Kubesploit – Telegram
News and links on Kubernetes security curated by the @Learnk8s team
Website: https://kubesploit.io/

Forwarded from Kube Events
🎉 Kubernetes scaling: combining autoscalers for optimal resource allocations

📅 28 Sep
8am PT | 5pm CET

In this session, you will learn the theory and practical tips for combining cluster autoscalers (e.g. HPA+CA).

https://kube.events/t/51afe79e-9a79-460e-b00f-449bc7474ccc

Reflector is a Kubernetes addon designed to monitor changes to resources (secrets and configmaps) and reflect changes to mirror resources in the same or other namespaces.

More: https://github.com/emberstack/kubernetes-reflector

Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:

👌 Developing high-quality Helm charts faster
⎈ Helm dependencies updates made easy
📝 GKE review
⛩️ The future of API gateways
🥷 Bypassing policies with finalizers

Read it now: https://learnk8s.io/issues/45

The Security Profiles Operator is a feature-rich operator for Kubernetes to make managing seccomp, SELinux & AppArmor profiles easier than ever.

In this article, you will explore spoc — a little helper tool for recording and replaying seccomp profiles.

More: https://kubernetes.io/blog/2023/05/18/seccomp-profiles-edge

Forwarded from LearnKube news
Learn the best strategies to combine autoscalers (i.e. HPA + CA), minimise reaction time and reduce costs.

@SoulmanIqbal will cover:

- How the Cluster Autoscaler works.
- Preemptive scaling.
- Proactive scaling.

📅 28 Sep
8am PT | 5pm CET

👉 https://kube.events/t/51afe79e-9a79-460e-b00f-449bc7474ccc

m9sweeper makes securing a cluster easy with:

- CVE Scanning.
- Enforcement of CVE Scanning Rules.
- Reports and Dashboards.
- CIS Security Benchmarking.
- Pen Testing.
- Deployment Coaching.
- Intrusion Detection.
- Gatekeeper Policy Management.

More: https://github.com/m9sweeper/m9sweeper

While Pod Security Admission can prevent common security risks, it lacks mutation ability, controller restriction, high-level violation reports, and fine-grained control options.

Learn more about it in this article.

More: https://devopsforyou.com/my-experiments-with-pod-security-admission-in-kubernetes-cluster-8028b7fc0249

In this article, you will learn how to restrict access to S3 buckets using IAM Roles for Service Accounts.

More: https://towardsaws.com/restricting-s3-access-to-eks-and-k8s-pods-and-deployments-with-irsa-ebab1dd9a8dd

Forwarded from Kube Architect
Discover the best strategies to combine autoscalers (i.e. HPA + CA), minimise reaction time and reduce costs.

In this webinar you'll learn:

- How the Cluster Autoscaler works.
- Preemptive scaling.
- Proactive scaling.

📅 28 Sep
8am PT | 5pm CET

👉 https://kube.events/t/51afe79e-9a79-460e-b00f-449bc7474ccc

The article explores two secret handling mechanisms in EKS:

1. Secrets Store CSI driver and ASCP.
2. External Secrets Operator.

The author argues that the latter is a better fit since it doesn't rely on DaemonSets.

More: https://medium.com/@chetlo/problems-using-secrets-store-csi-driver-and-securing-your-kubernetes-real-estate-f5baeaab50ae

Forwarded from LearnKube news
In this article, you will learn how the Spotify engineering team has developed a new method for conducting memory analysis on Google Kubernetes Engine (GKE) by combining three open source tools: AVML, dwarf2json, and Volatility 3.

More: https://engineering.atspotify.com/2023/06/analyzing-volatile-memory-on-a-google-kubernetes-engine-node

Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:

🖼️ Troubleshooting deployments
🔥 Firecracker-powered course platform
💥 Kubernetes pod IP conflict
🔍 Analyzing volatile memory on GKE
🏹 Understanding multi-arch containers

Read it now: https://learnk8s.io/issues/46

In this tutorial, you will learn how to use Kyverno to verify Kubernetes container images running in the control plane are signed.

More: https://medium.com/@charled.breteche/kyverno-verify-kubernetes-control-plane-images-372ea2fe1680

Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Tubi
💰 $197K to $259K a year
👨‍💻 Remote from the United States
https://kube.careers/t/fbfd93b4-e284-47f8-89a9-6e7cfa4c82ad?s=55

DevSecOps Engineer with Robinhood
💰 $169K to $255K a year
🏠 From the office in Menlo Park, CA / New York, NY / Seattle, WA / Washington, DC, USA
https://kube.careers/t/bcecc046-9f28-4766-aaad-e8cb41ae9aa3?s=55

DevSecOps Engineer with Pure Storage
💰 $167K to $251K a year
🏠 From the office in Santa Clara, CA, USA
https://kube.careers/t/611fe80e-6e6d-4ece-b428-4af7561f7af7?s=55

DevSecOps Engineer with Verkada
💰 $120K to $285K a year
🏠 From the office in San Mateo, CA, USA
https://kube.careers/t/48e3f6f7-5043-43b1-8c58-6bc81939bc19?s=55

DevSecOps Engineer with Voltron Data
💰 $170K to $220K a year
🌎 Fully remote
https://kube.careers/t/f2509a98-e72c-4444-a44e-7f9502b58e1a?s=55

👉 Browse all 486 Kubernetes jobs on Kube Careers https://kube.careers

Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

The course starts this October in Amsterdam and you can sign up here: https://learnk8s.io/amsterdam-advanced-october-2023

CRI-compatible container runtimes feature full support for container image signature verification in v1.28.

In this article, you will learn how a single instance can validate the signatures before any image pull can occur.

More: https://kubernetes.io/blog/2023/06/29/container-image-signature-verification

When your container gets breached, the attacker can use tools like curl to download more tools for further exploitation and lateral movement within your system.

LProbe is a wget/curl replacement for hardened and secure container images.

More: https://github.com/fivexl/lprobe

Forwarded from KubeFM
Making autoscaling dead simple in Kubernetes: KEDA

In this episode, Jorge Turrado tells the story of how he became a KEDA maintainer while learning to write Go.

📺 Watch or listen to the full episode here: https://kube.fm/keda-jorge-turrado

Forwarded from LearnKube news
The VPC CNI plugin and pods inherit the EKS node IAM role by default.

If the node role has the AmazonEKS_CNI_Plugin attached, pods running on the node can attach and detach ENIs and assign IP addresses.

In this article, you'll learn how to solve this.

More: https://medium.com/@jandersson89/securing-aws-eks-configure-the-vpc-cni-plugin-to-use-irsa-51351f893c18

In this tutorial, you will learn how to use Kyverno to inject fields into Kubernetes resources to remove dangling jobs automatically.

More: https://blog.wtcx.dev/2022/07/09/automatically-clean-up-dangling-jobs-with-policy-engine

Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshop!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

The course starts the 30th of October in Amsterdam and you can sign up here: https://learnk8s.io/amsterdam-advanced-october-2023