The article discusses Trivy, a tool for security scanning in CI/CD pipelines and Kubernetes clusters.
It highlights the shift-left paradigm in identifying potential issues early in development.
More: https://moshe0076.hashnode.dev/trivy-shifting-security-from-right-to-left-and-then-right-again
Forwarded from KubeFM
In this KubeFM episode, Mircea shares his journey of migrating a home lab to Kubernetes, specifically choosing Talos over other operating systems like Ubuntu, Flatcar, or Bottlerocket.
Mircea also discusses his decision-making process and experiences in setting up and optimizing his Kubernetes home lab. You will learn:
- What is Talos Linux and how it compares to other operating systems.
- The challenges and considerations involved in migrating to Kubernetes, including selecting network plugins and GitOps.
- Insights into managing and securing Kubernetes clusters, focusing on the advantages of immutable operating systems.
Watch (or listen to) it here: https://kube.fm/talos-mircea
🙏 Many thanks to DigitalOcean for supporting our work and sponsoring this episode. Make sure to check out their managed Kubernetes service (and enjoy $200 free credits) https://do.co/kubefm
With @Birthmarkb "Crazy Rich Asian" Farrell
The registry-creds operator propagates a single ImagePullSecret to all namespaces within your cluster so that images can be pulled using authentication.
More: https://github.com/alexellis/registry-creds
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🐦⬛ The basics of observing Kubernetes
🔵 From blue to green: EKS upgrade
🤿 A deeper dive of kube-scheduler
⚒️ Writing custom kubectl commands
🪝 Helm Hooks for fun and profit
Read it now: https://learnk8s.io/issues/79
This article considers various techniques in offensive Kubernetes security related to RBAC, Kubelet, Etcd, EKS, and admission controllers.
More: https://medium.com/@noah_h/top-offensive-techniques-for-kubernetes-a71399d133b2
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Applied Intuition
💰 $65K to $400K a year
🏠 From the office in Mountain View, CA, USA
→ https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
DevSecOps Engineer with Crusoe
💰 $210K to $240K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55
DevSecOps Engineer with Opal Security
💰 $140K to $260K a year
🏠🏃🏻♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55
DevSecOps Engineer with Relyance AI
💰 $170K to $200K a year
🏠🏃🏻♂️🌎 San Francisco, CA, USA
→ https://kube.careers/t/2941fe4e-c110-43b2-868e-a669d948b774?s=55
👉 Browse all 450 Kubernetes jobs on Kube Careers https://kube.careers
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next courses start in June (online & in Munich): https://learnk8s.io/training
We also run in-person courses and corporate training: https://learnk8s.io/corporate-training
The tutorial discusses the importance of using signed and encrypted container images to enhance security in Kubernetes workloads.
It uses Podman to create, sign, and verify container images on standalone systems and Kubernetes clusters.
More: https://pradiptabanerjee.medium.com/securing-kubernetes-workloads-a-practical-approach-to-signed-and-encrypted-container-images-ff6e98b65bcd
This article explores Kubernetes clusters' vulnerabilities, demonstrating an attack mapped to the MITRE ATT&CK matrix.
It also discusses defense strategies, including the GCP metadata API and implementing security best practices.
More: https://medium.com/@ridhoadya/unveiling-the-battlefield-attacking-and-defending-kubernetes-clusters-9702cdbe941a
This tutorial discusses how network policies can restrict pod communication, showcases examples of implementing policies with Calico, and highlights the importance of defining rules for pod communication within namespaces.
More: https://sagarkrp.medium.com/calico-and-kubernetes-a-perfect-pair-for-robust-network-policy-2b91eb4eec44
Forwarded from KubeFM
In this KubeFM episode, Faris shares his experience managing CoreDNS and scaling Kubernetes clusters with 900 nodes and 15k pods.
He shares the challenges and solutions encountered during an incident, providing valuable insights into maintaining a robust Kubernetes environment.
You will learn:
- The importance of scaling the Kubernetes control plane for large clusters.
- Strategies for optimizing CoreDNS to ensure efficient DNS resolution and prevent incidents.
- The pros and cons of using VictoriaMetrics versus Prometheus for monitoring and observability.
Watch (or listen to) it here: https://kube.fm/coredns-scaling-farris
🙏 Many thanks to Datadog for supporting our work and sponsoring this episode. Make sure to check out their platform for monitoring CoreDNS alongside the rest of your stack (try it free for 14 days and get a free t-shirt) https://datadoghq.com/kubefm
With @Birthmarkb "Picasso" Farrell
Forwarded from Kube Architect
This article discusses securing front-end applications in Kubernetes with SSL/TLS.
The article also provides a step-by-step guide on deploying a sample front-end application and requesting a certificate.
More: https://semaphoreci.com/blog/kubernetes-ssl-tls
The article discusses the use of advanced Gatekeeper policies in Kubernetes to reject a node assignment under specific conditions.
The author explains the process of node assignment and how to effectively test the policy using a CLI tool called Gator.
More: https://medium.com/nontechcompany/advanced-gatekeeper-policies-rejecting-a-node-assignment-11c9c3a8bb05
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
💥 Reaching the limitations of Linux with environment variables
🏎️ Faster startup times for Kubernetes workloads with Kube Startup CPU Boost
⚔️ Attacking and defending Kubernetes clusters
🧙♀️ A tale of two VLANs
💉 Troubleshooting containers
Read it now: https://learnk8s.io/issues/80
🙏 Many thanks to Komodor for supporting our work and sponsoring this issue. Make sure to check out their Kubernetes troubleshooting platform https://komodor.com/?utm_source=lkw
OPA Image Scanner combines the Sysdig Secure image scanner with OPA's policy language, Rego, to evaluate the scan results together with the admission context, giving great flexibility over the admission decision.
More: https://github.com/sysdiglabs/opa-image-scanner
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Applied Intuition
💰 $65K to $400K a year
🏠 From the office in Mountain View, CA, USA
→ https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
DevSecOps Engineer with Crusoe
💰 $210K to $240K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55
DevSecOps Engineer with Opal Security
💰 $140K to $260K a year
🏠🏃🏻♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55
DevSecOps Engineer with Relyance AI
💰 $170K to $200K a year
🏠🏃🏻♂️🌎 San Francisco, CA, USA
→ https://kube.careers/t/2941fe4e-c110-43b2-868e-a669d948b774?s=55
👉 Browse all 426 Kubernetes jobs on Kube Careers https://kube.careers
This article explains how malicious admission controllers can be used to deploy backdoors, emphasizing the importance of surveillance and tools like Falco for detecting such attacks.
More: https://security.padok.fr/en/blog/kubernetes-webhook-attackers
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next courses start in June (online & in Munich): https://learnk8s.io/training
We also run in-person courses and corporate training: https://learnk8s.io/corporate-training
secretgen-controller provides CRDs to specify what secrets must be on the cluster (generated or not). Supports:
- Generating certificates, passwords, RSA keys and SSH keys.
- Generating secrets from data residing in other Kubernetes resources.
More: https://github.com/carvel-dev/secretgen-controller
Forwarded from Kube Careers
What's the average salary for a Kubernetes engineer?
Do you need a Kubernetes certification to apply for a job?
We analyzed 332 Kubernetes job descriptions for the first three months of 2024 and found that:
💰 The average Kubernetes job pays from $147,203 to $205,149 in North America and from €58,691 to €78,161 in Europe.
👵 The majority of the job listings are for Senior Engineers.
🎟️ Certifications are not necessary unless you need to work with AWS.
🐍 If you need to learn a programming language, invest in Python!
This and more insights in the State of Kubernetes Job Market report here: https://kube.careers/state-of-kubernetes-jobs-2024-q1
The article discusses a change in Kubernetes 1.29, where the default admin.conf credential is no longer a member of the system:masters group and a new super-admin.conf credential has been introduced.
More: https://raesene.github.io/blog/2024/01/06/when-is-admin-not-admin