In this tutorial, you'll learn how to sign and verify Docker distroless images with Cosign and Kyverno.
More: https://medium.com/@seifeddinerajhi/sign-and-verify-container-images-with-cosign-and-kyverno-a-complete-guide-b32b1f6e6264
Forwarded from KubeFM
By default, Kubernetes Secrets are not encrypted; values are merely base64 encoded.
And this is fine — at least, this is what Mac argues in this episode of KubeFM.
Mac says it all comes down to thinking strategically about security and where the Secrets could be leaked.
In this episode, you will learn:
- How to define a threat model to inform your security posture and mitigations.
- How Kubernetes Secrets offer sufficient guarantees for most common threat models.
- Whether you should use HashiCorp Vault or Kubernetes Secrets (and when not to use auto-unsealing).
Mac also covers tips and advice on becoming a security expert.
Watch it here: https://kube.fm/kubernetes-secrets-mac
Listen on:
- Apple Podcast https://kube.fm/apple
- Spotify https://kube.fm/spotify
- Amazon Music https://kube.fm/amazon
- Overcast https://kube.fm/overcast
- Pocket casts https://kube.fm/pocket-casts
- Deezer https://kube.fm/deezer
In this article, you will learn how an attacker with access to a privileged container can break out of it using a kernel module and gain access to the underlying host.
More: https://raesene.github.io/blog/2023/08/06/fun-with-privileged-container-breakout
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🏎️ Kubernetes image proxy cache
🏃♀️ Kubernetes workloads to Graviton
📈 Memory settings for Java processes in Kubernetes
🙅 What is GitOps and why is it (almost) useless?
Read it now: https://learnk8s.io/issues/55
In this tutorial, you'll learn how to set up Vault and the injector service with the Vault Helm chart.
Then, you'll deploy an app to demonstrate how the injector service handles secrets.
More: https://medium.com/@seifeddinerajhi/securely-inject-secrets-to-pods-with-the-vault-agent-injector-3238eb774342
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
Security Architect with Reddit
💰 $198.2K to $297.3K a year
👨💻 Remote from the United States
→ https://kube.careers/t/a58310f4-745b-499e-bded-d29ef2353e11?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
DevSecOps Engineer with 1Password
💰 $180K to $244K a year
👨💻 Remote from the United States, Canada
→ https://kube.careers/t/b733b996-956e-4086-b0fa-514316485975?s=55
DevSecOps Engineer with Robinhood
💰 $169K to $255K a year
🏠 From the office in Menlo Park, CA / New York, NY / Seattle, WA / Washington, DC, USA
→ https://kube.careers/t/bcecc046-9f28-4766-aaad-e8cb41ae9aa3?s=55
👉 Browse all 428 Kubernetes jobs on Kube Careers https://kube.careers
In this article, you will learn how to create a simple yet effective incident response mechanism within Kubernetes, leveraging Falco for threat detection, CRIU for container snapshotting, and OpenFaaS for automating responses.
More: https://blog.fraktal.fi/navigating-kubernetes-incident-response-with-falco-criu-and-openfaas-285021bbdbe4
Forwarded from Kube Events
This February attend the Kubernetes Community Days Brazil 🇧🇷 and extend your stay to enjoy the iconic Brazilian Carnival!
📆 24-24 of Feb
📍 Online and São Paulo, BR
More info: https://kube.events/t/fca77347-2776-4fd6-92aa-d70c0d43e0d8?s=16
In this project, you'll learn how to create a Mutating Webhook targeting pods.
The webhook server will intercept requests to create or update pods and apply custom logic to modify the specifications before they are admitted to the cluster.
More: https://github.com/rajibmitra/pod-mutator
In this article, you will learn how to issue X.509 certificates to authenticate users to a Kubernetes cluster.
You'll also explore how to use the credential from within a Node.js app.
More: https://krateo.medium.com/kubernetes-user-authorization-with-certificates-d3cde5897ff7
Forwarded from KubeFM
Helm is a popular tool for templating and packaging Kubernetes resources, but does it mean it's the best?
In this episode of KubeFM, Jacco draws a parallel between Helm and PHP: both tools became a success in a similar way, despite being built around templating strings.
You will also learn:
- Helm's flaws and how you can avoid them.
- Alternative tools that can (partially) replace Helm.
- How to manage third-party packages and templating internal YAML resources.
Jacco shared several examples demonstrating duplication in Helm charts and a lack of structured typing.
Watch it here: https://kube.fm/helm-flawed-jacco
Listen on:
- Apple Podcast https://kube.fm/apple
- Spotify https://kube.fm/spotify
- Amazon Music https://kube.fm/amazon
- Overcast https://kube.fm/overcast
- Pocket casts https://kube.fm/pocket-casts
- Deezer https://kube.fm/deezer
Forwarded from LearnKube news
nodegizmo is a kubectl plugin for your Kubernetes nodes that displays:
- Generic node-related information (taints, topology, etc.).
- Nodepool settings.
- Node capacity.
You can also exec into any node using nsenter pods.
More: https://github.com/Kavinraja-G/node-gizmo
k8s-secret-expiry-controller is a Kubernetes controller that watches for the expiration of Kubernetes Secrets and raises events accordingly.
More: https://github.com/devops-360-online/k8s-secret-expiry-controller
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
😩 Handling pods when nodes fail
🕵️ Troubleshooting missing logs
📈 Optimizing scalability and cost-efficiency with Karpenter
🗜️ Setting Java Heap size in Docker
💅 Labels and annotations
Read it now: https://learnk8s.io/issues/56
This article describes the challenges and solutions to connecting kubectl from your local computer to a private GKE cluster while impersonating a service account.
More: https://medium.com/compendium/accessing-private-gke-cluster-using-bastion-host-and-service-account-impersonating-bac11c86deac
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
Security Architect with Reddit
💰 $198.2K to $297.3K a year
👨💻 Remote from the United States
→ https://kube.careers/t/a58310f4-745b-499e-bded-d29ef2353e11?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
DevSecOps Engineer with 1Password
💰 $180K to $244K a year
👨💻 Remote from the United States, Canada
→ https://kube.careers/t/b733b996-956e-4086-b0fa-514316485975?s=55
DevSecOps Engineer with Robinhood
💰 $169K to $255K a year
🏠 From the office in Menlo Park, CA / New York, NY / Seattle, WA / Washington, DC, USA
→ https://kube.careers/t/bcecc046-9f28-4766-aaad-e8cb41ae9aa3?s=55
👉 Browse all 423 Kubernetes jobs on Kube Careers https://kube.careers
KubeClarity is a tool for detecting and managing Software Bills of Materials (SBOMs) and vulnerabilities in container images and filesystems.
It scans runtime Kubernetes clusters and CI/CD pipelines for enhanced software supply chain security.
More: https://github.com/openclarity/kubeclarity
This guide will explore the best practices for managing secrets in Kubernetes and how to integrate with AWS Secrets Manager to enhance security and simplify management.
More: https://sharonsahadevan.medium.com/kubernetes-secret-management-a-comprehensive-guide-with-aws-secrets-manager-bdebbd70d7b1
Forwarded from LearnKube news
Hubble is a fully distributed networking and security observability platform for cloud native workloads.
It is built on top of Cilium and eBPF to enable deep visibility into the communication and behaviour of services and the networking infrastructure.
More: https://github.com/cilium/hubble
KubeHound is a Kubernetes attack graph tool that allows automated calculation of attack paths between assets in a cluster.
More: https://github.com/DataDog/KubeHound
Forwarded from KubeFM
Network Policy usage is inverted.
It's easier to list the services that you want to connect to, but Network Policy forces you to list all clients that can connect to your pod.
How would you even know that another team plans to connect to your apps?
But if Network Policy is not the right tool, then what should you use?
In this KubeFM podcast, you will explore:
- How Network Policies are not as bad as you might think, but they are low-level APIs that are not always practical to use directly.
- Intent-based Access Control (IBAC) as a higher-level abstraction to describe your network segmentation requirements.
- How you can use IBAC to generate Network Policies, Istio Authorization Policies, AWS IAM & Roles, and more.
Watch it here: https://kube.fm/network-policies-ori
Listen on:
- Apple Podcast https://kube.fm/apple
- Spotify https://kube.fm/spotify
- Amazon Music https://kube.fm/amazon
- Overcast https://kube.fm/overcast
- Pocket casts https://kube.fm/pocket-casts
- Deezer https://kube.fm/deezer