Kubesploit – Telegram
News and links on Kubernetes security curated by the @Learnk8s team
Website: https://kubesploit.io/
The Trivy Operator leverages Trivy to continuously scan your Kubernetes cluster for security issues.

The scans are summarised in security reports as Kubernetes Custom Resource Definitions, which become accessible through the Kubernetes API.

More: https://github.com/aquasecurity/trivy-operator
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Plaid
💰 $215.3K to $322.9K a year
👨‍💻 Remote from the United States
https://kube.careers/t/82ecabe4-3ee3-408e-9e59-de3130fd3475?s=55

DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨‍💻 Remote from the United States
https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55

Security Architect with Apollo
💰 $190K to $250K a year
🏠🏃🏻‍♂️🌎 Alhambra, CA, USA
https://kube.careers/t/8a1ea5dc-5d25-4ab0-95c8-d893bdb6249b?s=55

Security Architect with Sigma Computing
💰 $190K to $250K a year
🏠 From the office in San Francisco, CA, USA
https://kube.careers/t/e6a8ff9b-834f-4e57-bd6f-13b3be3d3b7a?s=55

DevSecOps Engineer with Palo Alto Networks
💰 $180.2K to $236.5K a year
🏠🏃🏻‍♂️🌎 Santa Clara, CA, USA
https://kube.careers/t/c50a52bc-e5ec-43f7-9f4c-bc0103fb9632?s=55

👉 Browse all 455 Kubernetes jobs on Kube Careers https://kube.careers
This article covers the Pod Security Admission Controller and how it simplifies enforcing Pod Security Standards.

You'll see an example of a managed offer like GKE Autopilot, which applies the baseline policies with some modifications for usability.

More: https://medium.com/google-cloud/improve-your-kubernetes-security-posture-with-the-pod-security-admission-psa-6bb59cc6923f
In this tutorial, you will learn how to use cert-manager for automated certificate handling, using a GitHub Action for e2e testing in a CI environment.

More: https://skarlso.github.io/2023/10/25/self-signed-locally-trusted-certificates-with-cert-manager
This article explores the fundamental concepts, syntax, semantics, and implementation considerations associated with Network Policies.

It also delves into best practices and real-world examples to illustrate their practical application and benefits.

More: https://medium.com/cloud-native-daily/learn-network-policies-in-kubernetes-4b2258fe8572
Forwarded from KubeFM
Can you run databases on Kubernetes and survive to tell the story?

Or should you refrain from running stateful workloads as much as possible?

In this KubeFM episode, Steven argues that you should run databases on Kubernetes.

He also goes further and demonstrates how to build your custom operator to manage your database.

Listen to the episode and learn how:

- You can use Kubebuilder and the Operator Framework to build your operator.
- Custom Resources let you create higher abstractions to manage your infrastructure as code.
- Steven's operator manages hundreds of databases at scale at QuestDB.

Watch (or listen to) it here: https://kube.fm/operators-steven
Forwarded from LearnKube news
Kubernetes namespaces are the basic building block for identity and isolation but don't provide any of those features out of the box.

In this session, you will explore in great detail:

- How namespaces are (not) used during scheduling.
- How namespaces are (not) used in the cluster network and the implementation of Network Policies.
- How namespaces provide the starting point for RBAC.

The insights will help you understand the trade-offs in designing a multi-tenant platform on Kubernetes.

📆 Thu, 7th Mar
8am PT | 5pm CET

👉 https://www.vcluster.com/event/workshop-series-2/
This tutorial teaches how to integrate Hashicorp Vault with Kubernetes for dynamic, secure secrets management using the External Secrets Operator (ESO).

It covers setting up Vault roles, policies, and the Key/Value secrets engine for ESO.

More: https://faun.pub/vault-integration-with-kubernetes-using-external-secrets-operator-7e13a78db406
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:

♻️ From 0 to 10'000 Jenkins builds a week
1️⃣ Only one label to improve your security posture
🔐 Vault integration
🔨 Testing on Kubernetes with Testkube
🆙 Migrating from MetalLB to Cilium

Read it now: https://learnk8s.io/issues/69
In this article, you'll compare three popular container signing solutions: Sigstore Cosign, Notary v2, and Docker Content Trust (DCT).

You'll learn about their features, capabilities, and suitability for securing container image supply chains.

More: https://snyk.io/blog/signing-container-images
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Plaid
💰 $215.3K to $322.9K a year
👨‍💻 Remote from the United States
https://kube.careers/t/82ecabe4-3ee3-408e-9e59-de3130fd3475?s=55

DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨‍💻 Remote from the United States
https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55

Security Architect with Apollo
💰 $190K to $250K a year
🏠🏃🏻‍♂️🌎 Alhambra, CA, USA
https://kube.careers/t/8a1ea5dc-5d25-4ab0-95c8-d893bdb6249b?s=55

Security Architect with Sigma Computing
💰 $190K to $250K a year
🏠 From the office in San Francisco, CA, USA
https://kube.careers/t/e6a8ff9b-834f-4e57-bd6f-13b3be3d3b7a?s=55

DevSecOps Engineer with Palo Alto Networks
💰 $180.2K to $236.5K a year
🏠🏃🏻‍♂️🌎 Santa Clara, CA, USA
https://kube.careers/t/c50a52bc-e5ec-43f7-9f4c-bc0103fb9632?s=55

👉 Browse all 448 Kubernetes jobs on Kube Careers https://kube.careers
Reflector is a Kubernetes addon designed to monitor changes to resources (Secrets and ConfigMaps) and reflect changes to mirror resources in the same or other namespaces.

More: https://github.com/emberstack/kubernetes-reflector
In this article, you will learn how envelope encryption works in EKS with KMS through illustrations.

More: https://teamoptimizers.hashnode.dev/envelope-encryption-in-eks
Forwarded from LearnKube news
Kubernetes: 50 namespaces vs 50 control planes vs 50 clusters.

For the last episode of "Building Kubernetes platforms", we decided to run an experiment: how much does multi-tenancy cost?

We created three scenarios:

- 50 tenants using the Hierarchical Namespace Controller.
- 50 tenants using vCluster.
- 50 dedicated clusters managed via Karmada.

Which one was the most expensive?

Spoiler: the dedicated clusters are very expensive.

But is it worth the investment?

Chris will cover it live on Thursday!

📆 Thu, 14th Mar
8am PT | 5pm CET

👉 https://www.vcluster.com/event/workshop-series-3/
AWS ACM Private CA is a module of the AWS Certificate Manager that can set up and manage private CAs.

This project acts as an addon to cert-manager that signs certificate requests using AWS PCA.

More: https://github.com/cert-manager/aws-privateca-issuer
Forwarded from KubeFM
Service meshes and the community's opinion of them have changed drastically over the years.

From being perceived as unnecessary, complicated and bloated, they matured into security and observability powerhouses (while still retaining much of their complexity).

In this KubeFM episode, William deep dives into the world of service meshes and explains a few of the technical choices and trade-offs of service meshes in simple terms.

You will learn:

- What a service mesh is and how it is designed (i.e. control plane and data plane).
- How Ambient mesh departs from the traditional sidecar model and how that affects reliability and security.
- Why there's more than just eBPF in sidecarless service meshes, and the limitations of this technology.
- The direct costs (compute) and human factors involved in operating a service mesh.

Watch (or listen to) it here: https://kube.fm/service-mesh-william
In this article, you will take a comprehensive look at the OWASP Kubernetes Top 10: each risk is discussed in detail, along with recommendations for mitigating it.

Finally, you'll look at tools and techniques for auditing your configuration.

More: https://medium.com/@seifeddinerajhi/owasp-kubernetes-top-10-a-comprehensive-guide-f03af6fd66ed
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:

✍️ Signing container images: sigstore, Notary, and Docker content trust
✉️ Envelope encryption in EKS
🏅 OWASP Kubernetes top 10
🗃️ imgpkg
🛜 webmesh-cni

Read it now: https://learnk8s.io/issues/70
The AWS provider for the Secrets Store CSI Driver allows you to fetch secrets from AWS Secrets Manager and AWS Systems Manager Parameter Store and mount them into Kubernetes pods.

More: https://github.com/aws/secrets-store-csi-driver-provider-aws
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Plaid
💰 $215.3K to $322.9K a year
👨‍💻 Remote from the United States
https://kube.careers/t/82ecabe4-3ee3-408e-9e59-de3130fd3475?s=55

DevSecOps Engineer with Hinge Health
💰 $189K to $283K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA, USA
https://kube.careers/t/7848823a-5edb-406f-86f8-a505220dc8e4?s=55

DevSecOps Engineer with PagerDuty
💰 $176K to $277K a year
🏠 From the office in Atlanta, GA, USA
https://kube.careers/t/f7204480-93a6-477a-996f-eee9e4c5f9bd?s=55

DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨‍💻 Remote from the United States
https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55

Security Architect with Apollo
💰 $190K to $250K a year
🏠🏃🏻‍♂️🌎 Alhambra, CA, USA
https://kube.careers/t/8a1ea5dc-5d25-4ab0-95c8-d893bdb6249b?s=55

👉 Browse all 456 Kubernetes jobs on Kube Careers https://kube.careers
In this article, you'll find instructions for setting up and installing Pod Security Admission (PSA), step-by-step migration guides to transition from Pod Security Policies (PSP) to PSA, and precise commands for transferring existing PSP rules to PSA.

More: https://hackernoon.com/migrating-from-pod-security-policies-a-comprehensive-guide-part-1-transitioning-to-psa