All posts
13 posts · Kubernetes
Kubernetes network policies: default-deny, keep DNS upLock down pod-to-pod traffic with a default-deny NetworkPolicy, then re-allow DNS and the flows your apps actually need.Jul 3, 2026 · 11 minAdvancedkubernetesnetworkpolicyPod Security Standards: enforce restricted without breakageRoll out the restricted profile namespace by namespace, find violators with audit mode first, and carve exceptions that expire.Apr 28, 2026 · 12 minAdvancedkubernetespsaKubernetes RBAC least privilege: from admin to scoped rolesReplace blanket cluster-admin with namespaced Roles, audit who can do what, and test access with kubectl auth can-i.Apr 14, 2026 · 10 minIntermediatekubernetesrbacSign and verify images with Cosign and KyvernoKeyless image signing with cosign in CI and signature verification at the admission controller, so unsigned or tampered images simply stop scheduling.Feb 24, 2026 · 10 minAdvancedcosignkyvernoEncrypting Kubernetes Secrets at rest in etcdKubernetes Secrets are only base64 by default. Turn on an EncryptionConfiguration and rotate the key without downtime.Feb 4, 2026 · 10 minAdvancedkubernetesetcdOPA Gatekeeper: writing constraint templates from scratchEnforce org-wide Kubernetes policy with Rego — required labels, blocked images, and audit of existing violations.Dec 3, 2025 · 12 minAdvancedopagatekeeperKubernetes requests and limits: stop OOMKills, noisy podsSet CPU and memory requests and limits that keep the scheduler honest, stop one pod from starving the node, and avoid needless OOMKills under load.Sep 9, 2025 · 7 minBeginnerkubernetesresourcesKubernetes liveness, readiness, startup probes done rightStop routing traffic to pods that aren't ready and restarts that make outages worse — the three probes explained.Jun 24, 2025 · 8 minIntermediatekubernetesprobesKubernetes Ingress TLS with cert-manager and Let's EncryptIssue and auto-renew TLS certificates for Ingress with cert-manager, ACME, and a ClusterIssuer, and debug stuck orders before ACME rate-limits you.Mar 25, 2025 · 9 minIntermediatekubernetescert-managerHow container escapes happen — and how to prevent themPrivileged flags, host mounts, and leaked sockets are the usual doors. Close them before an attacker finds them.Jan 28, 2025 · 12 minAdvancedcontainerssecurityKubernetes autoscaling with the Horizontal Pod AutoscalerScale on CPU, memory, or custom Prometheus metrics, and tune stabilization windows so the HorizontalPodAutoscaler won't flap under spiky, bursty load.Dec 3, 2024 · 9 minIntermediatekuberneteshpaTurn on the Kubernetes audit log and actually read itWrite a Kubernetes audit policy that captures the right events at the right level, then query the log to find exactly who deleted that deployment at 2am.Sep 24, 2024 · 11 minAdvancedkubernetesauditDebugging Pending pods: the five usual causesInsufficient resources, taints, affinity, PVCs, and quotas — how to read the events and fix each one fast.Jul 16, 2024 · 7 minBeginnerkubernetestroubleshooting