
More: https://github.com/chaosinthecrd/kube-lock
Forwarded from Kube Architect
In this article, you will learn how to combine Helm, Helmfile and SOPS to store your secrets (safely) in Git.
More: https://blog.mariano.cloud/all-right-then-keep-your-secrets-in-git-with-sops
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🏗️ Kubernetes resources, capacity and allocatable
✅ AKS checklist
📦 Container security fundamentals: isolation & namespaces
🛜 Cluster networking
🆚 "helm template" over "helm install"
Read it now: https://learnk8s.io/issues/38
Ever wonder how AWS IRSA, GCP workload identity or Azure AD workload identity work in Kubernetes?
This article explores how OIDC works in a Kubernetes cluster to trust external workloads.
More: https://motilayo.hashnode.dev/exploring-kubernetes-service-account-tokens-and-secure-workload-identity-federation
Bitwarden CRD Operator is an operator that exposes secrets from Bitwarden as Kubernetes native secrets using Custom Resource Definitions.
More: https://github.com/Lerentis/bitwarden-crd-operator
In this article, you will learn how to combine External Secrets with managed identities in Azure to keep the secrets up-to-date in the Azure Key Vault, with automatic synchronization to the Kubernetes cluster.
More: https://medium.com/@artem_lajko/unlocking-the-potential-external-secrets-and-azure-kubernetes-service-integration-f562c58d7472
This tutorial will teach you how to use the Secrets Store CSI Driver to integrate your app with HashiCorp Vault on Kubernetes.
More: https://piotrminkowski.com/2023/03/20/vault-with-secrets-store-csi-driver-on-kubernetes