The article explains the concept of Network Policies in AKS, their importance in securing clusters, and how to create basic network policies.

More: https://medium.com/@siddiquimohammad0807/getting-started-with-aks-network-policies-dbb72520c0ae

In this KubeFM episode, Yakir and Assaf from Aqua Security explore how a robust Kubernetes secrets strategy is necessary to prevent leaks and maintain a strong security posture.

You will learn:

- How Kubernetes secrets are leaked, and what tools can you use to prevent that (Hint: Yakir and Assaf suggested using more than one.)
- How shadow IT is a more significant threat you might think and why companies should monitor personal Github repositories.
- What happens when a secret is leaked and how attackers exploit your resources (or further gain access to more).

Watch (or listen to) it here: https://kube.fm/exposed-secrets-yakir-assaf

🙏 Many thanks to Isovalent for supporting our work and sponsoring this episode. Make sure to watch the top Kubernetes security use cases that Tetragon and eBPF cover for platform teams https://isovalent.com/events/2024-04-18-tetragon-webinar/?utm_source=KubeFM-Podcast

With @Birthmarkb "The vivacious riddler" Farrell

This article demonstrates how to centralize application access management through Single Sign-On (SSO) using OAuth2 Proxy sidecar containers.

More: https://cloudchirp.medium.com/sso-authentication-with-oauth2-proxy-sidecar-containers-in-kubernetes-7717fb3ef881

This week on the Learn Kubernetes Weekly:

🤔 Choosing an orchestrator for multi-tenant code execution system
🪳 KEDA + Kafka: improve performance by 62.15% at peak loads
5️⃣ 5 shortcomings of Helm
🩹 AWS extended EKS support: a costly band-aid for Kubernetes clusters
🚦 A/B testing with Linkerd and Flagger using dynamic routing

Read it now: https://learnk8s.io/issues/84

🙏 Many thanks to Otterize for supporting our work and sponsoring this issue. Make sure to check out their intent-based access control platform (and related open-source projects) https://bit.ly/3Jjz7D9

Is it right to give GitLab admin permission to run kubectl commands in pipelines?

This article explores RBAC permissions in the context of a GitLab pipeline.

More: https://medium.com/@tarikyegen35/k8s-creating-a-dedicated-user-serviceaccount-with-restricted-permissions-for-gitlab-ff91c3daa3ce

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55

DevSecOps Engineer with Applied Intuition
💰 $65K to $400K a year
🏠 From the office in Mountain View, CA, USA
→ https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55

DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55

DevSecOps Engineer with Crusoe
💰 $210K to $240K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55

DevSecOps Engineer with Opal Security
💰 $140K to $260K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55

👉 Browse all 421 Kubernetes jobs on Kube Careers https://kube.careers

Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

The next courses start next week in June in Munich 🇩🇪: https://kube.events/t/f80476ea-7cd1-4619-999c-e422a1ef3b1b

We also run in-person courses and corporate training: https://learnk8s.io/corporate-training

The article discusses the risks associated with long-lived Kubernetes service account tokens.

It also explores mitigation strategies and the benefits of using short-lived tokens.

More: https://dev.to/gitguardian/understanding-the-risks-of-long-lived-kubernetes-service-account-tokens-dok

This article covers 2023 Kubernetes vulnerabilities, categorizing them based on CVSS, weakness types, impact types, and other relevant factors.

More: https://www.armosec.io/blog/kubernetes-vulnerabilities-2023

The article discusses the importance of securing Kubernetes clusters using CIS Benchmarks and kube-bench.

More: https://itnext.io/fortifying-kubernetes-mastering-security-with-cis-benchmarks-904064d7a3d9

This article discusses the evolution of declarative image builds, from distroless images to tools like Bazel, ko, and apko.

It highlights the challenges and innovations in creating reproducible Docker build rules and the "Images as Code" concept.

More: https://chainguard.dev/unchained/images-as-code-the-pursuit-of-declarative-image-builds

This week on the Learn Kubernetes Weekly:

🧓 Understanding the risks of long-lived Kubernetes Service Account tokens
🖖 The impact of numerous GIT branches and tags on Argo CD and cloud budgets
🏥 Surviving OOM in Kubernetes: Java applications
🥷 2023 Kubernetes vulnerability roundup
🚦 Network traffic shaping in Kubernetes: topology aware routing

Read it now: https://learnk8s.io/issues/85

🙏 Many thanks to StormForge for supporting our work and sponsoring this issue. Make sure to check out their intent-based access control platform (and related open-source projects) https://bit.ly/3Jjz7D9

This article discusses a critical vulnerability (CVE-2024-23652) in Docker Buildkit = v0.12.4, which allows arbitrary file deletion in the host OS.

Mitigation involves updating to Buildkit v0.12.5 or later.

More: https://dev.to/snyk/buildkit-build-time-container-teardown-arbitrary-delete-cve-2024-23652-2kkh

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55

DevSecOps Engineer with Applied Intuition
💰 $65K to $400K a year
🏠 From the office in Mountain View, CA, USA
→ https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55

DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55

DevSecOps Engineer with Crusoe
💰 $210K to $240K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55

DevSecOps Engineer with Opal Security
💰 $140K to $260K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA
→ https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55

👉 Browse all 432 Kubernetes jobs on Kube Careers https://kube.careers

Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

The next online courses start on Jul 25: https://kube.events/t/1ebfa298-b5c6-4e42-8399-e43e6834683c

We also run in-person courses and corporate training: https://learnk8s.io/corporate-training

This article discusses a critical vulnerability in all versions of Docker Buildkit <=v0.12.4 that can result in container escape to the underlying host OS when building an image using a malicious Dockerfile or upstream image (i.e. when using FROM).

More: https://dev.to/snyk/buildkit-mount-cache-race-build-time-race-condition-container-breakout-cve-2024-23651-7k0

This article explains how to use mirrord to debug apps in a cluster and isolate the network to prevent unwanted traffic from reaching specific pods (e.g. a database).

More: https://dev.to/meowchinist/the-traffic-police-controlling-outgoing-traffic-with-mirrord-216

This article discusses a vulnerability in all versions of runc <=1.1.11, as used by the Docker engine, along with other containerization technologies such as Kubernetes, that can result in container escape to the underlying host OS.

More: https://dev.to/snyk/vulnerability-runc-processcwd-and-leaked-fds-container-breakout-cve-2024-21626-2oko

♻️ How do you roll back a failed deployment in Kubernetes?

In this article, learn how Deployments, Replica Sets, and Pods are connected and how you can use kubectl to revert a deployment

You can read it here: https://learnk8s.io/kubernetes-rollbacks

"Kubernetes Security for Dummies" is a comprehensive guide to mastering Kubernetes security.

More: https://www.datocms-assets.com/75231/1704995046-kubernetes-security-for-dummies_wiz_final.pdf

This week on the Learn Kubernetes Weekly:

♻️ Extending GitOps: effortless continuous integration and deployment on Kubernetes
🦈 Optimizing Wireshark in Kubernetes
👝 How I reduced the size of my very first published Docker image by 40%
💰 Overcoming the deployment challenges of H100 GPUs in AKS
🚤 Loxilb cluster networking: elevating Kubernetes networking capabilities
🙊 The future is not Docker

Read it now: https://learnk8s.io/issues/86

🙏 Many thanks to Sysdig for supporting our work and sponsoring this issue. Make sure to check out their checklist to guide your security strategy as you escalate the use of containers and Kubernetes https://bit.ly/3W65Kvw