
8 episodes

KubeFM
Discover all the great things happening in the world of Kubernetes, learn (controversial) opinions from the experts and explore the successes (and failures) of running Kubernetes at scale.
Kubernetes base64 secrets are fine, with Mac Chaffee
By default, Kubernetes Secrets are stored in etcd unencrypted; the values are merely base64 encoded, which is an encoding, not encryption, and is reversible by anyone who can read the object.
And this is fine, at least according to Mac in this episode of KubeFM.
Mac says it all comes down to thinking strategically about security and where the Secrets could be leaked.
In this episode, you will learn:
How to define a threat model to inform your security posture and mitigations.
How Kubernetes Secrets offer sufficient guarantees for most common threat models.
Whether you should use HashiCorp Vault or Kubernetes Secrets (and when not to use auto-unsealing).
Mac also covers tips and advice on becoming a security expert.
Find all the links and info for this episode here: https://kube.fm/kubernetes-secrets-mac
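Two of the leak paths a threat model for Secrets has to separate, shown as an added example that is neither the episode's nor Mac's own configuration: the etcd and backup path, which the API server's EncryptionConfiguration covers, and the API path, which RBAC covers. The key name, Role name, Secret name and namespace are assumptions.

```yaml
# Added example, not from the episode. Control-plane file passed to
# kube-apiserver via --encryption-provider-config; it only changes how
# Secrets are written to etcd, so it addresses leaked etcd disks and backups.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider is used for writes. aescbc is shown for
      # readability; a kms provider keeps the key off the control-plane disk.
      - aescbc:
          keys:
            - name: key1            # assumed name
              # 32 random bytes, base64: head -c 32 /dev/urandom | base64
              secret: <base64-encoded 32-byte key>
      # identity (no encryption) stays last so entries that are still in
      # plaintext can be read until they are rewritten.
      - identity: {}
---
# Added example: least-privilege read of one named Secret through the API.
# resourceNames only constrains get/update/delete; granting list or watch
# on secrets exposes every Secret in the namespace, so leave those out.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-db-secret-reader   # assumed name
  namespace: app               # assumed namespace
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["app-db"]  # assumed Secret name
    verbs: ["get"]
```

Existing Secrets stay in plaintext in etcd until they are rewritten, which the Kubernetes documentation does with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. Neither control helps against a caller who can exec into a Pod that mounts the Secret or who has root on the node: the plaintext is in the process's memory and on the node's tmpfs regardless. Enumerating which of these paths actually apply to you is the threat-modelling exercise the episode describes.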
Links
Plain Kubernetes secrets are fine
FluxCD
kube-prometheus-stack
Prometheus Operator
Alert Manager
Prometheus
Grafana
Gatekeeper
Helm charts
Gatekeeper policy for privilege pods
Gatekeeper policy for Ingresses with wildcard hostnames
Argo CD
Kubernetes secrets
etcd
Base64
Threat model
Formal methods to threat modeling
Bitnami Sealed Secrets
HashiCorp Vault
Vault Shamir secret sharing
Vault auto-unsealing
HSM backed Vault
Vault HA configuration
"keep it secret, keep it safe." — Gandalf
SWOT analysis
Chaos Engineering by Kelly Shortridge
Kubernetes on bare-metal: lessons learned, with Mathias Pius
What does it take to build a Kubernetes cluster on bare metal?
In this episode of KubeFM, you will learn how to plan and execute a successful setup for a bare-metal Kubernetes cluster.
You will follow Mathias' journey as he rebuilt his cluster several times and learn how to:
Identify dependencies and priorities between components to avoid incidents in the future.
Leverage FluxCD to have a predictable and documented setup.
Secure the nodes from external traffic with firewalls and Cilium cluster-wide network policies.
Use Talos to have a self-contained Kubernetes operating system.
Mathias also shared tips and advice for other engineers embarking on the same process.
Find all the links and info for this episode here: https://kube.fm/bare-metal-kubernetes-mathias
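The node-firewall step above, as an added example that is not Mathias's own configuration: a CiliumClusterwideNetworkPolicy with a nodeSelector, which Cilium applies to the node's own network namespace when its host firewall is enabled (Helm value `hostFirewall.enabled=true`). The policy name, the `node-access: ssh` label and the allowed ports are assumptions.

```yaml
# Added example, not Mathias's configuration. Requires Cilium's host
# firewall. Because the policy has a nodeSelector it governs traffic to the
# node itself, not to Pods, and selecting a node puts its ingress into
# default-deny: only the rules below are allowed in.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: node-ingress-allowlist        # assumed name
spec:
  description: "Default-deny node ingress; allow cluster traffic, API server and SSH"
  nodeSelector:
    matchLabels:
      node-access: ssh                # assumed label; {} would select every node
  ingress:
    # Other cluster members (nodes and Pods) keep full access.
    - fromEntities:
        - cluster
    # Everything else, i.e. the public interface, only on these ports.
    - fromEntities:
        - world
      toPorts:
        - ports:
            - port: "6443"            # kube-apiserver
              protocol: TCP
            - port: "22"
              protocol: TCP
```

Roll this out with Cilium's policy audit mode (linked below) switched on first: in audit mode the agent logs what the policy would have dropped instead of dropping it, which is how you find the health-check, VPN or management port you forgot before the policy locks you out of a bare-metal node.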
Links
8-part series: Kubernetes on bare-metal
Argo CD
Flux CD
cert-manager
external-dns
Habbo Hotel
AutoIt
K3s
k0s
Talos
Hetzner
Cal Newport
Harbor
Flatcar Linux
KubeVirt
kube-ovn
Cilium
Flannel
Cilium cluster-wide network policies
CiliumCon in Amsterdam
Cilium: policy audit mode
r/kubernetes
Datavirke
Migrating 24 services from Docker compose to Kubernetes, with Ronald Ramazanov and Vasily Kolosov
Should every project start with Kubernetes?
And if not, when is the right time to switch without incurring (unbearable) technical debt?
In this episode of KubeFM, you will learn how the team at Loovatech designed an app from scratch and decided to use Docker Compose to host their infrastructure cheaply and effectively in a single virtual machine.
As the project grew, the team had to make the difficult choice to rearchitect their infrastructure and plan for scalability and fault tolerance.
Follow their journey and learn:
How to migrate from a single Docker Compose file with 24 containers to Kubernetes.
How to verify that your apps are stateless and what changes are necessary to deploy them into Kubernetes.
How to manage expectations and explain the value of a complex migration to your boss or (non-tech-savvy) customers.
Vasily and Ronald also shared how they integrated ArgoCD with their existing CI/CD to combine push- and pull-based GitOps, and their plans to add multi-tenancy and custom metrics.
Find all the links and info for this episode here: https://kube.fm/docker-compose-migration-vasily-ronald
Links
Loovatech
Docker Compose
ArgoCD
Prometheus
Grafana
KEDA
Ansible
Terraform
Kubernetes documentation
Application migration from Docker Compose to Kubernetes. How, why, and what problems we’ve encountered
Using Docker Compose
Picvario
Docker Swarm
Uploading and copying objects using multipart upload in AWS S3
Celery
FFmpeg
Amazon Elastic File System
KubeSpray
AWS EKS
Azure AKS
AWS EKS changelog
Helm charts
TeamCity
ArgoCD user guide: Helm
GitOps: Push-based vs. Pull-based Deployments
Flux CD
How to autoscale apps on Kubernetes with custom metrics
CloudFormation
Terragrunt
CapCut
Ian Coldwater
Upgrading hundreds of Kubernetes clusters, with Pierre Mavro
How do you upgrade a Kubernetes cluster to the latest release without breaking anything?
And what if you had to upgrade hundreds of clusters simultaneously?
In this episode, Pierre explains the process, tooling and testing strategy in upgrading clusters at scale.
You will learn:
How the team at Qovery keeps updated with the latest (vanilla) Kubernetes changes and managed services changelogs.
How to upgrade Helm charts gradually and safely. Pierre has some tips for Custom Resource Definitions (CRDs).
How to test API deprecations with end-to-end testing.
How to automate the process of upgrading clusters.
You will also learn from Pierre's experience in managing stateful applications in Kubernetes with 4500 nodes on bare metal.
Find all the links and info for this episode here: https://kube.fm/upgrading-100s-clusters-pierre
Links
The cost of upgrading hundreds of Kubernetes clusters
K9s
External DNS
cert-manager
ingress-nginx
Prometheus
Metrics Server
Prometheus adapter
Qovery
KubeSpray
Kubernetes the hard way
Pod Disruption Budget
StatefulSet
Vertical Pod Autoscaler
Cluster Autoscaler
Horizontal Pod Autoscaler
Kubernetes changelog
Kubent
Popeye
kdave
Pluto
Loki
helm-freeze
Testing Helm charts
helm install --atomic
helm install --wait
KubeCon EU 2024
Unpacking observability, ditching Prometheus, with Hannah Maxwell and Adriana Villela
Are logs enough to troubleshoot your deployment and infrastructure?
Perhaps, but there's a better way to observe, monitor and debug your stack: embracing observability.
In this episode, Adriana explains how she learned to love OpenTelemetry and:
How you can combine traces, metrics and logs to find the root cause of your production issues.
What the OpenTelemetry Collector is, and how it can simplify the ingestion of traces, logs and metrics without tying you to a particular vendor.
How to convince colleagues and the business to adopt new technologies.
In this episode, Bart also invited a special guest, Hannah (Adriana's daughter), to ensure that Adriana tells the truth and nothing but the truth.
Hannah shared some great tips on public speaking and… baking!
Find all the links and info for this episode here: https://kube.fm/adriana-hannah-unpacking-o11y
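A minimal Collector pipeline for the three signals mentioned above, as an added example that is not from the episode: one OTLP receiver for instrumented applications, the Prometheus receiver so existing scrape-based metrics keep working, and a single OTLP/HTTP exporter, so changing the backend means changing that one exporter. The listen addresses, scrape target, job name, backend hostname and environment variable are assumptions.

```yaml
# Added example. OTLP in on 4317 (gRPC) and 4318 (HTTP); Prometheus-format
# targets are scraped as well and flow through the same metrics pipeline.
receivers:
  otlp:
    protocols:
      grpc:
        endpoint: 127.0.0.1:4317   # loopback for a sidecar; a DaemonSet agent
      http:                        # binds the node IP behind a NetworkPolicy
        endpoint: 127.0.0.1:4318
  prometheus:
    config:
      scrape_configs:
        - job_name: app            # assumed
          scrape_interval: 30s
          static_configs:
            - targets: ["127.0.0.1:9090"]   # assumed
processors:
  # memory_limiter goes first so a burst of telemetry cannot OOM the agent.
  memory_limiter:
    check_interval: 1s
    limit_mib: 400
  batch: {}
exporters:
  otlphttp:
    endpoint: https://otel-backend.example.com:4318   # assumed backend
    headers:
      # Credential comes from the environment, not from the config file.
      Authorization: "Bearer ${env:OTEL_BACKEND_TOKEN}"
service:
  pipelines:
    traces:
      receivers: [otlp]
      processors: [memory_limiter, batch]
      exporters: [otlphttp]
    metrics:
      receivers: [otlp, prometheus]
      processors: [memory_limiter, batch]
      exporters: [otlphttp]
    logs:
      receivers: [otlp]
      processors: [memory_limiter, batch]
      exporters: [otlphttp]
```

The vendor-neutral part is the contract between the pipelines and the exporter: applications only ever speak OTLP to the Collector, so moving from one backend to another, or fanning out to two during a migration, is an exporter change in this file rather than a re-instrumentation of every service.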
Links
Argo CD
GitOps
OpenTelemetry operator
OpenTelemetry
CNCF landscape
ServiceNow Cloud Observability
Red Hat Openshift
Geeking Out podcast
On Call Me Maybe podcast
Charity Majors
Adriana's Medium blog
ELK stack
SLA vs SLO vs SLI
OpenTelemetry signals: traces, metrics, logs
OpenTelemetry instrumentation
OpenTelemetry Q&A Feat. Hazel Weakly
KubeCon North America 2023
OpenTelemetry End User Working Group
OpenTelemetry Community End User Surveys
OpenTelemetry collector
Prometheus receiver
Prometheus metrics
Liz Fong-Jones
Ted Young
Toronto CNCF meetup
Observability Day 2023
All Things Open 2023
Reducing compute capacity by 40% on EKS with Bottlerocket and Karpenter, with Gazal Gafoor
Follow Gazal's journey as he shares the lessons learned in adopting, rolling out and scaling EKS clusters at Target Australia over seven years.
You will learn:
What Bottlerocket OS is.
How Bottlerocket helps secure your workloads.
Karpenter as an alternative to the Cluster Autoscaler.
How Karpenter can efficiently schedule and de-provision workloads.
Gazal hinted at a 40% reduction in compute capacity when combining Bottlerocket OS and Karpenter (and 30% lower response times).
Find all the links and info for this episode here: https://kube.fm/gazal-eks-bottlerocket-karpenter
Links
Bolstering Security & Automating Management of Target Australia’s EKS clusters
Karpenter
Metrics Server
Cluster Autoscaler
OpenTelemetry
OSGi
Apache Mesos
Jenkins X
Tekton
Prow
Kubernetes Slack
kOps
Terraform AWS EKS
IAM Roles for Service Accounts
AWS EBS CSI driver
AWS CNI
Amazon VPC CNI now supports Kubernetes Network Policies
Server-side apply
AWS Controllers for Kubernetes (ACK)
AWS Load Balancer Controller
Bottlerocket OS
Amazon Linux 2
CIS benchmarks
Deprovisioning in Karpenter
AWS Node Termination Handler
Scheduling in Karpenter
Karpenter Provisioner CRD