Diffing Customization| argo-cd.readthedocs.io
Different ways to change the behavior of your Kubernetes cluster.| Kubernetes
Learn how to manage access entries for IAM principals to your Amazon EKS cluster, including creating, updating, and deleting access entries for fine-grained authentication and authorization.| docs.aws.amazon.com
A Kubernetes cluster consists of a group of node machines designed to run applications within containers.| wiz.io
The Kubernetes API is a resource-based (RESTful) programmatic interface provided via HTTP. It supports retrieving, creating, updating, and deleting primary resources via the standard HTTP verbs (POST, PUT, PATCH, DELETE, GET). For some resources, the API includes additional subresources that allow fine-grained authorization (such as separate views for Pod details and log retrievals), and can accept and serve those resources in different representations for convenience or efficiency. Kubernete...| Kubernetes
Container runtime security is the combination of measures and technology implemented to protect containerized applications at the runtime stage.| wiz.io
When several users or teams share a cluster with a fixed number of nodes, there is a concern that one team could use more than its fair share of resources. Resource quotas are a tool for administrators to address this concern. A resource quota, defined by a ResourceQuota object, provides constraints that limit aggregate resource consumption per namespace. A ResourceQuota can also limit the quantity of objects that can be created in a namespace by API kind, as well as the total amount of infra...| Kubernetes
FEATURE STATE: Kubernetes v1.22 [stable] (enabled by default: true) Kubernetes supports multiple appliers collaborating to manage the fields of a single object. Server-Side Apply provides an optional mechanism for your cluster's control plane to track changes to an object's fields. At the level of a specific resource, Server-Side Apply records and tracks information about control over the fields of that object. Server-Side Apply helps users and controllers manage their resources through decla...| Kubernetes
Kubernetes offers two distinct ways for clients that run within your cluster, or that otherwise have a relationship to your cluster's control plane to authenticate to the API server. A service account provides an identity for processes that run in a Pod, and maps to a ServiceAccount object. When you authenticate to the API server, you identify yourself as a particular user. Kubernetes recognises the concept of a user, however, Kubernetes itself does not have a User API.| Kubernetes
Make your HTTP (or HTTPS) network service available using a protocol-aware configuration mechanism, that understands web concepts like URIs, hostnames, paths, and more. The Ingress concept lets you map traffic to different backends based on rules you define via the Kubernetes API.| Kubernetes
In KubeEdge v1.19, we introduced a new version of the KubeEdge Dashboard. This version of KubeEdge Dashboard is built with the Next.js framework and the MUI component library to offer better performance. Meanwhile, we have optimized and enhanced several modules of the KubeEdge Dashboard, including the device management and device model management modules.| kubeedge.io
We’ll show you how to access any part of the Kubernetes API or a Custom Resource using a ServiceAccount and granular permissions.| OpenFaaS - Serverless Functions Made Simple
Configuration options for a Kyverno installation.| Kyverno
Tools such as Prometheus and OpenTelemetry help us monitor the health, performance, and availability of our complex distributed systems. Both are open source projects under the Cloud Native Computing Foundation (CNCF) umbrella – but what role does each play in observability? OpenTelemetry (OTel for short), is a vendor-neutral open standard for instrumenting, generating, collecting, and exporting telemetry data. Prometheus is a fixture of the observability landscape, widely relied upon for m...| OpenTelemetry
We recently talked with Federico Bongiovanni (Google) and David Eads (Red Hat), Chairs of SIG API Machinery, to know a bit more about this Kubernetes Special Interest Group. Introductions Frederico (FSM): Hello, and thank you for your time. To start with, could you tell us about yourselves and how you got involved in Kubernetes? David: I started working on OpenShift (the Red Hat distribution of Kubernetes) in the fall of 2014 and got involved pretty quickly in API Machinery.| www.kubernetes.dev
Core problems with the API make it challenging to use in a secure, scalable manner.| blog.howardjohn.info
Zero trust architectures should not treat nodes as highly privileged components.| blog.howardjohn.info
Details of Kubernetes authorization mechanisms and supported authorization modes.| Kubernetes
Using kubeadm, you can create a minimum viable Kubernetes cluster that conforms to best practices. In fact, you can use kubeadm to set up a cluster that will pass the Kubernetes Conformance tests. kubeadm also supports other cluster lifecycle functions, such as bootstrap tokens and cluster upgrades. The kubeadm tool is good if you need: A simple way for you to try out Kubernetes, possibly for the first time. A way for existing users to automate setting up a cluster and test their application.| Kubernetes
8 no-brainer container security best practices for beginners + the key components of container architecture to secure| wiz.io
This document describes how to manage user permissions in Chaos Mesh, including creating user accounts with different roles, binding permissions to user accounts, managing tokens, and enabling or disabling permission authentication.| chaos-mesh.org
This page provides an overview of controlling access to the Kubernetes API. Users access the Kubernetes API using kubectl, client libraries, or by making REST requests. Both human users and Kubernetes service accounts can be authorized for API access. When a request reaches the API, it goes through several stages, illustrated in the following diagram: Transport security By default, the Kubernetes API server listens on port 6443 on the first non-localhost network interface, protected by TLS.| Kubernetes
This document describes the concept of a StorageClass in Kubernetes. Familiarity with volumes and persistent volumes is suggested. A StorageClass provides a way for administrators to describe the classes of storage they offer. Different classes might map to quality-of-service levels, or to backup policies, or to arbitrary policies determined by the cluster administrators. Kubernetes itself is unopinionated about what classes represent. The Kubernetes concept of a storage class is similar to ...| Kubernetes
Learn about AWS Fault Injection Service actions.| docs.aws.amazon.com
Production-Grade Container Orchestration| Kubernetes
We've Moved to the AWS Docs! 🚀| aws.github.io
Explains various advanced features for Helm power users| helm.sh
Explains how Helm interacts with Kubernetes' Role-Based Access Control.| helm.sh
The Traefik team developed a Custom Resource Definition (CRD) for an IngressRoute type, to provide a better way to configure access to a Kubernetes cluster.| doc.traefik.io
Sometimes I hear folks in the Crossplane community ask if they can just use Helm instead of opting into our package manager. The technical answer to this question is “yes”, but it typically represents a misinterpretation of what Crossplane is providing in a Kubernetes cluster. That being said, I completely understand why someone would ask this question, and quite frankly, I think the confusion is our fault. In Crossplane and across the Kubernetes community we lean in heavily to the idea t...| danielmangum.com
tl;dr - In order to test storage performance I set up a completely automated test bed for all the storage plugins, this article chronicles the installations of some of the plugins. It’s particularly long because I made lots of mistakes. Mostly useless sections are prefaced with a notice on why you can skip them, skim the ToC and click on anything you like. UPDATE (04/09/2020) The GitLab repository is up!| vadosware.io