This tutorial explains TLS and certificate debugging from root CA basics to Kubernetes secrets, with OpenSSL and curl commands for inspecting certs, validating handshakes, and fixing common production errors.
More: https://ku.bz/z-30r6w-V
More: https://ku.bz/z-30r6w-V
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
John Ford from Scout24 SE explains how Scout24 turned a forced OS migration into a chance to rethink Kubernetes autoscaling, node provisioning, and infrastructure efficiency.
You will learn:
- Why two-minute node provisioning forced a 25% capacity buffer
- How Karpenter made the Bottlerocket migration safer
- What broke around EC2 metadata, AWS SDKs, and cgroups
- How the new foundation enables Spot, ARM, and GPU workloads
Watch (or listen to) it here: https://ku.bz/DdmVC2_7v
π This episode is brought to you by LearnKube β get started on your Kubernetes journey through comprehensive online, in-person or remote training: https://learnkube.com/training
With @Birthmarkb
You will learn:
- Why two-minute node provisioning forced a 25% capacity buffer
- How Karpenter made the Bottlerocket migration safer
- What broke around EC2 metadata, AWS SDKs, and cgroups
- How the new foundation enables Spot, ARM, and GPU workloads
Watch (or listen to) it here: https://ku.bz/DdmVC2_7v
π This episode is brought to you by LearnKube β get started on your Kubernetes journey through comprehensive online, in-person or remote training: https://learnkube.com/training
With @Birthmarkb
This tutorial shows how to use Cilium and Hubble to enforce HTTP path based network policies in Kubernetes with eBPF, so you can allow or block specific endpoints without sidecars.
More: https://ku.bz/Fl4tzq2J2
More: https://ku.bz/Fl4tzq2J2
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 184:
π₯ Three Weeks Hunting a 4GB Native Memory Leak That .NET Couldn't See
β οΈ Before You Migrate: Five Surprising Ingress-NGINX Behaviors You Need to Know
π Why I Built ctx_: The Context Switcher That Actually Gets DevOps Work
π Migrating Ingress NGINX Controller to Istio in Kubernetes
π Running PostgreSQL on Kubernetes: Operators, Storage and Production Guide
Read it now: https://kube.today/issues/184
βοΈ This newsletter is brought to you by WeAreDevelopers World Congress β The Worldβs Largest Event for Developers, AI Builders & Tech Leaders https://ku.bz/CvpvW-SG2
π₯ Three Weeks Hunting a 4GB Native Memory Leak That .NET Couldn't See
β οΈ Before You Migrate: Five Surprising Ingress-NGINX Behaviors You Need to Know
π Why I Built ctx_: The Context Switcher That Actually Gets DevOps Work
π Migrating Ingress NGINX Controller to Istio in Kubernetes
π Running PostgreSQL on Kubernetes: Operators, Storage and Production Guide
Read it now: https://kube.today/issues/184
βοΈ This newsletter is brought to you by WeAreDevelopers World Congress β The Worldβs Largest Event for Developers, AI Builders & Tech Leaders https://ku.bz/CvpvW-SG2
Kubeconform is a Kubernetes manifests validation tool.
Similar to Kubeval, but with the following improvements:
1. High performance.
2. Remote or local schema locations
3. Up-to-date schemas for all recent versions of Kubernetes.
More: https://ku.bz/l0kD6R0TS
Similar to Kubeval, but with the following improvements:
1. High performance.
2. Remote or local schema locations
3. Up-to-date schemas for all recent versions of Kubernetes.
More: https://ku.bz/l0kD6R0TS
Harbor is a CNCF-graduated open source container registry that stores, signs, and scans images, with built-in RBAC, LDAP/OIDC support, vulnerability scanning, policy-based replication, and a full REST API.
More: https://ku.bz/GjjZhkvSD
More: https://ku.bz/GjjZhkvSD
Forwarded from KubeFM
This media is not supported in your browser
VIEW IN TELEGRAM
Agent workloads push Kubernetes beyond the assumptions of the standard container model.
Mauricio Salatino explains why Agent Sandbox is useful as teams start running AI agent code in clusters that need stronger isolation and new primitives for this class of workload.
Watch the full interview: https://ku.bz/QXKc1tBFY
Mauricio Salatino explains why Agent Sandbox is useful as teams start running AI agent code in clusters that need stronger isolation and new primitives for this class of workload.
Watch the full interview: https://ku.bz/QXKc1tBFY
This article explains why vanilla Kubernetes has no real login event and shows a practical session-tracking workaround using credential-id fingerprints from audit logs, with a side-by-side comparison against OpenShift OAuth behavior.
More: https://ku.bz/DxYlmDBjQ
More: https://ku.bz/DxYlmDBjQ
Forwarded from LearnKube news
π New on LearnKube: βUser and workload identities in Kubernetes.β
The Kubernetes API server must identify the caller before it can check permissions.
The article follows that identity through the request path: external users, in-cluster workloads, service account tokens, projected volumes, JWT claims, TokenReview, and AWS IAM federation.
You will learn:
- how authentication differs from authorization
- why human users usually come from OIDC, certificates, webhooks, proxies, or static token files
- how pods authenticate with service accounts
- why TokenRequest and projected volumes replaced automatic long-lived token secrets
- what
- how EKS IRSA uses projected tokens to federate with AWS IAM
- how TokenReview validates Kubernetes-issued tokens inside the cluster
Read the full article:
https://learnkube.com/authentication-kubernetes
The Kubernetes API server must identify the caller before it can check permissions.
The article follows that identity through the request path: external users, in-cluster workloads, service account tokens, projected volumes, JWT claims, TokenReview, and AWS IAM federation.
You will learn:
- how authentication differs from authorization
- why human users usually come from OIDC, certificates, webhooks, proxies, or static token files
- how pods authenticate with service accounts
- why TokenRequest and projected volumes replaced automatic long-lived token secrets
- what
sub, aud, iss, and exp tell you inside a JWT- how EKS IRSA uses projected tokens to federate with AWS IAM
- how TokenReview validates Kubernetes-issued tokens inside the cluster
Read the full article:
https://learnkube.com/authentication-kubernetes
This tutorial shows how to set up TLS-terminated ingress on EKS Auto Mode using ACM and an ALB, skipping the traditional AWS Load Balancer Controller installation and OIDC setup.
More: https://ku.bz/sbhYbmWNb
More: https://ku.bz/sbhYbmWNb
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Alessandro Pomponio, Research Software Engineer @ IBM Research, explains his team's strategic approach to selecting open source tools from the CNCF landscape for their research computing platform.
Alessandro details their decision-making process for policy enforcement, comparing Kyverno and Gatekeeper. They ultimately chose Kyverno because it uses YAML and "truly speaks Kubernetes," making it more accessible for researchers who manage clusters as a secondary responsibility rather than their primary job.
Watch the full episode: https://ku.bz/5sK7BFZ-8
Alessandro details their decision-making process for policy enforcement, comparing Kyverno and Gatekeeper. They ultimately chose Kyverno because it uses YAML and "truly speaks Kubernetes," making it more accessible for researchers who manage clusters as a secondary responsibility rather than their primary job.
Watch the full episode: https://ku.bz/5sK7BFZ-8
This article explains Kubernetes secrets management from an SRE angle by comparing:
- Sealed Secrets,
- External Secrets Operator,
- and Vault-based approaches with examples.
More: https://ku.bz/l5fy3crYf
- Sealed Secrets,
- External Secrets Operator,
- and Vault-based approaches with examples.
More: https://ku.bz/l5fy3crYf
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
The right AI governance pattern for Kubernetes is not one agent doing everything. It is multiple agents doing specific work well.
Henrik Rexed of Dynatrace says teams should think in terms of specialized review lanes: one AI system for infrastructure-heavy changes, another for observability concerns, and a human reviewer to confirm the final result. That reduces the chance of subtle platform-specific issues being missed by a generic review pass.
Watch the full interview: https://ku.bz/KGQ_b20nQ
Henrik Rexed of Dynatrace says teams should think in terms of specialized review lanes: one AI system for infrastructure-heavy changes, another for observability concerns, and a human reviewer to confirm the final result. That reduces the chance of subtle platform-specific issues being missed by a generic review pass.
Watch the full interview: https://ku.bz/KGQ_b20nQ
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 185:
π₯ A One-Line Kubernetes Fix That Saved 600 Hours a Year
π Why Kubernetes Has No Login β And How We Solved It for AuditRadar
βοΈ Durable Workflows Beyond Vercel: Version-Safe Orchestration for Kubernetes
𧩠The Missing Layers in Your Kubernetes Operator
π¨ Why Your KServe InferenceService Won't Become Ready: Four Production Failures and Fixes
Read it now: https://kube.today/issues/185
βοΈ This issue is brought to you by Qodo, the AI code integrity platform helping teams review, test, and ship reliable infrastructure code faster https://ku.bz/NvLHsnl-6
π₯ A One-Line Kubernetes Fix That Saved 600 Hours a Year
π Why Kubernetes Has No Login β And How We Solved It for AuditRadar
βοΈ Durable Workflows Beyond Vercel: Version-Safe Orchestration for Kubernetes
𧩠The Missing Layers in Your Kubernetes Operator
π¨ Why Your KServe InferenceService Won't Become Ready: Four Production Failures and Fixes
Read it now: https://kube.today/issues/185
βοΈ This issue is brought to you by Qodo, the AI code integrity platform helping teams review, test, and ship reliable infrastructure code faster https://ku.bz/NvLHsnl-6
Forwarded from KubeFM
This media is not supported in your browser
VIEW IN TELEGRAM
ποΈ What is Brandt Keller bringing to KCD New York?
A practical session on software assurance at scale, why verification material becomes harder to manage across organizational boundaries, and why runtime is where trust and verification matter most.
If you're interested in supply chain security, cloud-native platform engineering, observability, AI-enabled infrastructure, and practical Kubernetes operations, KCD New York is the place to be.
We also have 10 free tickets available. Email hello@kube.events to claim one before they are gone.
Register for KCD New York and claim your spot.
π https://ku.bz/JkjmffBzw
A practical session on software assurance at scale, why verification material becomes harder to manage across organizational boundaries, and why runtime is where trust and verification matter most.
If you're interested in supply chain security, cloud-native platform engineering, observability, AI-enabled infrastructure, and practical Kubernetes operations, KCD New York is the place to be.
We also have 10 free tickets available. Email hello@kube.events to claim one before they are gone.
Register for KCD New York and claim your spot.
π https://ku.bz/JkjmffBzw
This article shows how to sign every container image using Cosign keyless signing in GitHub Actions and enforce signatures at pod admission with Kyverno, using the chalk/debug npm attack as the real-world motivation.
More: https://ku.bz/7WkPPBjwH
More: https://ku.bz/7WkPPBjwH
This article reviews Kubermatic SecureGuard (KubeSG), a Kubernetes-native open source secrets manager built on OpenBao and the External Secrets Operator that automates secret rotation and delivery without app rewrites or proprietary SDKs.
More: https://ku.bz/wD-DcVMBD
More: https://ku.bz/wD-DcVMBD
This tutorial shows how to run Cloudflare Tunnels as a DaemonSet to expose services with zero open inbound ports, using liveness probes, Kubernetes Secrets, and GitOps with ArgoCD.
More: https://ku.bz/RYlKnctWf
More: https://ku.bz/RYlKnctWf
Forwarded from LearnKube news
π£ New on LearnKube: "The mechanics of Kubernetes RBAC and how it connects users to permissions."
Kubernetes RBAC can feel confusing because the object names sound broader than the scope they actually grant.
A ClusterRole does not always mean cluster-wide access.
If you bind a ClusterRole with a RoleBinding, the permissions apply only in the namespace where the RoleBinding lives.
The article walks through:
- Why direct user-to-permission mappings do not scale
- how Roles and ClusterRoles group permissions into reusable sets
- how RoleBindings and ClusterRoleBindings connect identities to permissions
- How to test access with
Read the full guide:
https://learnkube.com/rbac-kubernetes
Kubernetes RBAC can feel confusing because the object names sound broader than the scope they actually grant.
A ClusterRole does not always mean cluster-wide access.
If you bind a ClusterRole with a RoleBinding, the permissions apply only in the namespace where the RoleBinding lives.
The article walks through:
- Why direct user-to-permission mappings do not scale
- how Roles and ClusterRoles group permissions into reusable sets
- how RoleBindings and ClusterRoleBindings connect identities to permissions
- How to test access with
kubectl auth can-iRead the full guide:
https://learnkube.com/rbac-kubernetes
This article explains how to build a highly available GKE architecture using Multi-Cluster Services and Multi-Cluster Gateway.
It covers subnet naming requirement for cross-regional internal ALBs, cluster setup via Fleet, demo app with request routing.
More: https://ku.bz/7kBX1rFD4
It covers subnet naming requirement for cross-regional internal ALBs, cluster setup via Fleet, demo app with request routing.
More: https://ku.bz/7kBX1rFD4
This tutorial teaches Kubernetes security testing from an offensive perspective, covering:
- pod compromise detection,
- service account token exploitation,
- RBAC privilege escalation,
- and tools like kubeletctl and peirates.
More: https://ku.bz/gh_lvlX5t
- pod compromise detection,
- service account token exploitation,
- RBAC privilege escalation,
- and tools like kubeletctl and peirates.
More: https://ku.bz/gh_lvlX5t