https://devopstales.github.io/series/k8s-security/ Recent content in K8s-Security on DevOpsTales Hugo -- gohugo.io en Sun, 08 Mar 2026 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-cert/ Sun, 08 Mar 2026 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-cert/ In this post I will show you how you can rotate your Kubernetes Engine Certificates. https://devopstales.github.io/kubernetes/k8s-security/ Fri, 06 Mar 2026 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-security/ Kubernetes offers rich configuration options, but defaults are usually the least secure. Most sysadmins don’t know how to secure a Kubernetes cluster. So this is my Best Practice list for keeping Kubernetes Clusters Secure. https://devopstales.github.io/kubernetes/best-k8s-dashboards-2026/ Mon, 02 Mar 2026 00:00:00 +0000 https://devopstales.github.io/kubernetes/best-k8s-dashboards-2026/ With the official Kubernetes Dashboard being deprecated and moved to the retired projects, finding a reliable, feature-rich dashboard for your Kubernetes clusters has become more important than ever. In 2026, several excellent alternatives have emerged. This post reviews the top Kubernetes dashboards available today. https://devopstales.github.io/kubernetes/k8s-dmz-bgp-external-haproxy/ Thu, 26 Feb 2026 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-dmz-bgp-external-haproxy/ Learn how to deploy HAProxy Ingress Controller on AlmaLinux in a DMZ network outside your Kubernetes cluster—without Cilium’s deprecated external workload mode. This guide covers BGP peering with BIRD, Cilium’s Pod CIDR export, firewalld configuration, and production-ready setup for secure ingress traffic isolation. https://devopstales.github.io/kubernetes/kubernetes-resource-visibility/ Thu, 15 May 2025 00:00:00 +0000 https://devopstales.github.io/kubernetes/kubernetes-resource-visibility/ When you check resource usage inside a Kubernetes pod, you might be surprised to see the full host machine’s resources - even when you’ve set strict limits. Let’s explore why this happens and how to fix it. https://devopstales.github.io/kubernetes/automatic-k8s-certificate-renewal/ Fri, 20 Dec 2024 00:00:00 +0000 https://devopstales.github.io/kubernetes/automatic-k8s-certificate-renewal/ In this post I will show you how you can automate the Kubernetes Certificate renewal. https://devopstales.github.io/kubernetes/k8s-dmz-vxlan/ Wed, 10 Apr 2024 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-dmz-vxlan/ In this post I will show you how to nstall HAProxy Igress Controller on a separate VM instad of running it in the Kubernetes cluster as a pod. For this I will use cilium external-workload option. https://devopstales.github.io/kubernetes/k8s-dmz-bgp/ Sun, 03 Mar 2024 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-dmz-bgp/ In this post I will show you how to nstall HAProxy Igress Controller on a separate VM instad of running it in the Kubernetes cluster as a pod. For this I will use cilium BGP pod CIDR export option. https://devopstales.github.io/kubernetes/k8s-secure-install/ Sat, 20 Jan 2024 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-secure-install/ In this post I will show you how to install a Kubernetes cluster in a secure way with. https://devopstales.github.io/kubernetes/kubedash-1.0/ Mon, 20 Mar 2023 00:00:00 +0000 https://devopstales.github.io/kubernetes/kubedash-1.0/ Today I am happy to announce the release of KubeDash 1.0. This blog post focuses on the functionality provided by the KubeDash 1.0. https://devopstales.github.io/kubernetes/k8s-limits/ Tue, 08 Nov 2022 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-limits/ In this post I will show you the usage of the Kubernetes limits and requests. https://devopstales.github.io/kubernetes/k8s-user-namespace/ Wed, 02 Nov 2022 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-user-namespace/ In this blog post I will introduce user namespaces, then I will show you how you can use it in Kubernetes. https://devopstales.github.io/kubernetes/trivy-operator-2.5/ Sat, 15 Oct 2022 00:00:00 +0000 https://devopstales.github.io/kubernetes/trivy-operator-2.5/ Today I am happy to announce the release of trivy-operator 2.5. This blog post focuses on the functionality provided by the trivy-operator 2.5 release. https://devopstales.github.io/kubernetes/k8s-migrate-from-psp/ Wed, 24 Aug 2022 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-migrate-from-psp/ With the release of Kubernetes v1.25, Pod Security admission has now entered to stable and PodSecurityPolicy is removed. In this article, I will show you how you can migrate to the new Pod Security Admission. https://devopstales.github.io/kubernetes/k8s-ps/ Tue, 23 Aug 2022 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-ps/ With the release of Kubernetes v1.25, Pod Security Admission has now entered to stable and PodSecurityPolicy is removed. In this article, we cover the key concepts of Pod Security Admission along with how to use it. https://devopstales.github.io/kubernetes/k8s-pod-security-standards-using-kyverno/ Wed, 10 Aug 2022 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-pod-security-standards-using-kyverno/ In this post I will show you how you can use Kyverno instal of Pod Security Admission. https://devopstales.github.io/kubernetes/k8s-crowdsec-ids/ Fri, 08 Jul 2022 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-crowdsec-ids/ In this post I will show you how you can install CrowdSec Intrusion Detection System (IDS) inside a Kubernetes cluster. https://devopstales.github.io/kubernetes/trivy-operator-2.4/ Thu, 30 Jun 2022 00:00:00 +0000 https://devopstales.github.io/kubernetes/trivy-operator-2.4/ Today I am happy to announce the release of trivy-operator 2.4. This blog post focuses on the functionality provided by the trivy-operator 2.4 release. https://devopstales.github.io/kubernetes/k8s-pomerium-ingress-controller/ Tue, 14 Jun 2022 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-pomerium-ingress-controller/ In this blog post, I will show you how you can install Pomerium Ingress Controller and use it to secure your application. https://devopstales.github.io/kubernetes/kube-openid-connect-1.0/ Fri, 25 Mar 2022 00:00:00 +0000 https://devopstales.github.io/kubernetes/kube-openid-connect-1.0/ Today I am happy to announce the release of kube-openid-connect 1.0 and assign the first ever stable release number. This blog post focuses on the functionality provided by the kube-openid-connect 1.0 release. https://devopstales.github.io/kubernetes/k8s-user-accounts/ Tue, 22 Mar 2022 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-user-accounts/ I this post I will show you how you can create Users in Kubernetes the right way. https://devopstales.github.io/kubernetes/k8s-test-tools/ Wed, 02 Mar 2022 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-test-tools/ I this blog post I will show you how you can validate your kubernetes objects, helm charts, images at CI/CD. https://devopstales.github.io/kubernetes/trivy-operator-2.3/ Fri, 04 Feb 2022 00:00:00 +0000 https://devopstales.github.io/kubernetes/trivy-operator-2.3/ Today I am happy to announce the release of trivy-operator 2.3. This blog post focuses on the functionality provided by the trivy-operator 2.3 release. https://devopstales.github.io/kubernetes/k8s-pinniped/ Wed, 29 Dec 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-pinniped/ In this tutorial I will setup Pinniped, a Single Sign-on solution from the VMware Tanzu project. https://devopstales.github.io/kubernetes/trivy-operator-2.2/ Mon, 27 Dec 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/trivy-operator-2.2/ Today I am happy to announce the release of trivy-operator 2.2. This blog post focuses on the functionality provided by the trivy-operator 2.2 release. https://devopstales.github.io/kubernetes/trivy-operator-2.1/ Fri, 17 Dec 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/trivy-operator-2.1/ Today I am happy to announce the release of trivy-operator 2.1. This blog post focuses on the functionality provided by the trivy-operator 2.1 release. https://devopstales.github.io/kubernetes/k8s-central-oauth/ Fri, 05 Nov 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-central-oauth/ In this post I will show you how to use one central OAuth2 Proxy for multiple services inside your Kubernetes Cluster. https://devopstales.github.io/kubernetes/k8s-rbac-gen/ Wed, 03 Nov 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-rbac-gen/ In this blog, I will show you how to create a kubeconfig file with limited access to kubernetes cluster using service account, secret token and RBAC https://devopstales.github.io/kubernetes/k8s-falco/ Tue, 02 Nov 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-falco/ In this blog post I will show you how how you can use Kubernetes the audit logs and Falco for detecting suspicious activities in you cluster. https://devopstales.github.io/kubernetes/k8s-cisa-install/ Fri, 15 Oct 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-cisa-install/ On August 3rd, 2021 the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released, Kubernetes Hardening Guidance, a cybersecurity technical report detailing the complexities of securely managing Kubernetes. This blog post will show you how you can harden your Kubernetes cluster based on CISA best practices. https://devopstales.github.io/kubernetes/trivy-operator-1.0/ Sat, 09 Oct 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/trivy-operator-1.0/ Today I am happy to announce the release of trivy-operator 1.0 and assign the first ever stable release number. This blog post focuses on the functionality provided by the trivy-operator 1.0 release. https://devopstales.github.io/kubernetes/k8s-seccomp/ Fri, 03 Sep 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-seccomp/ In this post I will attempt to demystify the relationship of seccomp and Kubernetes This first part will look at containers and pods. https://devopstales.github.io/kubernetes/k8s-git-backup/ Sat, 28 Aug 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-git-backup/ In this tutorial I will show you how you can backup the kubernetes object to git as yaml-s. https://devopstales.github.io/kubernetes/firecracker-cri-o/ Mon, 23 Aug 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/firecracker-cri-o/ In this post I will show you how you can install and use kata-container with Firecracker engine in kubernetes. https://devopstales.github.io/kubernetes/gvisor-cri-o/ Mon, 23 Aug 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/gvisor-cri-o/ In this post I will show you how you can install and use gvisor engine in kubernetes. https://devopstales.github.io/kubernetes/firecracker-containerd/ Sun, 22 Aug 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/firecracker-containerd/ In this post I will show you how you can install and use kata-container with Firecracker engine in kubernetes. https://devopstales.github.io/kubernetes/gvisor-containerd/ Sun, 22 Aug 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/gvisor-containerd/ In this post I will show you how you can install and use gvisor engine in kubernetes. https://devopstales.github.io/kubernetes/kata-container-containerd/ Fri, 20 Aug 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/kata-container-containerd/ In this post I will show you how you can install and use kata-container engine in kubernetes. https://devopstales.github.io/kubernetes/k8s-kyverno-cosign/ Wed, 18 Aug 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-kyverno-cosign/ In this post I will show you how you can use Kyverno and Cosign for Image Signature Verification in a Kubernetes cluster. https://devopstales.github.io/kubernetes/kyverno-image-mirror/ Mon, 16 Aug 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/kyverno-image-mirror/ In this post I will show you how you can automatically change the registry part in deployed pods in Kubernetes. https://devopstales.github.io/kubernetes/vcluster/ Tue, 03 Aug 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/vcluster/ In this post I will use vCluster to run virtual Kubernetes clusters inside a Kubernetes cluster. https://devopstales.github.io/kubernetes/k8s-connaisseur-v2/ Sun, 01 Aug 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-connaisseur-v2/ In this post I will show you how you can deploy Connaisseur 2.0 to Image Signature Verification into a Kubernetes cluster. https://devopstales.github.io/kubernetes/image-security-admission-controller-v3/ Mon, 21 Jun 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/image-security-admission-controller-v3/ In a previous posts we talked about the anchore-image-validator made by Banzaicloud and the admission-controller made by Anchore. In this post I will show you my own admission-controller for image scanning. https://devopstales.github.io/kubernetes/continuous-image-security/ Tue, 15 Jun 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/continuous-image-security/ In this post I will show you my tool to Continuously scann deployed images in your Kubernetes cluster. https://devopstales.github.io/kubernetes/k8s-prometheus-stack/ Tue, 15 Jun 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-prometheus-stack/ In this tutorial I will show you how to install a prometheus operator to monotor kubernetes and loki to gether logs. https://devopstales.github.io/kubernetes/k8s-vault-v2/ Sat, 05 Jun 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-vault-v2/ In this post I will show you how you can integrate an external HashiCorp Vault to Kubernetes. https://devopstales.github.io/kubernetes/rke2-calico/ Tue, 25 May 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/rke2-calico/ In this post I will show you how you can install a RKE2 with Calico and encripted VXLAN. https://devopstales.github.io/kubernetes/rke2-cilium/ Mon, 24 May 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/rke2-cilium/ In this post I will show you how you can install a RKE2 with cilium and encripted VXLAN. https://devopstales.github.io/kubernetes/gitops-flux2-sops/ Sat, 08 May 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/gitops-flux2-sops/ In this post I will show you how you can use Mozilla SOPS with Flux2 to protect secrets. https://devopstales.github.io/kubernetes/gitops-flux2-kubeseal/ Fri, 07 May 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/gitops-flux2-kubeseal/ In this post I will show you how you can use kubeseal and Mozilla SOPS with Flux2 to protect secrets. https://devopstales.github.io/kubernetes/k3s-gvisor/ Fri, 30 Apr 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/k3s-gvisor/ In this post I will show you how you can secure k3s with gVisor. https://devopstales.github.io/kubernetes/argocd-image-updater/ Sun, 11 Apr 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/argocd-image-updater/ In this post I will show you how you can use Argo CD Image Updater to automate image update in Kubernetes. https://devopstales.github.io/kubernetes/argocd-kubeseal/ Sat, 10 Apr 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/argocd-kubeseal/ In this post I will show you how you can use kubeseal with ArgoCD to protect secrets. https://devopstales.github.io/kubernetes/k8s-vault/ Wed, 07 Apr 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-vault/ In this post I will show you how you can integrate HashiCorp Vault to Kubernetes easily thanks to Bank-Vaults made by Banzaicloud. https://devopstales.github.io/kubernetes/image-security-admission-controller-v2/ Wed, 31 Mar 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/image-security-admission-controller-v2/ In a previous post we talked about anchore-image-validator made by Banzaicloud. In this post I will show you how I updated that scenario for a real word solution. https://devopstales.github.io/kubernetes/k8s-backup/ Fri, 26 Mar 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-backup/ In this post I will show you how you can backup your Kubernetes cluster. https://devopstales.github.io/kubernetes/k8s-connaisseur/ Mon, 22 Feb 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-connaisseur/ In this post I will show you how you can deploy Connaisseur to Image Signature Verification into a Kubernetes cluster. https://devopstales.github.io/kubernetes/kubernetes-policy/ Fri, 15 Jan 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/kubernetes-policy/ In this post I will show you how you can enforce best practices on Kubernetes Clusters. https://devopstales.github.io/kubernetes/k8s-networkpolicy/ Sun, 10 Jan 2021 00:00:00 +0000 https://devopstales.github.io/kubernetes/k8s-networkpolicy/ In this post I will show you how you can use NetworkPolicys in K8S. https://devopstales.github.io/kubernetes/image-security-admission-controller/ Sun, 13 Dec 2020 00:00:00 +0000 https://devopstales.github.io/kubernetes/image-security-admission-controller/ In a previous post we talked about Admission Controllers. In this post I will show you how to use an Admission Controller to test image vulnerabilities. https://devopstales.github.io/kubernetes/rke2-pod-security-policy/ Thu, 10 Dec 2020 00:00:00 +0000 https://devopstales.github.io/kubernetes/rke2-pod-security-policy/ In this post I will show you how you can use Pod Security Policys in RKE2. https://devopstales.github.io/kubernetes/admission-controllers/ Mon, 07 Dec 2020 00:00:00 +0000 https://devopstales.github.io/kubernetes/admission-controllers/ In this post I will show you how you can use Admission Controllers. https://devopstales.github.io/kubernetes/rke2-airgap-install/ Wed, 25 Nov 2020 00:00:00 +0000 https://devopstales.github.io/kubernetes/rke2-airgap-install/ In this post I will show you how you can install a secure Kubernetes Engine variant called RKE2 in a Air-Gap environment. https://devopstales.github.io/sso/k8s-kuberos/ Tue, 07 Jan 2020 00:00:00 +0000 https://devopstales.github.io/sso/k8s-kuberos/ Kuberos is an OIDC authentication helper for kubectl login. https://devopstales.github.io/sso/k8s-gangway/ Mon, 06 Jan 2020 00:00:00 +0000 https://devopstales.github.io/sso/k8s-gangway/ Kuberos is an OIDC authentication helper for kubectl loin. VMware has depricated gangway at Jul 16, 2021. https://devopstales.github.io/sso/k8s-dasboard-auth/ Fri, 03 Jan 2020 00:00:00 +0000 https://devopstales.github.io/sso/k8s-dasboard-auth/ In this post I will show you how to add a keycloak gatekeeper authentication proxy for Kubernetes Dashboard. https://devopstales.github.io/kubernetes/helm3-loki/ Fri, 03 Jan 2020 00:00:00 +0000 https://devopstales.github.io/kubernetes/helm3-loki/ Helm is a template based package management system for kubernetes applications.