Forwarded from Kube Architect
This article discusses securing front-end applications in Kubernetes with SSL/TLS.
The article also provides a step-by-step guide on deploying a sample front-end application and requesting a certificate.
More: https://semaphoreci.com/blog/kubernetes-ssl-tls
The article discusses the use of advanced Gatekeeper policies in Kubernetes to reject a node assignment under specific conditions.
The author explains the process of node assignment and how to effectively test the policy using a CLI tool called Gator.
More: https://medium.com/nontechcompany/advanced-gatekeeper-policies-rejecting-a-node-assignment-11c9c3a8bb05
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
💥 Reaching the limitations of Linux with environment variables
🏎️ Faster startup times for Kubernetes workloads with Kube Startup CPU Boost
⚔️ Attacking and defending Kubernetes clusters
🧙♀️ A tale of two VLANs
💉 Troubleshooting containers
Read it now: https://learnk8s.io/issues/80
🙏 Many thanks to Komodor for supporting our work and sponsoring this issue. Make sure to check out their Kubernetes troubleshooting platform https://komodor.com/?utm_source=lkw
OPA Image Scanner combines Sysdig Secure image scanner with OPA policy-based rego language to evaluate the scan results and the admission context, providing great flexibility on the admission decision.
More: https://github.com/sysdiglabs/opa-image-scanner
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Applied Intuition
💰 $65K to $400K a year
🏠 From the office in Mountain View, CA, USA
→ https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
DevSecOps Engineer with Crusoe
💰 $210K to $240K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55
DevSecOps Engineer with Opal Security
💰 $140K to $260K a year
🏠🏃🏻♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55
DevSecOps Engineer with Relyance AI
💰 $170K to $200K a year
🏠🏃🏻♂️🌎 San Francisco, CA, USA
→ https://kube.careers/t/2941fe4e-c110-43b2-868e-a669d948b774?s=55
👉 Browse all 426 Kubernetes jobs on Kube Careers https://kube.careers
This article explains how malicious admission controllers can be used to deploy backdoors, emphasizing the importance of surveillance and tools like Falco for detecting such attacks.
More: https://security.padok.fr/en/blog/kubernetes-webhook-attackers
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next courses start in June (online & in Munich): https://learnk8s.io/training
We also run in-person courses and corporate training: https://learnk8s.io/corporate-training
secretgen-controller provides CRDs to specify what secrets must be on the cluster (generated or not). Supports:
- Generating certificates, passwords, RSA keys and SSH keys.
- Generating secrets from data residing in other Kubernetes resources.
More: https://github.com/carvel-dev/secretgen-controller
Forwarded from Kube Careers
What's the average salary for a Kubernetes engineer?
Do you need a Kubernetes certification to apply for a job?
We analyzed 332 Kubernetes job descriptions for the first three months of 2024 and found that:
💰 The average Kubernetes job pays from $147,203 to $205,149 in North America and from €58,691 to €78,161 in Europe.
👵 The majority of the job listings are for Senior Engineers.
🎟️ Certifications are not necessary unless you need to work with AWS.
🐍 If you need to learn a programming language, invest in Python!
This and more insights in the State of Kubernetes Job Market report here: https://kube.careers/state-of-kubernetes-jobs-2024-q1
The article discusses a change in Kubernetes 1.29, where the default admin.conf credential is no longer a member of the system:masters group and a new super-admin.conf credential has been introduced.
More: https://raesene.github.io/blog/2024/01/06/when-is-admin-not-admin
Forwarded from KubeFM
In this KubeFM episode, Hillai and Ronen, security researchers at Wiz, explore the intricacies of hacking Alibaba Cloud's Kubernetes cluster.
They share their experiences and insights on identifying and exploiting vulnerabilities, mainly focusing on misconfigurations and their impact on cloud security.
You will learn:
- How Hillai and Ronen gained access to a Kubernetes cluster through a Postgres database.
- How they moved laterally and managed to obtain push and pull rights to a private container registry.
- Recommendations for securing multi-tenant Kubernetes clusters and maintaining environment hygiene.
Watch (or listen to) it here: https://kube.fm/hacking-alibaba-ronen-hillai
🙏 Many thanks to Sysdig for supporting our work and sponsoring this episode. Make sure to check out their Kubernetes security checklist https://sysdig.com/content/c/sysdig-kubernetessec?x=o_J3ln&utm_source=kubefm&utm_medium=referral&utm_campaign=podcast
With @Birthmarkb "🤌" Farrell
Tetragon enables powerful real-time, eBPF-based security observability and runtime enforcement.
It is Kubernetes-aware and understands identities so that security event detection can be configured to individual workloads.
More: https://tetragon.io
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🥷 Kubernetes webhook used by attackers
👨🏻💼 When is admin not admin? When it's super-admin!
📆 Kubernetes HPA based on events in Google Calendar
🔀 Seamless data exchange with Kafka Connect and Strimzi on Kubernetes at Decathlon
🛑 Database in Kubernetes: is that a good idea?
Read it now: https://learnk8s.io/issues/81
🙏 Many thanks to Otterize for supporting our work and sponsoring this issue. Make sure to check out their intent-based access control platform (and related open-source projects) https://otterize.com?utm_source=lkw
Learn how Snyk security researchers uncovered the Leaky Vessels container breakout Docker vulnerabilities that allow a malicious attacker to break out of a container environment with a controlled Dockerfile under docker build and docker run.
More: https://dev.to/snyk/leaky-vessels-deep-dive-escaping-from-docker-one-syscall-at-a-time-4479
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Applied Intuition
💰 $65K to $400K a year
🏠 From the office in Mountain View, CA, USA
→ https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
DevSecOps Engineer with Crusoe
💰 $210K to $240K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55
DevSecOps Engineer with Opal Security
💰 $140K to $260K a year
🏠🏃🏻♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55
DevSecOps Engineer with iHerb
💰 $162.19K to $221.17K a year
🏠 From the office in Irvine, CA, USA
→ https://kube.careers/t/ae334c71-c968-4ed7-93b2-a1a7d13fe4d8?s=55
👉 Browse all 442 Kubernetes jobs on Kube Careers https://kube.careers
The article discusses automating the building, signing, and verifying of Docker images using tools like Kaniko, Cosign, and Kyverno.
It explains how these tools can be integrated into a GitLab CI/CD pipeline to improve efficiency and security.
More: https://medium.com/@nizepart/automation-of-building-signing-and-verifying-docker-images-kaniko-cosign-kyverno-769d4ccccf3d
Forwarded from KubeFM
Ben Hirschberg, ARMO's CTO, discusses managing network policies at scale by monitoring development and staging clusters and analyzing application behaviour.
This automated process ensures robust network segmentation, closely aligning with zero-trust principles.
Watch the full interview: https://kube.fm/network-security-ben
This interview is a reaction to Ori's episode https://kube.fm/network-policies-ori
In this article, you will learn about Istio AuthorizationPolicies and how they function, as well as an alternative approach to declaring them using IBAC (Intent-Based Access Control).
More: https://otterize.com/blog/Istio-authz-and-ingress-authn
Forwarded from KubeFM
Sam "Frenchie" Stewart, CEO at Ensignia, discusses the importance of admission control in managing policies and protecting against malicious behaviour.
He reflects on his experience with K-Rail, an open-source admission control tool, and recommends modern tools like OPA and Kyverno.
Frenchie emphasizes the need for stringent RBAC configurations to prevent misuse, noting that while these tools are powerful for enforcing security, they can also be exploited if not properly managed.
Watch the full interview: https://kube.fm/secure-policy-frenchie
This interview is a reaction to Alex's episode https://kube.fm/troubleshooting-kernel-alex
Otterize integrates with GitHub repositories to automatically generate pull requests as application access requirements change in the cluster. This enables platform administrators to continuously align security requirements with code updates.
More: https://docs.otterize.com/features/github/tutorials/automated-pull-requests
Forwarded from KubeFM
In this KubeFM episode, Hans, a Principal Cloud engineer, shares his experiences empowering teams to use, build and manage platforms built on Kubernetes.
You will learn:
- How OpenTelemetry and Prometheus shape cluster management and observability.
- The role of tools like ArgoCD and Flux in enabling GitOps and streamlining deployment processes.
- The significance of governance tools such as Gatekeeper and OPA for secure and validated resource creation.
- The benefits of Custom Resource Definitions (CRDs) and operators in automating processes and enhancing the developer experience.
Watch (or listen to) it here: https://kube.fm/platform-engineering-hans
🙏 Many thanks to Sysdig for supporting our work and sponsoring this episode. Make sure to check out their Kubernetes security checklist https://sysdig.com/content/c/sysdig-kubernetessec?x=o_J3ln&utm_source=kubefm&utm_medium=referral&utm_campaign=podcast
With @Birthmarkb "Zero certified" Farrell