In this article, you will verify how Workload Identities in AKS can work across tenants — where a Pod in a cluster can access Azure resources within another tenant.
More: https://paulyu.dev/article/cross-tenant-workload-identity-on-aks
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Plaid
💰 $215.3K to $322.9K a year
👨💻 Remote from the United States
→ https://kube.careers/t/82ecabe4-3ee3-408e-9e59-de3130fd3475?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
Security Architect with Apollo
💰 $190K to $250K a year
🏠🏃🏻♂️🌎 Alhambra, CA, USA
→ https://kube.careers/t/8a1ea5dc-5d25-4ab0-95c8-d893bdb6249b?s=55
Security Architect with Sigma Computing
💰 $190K to $250K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e6a8ff9b-834f-4e57-bd6f-13b3be3d3b7a?s=55
DevSecOps Engineer with Palo Alto Networks
💰 $180.2K to $236.5K a year
🏠🏃🏻♂️🌎 Santa Clara, CA, USA
→ https://kube.careers/t/c50a52bc-e5ec-43f7-9f4c-bc0103fb9632?s=55
👉 Browse all 459 Kubernetes jobs on Kube Careers https://kube.careers
The Otterize intents operator is a tool used to easily automate the creation of network policies and Kafka ACLs in a Kubernetes cluster using a human-readable format via a custom resource.
More: https://github.com/otterize/intents-operator
In this article, you'll learn about supply chain attacks and how attackers can abuse insecure pipelines to gain initial access or introduce malware into an otherwise secure environment.
More: https://systemweakness.com/owasp-k8s-security-supply-chain-vulnerabilities-3b831fefbb0a
Forwarded from LearnKube news
When planning your infrastructure, one of the fundamental questions is: how many Kubernetes clusters should you have?
One big cluster or multiple smaller clusters?
Should the team share resources, or to each their own?
This Thursday, Dan investigates the pros and cons of different approaches and compares cost efficiency, ease of management, resilience and security for different setups.
In this session, you will learn:
- How Kubernetes design is intended for sharing resources and the consequence for isolation and security.
- How can you isolate your workloads with different security trade-offs depending on how trustworthy your tenants are?
- How to estimate costs and efforts in building a single shared cluster vs multiple clusters.
📆 Thu, 29th Feb
⏰ 8am PT | 5pm CET
👉 https://www.vcluster.com/event/workshop-series-1/
Constellation is a Kubernetes engine that wraps your cluster into a single confidential context that is shielded from the underlying cloud infrastructure.
Everything inside is always encrypted, including at runtime in memory.
More: https://github.com/edgelesssys/constellation
Forwarded from KubeFM
Structured Authentication Config is the most significant Kubernetes authentication system update in the last six years.
In this KubeFM episode, Maksim explains how this is going to affect you:
1. You can use multiple authentication providers simultaneously (e.g., Okta, Keycloak, GitLab) — no need for Dex.
2. You can change the configuration dynamically without restarting the API server.
3. You can use any JWT-compliant token for authentication.
4. You can use CEL (Common Expression Language) to determine whether the token's claims match the user's attributes in Kubernetes (username, group).
Watch (or listen to) it here: https://kube.fm/structured-authentication-maksim
In this article, you'll learn how GCP Workload Identity provides a powerful solution for securely accessing GCP services and APIs from apps running on GKE.
You will also learn how to configure them.
More: https://blog.firney.com/the-power-of-gcp-workload-identity-secure-access-to-google-cloud-platform-2334ea5fe554
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🦑 Custom Ink's Kubernetes journey
🤔 Slack's internal compute platform
💣 CoreDNS is going to fail you at scale
📺 Workload identity on AKS
🥷 OWASP supply chain
Read it now: https://learnk8s.io/issues/68
The Trivy Operator leverages Trivy to continuously scan your Kubernetes cluster for security issues.
The scans are summarised in security reports as Kubernetes Custom Resource Definitions, which become accessible through the Kubernetes API.
More: https://github.com/aquasecurity/trivy-operator
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Plaid
💰 $215.3K to $322.9K a year
👨💻 Remote from the United States
→ https://kube.careers/t/82ecabe4-3ee3-408e-9e59-de3130fd3475?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
Security Architect with Apollo
💰 $190K to $250K a year
🏠🏃🏻♂️🌎 Alhambra, CA, USA
→ https://kube.careers/t/8a1ea5dc-5d25-4ab0-95c8-d893bdb6249b?s=55
Security Architect with Sigma Computing
💰 $190K to $250K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e6a8ff9b-834f-4e57-bd6f-13b3be3d3b7a?s=55
DevSecOps Engineer with Palo Alto Networks
💰 $180.2K to $236.5K a year
🏠🏃🏻♂️🌎 Santa Clara, CA, USA
→ https://kube.careers/t/c50a52bc-e5ec-43f7-9f4c-bc0103fb9632?s=55
👉 Browse all 455 Kubernetes jobs on Kube Careers https://kube.careers
This article covers the Pod Security Admission Controller and how it simplifies enforcing Pod Security Standards.
You'll see an example of a managed offer like GKE Autopilot, which applies the baseline policies with some modifications for usability.
More: https://medium.com/google-cloud/improve-your-kubernetes-security-posture-with-the-pod-security-admission-psa-6bb59cc6923f
In this tutorial, you will learn how to use cert-manager for automated certificate handling, using a GitHub Action for end-to-end testing in a CI environment.
More: https://skarlso.github.io/2023/10/25/self-signed-locally-trusted-certificates-with-cert-manager
This article explores the fundamental concepts, syntax, semantics, and implementation considerations associated with Network Policies.
It also delves into best practices and real-world examples to illustrate their practical application and benefits.
More: https://medium.com/cloud-native-daily/learn-network-policies-in-kubernetes-4b2258fe8572
Forwarded from KubeFM
Can you run databases on Kubernetes and survive to tell the story?
Or should you refrain from running stateful workloads as much as possible?
In this KubeFM episode, Steven argues that you should run databases on Kubernetes.
He also goes further and demonstrates how to build your custom operator to manage your database.
Listen to the episode and learn how:
- You can use Kubebuilder and the Operator Framework to build your operator.
- Custom Resources let you create higher abstractions to manage your infrastructure as code.
- Steven's operator manages hundreds of databases at scale at QuestDB.
Watch (or listen to) it here: https://kube.fm/operators-steven
Forwarded from LearnKube news
Kubernetes namespaces are the basic building block for identity and isolation but don't provide any of those features out of the box.
In this session, you will explore in a great level of detail:
- How namespaces are (not) used during scheduling.
- How namespaces are (not) used in the cluster network and the implementation of Network Policies.
- How namespaces provide the starting point for RBAC.
The insights will help you understand the trade-offs in designing a multi-tenant platform on Kubernetes.
📆 Thu, 7th Mar
⏰ 8am PT | 5pm CET
👉 https://www.vcluster.com/event/workshop-series-2/
This tutorial teaches how to integrate HashiCorp Vault with Kubernetes for dynamic, secure secrets management using the External Secrets Operator (ESO).
It covers setting up Vault roles, policies, and the Key/Value secrets engine for ESO.
More: https://faun.pub/vault-integration-with-kubernetes-using-external-secrets-operator-7e13a78db406
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
♻️ From 0 to 10'000 Jenkins builds a week
1️⃣ Only one label to improve your security posture
🔐 Vault integration
🔨 Testing on Kubernetes with Testkube
🆙 Migrating from MetalLB to Cilium
Read it now: https://learnk8s.io/issues/69
In this article, you'll compare three popular container signing solutions: Sigstore Cosign, Notary v2, and Docker Content Trust (DCT).
You'll learn about their features, capabilities, and suitability for securing container image supply chains.
More: https://snyk.io/blog/signing-container-images
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Plaid
💰 $215.3K to $322.9K a year
👨💻 Remote from the United States
→ https://kube.careers/t/82ecabe4-3ee3-408e-9e59-de3130fd3475?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
Security Architect with Apollo
💰 $190K to $250K a year
🏠🏃🏻♂️🌎 Alhambra, CA, USA
→ https://kube.careers/t/8a1ea5dc-5d25-4ab0-95c8-d893bdb6249b?s=55
Security Architect with Sigma Computing
💰 $190K to $250K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e6a8ff9b-834f-4e57-bd6f-13b3be3d3b7a?s=55
DevSecOps Engineer with Palo Alto Networks
💰 $180.2K to $236.5K a year
🏠🏃🏻♂️🌎 Santa Clara, CA, USA
→ https://kube.careers/t/c50a52bc-e5ec-43f7-9f4c-bc0103fb9632?s=55
👉 Browse all 448 Kubernetes jobs on Kube Careers https://kube.careers
Reflector is a Kubernetes addon designed to monitor changes to resources (Secrets and ConfigMaps) and reflect changes to mirror resources in the same or other namespaces.
More: https://github.com/emberstack/kubernetes-reflector