This tutorial teaches how to integrate HashiCorp Vault with Kubernetes for dynamic, secure secrets management using the External Secrets Operator (ESO).
It covers setting up Vault roles, policies, and the Key/Value secrets engine for ESO.
More: https://faun.pub/vault-integration-with-kubernetes-using-external-secrets-operator-7e13a78db406
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
♻️ From 0 to 10'000 Jenkins builds a week
1️⃣ Only one label to improve your security posture
🔐 Vault integration
🔨 Testing on Kubernetes with Testkube
🆙 Migrating from MetalLB to Cilium
Read it now: https://learnk8s.io/issues/69
In this article, you'll compare three popular container signing solutions: Sigstore Cosign, Notary v2, and Docker Content Trust (DCT).
You'll learn about their features, capabilities, and suitability for securing container image supply chains.
More: https://snyk.io/blog/signing-container-images
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Plaid
💰 $215.3K to $322.9K a year
👨💻 Remote from the United States
→ https://kube.careers/t/82ecabe4-3ee3-408e-9e59-de3130fd3475?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
Security Architect with Apollo
💰 $190K to $250K a year
🏠🏃🏻♂️🌎 Alhambra, CA, USA
→ https://kube.careers/t/8a1ea5dc-5d25-4ab0-95c8-d893bdb6249b?s=55
Security Architect with Sigma Computing
💰 $190K to $250K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e6a8ff9b-834f-4e57-bd6f-13b3be3d3b7a?s=55
DevSecOps Engineer with Palo Alto Networks
💰 $180.2K to $236.5K a year
🏠🏃🏻♂️🌎 Santa Clara, CA, USA
→ https://kube.careers/t/c50a52bc-e5ec-43f7-9f4c-bc0103fb9632?s=55
👉 Browse all 448 Kubernetes jobs on Kube Careers https://kube.careers
Reflector is a Kubernetes addon designed to monitor changes to resources (Secrets and ConfigMaps) and reflect changes to mirror resources in the same or other namespaces.
More: https://github.com/emberstack/kubernetes-reflector
In this article, you will learn how envelope encryption works in EKS with KMS through illustrations.
More: https://teamoptimizers.hashnode.dev/envelope-encryption-in-eks
Forwarded from LearnKube news
Kubernetes: 50 namespaces vs 50 control planes vs 50 clusters.
For the last episode of "Building Kubernetes platforms", we decided to run an experiment: how much does multi-tenancy cost?
We created three scenarios:
- 50 tenants using the Hierarchical Namespace Controller.
- 50 tenants using vCluster.
- 50 dedicated clusters managed via Karmada.
Which one was the most expensive?
Spoiler: the dedicated clusters are very expensive.
But is it worth the investment?
Chris will cover it live on Thursday!
📆 Thu, 14th Mar
⏰ 8am PT | 5pm CET
👉 https://www.vcluster.com/event/workshop-series-3/
AWS ACM Private CA is a module of the AWS Certificate Manager that can set up and manage private CAs.
This project acts as an addon to cert-manager that signs off certificate requests using AWS PCA.
More: https://github.com/cert-manager/aws-privateca-issuer
Forwarded from KubeFM
Service meshes and the community's opinion of them have changed drastically over the years.
From being perceived as unnecessary, complicated and bloated, they matured into security and observability powerhouses (while still retaining much of their complexity).
In this KubeFM episode, William deep dives into the world of service meshes and explains a few of the technical choices and trade-offs of service meshes in simple terms.
You will learn:
- What a service mesh is and how it is designed (i.e. control plane and data plane).
- How Ambient mesh departs from the traditional sidecar model and how that affects reliability and security.
- Why there's more than just eBPF in sidecarless service meshes, and the limitations of this technology.
- The direct costs (compute) and human factors involved in operating a service mesh.
Watch (or listen to) it here: https://kube.fm/service-mesh-william
This article takes a comprehensive look at the OWASP Kubernetes Top 10, discusses each risk in detail, and provides recommendations for mitigating it.
Finally, you'll look at tools and techniques for auditing your configuration.
More: https://medium.com/@seifeddinerajhi/owasp-kubernetes-top-10-a-comprehensive-guide-f03af6fd66ed
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
✍️ Signing container images: sigstore, Notary, and Docker content trust
✉️ Envelope encryption in EKS
🏅 OWASP Kubernetes top 10
🗃️ imgpkg
🛜 webmesh-cni
Read it now: https://learnk8s.io/issues/70
The AWS provider for the Secrets Store CSI Driver allows you to fetch secrets from AWS Secrets Manager and AWS Systems Manager Parameter Store and mount them into Kubernetes pods.
More: https://github.com/aws/secrets-store-csi-driver-provider-aws
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Plaid
💰 $215.3K to $322.9K a year
👨💻 Remote from the United States
→ https://kube.careers/t/82ecabe4-3ee3-408e-9e59-de3130fd3475?s=55
DevSecOps Engineer with Hinge Health
💰 $189K to $283K a year
🏠🏃🏻♂️🌎 San Francisco, CA, USA
→ https://kube.careers/t/7848823a-5edb-406f-86f8-a505220dc8e4?s=55
DevSecOps Engineer with PagerDuty
💰 $176K to $277K a year
🏠 From the office in Atlanta, GA, USA
→ https://kube.careers/t/f7204480-93a6-477a-996f-eee9e4c5f9bd?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
Security Architect with Apollo
💰 $190K to $250K a year
🏠🏃🏻♂️🌎 Alhambra, CA, USA
→ https://kube.careers/t/8a1ea5dc-5d25-4ab0-95c8-d893bdb6249b?s=55
👉 Browse all 456 Kubernetes jobs on Kube Careers https://kube.careers
In this article, you'll find instructions for setting up and installing Pod Security Admission (PSA), step-by-step migration guides to transition from Pod Security Policies (PSP) to PSA, and precise commands for transferring existing PSP rules to PSA.
More: https://hackernoon.com/migrating-from-pod-security-policies-a-comprehensive-guide-part-1-transitioning-to-psa
Learn to auto-update Kubernetes secrets via External Secrets Operator and secret managers like GCP secret manager.
The guide covers secret rotation, syncing, Helm installation, and TLS management.
More: https://medium.com/linux-shots/sync-kubernetes-secrets-with-cloud-native-secret-managers-e24095472a24
Validating Admission Policies makes it easy to write, enforce and use policies in Kubernetes without needing a third-party tool.
Learn how to use them in this article.
More: https://eminalemdar.medium.com/policy-management-in-kubernetes-is-changing-9d4808f548a0
Forwarded from KubeFM
Ensuring the repeatability of your infrastructure is a crucial aspect of managing Kubernetes clusters.
This allows you to swiftly tear down and set up a new one, a practice that is quite handy.
However, there are exceptional circumstances when your cluster becomes more than a disposable tool.
Dan shared, "A Kubernetes cluster will be treated as disposable until you deploy ingress, and then it becomes a pet."
In this episode, you will delve into the concept of 'disposable' and 'pet' Kubernetes clusters and learn:
- How you can use GitOps to create a repeatable infrastructure that syncs.
- How resources such as the Ingress and external-dns require careful maintenance and monitoring, which is what turns your cluster into a pet.
- How Crossplane and vCluster help you define repeatable environments that stay disposable.
- All the flavours of Argo: Workflows, Autopilot, CD, etc., and "Project", a newer abstraction for managing apps across environments.
Watch (or listen to) it here: https://kube.fm/ingress-gitops-dan
In this tutorial, you will learn how to set up OAuth2 Proxy to pass authentication headers to Kubernetes Dashboard, which doesn't provide its own authentication but instead relies on Kubernetes' own RBAC authorization.
More: https://geek-cookbook.funkypenguin.co.nz/recipes/kubernetes/oauth2-proxy
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
💨 Airflow on Kubernetes for 2 years
📝 Learning apple/pkl
👋 Migrating from Pod Security Policies
👷🏻♂️ Build a Lightweight Internal Developer Platform with Argo CD and Kubernetes Labels
Read it now: https://learnk8s.io/issues/71
In this article, you'll examine the Node authorization mode and the NodeRestriction admission controller.
These components play a crucial role in granting Kubelets the rights and privileges to access the essential resources required for their operation.
More: https://medium.com/@seifeddinerajhi/kubernetes-node-security-the-role-of-kubelet-authorization-366220051cb
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Plaid
💰 $215.3K to $322.9K a year
👨💻 Remote from the United States
→ https://kube.careers/t/82ecabe4-3ee3-408e-9e59-de3130fd3475?s=55
DevSecOps Engineer with Hinge Health
💰 $189K to $283K a year
🏠🏃🏻♂️🌎 San Francisco, CA, USA
→ https://kube.careers/t/7848823a-5edb-406f-86f8-a505220dc8e4?s=55
DevSecOps Engineer with PagerDuty
💰 $176K to $277K a year
🏠 From the office in Atlanta, GA, USA
→ https://kube.careers/t/f7204480-93a6-477a-996f-eee9e4c5f9bd?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
Security Architect with Apollo
💰 $190K to $250K a year
🏠🏃🏻♂️🌎 Alhambra, CA, USA
→ https://kube.careers/t/8a1ea5dc-5d25-4ab0-95c8-d893bdb6249b?s=55
👉 Browse all 448 Kubernetes jobs on Kube Careers https://kube.careers