This tutorial teaches how to implement Kubernetes egress control using Squid proxy and NetworkPolicy for visibility and enforcement of outbound traffic without service mesh complexity.
More: https://ku.bz/XyLs9nnzh
More: https://ku.bz/XyLs9nnzh
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Karpenter can rotate your nodes for three reasons: they're underutilized, they're empty, or the AMI has drifted from what you specified.
You can set a disruption budget for each reason to control how many nodes rotate at once. But here's the catch: if you only set budgets for two reasons and skip the third, Karpenter doesn't disable it. It silently applies a default 10% budget to any reason you didn't mention.
Adhi Sutandi's team found this the hard way — drift events fired during maintenance windows they thought were locked down. The fix? Set a single budget of one node with no reason qualifier, so it applies to everything.
New episode out now: https://ku.bz/XyVfsSQPr
You can set a disruption budget for each reason to control how many nodes rotate at once. But here's the catch: if you only set budgets for two reasons and skip the third, Karpenter doesn't disable it. It silently applies a default 10% budget to any reason you didn't mention.
Adhi Sutandi's team found this the hard way — drift events fired during maintenance windows they thought were locked down. The fix? Set a single budget of one node with no reason qualifier, so it applies to everything.
New episode out now: https://ku.bz/XyVfsSQPr
Chainloop is an evidence store and policy engine for Software Supply Chain attestations, SBOMs, VEX, SARIF, and QA reports, with contract-based workflows, Rego policy evaluation, and third-party integrations such as Dependency-Track and Guac.
More: https://ku.bz/_wQslV4bc
More: https://ku.bz/_wQslV4bc
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 173:
🔥 Kubernetes Egress Control with Squid Proxy
💪 How We Turned a Forced OS Migration into a 30% Infrastructure Reduction
⚡ Auto-scaling and Load-based Scaling in Kubernetes
🎯 Smart Scheduler: Intelligent Pod Placement for Kubernetes Cost Optimization
🤖 Using Claude Code to Pilot Kubernetes on Autodock
Read it now: https://kube.today/issues/173
⭐️ This newsletter is brought to you by Hadron, the new lightweight secure Linux OS from the Kairos team https://ku.bz/mMZytrj-z
🔥 Kubernetes Egress Control with Squid Proxy
💪 How We Turned a Forced OS Migration into a 30% Infrastructure Reduction
⚡ Auto-scaling and Load-based Scaling in Kubernetes
🎯 Smart Scheduler: Intelligent Pod Placement for Kubernetes Cost Optimization
🤖 Using Claude Code to Pilot Kubernetes on Autodock
Read it now: https://kube.today/issues/173
⭐️ This newsletter is brought to you by Hadron, the new lightweight secure Linux OS from the Kairos team https://ku.bz/mMZytrj-z
Forwarded from Kube Builders
pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities.
It allows fine-grained introspection of kernel state to facilitate debugging network connectivity issues.
More: https://ku.bz/Q3X1ngZGC
It allows fine-grained introspection of kernel state to facilitate debugging network connectivity issues.
More: https://ku.bz/Q3X1ngZGC
This article demonstrates how to exploit Kubernetes PKI and kubelet credentials after gaining node access to escalate from pod compromise to full cluster control.
More: https://ku.bz/NxVxjKtt0
More: https://ku.bz/NxVxjKtt0
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Anthropic
💰 $40.5M to $48.5M a year
🏠 From the office in San Francisco, CA, USA
→ https://ku.bz/wrrnmcjDQ
DevSecOps Engineer with Tailscale
💰 $15.96M to $19.97M a year
🌎 Fully remote
→ https://ku.bz/J9Cs7QBBp
DevSecOps Engineer with Accenture Federal Services
💰 $11.49M to $15.13M a year
👨💻 Remote from
→ https://ku.bz/bsl59cPMh
DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV
DevSecOps Engineer with Faire
💰 $268K to $368.5K a year
🏠 From the office in San Francisco, CA, USA
→ https://ku.bz/Lt703grhh
👉 Browse 2459 jobs on Kube Careers https://kube.careers
DevSecOps Engineer with Anthropic
💰 $40.5M to $48.5M a year
🏠 From the office in San Francisco, CA, USA
→ https://ku.bz/wrrnmcjDQ
DevSecOps Engineer with Tailscale
💰 $15.96M to $19.97M a year
🌎 Fully remote
→ https://ku.bz/J9Cs7QBBp
DevSecOps Engineer with Accenture Federal Services
💰 $11.49M to $15.13M a year
👨💻 Remote from
→ https://ku.bz/bsl59cPMh
DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV
DevSecOps Engineer with Faire
💰 $268K to $368.5K a year
🏠 From the office in San Francisco, CA, USA
→ https://ku.bz/Lt703grhh
👉 Browse 2459 jobs on Kube Careers https://kube.careers
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Nicholaos Mouzourakis, Staff Product Security Engineer at Gusto, breaks down the common deployment patterns for Open Policy Agent (OPA) in Kubernetes environments. He explains the tradeoffs between individual pods, auto-scaling groups, daemon sets, sidecars, and WASM modules.
He outlines critical considerations for selecting the right deployment option:
- Latency requirements
- Bandwidth constraints
- Development overhead
- Feature compatibility (noting WASM modules lack full standard library support)
- Cloud costs and policy size implications
He notes that co-located pods typically achieve a few milliseconds of latency, and suggests WASM modules for those requiring even better performance.
Watch the full episode: https://kube.fmhttps://ku.bz/S-2vQ_j-4
He outlines critical considerations for selecting the right deployment option:
- Latency requirements
- Bandwidth constraints
- Development overhead
- Feature compatibility (noting WASM modules lack full standard library support)
- Cloud costs and policy size implications
He notes that co-located pods typically achieve a few milliseconds of latency, and suggests WASM modules for those requiring even better performance.
Watch the full episode: https://kube.fmhttps://ku.bz/S-2vQ_j-4
cek is a command-line tool for exploring OCI container image filesystems, reading file contents, and inspecting layer mechanics without running containers by connecting to container daemons or pulling from registries.
More: https://ku.bz/VWLLdYCbb
More: https://ku.bz/VWLLdYCbb
Forwarded from KubeFM
This media is not supported in your browser
VIEW IN TELEGRAM
Spectro Cloud just announced Hadron Linux — a brand new Linux distribution engineered from scratch by the Kairos team.
Ettore Di Giacinto explains: Hadron is purpose-built as a minimal, immutable base layer for edge infrastructure. Unlike retrofitted general-purpose distributions, it is specifically designed to eliminate common friction points when deploying Kubernetes at scale.
The goal: a Linux foundation that treats edge as a first-class target, not an afterthought.
Watch the announcement: https://ku.bz/wMhKpZ5bQ
Read the announcement: https://ku.bz/_9RmXnjDJ
Ettore Di Giacinto explains: Hadron is purpose-built as a minimal, immutable base layer for edge infrastructure. Unlike retrofitted general-purpose distributions, it is specifically designed to eliminate common friction points when deploying Kubernetes at scale.
The goal: a Linux foundation that treats edge as a first-class target, not an afterthought.
Watch the announcement: https://ku.bz/wMhKpZ5bQ
Read the announcement: https://ku.bz/_9RmXnjDJ
This article solves automated certificate distribution for EAP-TLS WiFi authentication using nginx-proxy on Kubernetes with step-ca, avoiding traditional MDM by hosting mobileconfig files at an HTTPS endpoint with mTLS authentication.
More: https://ku.bz/spclMhjDz
More: https://ku.bz/spclMhjDz