Kubesploit
kubesploit.io
@kubesploit.io
News and links on Kubernetes security curated by the @Learnk8s.io team
More K8s news, events, jobs → https://kube.today
This tutorial teaches how to securely manage and dynamically update Kubernetes secrets using AWS Secrets Manager, External-Secrets Operator, and Config-Reloader

https://ku.bz/Cx_nsGFC1
February 7, 2026 at 6:16 PM
This tool runs inside Kubernetes and automatically decrypts secrets encrypted with Mozilla SOPS, and then creates standard Kubernetes Secret objects from them

https://ku.bz/H3KWGSwl9
February 6, 2026 at 6:56 PM
Synapse is a high-performance reverse proxy and firewall built with Rust, using XDP-based packet filtering for ultra-low latency protection at kernel level

https://ku.bz/w2PFxxfN8
February 6, 2026 at 6:41 PM
This case study shows how Mindbody used Kyverno policy-as-code to dynamically manage Istio ingress gateways across hundreds of applications without updating individual Helm charts

https://ku.bz/F6-Xr10Yv
February 5, 2026 at 6:51 PM
This article explains how Kubernetes user namespaces work for container isolation and covers the security benefits of mapping container root users to unprivileged host users, thereby reducing privilege escalation risks

https://ku.bz/1kmpsFXbB
February 5, 2026 at 6:26 PM
External Secrets Operator syncs secrets from AWS, Vault, GCP, Azure, and others via their APIs and injects them as native Kubernetes Secrets using CRDs

https://ku.bz/P9-BCNT1L
February 5, 2026 at 4:16 AM
kubectl-rexec is a kubectl plugin that provides full audit logging for kubectl exec sessions, addressing the security gap where standard exec commands leave no trace of what happens inside containers

https://ku.bz/yRQZ9Jrml
February 4, 2026 at 6:26 PM
Reposted by Kubesploit
"Self-service without governance leads to 3 AM outages." Zain Malik explains how mature platforms balance empowerment with reliability

📺: https://ku.bz/rwttMCncv
February 4, 2026 at 4:51 PM
Reposted by Kubesploit
🗣️ Nicholaos Mouzourakis explains how Open Policy Agent (OPA) integrates with Kubernetes for authorization, highlighting its versatility and performance

Watch the full episode: https://ku.bz/S-2vQ_j-4
February 4, 2026 at 2:56 PM
Reposted by Kubesploit
This week on the Learn Kubernetes Weekly:

🔥 When HA Brings Downtime
🔄 Upgrade AWS CSI Drivers
🤖 AI/ML Models at Scale in SAP AI Core
✅ Readiness Checks for Spring Boot
🌐 CoreDNS in OpenShift

⭐️ LearnKube

Read it now: https://kube.today/issues/169
February 4, 2026 at 11:46 AM
This tutorial teaches how to deploy HashiCorp Vault Secrets Operator on Google Kubernetes Engine to synchronize Vault secrets into Kubernetes Secret resources automatically

https://ku.bz/QnvFmQp8h
February 3, 2026 at 6:26 PM
Reposted by Kubesploit
🗣️ Ziv manages 600+ Postgres clusters in a closed network environment with no public cloud

After existing backup solutions proved unreliable, they built a new architecture using pgBackRest + ArgoCD

https://ku.bz/Rg_sQYSmw

🌟 LearnKube
🎙 Bart
February 3, 2026 at 12:51 PM
Kaniop is a Kubernetes operator written in Rust for managing Kanidm identity management clusters, providing declarative identity management through GitOps workflows

https://ku.bz/D1JBBy0B3
February 2, 2026 at 6:36 PM
This tutorial walks you through setting up Google Cloud IAP for Kubernetes services, using CDKTF (TypeScript) to configure OAuth, BackendConfig, and service annotations so your internal tools are protected behind identity checks

https://ku.bz/f7PqfWlby
January 30, 2026 at 6:56 PM
This article explains a critical security issue where AWS CSI drivers gave DaemonSet service accounts the ability to patch nodes, completely breaking node isolation in multi-tenant clusters

https://ku.bz/xGP7ymMvW
January 30, 2026 at 6:41 PM
PodCertificateSigner lets your Kubernetes cluster automatically issue TLS certificates for pods by handling `PodCertificateRequest` resources with a custom signer controller

https://ku.bz/rbMcq48rD
January 29, 2026 at 7:16 PM
Dockadvisor is a lightweight Dockerfile linter built in Go that validates your Dockerfiles with over 60 rules covering syntax, security, and best practices

https://ku.bz/2DT4TqRRk
January 29, 2026 at 6:56 PM
cert-manager-mcp-server provides cert-manager resource management through Model Context Protocol (MCP), letting AI assistants like Claude inspect certificates, issuers, and certificate requests directly in Kubernetes clusters

https://ku.bz/RwfN0Qz5g
January 29, 2026 at 6:26 AM
This tutorial teaches how to deploy KubeArmor runtime security on Huawei Cloud Container Engine (CCE) using BPF-LSM for dynamic kernel-level policy enforcement without static profiles or reboots

https://ku.bz/vnqpX_3yc
January 28, 2026 at 6:26 PM
Reposted by Kubesploit
This week on the Learn Kubernetes Weekly:

🗑️ Deleting a CRD
🌱 Carbon-Aware ML Training
⚡ vLLM Setups for Spiky Traffic
🛡️ Preventing Resource Deletion in Argo
🔄 Reproducible Infra with NixOS

⭐️ Kubex

Read it now: https://kube.today/issues/168
January 28, 2026 at 11:46 AM
traefik-oidc-auth is a Traefik plugin that secures upstream services using OpenID Connect authentication, acting as a relying party for identity providers like ZITADEL, Keycloak, Microsoft EntraID, and Authentik

https://ku.bz/18rD29Nlh
January 27, 2026 at 6:26 PM
Reposted by Kubesploit
🗣️ Most developers assume Kubernetes requires an enterprise budget. Varnit Goyal proves otherwise — he built a full three-node Kubernetes cluster for $2.16/month using Rackspace Spot Instances

https://ku.bz/HpVyQMVv0

🌟 LearnKube
🎙 Bart
January 27, 2026 at 12:26 PM
Pinniped provides identity services to Kubernetes by integrating external identity providers (OIDC, LDAP, Active Directory) with clusters for secure, unified login across on-premises and cloud environments

https://ku.bz/Zb8ms9RlY
January 27, 2026 at 3:31 AM