The article discusses a change in Kubernetes 1.29, where the default admin.conf credential is no longer a member of the system:masters group and a new super-admin.conf credential has been introduced.
More: https://raesene.github.io/blog/2024/01/06/when-is-admin-not-admin
Forwarded from KubeFM
In this KubeFM episode, Hillai and Ronen, security researchers at Wiz, explore the intricacies of hacking Alibaba Cloud's Kubernetes cluster.
They share their experiences and insights on identifying and exploiting vulnerabilities, mainly focusing on misconfigurations and their impact on cloud security.
You will learn:
- How Hillai and Ronen gained access to a Kubernetes cluster through a Postgres database.
- How they moved laterally and managed to obtain push and pull rights to a private container registry.
- Recommendations for securing multi-tenant Kubernetes clusters and maintaining environment hygiene.
Watch (or listen to) it here: https://kube.fm/hacking-alibaba-ronen-hillai
🙏 Many thanks to Sysdig for supporting our work and sponsoring this episode. Make sure to check out their Kubernetes security checklist https://sysdig.com/content/c/sysdig-kubernetessec?x=o_J3ln&utm_source=kubefm&utm_medium=referral&utm_campaign=podcast
With @Birthmarkb "🤌" Farrell
Tetragon enables powerful real-time, eBPF-based security observability and runtime enforcement.
It is Kubernetes-aware and understands identities so that security event detection can be configured to individual workloads.
More: https://tetragon.io
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🥷 Kubernetes webhook used by attackers
👨🏻💼 When is admin not admin? When it's super-admin!
📆 Kubernetes HPA based on events in Google Calendar
🔀 Seamless data exchange with Kafka Connect and Strimzi on Kubernetes at Decathlon
🛑 Database in Kubernetes: is that a good idea?
Read it now: https://learnk8s.io/issues/81
🙏 Many thanks to Otterize for supporting our work and sponsoring this issue. Make sure to check out their intent-based access control platform (and related open-source projects) https://otterize.com?utm_source=lkw
Learn how Snyk security researchers uncovered the Leaky Vessels container breakout Docker vulnerabilities that allow a malicious attacker to break out of a container environment with a controlled Dockerfile under docker build and docker run.
More: https://dev.to/snyk/leaky-vessels-deep-dive-escaping-from-docker-one-syscall-at-a-time-4479
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Applied Intuition
💰 $65K to $400K a year
🏠 From the office in Mountain View, CA, USA
→ https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
DevSecOps Engineer with Crusoe
💰 $210K to $240K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55
DevSecOps Engineer with Opal Security
💰 $140K to $260K a year
🏠🏃🏻♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55
DevSecOps Engineer with iHerb
💰 $162.19K to $221.17K a year
🏠 From the office in Irvine, CA, USA
→ https://kube.careers/t/ae334c71-c968-4ed7-93b2-a1a7d13fe4d8?s=55
👉 Browse all 442 Kubernetes jobs on Kube Careers https://kube.careers
The article discusses automating the building, signing, and verifying of Docker images using tools like Kaniko, Cosign, and Kyverno.
It explains how these tools can be integrated into a GitLab CI/CD pipeline to improve efficiency and security.
More: https://medium.com/@nizepart/automation-of-building-signing-and-verifying-docker-images-kaniko-cosign-kyverno-769d4ccccf3d
Forwarded from KubeFM
Ben Hirschberg, ARMO's CTO, discusses managing network policies at scale by monitoring development and staging clusters and analyzing application behaviour.
This automated process ensures robust network segmentation, closely aligning with zero-trust principles.
Watch the full interview: https://kube.fm/network-security-ben
This interview is a reaction to Ori's episode https://kube.fm/network-policies-ori
In this article, you will learn about Istio AuthorizationPolicies and how they function, as well as an alternative approach to declaring them using IBAC (Intent-Based Access Control).
More: https://otterize.com/blog/Istio-authz-and-ingress-authn
Forwarded from KubeFM
Sam "Frenchie" Stewart, CEO at Ensignia, discusses the importance of admission control in managing policies and protecting against malicious behaviour.
He reflects on his experience with K-Rail, an open-source admission control tool, and recommends modern tools like OPA and Kyverno.
Frenchie emphasizes the need for stringent RBAC configurations to prevent misuse, noting that while these tools are powerful for enforcing security, they can also be exploited if not properly managed.
Watch the full interview: https://kube.fm/secure-policy-frenchie
This interview is a reaction to Alex's episode https://kube.fm/troubleshooting-kernel-alex
Otterize integrates with GitHub repositories to automatically generate pull requests as application access requirements change in the cluster. This enables platform administrators to continuously align security requirements with code updates.
More: https://docs.otterize.com/features/github/tutorials/automated-pull-requests
Forwarded from KubeFM
In this KubeFM episode, Hans, a Principal Cloud engineer, shares his experiences empowering teams to use, build and manage platforms built on Kubernetes.
You will learn:
- How OpenTelemetry and Prometheus shape cluster management and observability.
- The role of tools like ArgoCD and Flux in enabling GitOps and streamlining deployment processes.
- The significance of governance tools such as Gatekeeper and OPA for secure and validated resource creation.
- The benefits of Custom Resource Definitions (CRDs) and operators in automating processes and enhancing the developer experience.
Watch (or listen to) it here: https://kube.fm/platform-engineering-hans
🙏 Many thanks to Sysdig for supporting our work and sponsoring this episode. Make sure to check out their Kubernetes security checklist https://sysdig.com/content/c/sysdig-kubernetessec?x=o_J3ln&utm_source=kubefm&utm_medium=referral&utm_campaign=podcast
With @Birthmarkb "Zero certified" Farrell
The "TunnelVision" attacks reinforce the need for a new security paradigm.
In this article, you will explore how this type of attack can be mitigated in the future and what tools you need.
More: https://otterize.com/blog/moving-beyond-perimeter-security
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🚉 How we are managing a container platform
💧 Leaky Vessels deep dive: escaping from Docker one syscall at a time
🕵️♀️ How to inspect Kubernetes networking
🔧 Removing specific images from all Kubernetes nodes
🌎 Kubernetes resiliency (RTO/RPO) in multi-cluster deployments
Read it now: https://learnk8s.io/issues/82
🙏 Many thanks to StormForgeIO for supporting our work and sponsoring this issue. Make sure to check out their platform to optimise resources and save on your cloud spend https://www.stormforge.io/?utm_campaign=LearnK8s-Q2-24
MKAT is an all-in-one auditing toolkit for identifying common security issues within managed Kubernetes environments.
More: https://github.com/DataDog/managed-kubernetes-auditing-toolkit
The article discusses the importance of secure secret management in Kubernetes deployments, highlighting challenges with native secrets.
It explores the use of External-Secrets Operator and Config-Reloader to automate secret synchronization.
More: https://medium.com/squareops/transforming-kubernetes-secret-management-d6c25f776bca
This project aims to quickly set up Kubernetes deployments with somewhat realistic and controllable traffic and attacks to test load balancing, WAF, and other security solutions in the cluster.
More: https://github.com/kellyjonbrazil/microsim
Forwarded from LearnKube news
Kubernetes doesn't load balance long-lived connections, and some Pods might receive more requests than others.
In this article, you will learn why and how to fix it with client-side load balancing or a proxy.
👉 https://learnk8s.io/kubernetes-long-lived-connections
Forwarded from LearnKube news
The article discusses developing a Kubernetes Admission Controller with Kotlin to address an issue with the Application Routing add-on and Flux on AKS.
More: https://eggboy.medium.com/developing-kubernetes-admission-controller-with-kotlin-fixing-aks-add-on-issue-in-udr-23418ab21d56
This article explores how Zero-Trust with automated IAM can streamline secure access, leveraging Intent-Based Access Control (IBAC) for policy generation and the Otterize OSS credentials and Intents Operator for end-to-end automation.
More: https://otterize.com/blog/iam-automation-for-eks-and-ack
Forwarded from KubeFM
In this KubeFM episode, Stéphane shares his journey of migrating, optimizing and scaling Jenkins on Kubernetes.
He discusses the technical challenges, solutions, and strategies employed.
You will learn:
- How Jenkins on Kubernetes was scaled to handle 10,000 weekly builds.
- How they started their journey in 2015 and how the cluster has evolved in the past nine years.
- The challenges of managing builds in Jenkins: Docker in Docker, Docker out of Docker and KubeVirt.
- The lessons learned in creating ephemeral environments.
Watch (or listen to) it here: https://kube.fm/10k-builds-jenkins-stephane
🙏 Many thanks to CloudBees for supporting our work and sponsoring this episode. Make sure to check out their video on how to use pods as Jenkins agents https://www.youtube.com/watch?v=ZXaorni-icg?utm_source=kubefm
With @Birthmarkb "The barbarian" Farrell