The article discusses automating the building, signing, and verifying of Docker images using tools like Kaniko, Cosign, and Kyverno.
It explains how these tools can be integrated into a GitLab CI/CD pipeline to improve efficiency and security.
More: https://medium.com/@nizepart/automation-of-building-signing-and-verifying-docker-images-kaniko-cosign-kyverno-769d4ccccf3d
Forwarded from KubeFM
Ben Hirschberg, ARMO's CTO, discusses managing network policies at scale by monitoring development and staging clusters and analyzing application behaviour.
This automated process ensures robust network segmentation, closely aligning with zero-trust principles.
Watch the full interview: https://kube.fm/network-security-ben
This interview is a reaction to Ori's episode https://kube.fm/network-policies-ori
In this article, you will learn about Istio AuthorizationPolicies and how they function, as well as an alternative approach to declaring them using IBAC (Intent-Based Access Control).
More: https://otterize.com/blog/Istio-authz-and-ingress-authn
Forwarded from KubeFM
Sam "Frenchie" Stewart, CEO at Ensignia, discusses the importance of admission control in managing policies and protecting against malicious behaviour.
He reflects on his experience with K-Rail, an open-source admission control tool, and recommends modern tools like OPA and Kyverno.
Frenchie emphasizes the need for stringent RBAC configurations to prevent misuse, noting that while these tools are powerful for enforcing security, they can also be exploited if not properly managed.
Watch the full interview: https://kube.fm/secure-policy-frenchie
This interview is a reaction to Alex's episode https://kube.fm/troubleshooting-kernel-alex
Otterize integrates with GitHub repositories to automatically generate pull requests as application access requirements change in the cluster. This enables platform administrators to continuously align security requirements with code updates.
More: https://docs.otterize.com/features/github/tutorials/automated-pull-requests
Forwarded from KubeFM
In this KubeFM episode, Hans, a Principal Cloud engineer, shares his experiences empowering teams to use, build and manage platforms built on Kubernetes.
You will learn:
- How OpenTelemetry and Prometheus shape cluster management and observability.
- The role of tools like ArgoCD and Flux in enabling GitOps and streamlining deployment processes.
- The significance of governance tools such as Gatekeeper and OPA for secure and validated resource creation.
- The benefits of Custom Resource Definitions (CRDs) and operators in automating processes and enhancing the developer experience.
Watch (or listen to) it here: https://kube.fm/platform-engineering-hans
🙏 Many thanks to Sysdig for supporting our work and sponsoring this episode. Make sure to check out their Kubernetes security checklist https://sysdig.com/content/c/sysdig-kubernetessec?x=o_J3ln&utm_source=kubefm&utm_medium=referral&utm_campaign=podcast
With @Birthmarkb "Zero certified" Farrell
The "TunnelVision" attacks reinforce the need for a new security paradigm.
In this article, you will explore how this type of attack can be mitigated in the future and what tools you need.
More: https://otterize.com/blog/moving-beyond-perimeter-security
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🚉 How we are managing a container platform
💧 Leaky Vessels deep dive: escaping from Docker one syscall at a time
🕵️♀️ How to inspect Kubernetes networking
🔧 Removing specific images from all Kubernetes nodes
🌎 Kubernetes resiliency (RTO/RPO) in multi-cluster deployments
Read it now: https://learnk8s.io/issues/82
🙏 Many thanks to StormForgeIO for supporting our work and sponsoring this issue. Make sure to check out their platform to optimise resources and save on your cloud spend https://www.stormforge.io/?utm_campaign=LearnK8s-Q2-24
MKAT is an all-in-one auditing toolkit for identifying common security issues within managed Kubernetes environments.
More: https://github.com/DataDog/managed-kubernetes-auditing-toolkit
The article discusses the importance of secure secret management in Kubernetes deployments, highlighting challenges with native secrets.
It explores the use of External-Secrets Operator and Config-Reloader to automate secret synchronization.
More: https://medium.com/squareops/transforming-kubernetes-secret-management-d6c25f776bca
This project aims to quickly set up kubernetes deployments with somewhat realistic/controllable traffic and attacks to test load balancing, WAF, and other security solutions in the cluster.
More: https://github.com/kellyjonbrazil/microsim
Forwarded from LearnKube news
Kubernetes doesn't load balance long-lived connections, and some Pods might receive more requests than others.
In this article, you will learn why and how to fix it with client-side load balancing or a proxy.
👉 https://learnk8s.io/kubernetes-long-lived-connections
Forwarded from LearnKube news
The article discusses developing a Kubernetes Admission Controller with Kotlin to address an issue with the Application Routing add-on and Flux on AKS.
More: https://eggboy.medium.com/developing-kubernetes-admission-controller-with-kotlin-fixing-aks-add-on-issue-in-udr-23418ab21d56
This article explores how Zero-Trust with automated IAM can streamline secure access, leveraging Intent-Based Access Control (IBAC) for policy generation and the Otterize OSS credentials and Intents Operator for end-to-end automation.
More: https://otterize.com/blog/iam-automation-for-eks-and-ack
Forwarded from KubeFM
In this KubeFM episode, Stéphane shares his journey of migrating, optimizing and scaling Jenkins on Kubernetes.
He discusses the technical challenges, solutions, and strategies employed.
You will learn:
- How Jenkins on Kubernetes was scaled to handle 10,000 weekly builds.
- How they started their journey in 2015 and how the cluster has evolved in the past nine years.
- The challenges of managing builds in Jenkins: Docker in Docker, Docker out of Docker and KubeVirt.
- The lessons learned in creating ephemeral environments.
Watch (or listen to) it here: https://kube.fm/10k-builds-jenkins-stephane
🙏 Many thanks to CloudBees for supporting our work and sponsoring this episode. Make sure to check out their video on how to use pods as Jenkins agents https://www.youtube.com/watch?v=ZXaorni-icg?utm_source=kubefm
With @Birthmarkb "The barbarian" Farrell
The tutorial discusses the importance of using signed and encrypted container images to enhance security in Kubernetes workloads.
It uses Podman to create, sign, and verify container images on standalone systems and Kubernetes clusters.
More: https://itnext.io/securing-kubernetes-workloads-a-practical-approach-to-signed-and-encrypted-container-images-ff6e98b65bcd
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🏎️ 98% faster data imports in deployment previews
0️⃣ (Zero-cost) Kubernetes resource tuning in your GitOps pipelines
⚒️ Simplifying Kubernetes development: your go-to tools guide
🔗 How to achieve real zero downtime in Kubernetes rolling deployments: avoiding broken client connections
💦 Plumbing of spawning container with runc
Read it now: https://learnk8s.io/issues/83
🙏 Many thanks to Komodor for supporting our work and sponsoring this newsletter issue. Make sure to check out their Kubernetes troubleshooting platform: https://komodor.com/?utm_source=lkw
This introduction to Kubernetes security discusses authentication, authorization, admission controllers, pod security policies, control plane hardening, logging and network security.
More: https://medium.com/@noah_h/an-intro-to-kubernetes-hardening-c8efd7853f27
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55
DevSecOps Engineer with Applied Intuition
💰 $65K to $400K a year
🏠 From the office in Mountain View, CA, USA
→ https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55
DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55
DevSecOps Engineer with Crusoe
💰 $210K to $240K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55
DevSecOps Engineer with Opal Security
💰 $140K to $260K a year
🏠🏃🏻♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55
👉 Browse all 399 Kubernetes jobs on Kube Careers https://kube.careers
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next courses start in June in Munich 🇩🇪: https://kube.events/t/f80476ea-7cd1-4619-999c-e422a1ef3b1b
We also run in-person courses and corporate training: https://learnk8s.io/corporate-training
In this tutorial, you will learn how to use eBPF and bcc to detect incidents in Kubernetes.
More: https://faun.pub/detecting-specific-incidents-within-your-kubernetes-cluster-using-ebpf-5165771ec9a7