In this tutorial, you will learn how to use Zarf (a tool that enables continuous software delivery on air-gapped networks) to deploy Longhorn on a Kubernetes cluster.
More: https://medium.com/defense-unicorns/getting-started-with-airgap-deployment-of-longhorn-block-storage-with-zarf-bdd6edfd65b7
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
📈 Understand container metrics
🔎 Tracing pod to pod network traffic
🔗 Envoy WASM extensions
📝 Docker networking models
📥 Kubernetes API server: the storage interface
Read it now: https://learnk8s.io/issues/37
Managing authenticated image pulls to Docker Hub in a large cluster is difficult.
This article covers the tools that make it easier:
1. Image pull secrets.
2. imagepullsecret-patcher.
3. External Secrets Operator.
4. Red Hat's patch-operator.
More: https://dev.to/iainmcgin/authenticated-docker-hub-image-pulls-in-kubernetes-k57
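For the first item on that list, here is an added example (not code from the linked article) that builds the kubernetes.io/dockerconfigjson Secret kubelet expects for Docker Hub pulls, decodes it back for auditing, and attaches it to a ServiceAccount so pods inherit it. The secret and ServiceAccount names, namespace and token value are constructed for illustration.

```python
"""Build and audit an image pull secret for Docker Hub.

Added example; not the article's or any project's code. The username,
token, secret name and namespace below are constructed placeholders.
"""
import base64
import json

# The registry key kubelet matches against for unqualified Docker Hub images
# (e.g. "nginx:1.25" resolves to docker.io, whose auth entry uses this URL).
DOCKER_HUB = "https://index.docker.io/v1/"


def docker_config_json(username: str, token: str, registry: str = DOCKER_HUB) -> dict:
    """Return the .dockerconfigjson structure the container runtime reads.

    The "auth" field is base64(username:token); kubelet passes it to the
    runtime, which sends it as an HTTP Basic Authorization header on pull.
    Use a Docker Hub access token here, not the account password.
    """
    auth = base64.b64encode(f"{username}:{token}".encode()).decode()
    return {"auths": {registry: {"username": username, "password": token, "auth": auth}}}


def pull_secret_manifest(name: str, namespace: str, username: str, token: str) -> dict:
    """Equivalent of `kubectl create secret docker-registry` as a manifest dict."""
    cfg = json.dumps(docker_config_json(username, token), separators=(",", ":"))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        # Secret .data values are base64 of the raw bytes.
        "data": {".dockerconfigjson": base64.b64encode(cfg.encode()).decode()},
    }


def decode_pull_secret(manifest: dict) -> dict:
    """Inverse helper for audits: recover the auths map from a Secret manifest."""
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    return json.loads(raw)["auths"]


def patch_service_account(sa: dict, secret_name: str) -> dict:
    """Add the secret to a ServiceAccount's imagePullSecrets (idempotent).

    Pods using this ServiceAccount then pull with the credential without
    listing it in their own spec, which is what the patcher tools automate
    across namespaces. Note that Secrets are namespaced: the Secret must
    exist in the same namespace as the ServiceAccount.
    """
    refs = sa.setdefault("imagePullSecrets", [])
    if not any(r.get("name") == secret_name for r in refs):
        refs.append({"name": secret_name})
    return sa


if __name__ == "__main__":
    secret = pull_secret_manifest("dockerhub-pull", "team-a", "ciuser", "dckr_pat_example")
    print(json.dumps(secret, indent=2))
    sa = patch_service_account({"apiVersion": "v1", "kind": "ServiceAccount",
                                "metadata": {"name": "default", "namespace": "team-a"}},
                               "dockerhub-pull")
    print(json.dumps(sa, indent=2))
```

Because the Secret is namespaced, a cluster with many namespaces needs one copy per namespace, which is exactly the gap the patcher and external-secrets tools in the list fill.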
Kustomize SOPSGenerator is a Kustomize generator plugin that reads SOPS-encoded files and converts them to Kubernetes Secrets.
More: https://github.com/omninonsense/kustomize-sopsgenerator
Forwarded from LearnKube news
Linux namespaces are foundational to how container runtimes like Docker work.
In this article, you'll learn how they provide fine-grained isolation of a container's view of the host's resources.
More: https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-2
In this article, you'll learn how container vulnerability scanners can be bypassed.
You will also build a small proof of concept.
More: https://raesene.github.io/blog/2023/04/22/Fun-with-container-images-Bypassing-vulnerability-scanners
kube-lock sits as an intermediary between you and kubectl, allowing you to lock and unlock contexts.
It prevents accidental commands against production or other high-value Kubernetes clusters on which you hold strong IAM privileges.
More: https://github.com/chaosinthecrd/kube-lock
Forwarded from Kube Architect
In this article, you will learn how to combine Helm, Helmfile and SOPS to store your secrets (safely) in Git.
More: https://blog.mariano.cloud/all-right-then-keep-your-secrets-in-git-with-sops
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🏗️ Kubernetes resources, capacity and allocatable
✅ AKS checklist
📦 Container security fundamentals: isolation & namespaces
🛜 Cluster networking
🆚 "helm template" over "helm install"
Read it now: https://learnk8s.io/issues/38
Ever wonder how AWS IRSA, GCP workload identity or Azure AD workload identity work in Kubernetes?
This article explores how OIDC works in a Kubernetes cluster to trust external workloads.
More: https://motilayo.hashnode.dev/exploring-kubernetes-service-account-tokens-and-secure-workload-identity-federation
Bitwarden CRD Operator is an operator that exposes secrets from Bitwarden as Kubernetes native secrets using Custom Resource Definitions.
More: https://github.com/Lerentis/bitwarden-crd-operator
In this article, you will learn how to combine External Secrets with managed identities in Azure to keep the secrets up-to-date in the Azure Key Vault, with automatic synchronization to the Kubernetes cluster.
More: https://medium.com/@artem_lajko/unlocking-the-potential-external-secrets-and-azure-kubernetes-service-integration-f562c58d7472
This tutorial will teach you how to use the Secrets Store CSI Driver to integrate your app with HashiCorp Vault on Kubernetes.
More: https://piotrminkowski.com/2023/03/20/vault-with-secrets-store-csi-driver-on-kubernetes
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
⚖️ Distributed and auto-scalable websocket server architecture
🏎️ Demystifying CPU limits
🙅♀️ Pod topology spread constraint pitfalls
🤔 When is a CPU not a CPU?
🛑 Never use alpine Linux ever again
Read it now: https://learnk8s.io/issues/39
In this article, you will learn about RBAC Buster.
This Kubernetes attack abuses a misconfigured API server to create a ClusterRoleBinding that grants full cluster access, and the binding persists even after the misconfiguration is fixed.
More: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
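Since the persistence in this attack is a ClusterRoleBinding rather than a running process, the check a defender wants is a review of bindings by roleRef and subject, not by name. The following is an added example (not code from the Aqua write-up) that flags bindings which grant cluster-admin to subjects outside an allow-list, or bind unauthenticated principals to anything; the binding list is a constructed sample in the shape of `kubectl get clusterrolebindings -o json`, and the look-alike name "kube-controller" is invented to show why name-based review is not enough.

```python
"""Audit ClusterRoleBindings for backdoor-style grants.

Added example; not the article's code. The binding list below is
constructed in the shape of `kubectl get clusterrolebindings -o json`.
"""
import json

# Subjects Kubernetes itself binds to cluster-admin. Anything else bound to
# cluster-admin is worth a ticket.
EXPECTED_ADMIN_SUBJECTS = {("Group", "system:masters")}
PRIVILEGED_ROLES = {"cluster-admin"}
# Principals that should never appear in a binding beyond the default
# discovery role; an API server that accepts anonymous requests is the
# misconfiguration that lets an attacker plant these.
DANGEROUS_SUBJECTS = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}

# Constructed sample input.
SAMPLE_CRB_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        {"metadata": {"name": "kube-controller-manager"},
         "roleRef": {"kind": "ClusterRole", "name": "system:kube-controller-manager"},
         "subjects": [{"kind": "User", "name": "system:kube-controller-manager"}]},
        # Look-alike name hiding a cluster-admin grant to a service account.
        {"metadata": {"name": "kube-controller"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "kube-controller",
                       "namespace": "kube-system"}]},
        # Anonymous user bound to cluster-admin: survives disabling anonymous auth
        # only if left in place, which is why the binding itself must be removed.
        {"metadata": {"name": "anon-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    ]
})


def suspicious_bindings(crb_json: str, expected=EXPECTED_ADMIN_SUBJECTS) -> list:
    """Return findings keyed on roleRef and subject, ignoring binding names."""
    findings = []
    for crb in json.loads(crb_json)["items"]:
        name = crb["metadata"]["name"]
        role = crb.get("roleRef", {}).get("name")
        for s in crb.get("subjects") or []:   # subjects may be null
            key = (s["kind"], s["name"])
            if key in DANGEROUS_SUBJECTS:
                reason = "binds an unauthenticated principal"
            elif role in PRIVILEGED_ROLES and key not in expected:
                reason = "cluster-admin granted to unexpected subject"
            else:
                continue
            findings.append({"binding": name, "role": role,
                             "subject": f"{s['kind']}/{s['name']}", "reason": reason})
    return findings


if __name__ == "__main__":
    for f in suspicious_bindings(SAMPLE_CRB_LIST):
        print(f"{f['binding']}: {f['subject']} -> {f['role']} ({f['reason']})")
```

Run the same function over the real output of `kubectl get clusterrolebindings -o json`, and extend EXPECTED_ADMIN_SUBJECTS with the groups or service accounts your platform legitimately binds to cluster-admin; the audit is only as good as that allow-list.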
In this tutorial, you'll learn how to install, configure and devise custom rules and alerts for Falco.
With this, you can monitor your infrastructure and receive real-time alerts on critical security events.
More: https://itnext.io/getting-started-with-falco-48e8631b6f86
This article highlights the use of Common Expression Language (CEL) in Kyverno validation rules and the use of Kyverno CLI apply/test commands for Kubernetes Validating Admission policies.
More: https://medium.com/@mariamfahmy66/validating-admission-policies-in-kyverno-1f4a3e972f92
This repository contains a custom Kubernetes controller that can automatically create random secret values.
This may be used for auto-generating random credentials for applications running on Kubernetes.
More: https://github.com/mittwald/kubernetes-secret-generator
Forwarded from LearnKube news
🤔 Should you run a Kubernetes cluster with many smaller instances or a few larger ones?
This article explores the pros/cons:
📊 Resource allocations
📝 Optimal node capacity
⚖️ Scaling considerations
🌊 Bandwidth implications
♻️ IP recycling
📦 Storage
https://learnk8s.io/kubernetes-node-size
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
📺 How to integrate legacy VMs into container pipelines
📈 Kubernetes-native synthetic monitoring
📐 Choosing a worker node size
📥 Configuring local ingress domains
🤝 Manually scheduling pods
Read it now: https://learnk8s.io/issues/40
There are many factors to consider when deciding how Kubernetes secrets are managed and injected into containers.
This blog post will discuss the most popular approaches available for Kubernetes Secrets management.
More: https://doppler.com/blog/kubernetes-secrets-management-in-2022