Kubesploit

This article explains the purpose of the Kubernetes service in the default namespace and how to access the Kubernetes API server from a pod.

It also explains how to configure service accounts, roles, and bindings to control access and permissions.

More: https://medium.com/@jinha4ever/accessing-the-kubernetes-service-in-the-default-namespace-from-your-pods-976d60326fbd

Sealed Secrets Web is a tool that provides a web interface for managing and encrypting sensitive data in Kubernetes using the Sealed Secrets service by Bitnami.

More: https://github.com/bakito/sealed-secrets-web

Master Kubernetes with Learnk8s' Advanced Kubernetes workshop!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

The next online courses start in November: https://kube.events/t/3ae8e890-0f78-40e8-854e-849964bb8aee?s=16

We also run in-person courses and corporate training: https://learnk8s.io/corporate-training

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55

DevSecOps Engineer with Gemini
💰 $248K to $310K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/03598248-6bcb-4117-85b1-ecba6edb3070?s=55

DevSecOps Engineer with Uniswap Labs
💰 $264K to $294K a year
🏠 From the office in New York, NY, USA
→ https://kube.careers/t/3d7c0bd7-abd8-4526-a376-458f65018709?s=55

DevSecOps Engineer with CoreWeave
💰 $240K to $275K a year
🏠🏃🏻‍♂️🌎 Roseland, NJ / Brooklyn, NY / Sunnyvale, CA / Bellevue, WA, USA
→ https://kube.careers/t/e9f1791e-bf17-4013-af2a-c52e93b6beaf?s=55

👉 Browse all 1370 Kubernetes jobs on Kube Careers https://kube.careers

In this article, you will learn how seccomp provides an additional security layer by restricting system calls that containers can execute.

This reduces the attack surface and minimizes potential damage from compromised processes.

More: https://www.armosec.io/blog/kubernetes-workloads-seccomp

This week on Learn Kubernetes Weekly 101:

💯 How we made self-hosting plane a breeze for 100k Docker and 44k Kubernetes deploys
⚔️ Building resilient applications on Kubernetes
📦 Stateful apps in Kubernetes: from history and fundamentals to operators
📉 Reducing EKS Windows node 5 min start time to ~90s

Read it now: https://learnk8s.io/issues/101

⭐️ Looking for cost-effective GPU-powered Kubernetes clusters?
GPU-enabled worker nodes are now available for DigitalOcean Kubernetes https://www.digitalocean.com/products/kubernetes?utm_medium=newsletter&utm_source=learnk8s&utm_campaign=global_gpu-doks_k8s_en&utm_content=product

The Secrets Store CSI Driver allows Kubernetes to mount multiple secrets, keys, and certs stored in enterprise-grade external secrets stores into their pods as a volume.

Once the Volume is attached, its data is mounted into the container's file system.

More: https://github.com/kubernetes-sigs/secrets-store-csi-driver

Brian Grant, CTO of ConfigHub and former tech lead on Google's Borg team discusses the Kubernetes Resource Model (KRM) and its profound impact on the Kubernetes ecosystem.

You will learn:

- How the Kubernetes API evolved from inconsistency to a uniform structure, enabling support for thousands of resource types.
- Why Kubernetes' self-describing resources and Server-side Apply simplify client implementations and configuration management.
- The evolution of Kubernetes configuration tools like Helm, Kustomize, and GitOps solutions.

Watch (or listen to) it here: https://kube.fm/krm-brian

🌟 This episode is sponsored by StormForge. Double your Kubernetes resource utilization and unburden developers from sizing complexity with the first HPA-compatible vertical pod rightsizing solution. https://stormforge.io/optimize-live/?utm_source=Learnk8s&utm_medium=podcast&utm_campaign=learnk8s-sow2-2024

In this article, you will explore Kyverno: a Kubernetes policy engine that receives admission webhook HTTP callbacks from the kube-apiserver and applies matching policies to return the result of executing the admission policy or denying the request.

More: https://aws.plainenglish.io/kubernetes-policy-management-engine-kyverno-b255ec9d9bf1?sk=9b8b9970bc2681dc22cd89d8bfe4b1f1

Sealed Secrets provides declarative Kubernetes Secret Management in a secure way.

Since the Sealed Secrets are encrypted, they can be safely stored in a code repository.

More: https://github.com/bitnami-labs/sealed-secrets

This article introduces network policies in Kubernetes.

You will learn how labels are used to identify pods and apply network policies.

You will also see how network policies are applied to traffic between pods.

More: https://jamali.hashnode.dev/cilium-network-policies

Why can't you ping a Kubernetes service?

Learnk8s runs a 4-day Advanced Kubernetes course on Oct 21, and you will get to the bottom of questions like this (spoiler: services only exist in etcd).
You will also learn the nitty-gritty details of Kubernetes networking:

- How to plan and design a cluster network.
- How do the four Kubernetes services extend each other, and what do you gain from each?
- How CoreDNS, Ingress, and kube-proxy consume the Kubernetes currency: endpoints.

This (and much more) is covered on the third day of the course.

You can find the full agenda, a breakdown of the modules and how to sign up here: https://kube.events/t/3aa0148a-d54a-471c-adbc-cc5cabb86d23

Are you training your team?
Customize the workshop in full with corporate training https://learnk8s.io/corporate-training

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Worldcoin
💰 $236K to $323K a year
🏠 From the office in San Francisco, CA, USA
→ https://kube.careers/t/e824f971-4831-4329-8dfd-2edcce0c9ed5?s=55

DevSecOps Engineer with Jobs for Humanity
💰 $189.1K to $317.69K a year
🏠 From the office in Bellevue, WA, USA
→ https://kube.careers/t/47e00ae5-bef2-4118-9059-c45081d02892?s=55

Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://kube.careers/t/b9a90583-a0e8-4f13-b776-839c8b1d6275?s=55

DevSecOps Engineer with Alchemy
💰 $135K to $350K a year
👨‍💻 Remote from the United States
→ https://kube.careers/t/1f5bb0f9-8812-4cfe-968d-cd2e1d1cbeaa?s=55

DevSecOps Engineer with Crusoe
💰 $180K to $300K a year
🏠🏃🏻‍♂️🌎 San Francisco, CA, USA
→ https://kube.careers/t/cc2ab37b-4b47-4dc0-9199-04269d9e3607?s=55

👉 Browse all 1326 Kubernetes jobs on Kube Careers https://kube.careers

This article guides you through the process of signing and verifying container images using Cosign and Kyverno.

It covers the installation of Kyverno and Cosign and provides a step-by-step guide on securing CI/CD pipelines for production deployment.

More: https://vinayakpandey-7997.medium.com/signing-and-verifying-ecr-images-using-cosign-and-kyverno-d3c84e2d8a00

This week on Learn Kubernetes Weekly 100:

👩‍🚒 Rescue my OpenShift cluster from loss of 2 masters
📸 Optimize Kubernetes pods' startup time using VolumeSnapshots
📞 5 solutions for multi-cluster communication in Kubernetes
1️⃣ Streamlining Microservices Management: A Unified Helm Chart Approach
🙋‍♂️ Argo Events: conditional triggers

Read it now: https://learnk8s.io/issues/100

🌟 Are you still securing your Kubernetes control plane with an SSH bastion?
That's probably valid but a bit dated. The sponsor of this issue is Tailscale — connect and secure your Kubernetes clusters with anything, anywhere https://tailscale.com/use-cases/kubernetes?utm_source=LearnK8s&utm_medium=paid-email&utm_campaign=LearnK8s-Q3-25

This article explains how to use iptables to enhance security in a Kubernetes network.

It covers the default policy, managing rules, and keeping configurations after reboots.

More: https://itnext.io/shielding-your-kubernetes-network-mastering-iptables-for-enhanced-security-7286540b2f17

This tutorial explores how to use cert-manager to manage Kubernetes Gateway certificates automatically.

More: https://addozhang.medium.com/automated-kubernetes-gateway-certificates-management-with-cert-manager-b6b43bb6c5ea

This article discusses the validating admission webhook bypass vulnerability, which allows node updates to bypass a validating admission webhook.

You will learn how to detect this type of event by enabling Kubernetes Audit Logging in the cluster.

More: https://sysdig.com/blog/cve-2021-25735-kubernetes-admission-bypass

Bank-Vaults is an umbrella project which provides various tools for Cloud Native secret management, including:

- Bank-Vaults CLI to configure Hashicorp Vault.
- Vault operator.
- Vault secrets webhook to inject secrets.
- Vault SDK

More: https://github.com/bank-vaults/bank-vaults

Kubernetes in action: from pods to production-ready clusters!

📆 Learnk8s runs a 4-day Advanced Kubernetes course in 🇺🇸 San Francisco on Oct 21!

You will learn how to:

1️⃣ Architect and design resilient clusters (in the cloud or on-prem).
2️⃣ Master deployment strategies and resource management.
3️⃣ Wire the cluster network and trace packets flowing through it.
4️⃣ Secure your cluster with the latest best practices.
5️⃣ Autoscale, manage data and stateful workloads, monitoring and more.

What you need to know:

✅ 40% lecture, 60% hands-on labs.
✅ Small groups for personalized learning.
✅ Progresses from basics to advanced topics.
✅ Lifetime access to course materials and Slack community.

Ticket and info: https://kube.events/t/3aa0148a-d54a-471c-adbc-cc5cabb86d23

Corporate training: https://learnk8s.io/corporate-training