Kubesploit – Telegram
News and links on Kubernetes security curated by the @Learnk8s team
Website: https://kubesploit.io/
Forwarded from LearnKube news
Linux namespaces are foundational to how container runtimes like Docker work.

In this article, you'll learn how they provide fine-grained isolation of a container's view of the host's resources.

More: https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-2
In this article, you will learn how to bypass container vulnerability scanners.

You will also build a small proof of concept.

More: https://raesene.github.io/blog/2023/04/22/Fun-with-container-images-Bypassing-vulnerability-scanners
kube-lock sits as an intermediary between you and kubectl, allowing you to lock and unlock contexts.

It prevents accidental commands from being run against production or other high-value Kubernetes clusters on which you hold strong IAM privileges.

More: https://github.com/chaosinthecrd/kube-lock
Forwarded from Kube Architect
In this article, you will learn how to combine Helm, Helmfile and SOPS to store your secrets (safely) in Git.

More: https://blog.mariano.cloud/all-right-then-keep-your-secrets-in-git-with-sops
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:

🏗️ Kubernetes resources, capacity and allocatable
AKS checklist
📦 Container security fundamentals: isolation & namespaces
🛜 Cluster networking
🆚 "helm template" over "helm install"

Read it now: https://learnk8s.io/issues/38
Ever wonder how AWS IRSA, GCP workload identity or Azure AD workload identity work in Kubernetes?

This article explores how the Kubernetes API server acts as an OIDC issuer for service account tokens, so that external identity providers can trust workloads running in the cluster.

More: https://motilayo.hashnode.dev/exploring-kubernetes-service-account-tokens-and-secure-workload-identity-federation
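As an added example (not code from the article above, nor from any cloud provider), the following Go program shows both halves of that trust relationship: minting a projected service account token the way the API server does, and validating it the way an external relying party such as AWS STS, GCP STS or Azure AD does once it has fetched the cluster's JWKS. The issuer URL, key id, namespace and service account name are assumptions; the signing algorithm is ES256 to keep the code short, whereas real clusters normally sign with RSA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Hypothetical issuer URL and key id (set on real clusters by --service-account-issuer and published at <issuer>/openid/v1/jwks).
const issuerURL, kid = "https://oidc.example.invalid/cluster", "sa-signing-key-1"
var b64 = base64.RawURLEncoding
// Claims mirrors a projected service account token; IAM trust policies usually condition on sub and aud.
type Claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
}

// newIssuer stands in for the API server's signing key and the JWKS a relying party fetches (ES256 for brevity; clusters normally use RSA).
func newIssuer() (*ecdsa.PrivateKey, map[string]*ecdsa.PublicKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key, map[string]*ecdsa.PublicKey{kid: &key.PublicKey}
}

// decodeSegment base64url-decodes one JWT segment and parses it as JSON into v.
func decodeSegment(s string, v interface{}) error {
	b, err := b64.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// mintToken builds what the kubelet places in a pod's projected volume for the audience named in the pod spec.
func mintToken(key *ecdsa.PrivateKey, namespace, sa, aud string, now time.Time) string {
	claims := Claims{Iss: issuerURL, Sub: "system:serviceaccount:" + namespace + ":" + sa,
		Aud: []string{aud}, Exp: now.Add(time.Hour).Unix()}
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	sig := make([]byte, 64) // JWS ES256 signatures are fixed-width r||s, not ASN.1
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig)
}

// verifyToken is the relying party's side (AWS STS, GCP STS, Azure AD): pin the algorithm, select the key
// by kid, verify the signature, then check issuer, expiry and audience. Only then does IAM map sub to a role.
func verifyToken(token, expectedAud string, keys map[string]*ecdsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if len(parts) != 3 || decodeSegment(parts[0], &hdr) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	pub, known := keys[hdr.Kid]
	if hdr.Alg != "ES256" || !known { // the token never gets to choose the algorithm or the key
		return nil, fmt.Errorf("rejected header alg=%q kid=%q", hdr.Alg, hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims // claims are trusted only after the signature is known good
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != issuerURL || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("untrusted issuer %q or expired token", c.Iss)
	}
	for _, a := range c.Aud {
		if a == expectedAud {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("audience %v does not include %q", c.Aud, expectedAud)
}

func main() {
	key, keys := newIssuer()
	tok := mintToken(key, "payments", "api", "sts.amazonaws.com", time.Now())
	fmt.Println(verifyToken(tok, "sts.amazonaws.com", keys, time.Now()))
}
```

The order of checks in verifyToken is the point: the algorithm is pinned before the key is chosen, the key is chosen by kid from the cluster's published set rather than from anything in the token, and the claims are only parsed and compared once the signature holds. A token minted for the cluster's own API server audience is rejected by a cloud STS, which is why IRSA and its equivalents require a separate projected token per audience.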
Bitwarden CRD Operator is an operator that exposes secrets from Bitwarden as Kubernetes native secrets using Custom Resource Definitions.

More: https://github.com/Lerentis/bitwarden-crd-operator
In this article, you will learn how to combine External Secrets with managed identities in Azure to keep the secrets up-to-date in the Azure Key Vault, with automatic synchronization to the Kubernetes cluster.

More: https://medium.com/@artem_lajko/unlocking-the-potential-external-secrets-and-azure-kubernetes-service-integration-f562c58d7472
This tutorial will teach you how to use the Secrets Store CSI Driver to integrate your app with HashiCorp Vault on Kubernetes.

More: https://piotrminkowski.com/2023/03/20/vault-with-secrets-store-csi-driver-on-kubernetes
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:

⚖️ Distributed and auto-scalable websocket server architecture
🏎️ Demystifying CPU limits
🙅‍♀️ Pod topology spread constraint pitfalls
🤔 When is a CPU not a CPU?
🛑 Never use alpine Linux ever again

Read it now: https://learnk8s.io/issues/39
In this article, you will learn about RBAC Buster.

This new Kubernetes attack campaign abuses misconfigured API servers to create a ClusterRoleBinding, gaining full access to the cluster that persists even after the original misconfiguration is fixed.

More: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
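As an added example (not from the Aqua write-up), the following Go audit reads a ClusterRoleBindingList in the shape that `kubectl get clusterrolebindings -o json` prints and flags the persistence pattern described above: admin roles bound to ServiceAccounts or to any subject that is not on a reviewed baseline, and bindings that grant anything to anonymous or unauthenticated identities outside the bindings Kubernetes ships by default. The sample bindings are constructed; the `platform-admins` baseline entry and the `kube-controller` ServiceAccount are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// bindingList is the subset of a ClusterRoleBindingList (as printed by
// "kubectl get clusterrolebindings -o json") that the audit needs.
type bindingList struct {
	Items []struct {
		Metadata struct {
			Name string `json:"name"`
		} `json:"metadata"`
		RoleRef struct {
			Name string `json:"name"`
		} `json:"roleRef"`
		Subjects []struct {
			Kind      string `json:"kind"`
			Name      string `json:"name"`
			Namespace string `json:"namespace"`
		} `json:"subjects"`
	} `json:"items"`
}

// adminRoles lists roles whose binding to an unexpected subject is cluster takeover (assumed; add your own admin-equivalent roles).
var adminRoles = map[string]bool{"cluster-admin": true}

// neverBind lists identities that should appear only in the bindings Kubernetes ships by default.
var neverBind = map[string]bool{"system:unauthenticated": true, "system:anonymous": true}

// baseline holds reviewed "binding|kind|subject" triples. The first two ship with
// every cluster; platform-admins is a hypothetical organisation-specific entry.
var baseline = map[string]bool{
	"cluster-admin|Group|system:masters":                      true,
	"system:public-info-viewer|Group|system:unauthenticated": true,
	"platform-admins|Group|platform-admins":                   true,
}

type finding struct{ Binding, Reason string }

// audit flags every subject that holds an admin role without being baselined and
// every anonymous or unauthenticated subject outside the default bindings. It reads
// the bindings themselves, so a backdoor binding is found even after the
// misconfiguration that let the attacker create it has been fixed.
func audit(raw []byte) ([]finding, error) {
	var list bindingList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	var out []finding
	for _, b := range list.Items {
		for _, s := range b.Subjects {
			if baseline[b.Metadata.Name+"|"+s.Kind+"|"+s.Name] {
				continue
			}
			switch {
			case neverBind[s.Name]:
				out = append(out, finding{b.Metadata.Name, fmt.Sprintf("%s %q bound to role %s", s.Kind, s.Name, b.RoleRef.Name)})
			case adminRoles[b.RoleRef.Name] && s.Kind == "ServiceAccount":
				out = append(out, finding{b.Metadata.Name, fmt.Sprintf("%s granted to ServiceAccount %s/%s: a long-lived credential, the classic backdoor", b.RoleRef.Name, s.Namespace, s.Name)})
			case adminRoles[b.RoleRef.Name]:
				out = append(out, finding{b.Metadata.Name, fmt.Sprintf("%s granted to unbaselined %s %q", b.RoleRef.Name, s.Kind, s.Name)})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Binding < out[j].Binding })
	return out, nil
}

// sampleBindings is constructed input: the bindings every cluster ships with, one
// legitimate admin group, and two bindings an attacker with a permissive API
// server could have planted (the ServiceAccount name is chosen to blend in).
const sampleBindings = `{"apiVersion":"v1","kind":"List","items":[
{"metadata":{"name":"cluster-admin"},"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"Group","name":"system:masters"}]},
{"metadata":{"name":"system:public-info-viewer"},"roleRef":{"kind":"ClusterRole","name":"system:public-info-viewer"},"subjects":[{"kind":"Group","name":"system:authenticated"},{"kind":"Group","name":"system:unauthenticated"}]},
{"metadata":{"name":"platform-admins"},"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"Group","name":"platform-admins"}]},
{"metadata":{"name":"dev-view"},"roleRef":{"kind":"ClusterRole","name":"view"},"subjects":[{"kind":"Group","name":"developers"}]},
{"metadata":{"name":"kube-controller"},"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"kube-controller","namespace":"kube-system"}]},
{"metadata":{"name":"anonymous-admin"},"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"Group","name":"system:unauthenticated"}]}
]}`

func main() {
	findings, err := audit([]byte(sampleBindings))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-18s %s\n", f.Binding, f.Reason)
	}
}
```

To run it against a real cluster, save `kubectl get clusterrolebindings -o json` to a file and pass its contents to audit; the baseline map is what you review and commit, so that any binding that later appears outside it stands out regardless of how it was created. Namespaced RoleBindings deserve the same pass (they can bind cluster-admin within a namespace) after extending the struct with the binding's own namespace.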
In this tutorial, you'll learn how to install, configure and devise custom rules and alerts for Falco.

With this, you can monitor your infrastructure and receive real-time alerts on critical security events.

More: https://itnext.io/getting-started-with-falco-48e8631b6f86
This article highlights the use of Common Expression Language (CEL) in Kyverno validation rules, and how the Kyverno CLI apply and test commands work with Kubernetes ValidatingAdmissionPolicy resources.

More: https://medium.com/@mariamfahmy66/validating-admission-policies-in-kyverno-1f4a3e972f92
This repository contains a custom Kubernetes controller that can automatically create random secret values.

This may be used for auto-generating random credentials for applications running on Kubernetes.

More: https://github.com/mittwald/kubernetes-secret-generator
Forwarded from LearnKube news
🤔 Should you run a Kubernetes cluster with many smaller instances or a few larger ones?

This article explores the pros/cons:

📊 Resource allocations
📝 Optimal node capacity
⚖️ Scaling considerations
🌊 Bandwidth implications
♻️ IP recycling
📦 Storage

https://learnk8s.io/kubernetes-node-size
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:

📺 How to integrate legacy VMs into container pipelines
📈 Kubernetes-native synthetic monitoring
📐 Choosing a worker node size
📥 Configuring local ingress domains
🤝 Manually scheduling pods

Read it now: https://learnk8s.io/issues/40
There are many factors to consider when deciding how Kubernetes secrets are managed and injected into containers.

This blog post will discuss the most popular approaches available for Kubernetes Secrets management.

More: https://doppler.com/blog/kubernetes-secrets-management-in-2022
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

The course starts this September and you can sign up here: https://learnk8s.io/online-advanced-september-2023
Checkov is a static code analysis tool for infrastructure as code and also a software composition analysis tool for images and open-source packages.

It scans cloud infrastructure provisioned using Terraform, Kubernetes, Helm charts, Kustomize, and more.

More: https://github.com/bridgecrewio/checkov
In this tutorial, you will learn how to authenticate users to your apps deployed in Kubernetes using the NGINX ingress controller, OAuth2 and Azure AD.

More: http://work.haufegroup.io/secure-your-application-with-k8s-nginx-ingress-oauth2-azuread
KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure that applications adhere to best practices.

More: https://github.com/stackrox/kube-linter