With a passion for security and a knack for troubleshooting, Jennifer Luther Thomas, a Technical Marketing Engineer at Tigera, discusses the critical role of network policies in Kubernetes security, the complexities involved in their implementation, and the balance between security and manageability.

In this KubeFM episode, you will learn:

- The importance of observability in troubleshooting network policies and how it aids in debugging complex issues.
- The trade-offs between the complexity of network policies and the security benefits they provide.
- The skills, thought process and humility behind troubleshooting technologies you are unfamiliar with.

Watch (or listen to) it here: https://kube.fm/network-observability-jen

🙏 Many thanks to Otterize for supporting our work and sponsoring this episode. Make sure to check out their product for automating policies and zero-trust security! https://otterize.com

With 🎙Bart "La falsa modestia" Farrell

Restricting kubectl exec in Kubernetes is crucial for maintaining a secure and compliant environment.

In this article, you'll learn how to leverage Gatekeeper to safeguard your Kubernetes environment.

More: https://medium.com/@javier-canizalez/policy-enforcement-in-kubernetes-restricting-kubectl-exec-with-gatekeeper-7e99823465c9

This week on the Learn Kubernetes Weekly:

🙅‍♀️ conntrack limiting your Gateway
👀 Lookup in Helm Charts
🐝 Cilium native routing
🛑 EKS pods stuck
🗿 DaemonSets: the Philosopher’s Stone of lazy sysadmins

Read it now: https://learnk8s.io/issues/78

Kubernetes Goat is a **Vulnerable by Design" cluster environment where you can learn and practice Kubernetes security using an interactive, hands-on playground.

More: https://github.com/madhuakula/kubernetes-goat

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Anthropic
💰 $300K to $405K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/6a4b5616-64d0-4855-9e10-a0c2b7cefcca?s=55

DevSecOps Engineer with Applied Intuition
💰 $65K to $400K a year
🏠 From the office in Mountain View, CA, USA
→ https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55

DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55

DevSecOps Engineer with Crusoe
💰 $210K to $240K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55

DevSecOps Engineer with Opal Security
💰 $140K to $260K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55

👉 Browse all 459 Kubernetes jobs on Kube Careers https://kube.careers

This article explores browsing websites through a Kubernetes pod by setting up a tunnel for traffic, encountering challenges with CSRF protection, and finding workarounds like modifying headers or using an MITM proxy.

More: https://medium.com/@marius94/browsing-websites-through-a-kubernetes-pod-7daea324c8b7

netfetch is a tool designed to scan Kubernetes namespaces for network policies and check whether a network policy targets your workloads.

More: https://github.com/deggja/netfetch

The article discusses Trivy, a tool for security scanning in CI/CD pipelines and Kubernetes clusters.

It highlights the shift-left paradigm in identifying potential issues early in development.

More: https://moshe0076.hashnode.dev/trivy-shifting-security-from-right-to-left-and-then-right-again

In this KubeFM episode, Mircea shares his journey of migrating a home lab to Kubernetes, specifically choosing Talos over other operating systems like Ubuntu, Flatcar, or Bottlerocket.

Mircea also discusses his decision-making process and experiences in setting up and optimizing his Kubernetes home lab. You will learn:

- What is Talos Linux and how it compares to other operating systems.
- The challenges and considerations involved in migrating to Kubernetes, including selecting network plugins and GitOps.
- Insights into managing and securing Kubernetes clusters, focusing on the advantages of immutable operating systems.

Watch (or listen to) it here: https://kube.fm/talos-mircea

🙏 Many thanks to DigitalOcean for supporting our work and sponsoring this episode. Make sure to check out their managed Kubernetes service (and enjoy $200 free credits) https://do.co/kubefm

With @Birthmarkb "Crazy Rich Asian" Farrell

The registry-creds operator propagates a single ImagePullSecret to all namespaces within your cluster so that images can be pulled using authentication.

More: https://github.com/alexellis/registry-creds

This week on the Learn Kubernetes Weekly:

🐦‍⬛ The basics of observing Kubernetes
🔵 From blue to green: EKS upgrade
🤿 A deeper dive of kube-scheduler
⚒️ Writing custom kubectl commands
🪝 Helm Hooks for fun and profit

Read it now: https://learnk8s.io/issues/79

This article considers various techniques in offensive Kubernetes security related to RBAC, Kubelet, Etcd, EKS, and admission controllers.

More: https://medium.com/@noah_h/top-offensive-techniques-for-kubernetes-a71399d133b2

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Applied Intuition
💰 $65K to $400K a year
🏠 From the office in Mountain View, CA, USA
→ https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55

DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55

DevSecOps Engineer with Crusoe
💰 $210K to $240K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55

DevSecOps Engineer with Opal Security
💰 $140K to $260K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55

DevSecOps Engineer with Relyance AI
💰 $170K to $200K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA, USA
→ https://kube.careers/t/2941fe4e-c110-43b2-868e-a669d948b774?s=55

👉 Browse all 450 Kubernetes jobs on Kube Careers https://kube.careers

Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

The next courses start in June (online & in Munich): https://learnk8s.io/training

We also run in-person courses and corporate training: https://learnk8s.io/corporate-training

The tutorial discusses the importance of using signed and encrypted container images to enhance security in Kubernetes workloads.

It uses Podman to create, sign, and verify container images on standalone systems and Kubernetes clusters.

More: https://pradiptabanerjee.medium.com/securing-kubernetes-workloads-a-practical-approach-to-signed-and-encrypted-container-images-ff6e98b65bcd

This article explores Kubernetes clusters' vulnerabilities, demonstrating an attack using the MITRE att&ck matrix.

It also discusses defense strategies, including contacting the GCP metadata api and implementing security best practices.

More: https://medium.com/@ridhoadya/unveiling-the-battlefield-attacking-and-defending-kubernetes-clusters-9702cdbe941a

This tutorial discusses how network policies can restrict pod communication, showcases examples of implementing policies with Calico, and highlights the importance of defining rules for pod communication within namespaces.

More: https://sagarkrp.medium.com/calico-and-kubernetes-a-perfect-pair-for-robust-network-policy-2b91eb4eec44

In this KubeFM episode, Faris shares his experience managing CoreDNS and scaling Kubernetes clusters with 900 nodes and 15k pods.

He shares the challenges and solutions encountered during an incident, providing valuable insights into maintaining a robust Kubernetes environment.

You will learn:

- The importance of scaling the Kubernetes control plane for large clusters.
- Strategies for optimizing CoreDNS to ensure efficient DNS resolution and prevent incidents.
- The pros and cons of using VictoriaMetrics versus Prometheus for monitoring and observability.

Watch (or listen to) it here: https://kube.fm/coredns-scaling-farris

🙏 Many thanks to Datadog for supporting our work and sponsoring this episode. Make sure to check out their platform for monitoring CoreDNS alongside the rest of your stack (try it free for 14 days and get a free t-shirt) https://datadoghq.com/kubefm

With @Birthmarkb "Picasso" Farrell

This article discusses securing front-end applications in Kubernetes with SSL/TLS.

The article also provides a step-by-step guide on deploying a sample front-end application and requesting a certificate.

More: https://semaphoreci.com/blog/kubernetes-ssl-tls

The article discusses the use of advanced Gatekeeper policies in Kubernetes to reject a node assignment under specific conditions.

The author explains the process of node assignment and how to effectively test the policy using a CLI tool called Gator.

More: https://medium.com/nontechcompany/advanced-gatekeeper-policies-rejecting-a-node-assignment-11c9c3a8bb05

This week on the Learn Kubernetes Weekly:

💥 Reaching the limitations of Linux with environment variables
🏎️ Faster startup times for Kubernetes workloads with Kube Startup CPU Boost
⚔️ Attacking and defending Kubernetes clusters
🧙‍♀️ A tale of two VLANs
💉 Troubleshooting containers

Read it now: https://learnk8s.io/issues/80

🙏 Many thanks to Komodor for supporting our work and sponsoring this issue. Make sure to check out their Kubernetes troubleshooting platform https://komodor.com/?utm_source=lkw