Digest #48: Kubernetes Container Security 🔐

🎧 PODCAST/WEBINAR OF THE WEEK
In this episode Rich speaks with Celeste Horgan from Stripe. Topics include: How developers can get better at writing docs, what makes a good concept doc, “blank is a blank that does blank,” the difficulty with making big changes in the Kubernetes documentation, the Dockershim deprecation, inclusive naming, and many others 🔥
📖 POSTS OF THE WEEK
ArgoCD best practices you should know
In this article, you'll explore some of the best practices of Argo and learn how you can validate your custom resources against these best practices.
Read more »
"How to secure Deployments in Kubernetes?" - Security is crucial for containerized applications that run on a shared infrastructure. In this post, you'll learn how to secure Kubernetes deployments and applications in general - Read more »
"Build Preview Environments on AWS for CI/CD workflows with Terraform CDK" - In this tutorial, you will build preview environments on AWS using Terraform CDK and deploy a React application - Read more »
"Kubernetes ephemeral container security" - Ephemeral containers are a new concept in Kubernetes that allows attaching containers to already running Pods. They also introduce new security concerns which have to be resolved before the feature can be enabled - Read more »
"You probably don’t need AWS and are better off without it" - While I'm not particularly fond of AWS, I find the provided arguments baffling - you would be better off without AWS because you might forget to turn off $80k of instances? - Read more »
"Take the pain out of git conflict resolution: use diff3" - The diff3 conflict resolution strategy is a hidden gem in git that can save you countless conflict-resolution headaches and turn git conflict resolution into something of a joy - Read more »
"Monitoring a garage door with a Raspberry Pi, Rust, and a 13Mb Linux system" - For geeks like me, this is a super fun project. It sends an alert via Mattermost when the garage door has been left open for more than 5 minutes - Read more »
"Codespaces for multi-repository and monorepo scenarios" - Codespaces are instant cloud-powered development environments. Now, they support multi-repository projects and monorepos - Read more »
"AWS's Log4Shell hot patch vulnerable to container escape and privilege escalation" - A great post that identifies severe security issues within AWS Log4Shell hot patch solutions. It also provides the root cause analysis and an overview of fixes and mitigations - Read more »
📕 BOOK OF THE WEEK
This book includes stories of many different companies. Some were successful, and others were not. One key concept from the book that hit home with me was that when you have a strong Why you will naturally attract individuals to your business who share that Why. A strong Why will allow you to market based on these beliefs instead of using manipulative tactics like price, features, and benefits.
If you’ve thought about starting or are running your own business, do you know your Why? If not, I would urge you to take some time to read Start With Why and to get clear on your Why.
🛠 PROJECTS OF THE WEEK
If you manage AWS Cloud accounts, you might be interested in easily forwarding all your EC2 logs to third parties through Kinesis Firehose from one centralized place. If so, check out this Rsyslog Server product made by 0x4447. The company 0x4447 builds products to increase standardization and security in AWS Organizations. They do this with automated pipelines that use well-structured projects to create secure, easy-to-maintain and fault-tolerant solutions - Read more »
Shell-operator is a tool for running event-driven scripts in a Kubernetes cluster. Shell-operator provides an integration layer between Kubernetes cluster events and shell scripts by treating scripts as hooks triggered by events. Think of it as an operator-sdk but for scripts - Read more »
The helm-docs tool auto-generates documentation from helm charts into markdown files. The resulting files contain metadata about their respective chart and a table with each of the chart's values, their defaults, and an optional description parsed from comments - Read more »
Secrets is a command-line tool to prevent committing secret keys into your source code. It has a few features that distinguish it from other secret-scanning tools: it is extremely fast, focused on pre-commit, a single binary with no dependencies, and has a low rate of false positives - Read more »
Cog is an open-source tool that lets you package machine learning models in a standard, production-ready container. With Cog, you define your environment with a simple configuration file and it generates a Docker image with all the best practices: Nvidia base images, efficient caching of dependencies, installing specific Python versions, sensible environment variable defaults, and so on - Read more »
Describe a situation in which you may or may not have been the one at fault. The AI will tell you who's in the right, and why. The project is a collection of 3 unique AI text generation models trained on posts and comments from r/AmITheAsshole and answers the questions that you've been asking on reddit for years: was my response to this reasonable, or am I the asshole in this situation? - Read more »
💼 OPEN JOBS OF THE WEEK
Site Reliability Engineer @Swile
AWS, Kubernetes, Terraform

🌎 Remote, France
Read more »
DevOps Engineer @Built
AWS/GCP, Docker, Jenkins

🌎 Remote, USA
Read more »
Senior Site Reliability Engineer @Funding Circle
AWS, Golang, Terraform

🌎 Remote, UK
Read more »
🐦 TWEET OF THE WEEK
Some killer one-liners in JavaScript 🔥
😂 MEMES OF THE WEEK
Purple pill: working remotely for a US company while living in EU 😌
Copyright © 2022 DevOps Bulletin, All rights reserved.