kubelogin is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication, also known as kubectl oidc-login.

More: https://github.com/int128/kubelogin

Chaos Mesh brings various types of fault simulation to Kubernetes and can orchestrate fault scenarios.

It helps you simulate various abnormalities that might occur in reality during the development, testing, and production.

More: https://chaos-mesh.org

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Anthropic
💰 $300K to $405K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/6a4b5616-64d0-4855-9e10-a0c2b7cefcca?s=55

DevSecOps Engineer with Plaid
💰 $215.3K to $322.9K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/82ecabe4-3ee3-408e-9e59-de3130fd3475?s=55

DevSecOps Engineer with Applied Intuition
💰 $65K to $400K a year
🏠 From the office in Mountain View, CA, USA
→ https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55

DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55

DevSecOps Engineer with Crusoe
💰 $210K to $240K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55

👉 Browse all 437 Kubernetes jobs on Kube Careers https://kube.careers

This article argues, and demonstrates that Distroless containers are not immune to unconventional hacking methods just because shell programs aren't included in the image.

More: https://medium.com/@hkoushik/abusing-a-distroless-container-afb74a6dc162

In this article, you'll learn how to secure EKS by intentionally attaching the wrong policies to pods and hacking the cluster.

You will misconfigure AWS Identity and Access Management (IAM) roles for the service accounts (IRSA) feature.

More: https://medium.com/@bingolbalihasan/hacking-kubernetes-in-aws-54f4681f1478

This article teaches how to use the Secrets Store CSI driver to mount secrets to Kubernetes pods and covers how to configure and simulate the CSI driver failover feature.

More: https://medium.com/@dksoni4530/how-to-use-the-secrets-store-csi-driver-to-mount-secrets-to-kubernetes-pods-e0e61b481d79

In this KubeFM episode, Alexander Block delves into the intricacies of Kubernetes templating and deployment tools, sharing his journey from frustration with existing solutions to creating his tool, kluctl.

Alex also discusses the challenges and solutions in Kubernetes templating and deployment, emphasizing the need for more adaptable tools in the Kubernetes ecosystem.

You will learn:

- The fundamental flaws of Helm and how they impact Kubernetes deployments and tools packaging.
- How tools such as Kustomize, CUE, jsonnet are only a partial solution to templating.
- Alternatives to Helm and the future of Kubernetes resource templating and distribution.

Watch (or listen to) it here: https://kube.fm/kluctl-templating-codablock

KBOM (Kubernetes Bill of Materials) is a CLI tool that can generate a software bill of materials for your Kubernetes cluster.

More: https://github.com/ksoclabs/kbom

This week on the Learn Kubernetes Weekly:

👆 Moving up the stack
✂️ Cut container startup time
😈 Abusing Distroless
🥷 Hacking Kubernetes in AWS
🤔 2vCPU app run faster in a VM than in a container

Read it now: https://learnk8s.io/issues/77

Container image hardening involves adhering to best practices, monitoring vulnerabilities, and enhancing container security.

This article provides guidelines to mitigate risks in running Docker containers in production.

More: https://medium.com/@SecurityArchitect/hardening-container-images-best-practices-and-examples-for-docker-e941263cab13

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Anthropic
💰 $300K to $405K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/6a4b5616-64d0-4855-9e10-a0c2b7cefcca?s=55

DevSecOps Engineer with Plaid
💰 $215.3K to $322.9K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/82ecabe4-3ee3-408e-9e59-de3130fd3475?s=55

DevSecOps Engineer with Applied Intuition
💰 $65K to $400K a year
🏠 From the office in Mountain View, CA, USA
→ https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55

DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55

DevSecOps Engineer with Crusoe
💰 $210K to $240K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55

👉 Browse all 447 Kubernetes jobs on Kube Careers https://kube.careers

In this article, you'll learn how to store secrets while ensuring multi-tenancy, local work and scalability with:

- SSM Parameter Store to store configs and secrets.
- IAM to restrict access.
- KMS to encrypt/decrypt secrets.
- External Secret Operator.

More: https://medium.com/@geoffrey.muselli/secret-management-in-eks-using-ssm-parameter-store-kms-and-eso-e00a8f63bb4a

Ascenda Loyalty's team encountered issues with pods stuck in ContainerCreating due to maxing out pod ENIs, a limitation when using security groups for pods.

The fix involved reducing ENI usage and addressing discrepancies caused by db migration jobs.

More: https://dev.to/hazmei/eks-pods-stuck-in-initcontainercreating-state-14ch

Kyverno and Gatekeeper are robust policy engines with similar features and use cases.

In this article, the author argues that Kyverno stands out for its ease of use and straightforward policy composition.

More: https://medium.com/@glen.yu/why-i-prefer-kyverno-over-gatekeeper-for-native-kubernetes-policy-management-35a05bb94964

Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

The next courses start in June (online & in Munich): https://learnk8s.io/training

We also run in-person courses and corporate training: https://learnk8s.io/corporate-training

DaemonSets in Kubernetes offer a convenient way for sysadmins to deploy system-level services across a cluster, but using them for privileged and non-isolated workloads raises security concerns.

Learn why in this article.

More: https://lobuhisec.medium.com/daemonsets-the-philosophers-stone-of-lazy-sysadmins-0183bae8a75d

With a passion for security and a knack for troubleshooting, Jennifer Luther Thomas, a Technical Marketing Engineer at Tigera, discusses the critical role of network policies in Kubernetes security, the complexities involved in their implementation, and the balance between security and manageability.

In this KubeFM episode, you will learn:

- The importance of observability in troubleshooting network policies and how it aids in debugging complex issues.
- The trade-offs between the complexity of network policies and the security benefits they provide.
- The skills, thought process and humility behind troubleshooting technologies you are unfamiliar with.

Watch (or listen to) it here: https://kube.fm/network-observability-jen

🙏 Many thanks to Otterize for supporting our work and sponsoring this episode. Make sure to check out their product for automating policies and zero-trust security! https://otterize.com

With 🎙Bart "La falsa modestia" Farrell

Restricting kubectl exec in Kubernetes is crucial for maintaining a secure and compliant environment.

In this article, you'll learn how to leverage Gatekeeper to safeguard your Kubernetes environment.

More: https://medium.com/@javier-canizalez/policy-enforcement-in-kubernetes-restricting-kubectl-exec-with-gatekeeper-7e99823465c9

This week on the Learn Kubernetes Weekly:

🙅‍♀️ conntrack limiting your Gateway
👀 Lookup in Helm Charts
🐝 Cilium native routing
🛑 EKS pods stuck
🗿 DaemonSets: the Philosopher’s Stone of lazy sysadmins

Read it now: https://learnk8s.io/issues/78

Kubernetes Goat is a **Vulnerable by Design" cluster environment where you can learn and practice Kubernetes security using an interactive, hands-on playground.

More: https://github.com/madhuakula/kubernetes-goat

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Anthropic
💰 $300K to $405K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/6a4b5616-64d0-4855-9e10-a0c2b7cefcca?s=55

DevSecOps Engineer with Applied Intuition
💰 $65K to $400K a year
🏠 From the office in Mountain View, CA, USA
→ https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55

DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55

DevSecOps Engineer with Crusoe
💰 $210K to $240K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55

DevSecOps Engineer with Opal Security
💰 $140K to $260K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55

👉 Browse all 459 Kubernetes jobs on Kube Careers https://kube.careers