Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Nicholaos Mouzourakis, Staff Product Security Engineer at Gusto, explains how batch authorization significantly improves Open Policy Agent (OPA) performance in Kubernetes environments. He shares how packing multiple authorization requests into a single HTTP call dramatically reduces network latency overhead.
The performance gains are substantial - batch requests process approximately 18 times faster than individual requests. Nicholaos explains that while adding requests to an existing batch is "negligible and basically free," teams should carefully consider dependencies between authorization requests.
Watch the full episode: https://kube.fmhttps://ku.bz/S-2vQ_j-4
The performance gains are substantial - batch requests process approximately 18 times faster than individual requests. Nicholaos explains that while adding requests to an existing batch is "negligible and basically free," teams should carefully consider dependencies between authorization requests.
Watch the full episode: https://kube.fmhttps://ku.bz/S-2vQ_j-4
This tutorial explains how Amazon EKS Pod Identity session policies let teams restrict pod IAM permissions with inline policies.
More: https://ku.bz/NtVpLWQ60
More: https://ku.bz/NtVpLWQ60
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 183:
π₯ Autoscaling Hid Our LLM Cost Regression (85% β 4% Cache Hit Rate)
π₯ Mount Mayhem at Netflix: Scaling Containers on Modern CPUs
ποΈ DocumentDB on Kubernetes: Resilient, Highly Available Databases with Automatic Failover
π‘οΈ We Brought Skew Protection to Your Kubernetes
π Keeping Your Security Model Intact When Running VMs in Kubernetes
Read it now: https://kube.today/issues/183
βοΈ This newsletter is brought to you by LearnKube β master Kubernetes with hands-on training designed for engineers who want to learn the smart way https://ku.bz/hypSbyc-V
π₯ Autoscaling Hid Our LLM Cost Regression (85% β 4% Cache Hit Rate)
π₯ Mount Mayhem at Netflix: Scaling Containers on Modern CPUs
ποΈ DocumentDB on Kubernetes: Resilient, Highly Available Databases with Automatic Failover
π‘οΈ We Brought Skew Protection to Your Kubernetes
π Keeping Your Security Model Intact When Running VMs in Kubernetes
Read it now: https://kube.today/issues/183
βοΈ This newsletter is brought to you by LearnKube β master Kubernetes with hands-on training designed for engineers who want to learn the smart way https://ku.bz/hypSbyc-V
This tutorial teaches how to deploy Crossview on Kubernetes with Helm and secure it for enterprise use with session auth, SSO, proxy header auth, RBAC, TLS, and high-availability settings.
More: https://ku.bz/hwQDK693G
More: https://ku.bz/hwQDK693G
Forwarded from KubeFM
This media is not supported in your browser
VIEW IN TELEGRAM
Many teams still treat Kubernetes as secure by default, and that assumption creates risk fast.
Glen Messenger argues that Kubernetes was built for orchestration, not security. His point is that platforms like GKE have to add strong defaults, least privilege, and opinionated controls so teams do not build insecure systems accidentally.
Watch the full interview: https://ku.bz/N5njxPHdY
Glen Messenger argues that Kubernetes was built for orchestration, not security. His point is that platforms like GKE have to add strong defaults, least privilege, and opinionated controls so teams do not build insecure systems accidentally.
Watch the full interview: https://ku.bz/N5njxPHdY
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
For regulated environments, open source can be a strength rather than a liability.
Devin Allen explains that visibility into the codebase is what makes open source workable in secure environments. More eyes on the code means problems can be found, understood, and fixed faster, which changes the conversation from blind trust to transparent verification.
Watch the full interview: https://ku.bz/8lKHj1C5d
Devin Allen explains that visibility into the codebase is what makes open source workable in secure environments. More eyes on the code means problems can be found, understood, and fixed faster, which changes the conversation from blind trust to transparent verification.
Watch the full interview: https://ku.bz/8lKHj1C5d
This tutorial explains how to prevent, detect, and clean up leaked secrets in Git repositories using .env files, Kubernetes Secrets, Gitleaks, GitGuardian, and git-filter-repo.
More: https://ku.bz/PZjTtq9v8
More: https://ku.bz/PZjTtq9v8
This tutorial shows how to secure an ArgoCD based EKS GitOps workflow with External Secrets Operator, IRSA, and AWS SSM Parameter Store so secrets stay out of Git and sync safely into Kubernetes.
More: https://ku.bz/1qJT8SG1s
More: https://ku.bz/1qJT8SG1s
Forwarded from LearnKube news
π New on LearnKube: "Kubelet Metrics: How cAdvisor and CRI Collect Kubernetes Stats."
Kubernetes metrics often look like a Prometheus topic, but the data originates much lower in the stack.
This guide explains how kubelet collects and exposes pod, container, node, and resource metrics, and how that path changes when stats move from cAdvisor to the container runtime through CRI.
You will learn:
- how Linux cgroups provide the raw counters behind container metrics
- where cAdvisor fits inside kubelet
- what kubelet exposes through /metrics, /metrics/cadvisor, /metrics/resource, and /stats/summary
- how containerd and CRI-O can return pod and container stats through CRI
- why the same kubelet endpoint can hide a different internal collection path
Read the full article:
https://learnkube.com/kubernetes-metrics-cadvisor-kubelet-cri
Kubernetes metrics often look like a Prometheus topic, but the data originates much lower in the stack.
This guide explains how kubelet collects and exposes pod, container, node, and resource metrics, and how that path changes when stats move from cAdvisor to the container runtime through CRI.
You will learn:
- how Linux cgroups provide the raw counters behind container metrics
- where cAdvisor fits inside kubelet
- what kubelet exposes through /metrics, /metrics/cadvisor, /metrics/resource, and /stats/summary
- how containerd and CRI-O can return pod and container stats through CRI
- why the same kubelet endpoint can hide a different internal collection path
Read the full article:
https://learnkube.com/kubernetes-metrics-cadvisor-kubelet-cri
Forwarded from Kube Builders
Node Healthcheck Operator automatically detects unhealthy nodes and triggers pluggable remediators like BMC, ClusterAPI, or software reboots to recover workloads without manual intervention.
More: https://ku.bz/8Y52rJ74q
More: https://ku.bz/8Y52rJ74q
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Using AI to generate YAML is one thing. Letting it touch production operations is another.
YongKang He says the safest starting point is low-risk, high-volume work like anomaly detection, correlation, and remediation suggestions. He is not ready to hand over costly scaling decisions or sensitive policy changes without stronger guardrails.
The practical lesson is that AI should act like a co-pilot for SRE, not a fully autonomous operator.
Watch the full interview: https://ku.bz/8Q7Vy60P7
YongKang He says the safest starting point is low-risk, high-volume work like anomaly detection, correlation, and remediation suggestions. He is not ready to hand over costly scaling decisions or sensitive policy changes without stronger guardrails.
The practical lesson is that AI should act like a co-pilot for SRE, not a fully autonomous operator.
Watch the full interview: https://ku.bz/8Q7Vy60P7
This tutorial explains TLS and certificate debugging from root CA basics to Kubernetes secrets, with OpenSSL and curl commands for inspecting certs, validating handshakes, and fixing common production errors.
More: https://ku.bz/z-30r6w-V
More: https://ku.bz/z-30r6w-V
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
John Ford from Scout24 SE explains how Scout24 turned a forced OS migration into a chance to rethink Kubernetes autoscaling, node provisioning, and infrastructure efficiency.
You will learn:
- Why two-minute node provisioning forced a 25% capacity buffer
- How Karpenter made the Bottlerocket migration safer
- What broke around EC2 metadata, AWS SDKs, and cgroups
- How the new foundation enables Spot, ARM, and GPU workloads
Watch (or listen to) it here: https://ku.bz/DdmVC2_7v
π This episode is brought to you by LearnKube β get started on your Kubernetes journey through comprehensive online, in-person or remote training: https://learnkube.com/training
With @Birthmarkb
You will learn:
- Why two-minute node provisioning forced a 25% capacity buffer
- How Karpenter made the Bottlerocket migration safer
- What broke around EC2 metadata, AWS SDKs, and cgroups
- How the new foundation enables Spot, ARM, and GPU workloads
Watch (or listen to) it here: https://ku.bz/DdmVC2_7v
π This episode is brought to you by LearnKube β get started on your Kubernetes journey through comprehensive online, in-person or remote training: https://learnkube.com/training
With @Birthmarkb
This tutorial shows how to use Cilium and Hubble to enforce HTTP path based network policies in Kubernetes with eBPF, so you can allow or block specific endpoints without sidecars.
More: https://ku.bz/Fl4tzq2J2
More: https://ku.bz/Fl4tzq2J2
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 184:
π₯ Three Weeks Hunting a 4GB Native Memory Leak That .NET Couldn't See
β οΈ Before You Migrate: Five Surprising Ingress-NGINX Behaviors You Need to Know
π Why I Built ctx_: The Context Switcher That Actually Gets DevOps Work
π Migrating Ingress NGINX Controller to Istio in Kubernetes
π Running PostgreSQL on Kubernetes: Operators, Storage and Production Guide
Read it now: https://kube.today/issues/184
βοΈ This newsletter is brought to you by WeAreDevelopers World Congress β The Worldβs Largest Event for Developers, AI Builders & Tech Leaders https://ku.bz/CvpvW-SG2
π₯ Three Weeks Hunting a 4GB Native Memory Leak That .NET Couldn't See
β οΈ Before You Migrate: Five Surprising Ingress-NGINX Behaviors You Need to Know
π Why I Built ctx_: The Context Switcher That Actually Gets DevOps Work
π Migrating Ingress NGINX Controller to Istio in Kubernetes
π Running PostgreSQL on Kubernetes: Operators, Storage and Production Guide
Read it now: https://kube.today/issues/184
βοΈ This newsletter is brought to you by WeAreDevelopers World Congress β The Worldβs Largest Event for Developers, AI Builders & Tech Leaders https://ku.bz/CvpvW-SG2
Kubeconform is a Kubernetes manifests validation tool.
Similar to Kubeval, but with the following improvements:
1. High performance.
2. Remote or local schema locations
3. Up-to-date schemas for all recent versions of Kubernetes.
More: https://ku.bz/l0kD6R0TS
Similar to Kubeval, but with the following improvements:
1. High performance.
2. Remote or local schema locations
3. Up-to-date schemas for all recent versions of Kubernetes.
More: https://ku.bz/l0kD6R0TS
Harbor is a CNCF-graduated open source container registry that stores, signs, and scans images, with built-in RBAC, LDAP/OIDC support, vulnerability scanning, policy-based replication, and a full REST API.
More: https://ku.bz/GjjZhkvSD
More: https://ku.bz/GjjZhkvSD
Forwarded from KubeFM
This media is not supported in your browser
VIEW IN TELEGRAM
Agent workloads push Kubernetes beyond the assumptions of the standard container model.
Mauricio Salatino explains why Agent Sandbox is useful as teams start running AI agent code in clusters that need stronger isolation and new primitives for this class of workload.
Watch the full interview: https://ku.bz/QXKc1tBFY
Mauricio Salatino explains why Agent Sandbox is useful as teams start running AI agent code in clusters that need stronger isolation and new primitives for this class of workload.
Watch the full interview: https://ku.bz/QXKc1tBFY
This article explains why vanilla Kubernetes has no real login event and shows a practical session-tracking workaround using credential-id fingerprints from audit logs, with a side-by-side comparison against OpenShift OAuth behavior.
More: https://ku.bz/DxYlmDBjQ
More: https://ku.bz/DxYlmDBjQ
Forwarded from LearnKube news
π New on LearnKube: βUser and workload identities in Kubernetes.β
The Kubernetes API server must identify the caller before it can check permissions.
The article follows that identity through the request path: external users, in-cluster workloads, service account tokens, projected volumes, JWT claims, TokenReview, and AWS IAM federation.
You will learn:
- how authentication differs from authorization
- why human users usually come from OIDC, certificates, webhooks, proxies, or static token files
- how pods authenticate with service accounts
- why TokenRequest and projected volumes replaced automatic long-lived token secrets
- what
- how EKS IRSA uses projected tokens to federate with AWS IAM
- how TokenReview validates Kubernetes-issued tokens inside the cluster
Read the full article:
https://learnkube.com/authentication-kubernetes
The Kubernetes API server must identify the caller before it can check permissions.
The article follows that identity through the request path: external users, in-cluster workloads, service account tokens, projected volumes, JWT claims, TokenReview, and AWS IAM federation.
You will learn:
- how authentication differs from authorization
- why human users usually come from OIDC, certificates, webhooks, proxies, or static token files
- how pods authenticate with service accounts
- why TokenRequest and projected volumes replaced automatic long-lived token secrets
- what
sub, aud, iss, and exp tell you inside a JWT- how EKS IRSA uses projected tokens to federate with AWS IAM
- how TokenReview validates Kubernetes-issued tokens inside the cluster
Read the full article:
https://learnkube.com/authentication-kubernetes
This tutorial shows how to set up TLS-terminated ingress on EKS Auto Mode using ACM and an ALB, skipping the traditional AWS Load Balancer Controller installation and OIDC setup.
More: https://ku.bz/sbhYbmWNb
More: https://ku.bz/sbhYbmWNb