Ascenda Loyalty's team encountered issues with pods stuck in ContainerCreating due to maxing out pod ENIs, a limitation when using security groups for pods.

The fix involved reducing ENI usage and addressing discrepancies caused by db migration jobs.

More: https://dev.to/hazmei/eks-pods-stuck-in-initcontainercreating-state-14ch

Kyverno and Gatekeeper are robust policy engines with similar features and use cases.

In this article, the author argues that Kyverno stands out for its ease of use and straightforward policy composition.

More: https://medium.com/@glen.yu/why-i-prefer-kyverno-over-gatekeeper-for-native-kubernetes-policy-management-35a05bb94964

Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

The next courses start in June (online & in Munich): https://learnk8s.io/training

We also run in-person courses and corporate training: https://learnk8s.io/corporate-training

DaemonSets in Kubernetes offer a convenient way for sysadmins to deploy system-level services across a cluster, but using them for privileged and non-isolated workloads raises security concerns.

Learn why in this article.

More: https://lobuhisec.medium.com/daemonsets-the-philosophers-stone-of-lazy-sysadmins-0183bae8a75d

With a passion for security and a knack for troubleshooting, Jennifer Luther Thomas, a Technical Marketing Engineer at Tigera, discusses the critical role of network policies in Kubernetes security, the complexities involved in their implementation, and the balance between security and manageability.

In this KubeFM episode, you will learn:

- The importance of observability in troubleshooting network policies and how it aids in debugging complex issues.
- The trade-offs between the complexity of network policies and the security benefits they provide.
- The skills, thought process and humility behind troubleshooting technologies you are unfamiliar with.

Watch (or listen to) it here: https://kube.fm/network-observability-jen

🙏 Many thanks to Otterize for supporting our work and sponsoring this episode. Make sure to check out their product for automating policies and zero-trust security! https://otterize.com

With 🎙Bart "La falsa modestia" Farrell

Restricting kubectl exec in Kubernetes is crucial for maintaining a secure and compliant environment.

In this article, you'll learn how to leverage Gatekeeper to safeguard your Kubernetes environment.

More: https://medium.com/@javier-canizalez/policy-enforcement-in-kubernetes-restricting-kubectl-exec-with-gatekeeper-7e99823465c9

This week on the Learn Kubernetes Weekly:

🙅‍♀️ conntrack limiting your Gateway
👀 Lookup in Helm Charts
🐝 Cilium native routing
🛑 EKS pods stuck
🗿 DaemonSets: the Philosopher’s Stone of lazy sysadmins

Read it now: https://learnk8s.io/issues/78

Kubernetes Goat is a **Vulnerable by Design" cluster environment where you can learn and practice Kubernetes security using an interactive, hands-on playground.

More: https://github.com/madhuakula/kubernetes-goat

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Anthropic
💰 $300K to $405K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/6a4b5616-64d0-4855-9e10-a0c2b7cefcca?s=55

DevSecOps Engineer with Applied Intuition
💰 $65K to $400K a year
🏠 From the office in Mountain View, CA, USA
→ https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55

DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55

DevSecOps Engineer with Crusoe
💰 $210K to $240K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55

DevSecOps Engineer with Opal Security
💰 $140K to $260K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55

👉 Browse all 459 Kubernetes jobs on Kube Careers https://kube.careers

This article explores browsing websites through a Kubernetes pod by setting up a tunnel for traffic, encountering challenges with CSRF protection, and finding workarounds like modifying headers or using an MITM proxy.

More: https://medium.com/@marius94/browsing-websites-through-a-kubernetes-pod-7daea324c8b7

netfetch is a tool designed to scan Kubernetes namespaces for network policies and check whether a network policy targets your workloads.

More: https://github.com/deggja/netfetch

The article discusses Trivy, a tool for security scanning in CI/CD pipelines and Kubernetes clusters.

It highlights the shift-left paradigm in identifying potential issues early in development.

More: https://moshe0076.hashnode.dev/trivy-shifting-security-from-right-to-left-and-then-right-again

In this KubeFM episode, Mircea shares his journey of migrating a home lab to Kubernetes, specifically choosing Talos over other operating systems like Ubuntu, Flatcar, or Bottlerocket.

Mircea also discusses his decision-making process and experiences in setting up and optimizing his Kubernetes home lab. You will learn:

- What is Talos Linux and how it compares to other operating systems.
- The challenges and considerations involved in migrating to Kubernetes, including selecting network plugins and GitOps.
- Insights into managing and securing Kubernetes clusters, focusing on the advantages of immutable operating systems.

Watch (or listen to) it here: https://kube.fm/talos-mircea

🙏 Many thanks to DigitalOcean for supporting our work and sponsoring this episode. Make sure to check out their managed Kubernetes service (and enjoy $200 free credits) https://do.co/kubefm

With @Birthmarkb "Crazy Rich Asian" Farrell

The registry-creds operator propagates a single ImagePullSecret to all namespaces within your cluster so that images can be pulled using authentication.

More: https://github.com/alexellis/registry-creds

This week on the Learn Kubernetes Weekly:

🐦‍⬛ The basics of observing Kubernetes
🔵 From blue to green: EKS upgrade
🤿 A deeper dive of kube-scheduler
⚒️ Writing custom kubectl commands
🪝 Helm Hooks for fun and profit

Read it now: https://learnk8s.io/issues/79

This article considers various techniques in offensive Kubernetes security related to RBAC, Kubelet, Etcd, EKS, and admission controllers.

More: https://medium.com/@noah_h/top-offensive-techniques-for-kubernetes-a71399d133b2

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Applied Intuition
💰 $65K to $400K a year
🏠 From the office in Mountain View, CA, USA
→ https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55

DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55

DevSecOps Engineer with Crusoe
💰 $210K to $240K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55

DevSecOps Engineer with Opal Security
💰 $140K to $260K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55

DevSecOps Engineer with Relyance AI
💰 $170K to $200K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA, USA
→ https://kube.careers/t/2941fe4e-c110-43b2-868e-a669d948b774?s=55

👉 Browse all 450 Kubernetes jobs on Kube Careers https://kube.careers

Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

The next courses start in June (online & in Munich): https://learnk8s.io/training

We also run in-person courses and corporate training: https://learnk8s.io/corporate-training

The tutorial discusses the importance of using signed and encrypted container images to enhance security in Kubernetes workloads.

It uses Podman to create, sign, and verify container images on standalone systems and Kubernetes clusters.

More: https://pradiptabanerjee.medium.com/securing-kubernetes-workloads-a-practical-approach-to-signed-and-encrypted-container-images-ff6e98b65bcd

This article explores Kubernetes clusters' vulnerabilities, demonstrating an attack using the MITRE att&ck matrix.

It also discusses defense strategies, including contacting the GCP metadata api and implementing security best practices.

More: https://medium.com/@ridhoadya/unveiling-the-battlefield-attacking-and-defending-kubernetes-clusters-9702cdbe941a

This tutorial discusses how network policies can restrict pod communication, showcases examples of implementing policies with Calico, and highlights the importance of defining rules for pod communication within namespaces.

More: https://sagarkrp.medium.com/calico-and-kubernetes-a-perfect-pair-for-robust-network-policy-2b91eb4eec44