Spotlight
Laxman Patel
This article explains how to use Gatekeeper to enforce in-cluster admission policies, such as rejecting :latest images, mandating labels, and disallowing privileged workloads.
Gyasmine
This tutorial shows how to run OWASP ZAP scans inside GitHub Actions using SecureCodeBox on a Kubernetes kind cluster.
Matthieu Vlad
This guide walks through deploying Istio via Terraform and Helm to secure service-to-service and external communication with mTLS, automatic sidecar injection, and encrypted ingress via Istio Gateway.
Rory McCune
This article covers network security fundamentals in Kubernetes, explaining how clusters default to a flat pod network, how network policies enforce segmentation, and best practices like “default deny” and restricting host networking.
Tools and utilities
Kogaro continuously validates Kubernetes config with 60+ checks across reference, resource, security, image, and network domains, catching silent failures before they impact production.
Netfence runs as a daemon, injecting eBPF filter programs into cgroups and network interfaces, with a built-in DNS server that resolves allowed domains and populates IP allowlists, and connecting to a central control plane to synchronize network rules.
Hortator lets AI agents spawn sub-agents at runtime, with each agent running in its own pod with budget caps, network policies, PII redaction, and capability inheritance so children can never escalate beyond their parent's permissions.
Sealed Secrets Web is a tool that provides a web interface for managing and encrypting sensitive data in Kubernetes using the Sealed Secrets service by Bitnami.
ESP Kubernetes Reference Implementation runs compliance scanning in Kubernetes using ESP policies with pull-based agents that execute NIST, CIS, and STIG controls and produce CUI-free attestations forwarded to SIEM or cloud functions.
Events starting soon
July 1, 2026
Location: Amsterdam, NL
This is a free event.
July 1, 2026
Location: Springfield, MI, USA
This is a free event.
July 2, 2026
Location: Mannheim, DE
This event requires an entrance fee.
July 2, 2026
This is a virtual event.
This is a free event.
July 2, 2026
Location: Bunnik, NL
This is a free event.
July 2, 2026
Location: San Francisco, CA, USA
This event requires an entrance fee.
Learn from production
Matt Camp
This case study shows how Unitary built Osmia, an open-source orchestration layer on EKS to run autonomous AI coding agents safely at scale using pod isolation, Karpenter, IRSA-based secrets, and real-time trajectory scoring.
Fabián Sellés Rosa
This case study shows how upgrading to Kubernetes 1.34 caused KIAM pods to fail due to service account token expiration changes, revealing that legacy clients using long-lived tokens now expire after 24 hours instead of 90 days.
Renato Vassão
This case study shows how Mindbody used Kyverno policy-as-code to dynamically manage Istio ingress gateways across hundreds of applications without updating individual Helm charts.
BioCatch Tech Blog
This case study explains how BioCatch migrated their Vault environment from costly external storage to Raft, enabling high availability, easy disaster recovery, and lower operational costs in Kubernetes.
Matching jobs
DevOps Engineer with Miratech
Salary: $81K to $297K a year
Location: remote from
Tech stack: Kubernetes, AWS, ArgoCD, Flux, Docker, Python, Cloudformation, Terraform, GitHub Actions, Jenkins
Engineering Manager with FIRY
Salary: $259K a year
Location: based in the office (and remote from home) in San Francisco, CA, USA
Tech stack: Kubernetes, AWS, Docker, Go, Java, Javascript, Python, Ruby
Head of Site Reliability Engineering with FIRY
Salary: $58.5K to $3.29L a year
Location: based in the office (and remote from home) in Bengaluru, IN
Tech stack: Kubernetes, AWS, ArgoCD, Go, Java, Python, GitHub Actions, Datadog, Prometheus, Jaeger
Head of Site Reliability Engineering with Kontakt.io
Salary: $196.2K to $357.5K a year
Location: based in the office in New York, NY, USA
Tech stack: Kubernetes, AWS, Docker, Terraform, Datadog, Grafana, Prometheus
Platform Engineer with Inversion
Salary: $139K to $201K a year
Location: based in the office in Playa Vista, CA, USA
Tech stack: Kubernetes, AWS, GCP, Docker, Python, Shell, Terraform, GitHub Actions, Jenkins, Grafana
Build something
This tutorial teaches how to extend EKS with hybrid nodes using IAM Roles Anywhere and HashiCorp Vault for secure authentication of on-premises or edge workloads.
DV Engineering
This tutorial teaches how to collect Prometheus metrics from Kubernetes clusters and securely route them to remote Prometheus instances using Vector with mTLS encryption.
Juanma Barea Martinez
This tutorial teaches how to secure LLM inference services on Kubernetes using Authorino and Envoy for authentication and authorization.
Matt Brown
This tutorial teaches how to implement container image signature verification in Kubernetes using Cosign for signing, Kyverno for policy enforcement, and Sigstore Policy Controller for admission control.
More articles
David Nguyen
This article shows how to configure Role-Based Access Control (RBAC) in Kubernetes Engine (GKE), create roles, role bindings, and enforce least privilege across namespaces and cluster APIs.
Siva Bankapalli
This article shows a Zero Trust blueprint using mutual TLS (mTLS) and Istio security policies to make internal and external APIs secure by default, with step-by-step configs and lessons from real systems.
Daniel Ullrich
This article reviews Kubermatic SecureGuard (KubeSG), a Kubernetes-native open source secrets manager built on OpenBao and the External Secrets Operator that automates secret rotation and delivery without app rewrites or proprietary SDKs.
Samarth
This article shows how to sign every container image using Cosign keyless signing in GitHub Actions and enforce signatures at pod admission with Kyverno, using the chalk/debug npm attack as the real-world motivation.