Learn Kubernetes Weekly issue 115 · 22 Jan 2025
Backdoor a Kubernetes in silence, GitOps secrets with Argo CD, running as root dangerous?, Linux runtime visibility meets Wireshark
Articles
Kubernetes has its "ADCS" how to backdoor a Kubernetes in silence
wgpsec.medium.com
Learn how to utilize Kubernetes' certificate system for post-exploitation, including techniques for backdooring a Kubernetes cluster, exploiting ETCD certificates, and forging service account JWT tokens to gain persistent control over cluster resources.
GitOps secrets with Argo CD, Hashicorp Vault and the External Secret Operator
medium.com
In this article, you'll learn how to manage secrets using the External Secret Operator, Hashicorp Vault, and Argo CD, and discover how to avoid saving secrets in Git and automatically refresh secrets without pod restarts or application deployments.
Why is running as root in kubernetes containers dangerous?
medium.com
In this article, you will learn about the security implications of running containers as root in Kubernetes, and how using non-root users can mitigate common attack vectors and enhance overall security.
Go deeper: linux runtime visibility meets wireshark
blog.aquasec.com
In this article, you will learn about Traceeshark, a plugin for Wireshark that enables visual and interactive analysis of Tracee events, and discover how it simplifies the investigation of Linux runtime security issues and malware analysis.
Securing secrets in confidential containers: usage patterns to avoid
pradiptabanerjee.medium.com
In this article, you'll learn how to secure sensitive data in confidential containers, including best practices for avoiding common usage patterns that compromise security and restricting Kubernetes APIs to protect your secrets.
Scaling environments with OpenTelemetry and service mesh
dev.to
In this article, you will learn how to scale environments with OpenTelemetry and service meshes and discover a different approach to creating highly scalable dev, preview, and test environments.
Articles worth checking out:
Tutorials
Kubernetes operator: create the one with kubebuilder
fenyuk.medium.com
In this article, you will learn how to create a Kubernetes Operator using Kubebuilder to automate memory limit adjustments for a Golang web service.
In this episode, William Morgan, CEO of Buoyant, explores the complex trade-offs between cost optimization and reliability in Kubernetes networking. The discussion focuses on Topology-aware routing and why its implementation might not be the silver bullet for managing cross-zone traffic costs.
William shares practical insights from real-world implementations and explains why understanding these trade-offs is crucial for platform teams managing multi-zone Kubernetes clusters.
You will learn:
- How Topology-aware routing attempts to reduce cross-zone traffic costs but can compromise reliability by limiting inter-zone communication
- Why Layer 7 load balancing offers better traffic management through protocol awareness compared to topology-aware routing's Layer 4 approach
- How HAZL (High Availability Zonal Load Balancing) provides a more nuanced solution by balancing cost savings with reliability guarantees through intelligent traffic routing
Kubernetes jobs
Platform Engineer with Vosyn
Salary: $51.2K a year
Location: remote from Canada
Tech stack: Kubernetes, AWS, Azure, GCP, Python, Terraform
Solution Engineer with Tailscale
Salary: $150K to $200K a year
Location: remote from the United States
Tech stack: Kubernetes, Kustomize, Helm, Go, Shell, Typescript, Grafana, Prometheus, Fluentd
Software Engineer with LITIT
Salary: €36K to €60K a year
Location: remote from Lithuania
Tech stack: Kubernetes, Docker, Javascript, C#
DevSecOps Engineer with Auria
Salary: $93K to $160K a year
Location: based in the office (and remote from home) in Herndon, VA, USA
Tech stack: Kubernetes, AWS, Azure, On-premise, Docker, Shell, Python, Powershell, Terraform, Jenkins
Software Engineer with One
Salary: $100K to $170K a year
Location: remote from the United States
Tech stack: Kubernetes, AWS, Javascript, Typescript
Discover more Kubernetes jobs on Kube Careers →
Code & tools
encoder-run: source code embeddings operator
github.com/encoder-run
encoder-run is a Kubernetes operator designed to automate the lifecycle of source code embeddings. It also manages the underlying storage and model infrastructure.
github.com/rajatjindal
kubectl-modify-secret is a tool that allows users to modify Kubernetes secrets without having to worry about base64 encoding/decoding.
github.com/sbstp
Kubie is a tool that provides an alternative to
kubectx,kubens, and thek onprompt modification script, offering context switching, namespace switching, and prompt customization.github.com/gardener
Gardener implements the automated management and operation of Kubernetes clusters as a service and provides a fully validated extensibility framework that can be adjusted to any programmatic cloud or infrastructure provider.
github.com/democratic-csi
democratic-csi implements the CSI spec providing storage for various container orchestration systems such as Kubernetes.
The current focus is providing storage via iscsi/nfs from zfs-based storage systems predominantly FreeNAS/TrueNAS and ZoL on Ubuntu.
Other interesting projects:
Upcoming Kubernetes events
Jan
23
Online workshop organized by Learnk8s.
This is a virtual event
This event requires an entrance fee
Jan
28
Securely access your Kubernetes control plane
Online meetup organized by The Platformers Community London.
This is a virtual event
This is a free event.
Jan
29
In-person conference organized by Cybersec Asia.
Location: Bangkok, TH
This event requires an entrance fee
Jan
25
In-person conference organized by Bitbash.
Location: Veenendaal, NL
This event requires an entrance fee
Jan
23
Kubernetes networking & security at scale: from troubleshooting to collaboration
Online workshop organized by Tigera.
This is a virtual event
This is a free event.
Kubernetes call for papers
expired
The Call For Paper was open until 31 January 2025 at UTC. More info →
Location: Bucharest, RO
In-person conference organized by Cloud Native Romania.
The conference starts on the 6 May 2025.
- Apply here
expired
KubeCon + CloudNativeCon Japan 2025
The Call For Paper was open until 2 February 2025 at UTC. More info →
Location: Tokyo, JP
In-person conference organized by Linux Foundation.
The conference starts on the 17 June 2025.
- Apply here
expired
KubeCon + CloudNativeCon China 2025
The Call For Paper was open until 2 February 2025 at UTC. More info →
Location: Hong Kong, HK
In-person conference organized by Linux Foundation.
The conference starts on the 11 June 2025.
- Apply here
expired
Kubernetes Community Days Costa Rica 2025
The Call For Paper was open until 10 February 2025 at UTC. More info →
Location: Heredia, CR
In-person conference organized by KCD Costa Rica.
The conference starts on the 3 May 2025.
- Apply here
expired
Kubernetes Community Days Texas Austin 2025
The Call For Paper was open until 13 February 2025 at UTC. More info →
Location: Austin, TX, USA
In-person conference organized by KCD Texas.
The conference starts on the 15 May 2025.
- Apply here
expired
The Call For Paper was open until 31 March 2025 at UTC. More info →
Location: Hamburg, DE
In-person conference organized by Looevent.
The conference starts on the 9 September 2025.
- Apply here
expired
Kubernetes Community Days Helsinki 2025
The Call For Paper was open until 8 February 2025 at UTC. More info →
Location: Helsinki, FI
In-person conference organized by KCD Helsinki.
The conference starts on the 6 May 2025.
- Apply here
expired
Kubernetes Community Days Beijing 2025
The Call For Paper was open until 5 February 2025 at UTC. More info →
Location: Beijing, CN
In-person conference organized by KCD Beijing.
The conference starts on the 15 March 2025.
- Apply here
expired
Kubernetes Community Days Czech & Slovak 2025
The Call For Paper was open until 15 March 2025 at UTC. More info →
Location: Prague, CZ
In-person conference organized by KCD Czech & Slovak.
The conference starts on the 5 June 2025.
- Apply here
Until next time!
— Dan