Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
📈 Performance testing for CoreDNS
🕵️♀️ Using Snowflake to detect threats
♻️ Argo workflows: proven patterns
👆 You should care about container requests and limits
📐 Memory limit and request in JVM
Read it now: https://learnk8s.io/issues/66
IAM EKS user mapper aims to automatically give selected AWS IAM users access to your Kubernetes cluster.
More: https://github.com/Qovery/iam-eks-user-mapper
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Plaid
💰 $215.3K to $322.9K a year
👨💻 Remote from the United States
→ https://kube.careers/t/82ecabe4-3ee3-408e-9e59-de3130fd3475?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
Security Architect with Apollo
💰 $190K to $250K a year
🏠🏃🏻♂️🌎 Alhambra, CA, USA
→ https://kube.careers/t/8a1ea5dc-5d25-4ab0-95c8-d893bdb6249b?s=55
Security Architect with Sigma Computing
💰 $190K to $250K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e6a8ff9b-834f-4e57-bd6f-13b3be3d3b7a?s=55
DevSecOps Engineer with Palo Alto Networks
💰 $180.2K to $236.5K a year
🏠🏃🏻♂️🌎 Santa Clara, CA, USA
→ https://kube.careers/t/c50a52bc-e5ec-43f7-9f4c-bc0103fb9632?s=55
👉 Browse all 455 Kubernetes jobs on Kube Careers https://kube.careers
AquaSec found exposed, often unencrypted Kubernetes Secrets in public repositories, with 46% exploitable, stressing the need for robust practices and proper secret scanning tool usage.
More: https://blog.aquasec.com/the-ticking-supply-chain-attack-bomb-of-exposed-kubernetes-secrets
Learn to secure Kubernetes deployments with Kyverno: enforce policies on image signatures using Cosign, and manage container lifecycles from creation to cluster deployment with authentication checks.
More: https://blog.devops.dev/dumb-little-things-you-can-to-secure-k8s-container-signing-with-kyverno-and-cosign-fc4630177617
In this article, you'll learn the importance of the Software Bill of Material (SBOM) and how Trivy, a security scanner, identifies vulnerabilities in SBOMs, along with suggesting potential fixes.
More: https://medium.com/@krishnaduttpanchagnula/vulnerability-identification-of-images-and-files-using-sbom-with-trivy-23e1a4a5eea4
Forwarded from KubeFM
Is sharing a cluster with multiple tenants worth it?
Should you share or have a single dedicated cluster per team?
In this KubeFM episode, Artem revisits his journey into Kubernetes multi-tenancy and discusses how the landscapes (and opinions) on multi-tenancy have changed over the years.
Here's what you will learn:
- The trade-offs of multi-tenancy and the tooling necessary to make it happen (e.g. vCluster, Argo CD, Kamaji, etc.).
- The challenges of providing isolated monitoring and logging for tenants.
- How to design and architect a platform on Kubernetes to optimise your developer's experience.
Watch (or listen to) it here: https://kube.fm/multitenancy-artem
This article teaches methods to identify and exploit vulnerabilities in Kubernetes clusters by scanning for insecure API endpoints using tools like shodan.io, search.censys.io, and kube-hunter.
More: https://manojdeshmukh45.medium.com/ways-to-get-into-the-kubernetes-cluster-part-1-2e86c3dea123
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
💥 Health check crashes when over-loaded with requests
☕️ Kubernetes & JVM
⏰ Supply chain attack bomb
🏎️ Speeding up CI with Buildkit
🤔 Native sidecar containers
Read it now: https://learnk8s.io/issues/67
In this article, you will verify how Workload Identities in AKS can work across tenants — where a Pod in a cluster can access Azure resources within another tenant.
More: https://paulyu.dev/article/cross-tenant-workload-identity-on-aks
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Plaid
💰 $215.3K to $322.9K a year
👨💻 Remote from the United States
→ https://kube.careers/t/82ecabe4-3ee3-408e-9e59-de3130fd3475?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
Security Architect with Apollo
💰 $190K to $250K a year
🏠🏃🏻♂️🌎 Alhambra, CA, USA
→ https://kube.careers/t/8a1ea5dc-5d25-4ab0-95c8-d893bdb6249b?s=55
Security Architect with Sigma Computing
💰 $190K to $250K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e6a8ff9b-834f-4e57-bd6f-13b3be3d3b7a?s=55
DevSecOps Engineer with Palo Alto Networks
💰 $180.2K to $236.5K a year
🏠🏃🏻♂️🌎 Santa Clara, CA, USA
→ https://kube.careers/t/c50a52bc-e5ec-43f7-9f4c-bc0103fb9632?s=55
👉 Browse all 459 Kubernetes jobs on Kube Careers https://kube.careers
The Otterize intents operator is a tool used to easily automate the creation of network policies and Kafka ACLs in a Kubernetes cluster using a human-readable format via a custom resource.
More: https://github.com/otterize/intents-operator
In this article, you will learn about supply chain attacks and how attackers can abuse insecure pipelines to gain initial access or introduce malware into an otherwise secure environment.
More: https://systemweakness.com/owasp-k8s-security-supply-chain-vulnerabilities-3b831fefbb0a
Forwarded from LearnKube news
When planning your infrastructure, one of the fundamental questions is: how many Kubernetes clusters should you have?
One big cluster or multiple smaller clusters?
Should the team share resources, or to each their own?
This Thursday, Dan investigates the pros and cons of different approaches and compares cost efficiency, ease of management, resilience and security for different setups.
In this session, you will learn:
- How Kubernetes is designed for sharing resources, and the consequences for isolation and security.
- How to isolate your workloads with different security trade-offs, depending on how trustworthy your tenants are.
- How to estimate the costs and effort of building a single shared cluster vs multiple clusters.
📆 Thu, 29th Feb
⏰ 8am PT | 5pm CET
👉 https://www.vcluster.com/event/workshop-series-1/
Constellation is a Kubernetes engine that wraps your cluster into a single confidential context that is shielded from the underlying cloud infrastructure.
Everything inside is always encrypted, including at runtime in memory.
More: https://github.com/edgelesssys/constellation
Forwarded from KubeFM
Structured Authentication Config is the most significant Kubernetes authentication system update in the last six years.
In this KubeFM episode, Maksim explains how this is going to affect you:
1. You can use multiple authentication providers simultaneously (e.g., Okta, Keycloak, GitLab) — no need for Dex.
2. You can change the configuration dynamically without restarting the API server.
3. You can use any JWT-compliant token for authentication.
4. You can use CEL (Common Expression Language) to determine whether the token's claims match the user's attributes in Kubernetes (username, group).
Watch (or listen to) it here: https://kube.fm/structured-authentication-maksim
In this article, you'll learn how GCP Workload Identity provides a powerful solution for securely accessing GCP services and APIs from apps running on GKE.
You will also learn how to configure them.
More: https://blog.firney.com/the-power-of-gcp-workload-identity-secure-access-to-google-cloud-platform-2334ea5fe554
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🦑 Custom Ink's Kubernetes journey
🤔 Slack's internal compute platform
💣 CoreDNS is going to fail as you scale
📺 Workload identity on AKS
🥷 OWASP supply chain
Read it now: https://learnk8s.io/issues/68
The Trivy Operator leverages Trivy to continuously scan your Kubernetes cluster for security issues.
The scans are summarised in security reports as Kubernetes Custom Resource Definitions, which become accessible through the Kubernetes API.
More: https://github.com/aquasecurity/trivy-operator
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Plaid
💰 $215.3K to $322.9K a year
👨💻 Remote from the United States
→ https://kube.careers/t/82ecabe4-3ee3-408e-9e59-de3130fd3475?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
Security Architect with Apollo
💰 $190K to $250K a year
🏠🏃🏻♂️🌎 Alhambra, CA, USA
→ https://kube.careers/t/8a1ea5dc-5d25-4ab0-95c8-d893bdb6249b?s=55
Security Architect with Sigma Computing
💰 $190K to $250K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e6a8ff9b-834f-4e57-bd6f-13b3be3d3b7a?s=55
DevSecOps Engineer with Palo Alto Networks
💰 $180.2K to $236.5K a year
🏠🏃🏻♂️🌎 Santa Clara, CA, USA
→ https://kube.careers/t/c50a52bc-e5ec-43f7-9f4c-bc0103fb9632?s=55
👉 Browse all 455 Kubernetes jobs on Kube Careers https://kube.careers
This article covers the Pod Security Admission Controller and how it simplifies enforcing Pod Security Standards.
You'll see an example of a managed offer like GKE Autopilot, which applies the baseline policies with some modifications for usability.
More: https://medium.com/google-cloud/improve-your-kubernetes-security-posture-with-the-pod-security-admission-psa-6bb59cc6923f