In this article, you'll learn how to use Cluster Role, Cluster Role Binding, and Service Account to deploy a simple application capable of accessing the cluster's resources using kubectl from within a pod.

More: https://itnext.io/unleashing-the-power-of-kubernetes-deploying-containers-with-cluster-resource-access-ee2cef29e24e

What type of worker nodes should you use for your Kubernetes cluster?

And how many of them?

This article looks at the pros and cons.

More: https://learnk8s.io/kubernetes-node-size

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55

DevSecOps Engineer with 1Password
💰 $180K to $244K a year
👨‍💻 Remote from the United States, Canada
→ https://kube.careers/t/b733b996-956e-4086-b0fa-514316485975?s=55

DevSecOps Engineer with Robinhood
💰 $169K to $255K a year
🏠 From the office in Menlo Park, CA / New York, NY / Seattle, WA / Washington, DC, USA
→ https://kube.careers/t/bcecc046-9f28-4766-aaad-e8cb41ae9aa3?s=55

DevSecOps Engineer with Verkada
💰 $120K to $285K a year
🏠 From the office in San Mateo, CA, USA
→ https://kube.careers/t/48e3f6f7-5043-43b1-8c58-6bc81939bc19?s=55

👉 Browse all 473 Kubernetes jobs on Kube Careers https://kube.careers

KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure that applications adhere to best practices.

More: https://github.com/stackrox/kube-linter

In this tutorial, you will learn how to write a validating admission controller to check if Deployments have the proper liveness and readiness probes in place.

More: https://medium.com/@ivan.herrmann89/validate-if-kubernetes-deployment-have-livenessprobe-and-readinessprobe-enabled-6424738deeec

In this tutorial, you will learn how to store your sensitive secrets in a self-hosted Vault and share them with a Kubernetes cluster.

More: https://medium.com/@verove.clement/vault-externals-secrets-in-kubernetes-cluster-407f251a5e89

In this article, you'll discuss the security risks associated with the deprecation of Pod Security Policies and potential issues with webhook validation that could lead to a compromised cluster.

More: https://medium.com/@skraga/how-to-mess-with-admission-webhooks-and-have-a-giant-security-hole-b4f3e8c0c9b9

This week on the Learn Kubernetes Weekly:

⚒️ Choosing a worker node size
✅ Bolstering security & automating management of EKS
📊 Scaling Rails apps with the HPA
🥷 Bypassing admission webhooks
📐 Containers with cluster resource access

Read it now: https://learnk8s.io/issues/53

This tutorial teaches you how to install and configure CrowdSec in a Kubernetes cluster and how to detect attacks on Kubernetes applications.

More: https://itnext.io/securing-kubernetes-applications-with-crowdsec-intrusion-detection-system-8eb2f93d3c9f

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55

DevSecOps Engineer with 1Password
💰 $180K to $244K a year
👨‍💻 Remote from the United States, Canada
→ https://kube.careers/t/b733b996-956e-4086-b0fa-514316485975?s=55

DevSecOps Engineer with Robinhood
💰 $169K to $255K a year
🏠 From the office in Menlo Park, CA / New York, NY / Seattle, WA / Washington, DC, USA
→ https://kube.careers/t/bcecc046-9f28-4766-aaad-e8cb41ae9aa3?s=55

DevSecOps Engineer with Palo Alto Networks
💰 $180.2K to $236.5K a year
🏠🏃🏻‍♂️🌎 Santa Clara, CA, USA
→ https://kube.careers/t/c50a52bc-e5ec-43f7-9f4c-bc0103fb9632?s=55

👉 Browse all 449 Kubernetes jobs on Kube Careers https://kube.careers

Kubernetes clusters belonging to over 350 organizations were found to be openly accessible and largely unprotected, with at least 60% breached and used for malware deployment.

Learn the attacks (and mitigations) in this article.

More: https://blog.aquasec.com/kubernetes-exposed-one-yaml-away-from-disaster

Passmower is an OIDC Identity Provider that is designed for Kubernetes environments.

It integrates with Kubernetes, persisting its data, including users and enrolled apps, using Custom Resource Definitions while storing session data in Redis.

More: https://github.com/passmower/passmower

This article explores how SecurityContext in Kubernetes can enhance security by adjusting operating system settings, including process and filesystem permissions, making the root filesystem read-only, and limiting Linux process capabilities.

More: https://medium.com/marionete/kubernetes-securitycontext-with-practical-examples-67d890558d11

What does it take to build a Kubernetes cluster on bare metal?

In this episode of KubeFM, you will learn how to plan and execute a successful setup for a bare-metal Kubernetes cluster.

You will follow Mathias' journey as he rebuilt his cluster several times and learn how to:

- Identify dependencies and priorities between components to avoid incidents in the future.
- Leverage FluxCD to have a predictable and documented setup.
- Secure the nodes from external traffic with firewalls and Cilium cluster-wide network policies.
- Use Talos to have a self-contained Kubernetes operating system.

Mathias also shared tips and advice for other engineers embarking on the same process.

Watch it here: https://kube.fm/bare-metal-kubernetes-mathias

Listen on:

- Apple Podcast https://kube.fm/apple
- Spotify https://kube.fm/spotify
- Amazon Music https://kube.fm/amazon
- Overcast https://kube.fm/overcast
- Pocket casts https://kube.fm/pocket-casts
- Deezer https://kube.fm/deezer

Dex-operator is a Kubernetes operator for deploying and managing Dex IdP.

More: https://github.com/gpu-ninja/dex-operator

This week on the Learn Kubernetes Weekly:

⚖️ Load balancing long-lived connections
💪 40% more performant with Cilium
👷‍♀️ Single-tenant architecture with Crossplane
🥷 1 yaml away from disaster
📚 SecurityContext with examples

Read it now: https://learnk8s.io/issues/54

In this tutorial, you will learn how to create a mutating webhook handler for namespaces using Kubebuilder.

More: https://levelup.gitconnected.com/mutating-webhook-handler-for-built-in-core-types-456aa146cc46

This article discusses Kubernetes security fundamentals and provides five practical steps to bolster security:

1. Proper configuration.
2. Image scanning.
3. Network security.
4. Controlling running applications.
5. Auditing and logging events.

More: https://blog.palark.com/kubernetes-security-best-practices

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55

DevSecOps Engineer with 1Password
💰 $180K to $244K a year
👨‍💻 Remote from the United States, Canada
→ https://kube.careers/t/b733b996-956e-4086-b0fa-514316485975?s=55

DevSecOps Engineer with Robinhood
💰 $169K to $255K a year
🏠 From the office in Menlo Park, CA / New York, NY / Seattle, WA / Washington, DC, USA
→ https://kube.careers/t/bcecc046-9f28-4766-aaad-e8cb41ae9aa3?s=55

DevSecOps Engineer with Palo Alto Networks
💰 $180.2K to $236.5K a year
🏠🏃🏻‍♂️🌎 Santa Clara, CA, USA
→ https://kube.careers/t/c50a52bc-e5ec-43f7-9f4c-bc0103fb9632?s=55

👉 Browse all 420 Kubernetes jobs on Kube Careers https://kube.careers

Kubelet Serving Certificate Approver is a custom approving controller which approves kubernetes·io/kubelet-serving Certificate Signing Request that kubelet uses to serve TLS endpoints.

More: https://github.com/alex1989hu/kubelet-serving-cert-approver

This article contains seven different known privilege-escalation threat vectors, which are enabled by the following permissions:

- Create Pods
- Read Secrets
- Bind Roles
- Escalate existing Roles
- Impersonate entities in the Cluster

More: https://schutzwerk.com/blog/kubernetes-privilege-escalation-01