Kubesploit – Telegram
Kubesploit
1.95K subscribers
823 photos
128 videos
1.6K links
News and links on Kubernetes security curated by the @Learnk8s team
Website: https://kubesploit.io/
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:

🆚 CPU requests & limits VS autoscaling
🤢 CoreDNS cache poisoning
🐣 What happens when you create a pod
🎭 Managing roles for PostgreSQL with Vault
💸 Price comparison of managed Kubernetes

Read it now: https://learnk8s.io/issues/36
This article dissects how attackers gained access to Kubernetes clusters that allowed anonymous access and used them to mine cryptocurrency (Dero).

Along the way, it covers:

- Use of DaemonSets so the miner runs on every node.
- Miner containers disguised as "pause" containers.

More: https://crowdstrike.com/blog/crowdstrike-discovers-first-ever-dero-cryptojacking-campaign-targeting-kubernetes
In this tutorial, you will learn how to use KubeArmor to gain granular control over container behaviour and enforce security policies tailored to your needs.

More: https://medium.com/@alex.ivenin/enhancing-kubernetes-security-with-kubearmor-323ca754dbf8
In this article, you will learn how you can combine RuntimeClass, Kata containers and Kyverno to provide a more robust sandbox for workloads running in Kubernetes.

More: https://itnext.io/enhancing-kubernetes-security-with-kyverno-runtimeclass-and-kata-containers-f513308c7a23
In this tutorial, you will learn how to use Zarf (a tool that enables continuous software delivery on air-gapped networks) to deploy Longhorn on a Kubernetes cluster.

More: https://medium.com/defense-unicorns/getting-started-with-airgap-deployment-of-longhorn-block-storage-with-zarf-bdd6edfd65b7
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:

📈 Understand container metrics
🔎 Tracing pod to pod network traffic
🔗 Envoy WASM extensions
📝 Docker networking models
📥 Kubernetes API server: the storage interface

Read it now: https://learnk8s.io/issues/37
Managing authenticated image pulls from Docker Hub in a large cluster is difficult.

This article covers the tools that make it easier:

1. Image pull secrets.
2. imagepullsecret-patcher.
3. External Secrets Operator.
4. Red Hat's patch-operator.

More: https://dev.to/iainmcgin/authenticated-docker-hub-image-pulls-in-kubernetes-k57
Kustomize SOPSGenerator is a Kustomize generator plugin that reads SOPS-encoded files and converts them to Kubernetes Secrets.

More: https://github.com/omninonsense/kustomize-sopsgenerator
Forwarded from LearnKube news
Linux namespaces are foundational to how container runtimes like Docker work.

In this article, you'll learn how they provide fine-grained isolation of a container's view of the host's resources.

More: https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-2
This article discusses how container images can be crafted to evade container vulnerability scanners.

It also builds a small proof of concept.

More: https://raesene.github.io/blog/2023/04/22/Fun-with-container-images-Bypassing-vulnerability-scanners
kube-lock sits as an intermediary between you and kubectl, allowing you to lock and unlock contexts.

It prevents accidental commands against production / high-value Kubernetes clusters on which you hold strong IAM privileges.

More: https://github.com/chaosinthecrd/kube-lock
Forwarded from Kube Architect
In this article, you will learn how to combine Helm, Helmfile and SOPS to store your secrets (safely) in Git.

More: https://blog.mariano.cloud/all-right-then-keep-your-secrets-in-git-with-sops
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:

🏗️ Kubernetes resources, capacity and allocatable
AKS checklist
📦 Container security fundamentals: isolation & namespaces
🛜 Cluster networking
🆚 "helm template" over "helm install"

Read it now: https://learnk8s.io/issues/38
Ever wonder how AWS IRSA, GCP Workload Identity or Azure AD Workload Identity work in Kubernetes?

This article explores how the cluster's OIDC issuer and projected service account tokens let external identity providers trust workloads running in Kubernetes.

More: https://motilayo.hashnode.dev/exploring-kubernetes-service-account-tokens-and-secure-workload-identity-federation
Bitwarden CRD Operator is an operator that exposes secrets from Bitwarden as Kubernetes native secrets using Custom Resource Definitions.

More: https://github.com/Lerentis/bitwarden-crd-operator
In this article, you will learn how to combine the External Secrets Operator with Azure managed identities so that secrets stored in Azure Key Vault are synchronized into the Kubernetes cluster and kept up to date automatically.

More: https://medium.com/@artem_lajko/unlocking-the-potential-external-secrets-and-azure-kubernetes-service-integration-f562c58d7472
This tutorial will teach you how to use the Secrets Store CSI Driver to integrate your app with HashiCorp Vault on Kubernetes.

More: https://piotrminkowski.com/2023/03/20/vault-with-secrets-store-csi-driver-on-kubernetes
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:

⚖️ Distributed and auto-scalable websocket server architecture
🏎️ Demystifying CPU limits
🙅‍♀️ Pod topology spread constraint pitfalls
🤔 When is a CPU not a CPU?
🛑 Never use alpine Linux ever again

Read it now: https://learnk8s.io/issues/39
In this article, you will learn about RBAC Buster.

This Kubernetes attack campaign abuses misconfigured API servers to create a ClusterRoleBinding that grants full access to the cluster, giving the attacker persistence even after the original misconfiguration is fixed.

More: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
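Both the Dero cryptojacking campaign above (entry via anonymous API access) and RBAC Buster (persistence via an extra ClusterRoleBinding) leave a trace in the cluster's RBAC objects. The following audit is an added example for this channel, not code from CrowdStrike, Aqua or either article: it walks the output shape of `kubectl get clusterrolebindings -o json`, flags anything that binds `system:anonymous` or `system:unauthenticated` to more than the stock discovery role, and flags any `cluster-admin` grant to a subject other than the built-in `system:masters` group. The binding names (`anon-admin`, `kube-controller`) and the sample dump are constructed for illustration.

```python
import json
import sys

# Constructed sample with the shape of `kubectl get clusterrolebindings -o json`,
# trimmed to the fields the audit uses. Not a dump from a real cluster.
SAMPLE_CRB_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # ships with every cluster; expected and not reported
            "metadata": {"name": "cluster-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": "system:masters"}],
        },
        {   # stock binding: unauthenticated callers may only read discovery info
            "metadata": {"name": "system:public-info-viewer"},
            "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
            "subjects": [{"kind": "Group", "name": "system:unauthenticated"},
                         {"kind": "Group", "name": "system:authenticated"}],
        },
        {   # constructed: anonymous callers can do anything, including create DaemonSets
            "metadata": {"name": "anon-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "User", "name": "system:anonymous"}],
        },
        {   # constructed: RBAC-Buster-style backdoor, cluster-admin for a service account
            "metadata": {"name": "kube-controller"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "kube-controller",
                          "namespace": "kube-system"}],
        },
    ],
})

# Subjects that represent unauthenticated callers.
ANON_SUBJECTS = {"system:anonymous", "system:unauthenticated"}
# The only ClusterRole those subjects hold in a default cluster.
ALLOWED_ANON_ROLES = {"system:public-info-viewer"}
# The only subject that should hold cluster-admin out of the box.
EXPECTED_CLUSTER_ADMIN = {("Group", "system:masters")}


def audit_bindings(crb_json: str):
    """Return [(binding name, reason)] for every ClusterRoleBinding subject
    that grants unauthenticated access or unexpected cluster-admin."""
    findings = []
    for item in json.loads(crb_json).get("items", []):
        name = item["metadata"]["name"]
        role = item.get("roleRef", {}).get("name", "")
        for s in item.get("subjects") or []:   # "subjects" may be absent or null
            kind, subj = s.get("kind"), s.get("name", "")
            if subj in ANON_SUBJECTS and role not in ALLOWED_ANON_ROLES:
                findings.append((name, f"{subj} bound to {role}"))
            elif role == "cluster-admin" and (kind, subj) not in EXPECTED_CLUSTER_ADMIN:
                # Service accounts are namespaced; show where the token lives.
                if kind == "ServiceAccount":
                    subj = f"{s.get('namespace', '')}/{subj}"
                findings.append((name, f"cluster-admin granted to {kind} {subj}"))
    return findings


if __name__ == "__main__":
    # Usage: kubectl get clusterrolebindings -o json | python3 audit_crb.py
    # With no piped input the constructed sample is audited instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRB_LIST
    for binding, reason in audit_bindings(data):
        print(f"{binding}: {reason}")
```

The script covers ClusterRoleBindings only; a namespaced RoleBinding that references the `cluster-admin` ClusterRole grants those rights within its namespace, so `kubectl get rolebindings -A -o json` deserves the same pass, and any finding should be compared against the API server audit log to see who created the object.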
In this tutorial, you'll learn how to install, configure and devise custom rules and alerts for Falco.

With this, you can monitor your infrastructure and receive real-time alerts on critical security events.

More: https://itnext.io/getting-started-with-falco-48e8631b6f86
This article highlights the use of Common Expression Language (CEL) in Kyverno validation rules, and the use of the Kyverno CLI `apply` and `test` commands to exercise Kubernetes ValidatingAdmissionPolicy resources.

More: https://medium.com/@mariamfahmy66/validating-admission-policies-in-kyverno-1f4a3e972f92