In this article, you'll look at the essential components needed to make your Kubernetes deployments secure, fast and reliable and answer what is required to build a complete DevSecOps platform on Kubernetes.
More: https://www.stakater.com/post/the-essentials-for-building-a-devsecops-platform-on-kubernetes
The Kubernetes Security Profiles Operator aims to make it easier for users to use SELinux, seccomp and AppArmor in Kubernetes clusters.
More: https://github.com/kubernetes-sigs/security-profiles-operator
Forwarded from KubeFM
What if Kubernetes was so easy to install and manage to be foolproof?
In this KubeFM, Mat argues that GKE is the only Kubernetes managed service that offers a beginner-friendly and thought-through experience in running a Kubernetes cluster.
Follow Mat's journey to AKS, GKE and EKS and learn:
- How GKE autopilot can help you optimize costs and reduce underutilized node resources.
- How the GKE container-optimized OS prevents and eliminates an entire set of security misconfigurations in node management.
- How GCP's application of machine learning on the IAM permissions can help you gradually refine security permissions as applications are deployed.
Watch it here: https://kube.fm/foolproof-gke-mat
Listen on:
- Apple Podcast https://kube.fm/apple
- Spotify https://kube.fm/spotify
- Amazon Music https://kube.fm/amazon
- Overcast https://kube.fm/overcast
- Pocket casts https://kube.fm/pocket-casts
- Deezer https://kube.fm/deezer
In this tutorial, you will use the open-source tool Zarf to deploy a Podinfo with Flux application to a Kubernetes cluster.
Then, you will test the same deployment but air-gapped.
More: https://medium.com/defense-unicorns/using-zarf-to-deploy-a-podinfo-flux-application-in-a-kubernetes-cluster-22dc6c02510c
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
📊 The case for Kubernetes resource limits
❌ 3 common mistakes with PromQL
🤔 Different kinds of managed Kubernetes
⚛️ Helm's atomic
🤒 High availability for pods
Read it now: https://learnk8s.io/issues/62
This project provides an OCI hook to generate seccomp profiles by tracing the syscalls made by the container.
The generated profile would allow all the syscalls made and deny every other syscall.
More: https://github.com/containers/oci-seccomp-bpf-hook
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
Security Architect with Sigma Computing
💰 $190K to $250K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e6a8ff9b-834f-4e57-bd6f-13b3be3d3b7a?s=55
DevSecOps Engineer with Palo Alto Networks
💰 $180.2K to $236.5K a year
🏠🏃🏻♂️🌎 Santa Clara, CA, USA
→ https://kube.careers/t/c50a52bc-e5ec-43f7-9f4c-bc0103fb9632?s=55
DevSecOps Engineer with Verkada
💰 $130K to $280K a year
🏠 From the office in San Mateo, CA, USA
→ https://kube.careers/t/34423797-da07-4f75-a714-ab6e4ad208bf?s=55
DevSecOps Engineer with KoBold Metals
💰 $150K to $225K a year
👨💻 Remote from the United States, Canada
→ https://kube.careers/t/73a7a73a-c29e-4647-8968-297acc829312?s=55
👉 Browse all 469 Kubernetes jobs on Kube Careers https://kube.careers
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next course starts on the 19th of Feb (in Amsterdam, NL): https://learnk8s.io/amsterdam-advanced-february-2024
We also run in-person courses and corporate training: https://learnk8s.io/corporate-training
Containerized apps frequently require access to services running within and outside the cluster.
In this article, you'll explore how Cilium can be used alongside the security groups for EKS pods when running in chaining mode.
More: https://medium.com/@agupta301281/security-groups-for-pods-in-eks-cilium-and-networking-f809cf72fc31
In this article, you will learn how WIZ Research compromised a cloud-managed PostgreSQL database, accessed Alibaba's container registry, and pushed malicious code using shared volumes and privileged containers.
More: https://medium.com/@dmosyan/hacking-alibaba-clouds-kubernetes-cluster-c6baec0c0639
This article will teach you how to easily and securely store your Kubernetes secrets in AWS Secret Manager with Argo CD, Crossplane and External Secrets Operator.
More: https://medium.com/hiredscore-engineering/manage-kubernetes-secrets-with-crossplane-and-external-secrets-1423302c92fd
Forwarded from KubeFM
The best way to learn something is to break it or to build it yourself.
And that's precisely what Luca did to understand how Linux containers (and Docker) work: he built his own, Barco.
In this episode of KubeFM, you will learn:
- Why Linux containers "don't exist" but are the product of several Linux features you can put together and configure properly to get what we know as containers.
- How Kernel features such as cgroups and namespaces isolate a process.
- How you can use seccomp and capabilities to secure the container.
- How to make the right syscall from C to build your own container engine.
Watch it here: https://kube.fm/barco-luca
Forwarded from Kube Architect
This tutorial teaches you how to use Argo Events to synchronize GCP Secret Manager secrets with Kubernetes.
More: https://cdelmonte.medium.com/argo-events-how-to-synchronize-gcp-secret-manager-and-kubernetes-secrets-d9807dbf8d30
Traditionally, EKS pods inherit the node's IAM role, contradicting least privilege principles by sharing one IAM role across multiple pods on the same node.
You can now use the EKS Pod Identity Agent to enable specific role assumption for pods.
More: https://medium.com/binome/reinvent-2023-trying-out-pod-identity-agent-de823f6b1178
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
📺 Video streaming at scale with Kubernetes and RabbitMQ
🙅 Don't name your EKS-managed nodegroups
🔢 Cilium: decoding the packet
🥷 Secrets with Crossplane and ESO
🔎 eBPF to navigate monitoring
Read it now: https://learnk8s.io/issues/63
This article discusses three ways to secure Kubernetes pods: AppArmor, Seccomp, and immutable pods.
These techniques can help to prevent malicious attacks and protect your Kubernetes cluster.
More: https://medium.com/@seifeddinerajhi/securing-kubernetes-a-comprehensive-guide-to-runtime-security-and-system-hardening-33f5a5328f1
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
Security Architect with Sigma Computing
💰 $190K to $250K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e6a8ff9b-834f-4e57-bd6f-13b3be3d3b7a?s=55
DevSecOps Engineer with Palo Alto Networks
💰 $180.2K to $236.5K a year
🏠🏃🏻♂️🌎 Santa Clara, CA, USA
→ https://kube.careers/t/c50a52bc-e5ec-43f7-9f4c-bc0103fb9632?s=55
Security Architect with Collectors
💰 $160K to $250K a year
🏠 From the office in Santa Ana, CA, USA
→ https://kube.careers/t/b13459c6-6642-4c50-bdc0-c95a11cdd990?s=55
DevSecOps Engineer with Verkada
💰 $130K to $280K a year
🏠 From the office in San Mateo, CA, USA
→ https://kube.careers/t/34423797-da07-4f75-a714-ab6e4ad208bf?s=55
👉 Browse all 456 Kubernetes jobs on Kube Careers https://kube.careers
Kubeconform is a Kubernetes manifests validation tool.
Similar to Kubeval, but with the following improvements:
1. High performance.
2. Remote or local schema locations.
3. Up-to-date schemas for all recent versions of Kubernetes.
More: https://github.com/yannh/kubeconform
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next course starts on the 19th of Feb (in Amsterdam, NL): https://learnk8s.io/amsterdam-advanced-february-2024
We also run in-person courses and corporate training: https://learnk8s.io/corporate-training
This article will show how to implement a Zero Trust Architecture on Kubernetes with Istio.
1. What is Zero Trust Architecture.
2. Istio Architecture.
3. How to enable mTLS.
4. How to enable access control and authorization between your microservices.
More: https://medium.com/@lupass93/zero-trust-architecture-on-kubernetes-with-istio-service-mesh-eade6c5a3c53
Forwarded from LearnKube news
Get ready for a 3-part, free educational program on building Kubernetes platforms with Learnk8s and Loft labs!
Each session comes with a webinar, code samples and a step-by-step article:
- Unit 1: Architecting Kubernetes clusters: single shared cluster or to each their own.
- Unit 2: Kubernetes namespaces offer no isolation, and how you can work around it
- Unit 3: Building a self-serve Kubernetes platform from scratch
You can register here (it's free): https://www.vcluster.com/building-a-multi-tenant-kubernetes-platform/