
Posts by Kubesploit

https://github.com/enix/x509-certificate-exporter/raw/main/docs/grafana-dashboard.jpg


X.509 Certificate Exporter is a Go-based Prometheus exporter that monitors certificate expiration inside Kubernetes clusters or as a standalone service, helping teams alert before TLS certificates expire

https://ku.bz/BPXM_D-v2

2 days ago 1 0 0 0

Cilium Policy Generator watches dropped flows in real time and auto-generates CiliumNetworkPolicy YAML files to allow them — so you stop writing policies by hand in default-deny Cilium clusters

https://ku.bz/hZYF4XgL_

2 days ago 0 0 0 0
https://res.cloudinary.com/learnk8s/image/upload/v1776345696/23apr_eau8hr.png


Become an expert in Kubernetes!

LearnKube runs its iconic 4-day Advanced Kubernetes course next week!

If you want to get your hands dirty with Kubernetes, join us for a workshop packed with hands-on labs!

Sign up here: https://learnkube.com/training

3 days ago 9 8 0 0
https://kube.careers/image-gen/digest?companies=Anthropic&companies=OpenAI&companies=Faire&currency=USD&salaryFrom=130000&salaryTo=500000&subtitle=Selected+by+the+Kube+Careers+team&title=6+Kubernetes+security+jobs


4 days ago 1 1 1 0
https://assets.learnk8s.io/linkedin-179.png


This week on the Learn Kubernetes Weekly:

☁️ Event-Driven Architecture Missing Standards
🔥 Sandboxes for AI
🔐 Securing East-West Traffic
💥 Chaos Engineering Best Practices
📊 AWS Monitoring Platform

⭐️ Portworx

Read it now: https://kube.today/issues/179

4 days ago 7 7 0 0
https://res.cloudinary.com/learnk8s/image/upload/v1776067746/controller-manager-explained-2026/thread-slide-1.png


Delete a Pod from a Deployment and a new one appears.

The API server didn't create it. The scheduler didn't schedule it yet. A controller inside the controller manager noticed the count was wrong and created a replacement before anything else happened.

6 days ago 6 6 1 0
https://miro.medium.com/v2/1*h0ab2tqC4DCRPUpultMHow.png


This article shows how to use tofu-controller to manage Terraform resources with GitOps for external systems like Grafana dashboards and HashiCorp Vault policies with continuous reconciliation and automatic drift detection

https://ku.bz/B3y_Zflr7

1 week ago 2 1 0 0
Video

🗣️ Nicholaos Mouzourakis explains how Go's default thread management clashed with Kubernetes CPU limits, causing performance issues. The solution? Reducing GOMAXPROCS

Watch: https://ku.bz/S-2vQ_j-4

1 week ago 3 2 1 0

Linnix is an eBPF + PSI-powered Kubernetes observability agent written in Rust that identifies which pod is actually stalling your services, not just consuming CPU

https://ku.bz/x-VQLHwSW

1 week ago 1 1 0 0
https://kube.careers/image-gen/digest?companies=Anthropic&companies=OpenAI&companies=Faire&currency=USD&salaryFrom=172400&salaryTo=490000&subtitle=Selected+by+the+Kube+Careers+team&title=6+Kubernetes+security+jobs


1 week ago 1 1 1 0
https://assets.learnk8s.io/linkedin-178.png


This week on the Learn Kubernetes Weekly:

🔥 RCE via Nodes/Proxy
🦅 Chaos to Engineering Excellence
☸️ Extended Toleration Operators
🔄 K8S to ECS Fargate
🗄️ SQL Server on AKS with GitOps

⭐️ StormForge

Read it now: https://kube.today/issues/178

1 week ago 6 7 0 0
Video

KubeProxy routes once per connection, not per request. For gRPC, some pods burn at 80% CPU while others sit idle

Rohit Agrawal from Databricks on replacing it with proxy-less, client-side load balancing

https://ku.bz/y803JMhBk

1 week ago 6 6 0 0
https://miro.medium.com/v2/1*2TKNP35wyrp4EjXsO3z29A.png


This article solves automated certificate distribution for EAP-TLS WiFi authentication using nginx-proxy on Kubernetes with step-ca, avoiding traditional MDM by hosting mobileconfig files at an HTTPS endpoint with mTLS authentication

https://ku.bz/spclMhjDz

1 week ago 0 0 0 0

cek is a command-line tool for exploring OCI container image filesystems, reading file contents, and inspecting layer mechanics without running containers by connecting to container daemons or pulling from registries

https://ku.bz/VWLLdYCbb

2 weeks ago 1 1 0 0
https://miro.medium.com/v2/1*h9lBLocbdJX2Lfc-b73cnA.png


This article demonstrates how to exploit Kubernetes PKI and kubelet credentials after gaining node access to escalate from pod compromise to full cluster control

https://ku.bz/NxVxjKtt0

2 weeks ago 0 0 0 0

pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities

It allows fine-grained introspection of kernel state to facilitate debugging network connectivity issues

https://ku.bz/Q3X1ngZGC

2 weeks ago 1 1 0 0
https://github.com/chainloop-dev/chainloop/raw/main/docs/img/overview-3.png


Chainloop is an evidence store and policy engine for Software Supply Chain attestations, SBOMs, VEX, SARIF, and QA reports, with contract-based workflows, Rego policy evaluation, and third-party integrations such as Dependency-Track and Guac

https://ku.bz/_wQslV4bc

2 weeks ago 0 0 0 0
https://interlaye.red/images/horizons-datastar.png


This tutorial teaches how to implement Kubernetes egress control using Squid proxy and NetworkPolicy for visibility and enforcement of outbound traffic without service mesh complexity

https://ku.bz/XyLs9nnzh

2 weeks ago 0 0 0 0
https://kube.careers/image-gen/digest?companies=Anthropic&companies=OpenAI&companies=Faire&currency=USD&salaryFrom=172400&salaryTo=490000&subtitle=Selected+by+the+Kube+Careers+team&title=6+Kubernetes+security+jobs


2 weeks ago 1 1 1 0
https://assets.learnk8s.io/linkedin-177.png


This week on the Learn Kubernetes Weekly:

☕ Running Java at Scale
🚀 Push to Production with Argo CD
⚡ Eliminating Image Pull Delays
🏕️ Nomad on OpenShift
🔬 The Linkerd Destination Service

⭐️ Spectro Cloud

Read it now: https://kube.today/issues/177

2 weeks ago 7 6 0 0
Video

Kubernetes secrets are base64-encoded, not encrypted. Store them externally and mount as volumes — then even shell access won't expose credentials

Rodrigo Bersa on secrets management in production

#Kubernetes #Security



📺: https://ku.bz/dB7PDNt0v

2 weeks ago 1 1 1 0
Video

🗣️ Paul Butler shares how his team minimizes RBAC in Kubernetes

Watch the full episode: https://ku.bz/Dmn93dd7M

2 weeks ago 1 1 0 0
Video

👆 Vincent von Büren from ipt found a ServiceAccount token in production logs. One-year expiry. No audience restrictions. "The tokens work. Until they don't. And by then you're the incident."

https://ku.bz/LTnB_Ntbc

🌟 LearnKube
🎙️ 🎙Bart

2 weeks ago 6 6 0 0

cert-manager-webhook-pdns is a PowerDNS webhook for cert-manager that enables automated Let's Encrypt certificate issuance using DNS-01 challenges by integrating with PowerDNS API for DNS record management

https://ku.bz/x3vxd7ZpJ

3 weeks ago 0 0 0 0
https://miro.medium.com/v2/1*d1qe8usmJulbGNB1CbBdYQ.png


This tutorial teaches how to implement layered security in Kubernetes using Kyverno for admission control and KubeArmor for runtime protection to enforce guardrails

https://ku.bz/SnYRwQhFR

3 weeks ago 1 0 0 0

This case study shows how upgrading to Kubernetes 1.34 caused KIAM pods to fail due to service account token expiration changes, revealing that legacy clients using long-lived tokens now expire after 24 hours instead of 90 days

https://ku.bz/73CpNdNtb

3 weeks ago 0 0 0 0

AgentDiscover Scanner detects autonomous AI agents and Shadow AI in codebases using static analysis for Python and JavaScript, network monitoring for active LLM traffic, and Kubernetes runtime detection via Cilium Tetragon eBPF

https://ku.bz/lCqClc_3w

3 weeks ago 2 0 0 0
https://kube.careers/image-gen/digest?companies=Anthropic&companies=OpenAI&companies=Faire&currency=USD&salaryFrom=172400&salaryTo=490000&subtitle=Selected+by+the+Kube+Careers+team&title=6+Kubernetes+security+jobs


3 weeks ago 1 2 1 0
Video

🗣️ Amine Hilaly, Software Development Engineer at Amazon Web Services (AWS), explores whether to expose multiple Kubernetes resources through a single API or manage them individually

Watch the full interview: https://ku.bz/Gq1-34ZN0

3 weeks ago 1 1 0 0

Guardon is a browser extension that catches Kubernetes security misconfigurations during GitHub/GitLab code reviews, providing instant feedback, actionable YAML fixes, a custom rule engine, and Kyverno policy import, with no CI setup required

https://ku.bz/1dwsMRc7S

3 weeks ago 1 1 0 0