Thousands of startups use Notion as a connected workspace to create and share docs, take notes, manage projects, and organize knowledge—all in one place.
Redemption Instructions
To redeem the Notion for Startups offer:
1. Submit an application using our custom link and select Packt on the partner list.
2. Include our partner key, STARTUP4110P19151.
Next month, Packt is hosting an AI conference: 3 days of LIVE sessions with 20+ top experts to unlock the full potential of Generative AI. If this sounds interesting, check out the conference here.
Today we will talk about:
⭐Masterclass
A guide to modern Kubernetes network policies
Kubernetes 1.31: Pod Failure Policy for Jobs Goes GA
Running application on Docker Swarm with Docker Secrets
Why is Browser Observability Hard
🔍Secret Knowledge
Telemetry in Go 1.23 and beyond
Nginx Logging - A Comprehensive Guide
My Methodology to AWS Detection Engineering (Part 2: Risk Assignment)
Comparison of Serverless Development and Hosting Platforms
Making sense of secrets management on Amazon EKS for regulated institutions
⚡Techwave
Kubecost 2.4 Release Highlights
Amazon S3 Express One Zone now supports AWS KMS with customer managed keys
🛠️Hackhub
Path Traversal vulnerability found in Grafana versions 8.x
K4all: A Kubernetes installer 4 ALL
Validate-aws-policies: Python CLI to validate aws policies using boto3 and Access Analyzer API
Boxxy: boxxy puts bad Linux applications in a box with only their files
Cheers,
Editor-in-Chief
Here’s a handy resource you’ll want with you as you map out your plan:
Orchestrating the Symphony of Cloud Data Security.
You’ll learn how to:
- Overcome the challenges of securing data in the cloud
- Navigate multi-cloud data security
- Balance data security with cloud economics
A guide to modern Kubernetes network policies
Kubernetes network policies are essential for controlling traffic within a cluster: they let administrators define which traffic may enter a pod (ingress), leave it (egress), or flow between pods. Policies fall into two broad types, Layer 4 (L4) and Layer 7 (L7). L4 policies operate at the transport layer, matching on IP addresses and ports; L7 policies add finer-grained, application-layer control, governing protocols such as HTTP and gRPC.
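The example below is added here and is not code from the linked guide. It shows the L4/L7 distinction in manifests: a default-deny policy, an L4 allow rule written in the core NetworkPolicy API, and an L7 rule that restricts HTTP method and path. The namespace (`shop`), labels, ports and paths are constructed for illustration; the L7 block assumes the cluster's CNI is Cilium, since the core API stops at ports and application-layer filtering needs a CNI that implements it.

```yaml
# Added example, not from the linked guide. Namespace, labels and ports are
# constructed for illustration.
#
# 1) Default-deny: selecting pods with an empty ingress/egress section means
#    app=api pods accept and originate no traffic until a further policy
#    opens a path. Policies are additive, so apply this first.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-default-deny
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress", "Egress"]
---
# 2) L4 allow rule (core Kubernetes API): only app=frontend pods in the same
#    namespace may reach the API on TCP/8080; the API may only talk to the
#    database on TCP/5432 and to cluster DNS on UDP/53. Forgetting the DNS
#    rule is the classic way a default-deny egress policy "breaks" an app.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-frontend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: db
      ports:
        - protocol: TCP
          port: 5432
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
---
# 3) L7 rule. Assumes Cilium as the CNI and uses its CiliumNetworkPolicy CRD:
#    the frontend may only issue GET requests under /api/ to the API pod.
#    Any other method or path on the same port is dropped, which the L4
#    rule above cannot express.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-allow-frontend-http
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/api/.*"
```

Apply with `kubectl apply -f` and verify from a throwaway pod in the namespace: a `curl` from an `app=frontend` pod to the API on 8080 should succeed, the same request from an unlabelled pod should time out, and with the L7 rule in place a `POST /api/orders` from the frontend should be rejected while `GET /api/orders` goes through.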
Kubernetes 1.31: Pod Failure Policy for Jobs Goes GA
In Kubernetes 1.31 the Pod failure policy for Jobs reaches general availability. The policy lets users distinguish retriable from non-retriable pod failures and so control how a Job reacts to them. It complements the existing backoffLimit: transient errors can be ignored rather than counted, while serious errors can fail the Job immediately. Rules are written against pod conditions or container exit codes and specify an action such as ignoring the failure or terminating the entire Job.
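As an added example (not taken from the Kubernetes release post), here is a Job manifest that combines backoffLimit with a podFailurePolicy. The Job name, image and the exit code 42 are constructed for illustration; the field names and actions are the stable `batch/v1` API.

```yaml
# Added example, not from the Kubernetes release post. Job name, image and
# the exit code 42 are constructed for illustration.
apiVersion: batch/v1
kind: Job
metadata:
  name: report-builder
spec:
  completions: 4
  parallelism: 2
  # Still applies: the Job fails once this many *counted* pod failures occur.
  backoffLimit: 3
  template:
    spec:
      restartPolicy: Never      # required when podFailurePolicy is set
      containers:
        - name: main
          image: docker.io/library/bash:5
          command: ["bash", "-c"]
          # Simulates a non-retriable application error.
          args:
            - echo "building report" && sleep 5 && exit 42
  podFailurePolicy:
    # Rules are evaluated in order; the first match decides the action.
    rules:
      # Exit code 42 means bad input, so retrying is pointless: fail the
      # whole Job now instead of burning through backoffLimit retries.
      - action: FailJob
        onExitCodes:
          containerName: main
          operator: In
          values: [42]
      # Pods evicted by a node drain, preemption or taint carry the
      # DisruptionTarget condition; that is infrastructure noise, so do
      # not count it against backoffLimit.
      - action: Ignore
        onPodConditions:
          - type: DisruptionTarget
    # Any failure matching no rule is counted as before (the Count action).
```

With this manifest, `kubectl describe job report-builder` shows the Job marked Failed with a `PodFailurePolicy` reason after the first pod exits 42, rather than after three retries, while pods lost to a drain are replaced without consuming a retry.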
Hot reloading in Kubernetes allows developers to instantly see changes in their code without restarting or rebuilding the application, enhancing productivity. Tools like Tilt enable this by streamlining the deployment process, making it easier to update Kubernetes applications in real time. Using Tilt with tools like K3d (for lightweight Kubernetes clusters) and ttl.sh (for ephemeral Docker image storage), developers can efficiently test changes in a cloud-native environment. This setup is especially useful for complex microservices architectures, where hot reloading minimizes the need for extensive test code or mocks.
Running application on Docker Swarm with Docker Secrets
This article explains how to run an application on Docker Swarm using Docker Secrets to securely manage sensitive information such as database credentials. Docker Swarm is a container orchestration tool that manages multiple Docker nodes (servers) as a single system. The article demonstrates how to create a Docker Swarm cluster, define services in a `docker-compose.yml` file, and use Docker Secrets to manage sensitive data like usernames and passwords securely.
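Below is an added example of the pattern described, not the article's own compose file. It defines a database and an application service on Swarm that both read the database password from a Docker Secret rather than from an environment variable. Service names, the `example.invalid/api:1.0` image and the secret name are constructed; the `POSTGRES_PASSWORD_FILE` convention is the real one used by the official postgres image.

```yaml
# Added example, not from the linked article. Service names, the application
# image and the secret name are constructed for illustration.
version: "3.9"

services:
  db:
    image: postgres:16
    environment:
      POSTGRES_USER: app
      # The official postgres image reads the password from this file, so
      # the value never appears in `docker service inspect` or `env` output.
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
    deploy:
      replicas: 1

  api:
    image: example.invalid/api:1.0   # hypothetical application image
    environment:
      DB_HOST: db
      DB_USER: app
      DB_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      # Long syntax: mount read-only, owned by the uid the app runs as.
      - source: db_password
        target: /run/secrets/db_password
        uid: "1000"
        gid: "1000"
        mode: 0400
    deploy:
      replicas: 2

secrets:
  # Created out-of-band so the value is in neither this file nor git:
  #   printf '%s' "$DB_PASSWORD" | docker secret create db_password -
  db_password:
    external: true
```

Deploy with `docker stack deploy -c docker-compose.yml shop`. Swarm stores the secret encrypted in the manager's Raft log and delivers it to each task over TLS, mounting it on a tmpfs under `/run/secrets/` only on nodes that run a service granted access; rotating it means creating a new secret and updating the services to reference it, since an in-use secret cannot be changed in place.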
Why is Browser Observability Hard
Browser observability is challenging because the asynchronous, event-driven nature of front-end systems doesn't fit well with OpenTelemetry’s linear lifecycle model, which works best for synchronous, short-lived processes. React adds complexity by extending component lifetimes unpredictably and lacking lifecycle hooks to track spans effectively. Additionally, browsers face issues like no gRPC support, data loss, and limitations in efficiently handling telemetry data without increasing page load or draining user resources.
Telemetry in Go 1.23 and beyond
Go 1.23 introduces a new feature allowing users to enable telemetry, which helps the Go team collect data about toolchain usage to improve performance and fix bugs. By default, telemetry data is only stored locally, but users can choose to upload it by enabling the option. This feature started with Go's language server and has already helped identify and fix bugs.
Nginx Logging - A Comprehensive Guide
Nginx logging involves recording crucial information such as client requests and errors to help monitor and manage a web server's performance. Logs are stored in two main files: the access log (records requests and their details) and the error log (captures issues encountered during operations). Nginx logs can be customized for clarity or to capture specific details using the `log_format` directive, and can be stored locally or managed through Docker for ease of access. Structured logging with JSON format can also be implemented to streamline the analysis, making it easier to debug or monitor Nginx's performance efficiently.
My Methodology to AWS Detection Engineering (Part 2: Risk Assignment)
In Part 2 of his AWS Detection Engineering series, the author explains how to assign risk scores to AWS-specific alerts using Splunk's Risk-Based Alerting (RBA). The methodology involves filtering AWS detections, assigning default severity and fidelity scores, and expanding the risk object to cover multiple data fields (such as instance IDs or IPs). A base risk score is then calculated by multiplying the severity score by the fidelity score. The collected data is sent to a risk index for analysis. The author also shares alternative risk assignment methods and emphasizes the importance of tuning detection rules to prevent score inflation.
Comparison of Serverless Development and Hosting Platforms
The post outlines a typical workflow for deploying an application using services like AWS Amplify, which integrates CI/CD processes, secret management, and connections to other AWS resources. Additionally, the author provides a comparison of various serverless platforms regarding supported programming languages, frameworks, and security features, ultimately recommending serverless solutions for simplifying the development lifecycle of cloud-native applications.
Making sense of secrets management on Amazon EKS for regulated institutions
AWS provides tools like Kubernetes Secrets, AWS Secrets Manager, and open-source solutions (e.g., Sealed Secrets) to safeguard sensitive data like passwords and API keys. However, Kubernetes' native secrets management has limitations, as secrets are only base64-encoded, not encrypted. To meet regulatory requirements (e.g., PCI DSS, HIPAA), regulated industries often use enhanced solutions like the External Secrets Operator (ESO), AWS Secrets Store CSI Driver, and Sealed Secrets to encrypt and securely manage secrets, ensuring compliance and operational security.
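The manifests below are an added example, not from the AWS post, showing how the External Secrets Operator (ESO) mentioned above pulls a credential from AWS Secrets Manager into a namespaced Kubernetes Secret. The namespace, service account, region, the Secrets Manager key `prod/payments/db` and the IAM role ARN are constructed; the ARN is a placeholder. It assumes ESO is installed in the cluster and the service account is mapped to a read-only IAM role through IRSA.

```yaml
# Added example, not from the AWS post. Names, region and the Secrets Manager
# key are constructed; the role ARN is a placeholder. Assumes the External
# Secrets Operator is installed and IRSA is configured for the cluster.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: eso-reader
  namespace: payments
  annotations:
    # Role should allow only secretsmanager:GetSecretValue on the
    # prod/payments/* secrets, nothing broader.
    eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<ESO_READER_ROLE>
---
# The store: how ESO authenticates to the backend. Namespaced, so a
# compromise of one namespace does not expose every team's secrets.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager
  namespace: payments
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1
      auth:
        jwt:
          serviceAccountRef:
            name: eso-reader
---
# The mapping: which remote secret fields land in which Kubernetes Secret keys.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: payments
spec:
  refreshInterval: 1h          # re-sync so rotation in Secrets Manager propagates
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: db-credentials       # the Secret that pods mount or reference
    creationPolicy: Owner      # deleted together with this ExternalSecret
  data:
    - secretKey: username
      remoteRef:
        key: prod/payments/db
        property: username
    - secretKey: password
      remoteRef:
        key: prod/payments/db
        property: password
```

The resulting `db-credentials` Secret is still an ordinary Kubernetes Secret, base64-encoded in etcd as the paragraph notes, so the operator only moves the source of truth and the rotation out of the cluster. For the audit trail regulators ask about, every fetch shows up in CloudTrail as a `GetSecretValue` call by the `eso-reader` role, and enabling EKS envelope encryption of Secrets with a KMS key covers the copy at rest in etcd.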
Kubecost 2.4 Release Highlights
Kubecost 2.4 introduces several key features, including new tools for GPU cost monitoring and efficiency, helping teams optimize their spending on AI/ML hardware. It adds support for Oracle Cloud, allowing users to monitor costs across multiple cloud providers in one place. The release also brings enhanced cost aggregation and filtering options, as well as the ability to include idle costs in budgeting reports. Additional updates include more granular cluster rightsizing recommendations and various enhancements to improve Kubernetes cost tracking and management.
Amazon S3 Express One Zone now supports AWS KMS with customer managed keys
Amazon S3 Express One Zone now supports AWS KMS for server-side encryption using customer-managed keys. This feature allows users to encrypt data at rest with their own keys, offering an additional layer of security and compliance without impacting performance. It ensures high-performance, single-digit millisecond data access while reducing AWS KMS requests by up to 99%, thanks to the automatic use of S3 Bucket Keys.
Amazon RDS for MySQL now offers a zero-ETL integration with Amazon Redshift, allowing near real-time data replication for analytics without the need to manually build and manage ETL pipelines. This integration makes it easy to move data from MySQL databases to Amazon Redshift within seconds, enabling quick analysis of transactional data. New features include data filtering, support for multiple integrations, and the ability to configure these integrations in AWS CloudFormation. This simplifies operations, reduces costs, and helps businesses get insights faster with minimal setup and maintenance.
Path Traversal vulnerability found in Grafana versions 8.x
CVE-2021-43798 is a path traversal vulnerability found in Grafana versions 8.x that allows attackers to access files on the server without authentication. This is due to improper sanitization of file paths provided by users in the Grafana public API. Attackers can exploit this vulnerability by manipulating the file path to access sensitive files, such as configuration files or databases, on the server. They can use HTTP requests or scripts like the one in the repository to dump critical data, potentially leading to further attacks such as database extraction or password decryption.
K4all: A Kubernetes installer 4 ALL
The k4all project provides a pre-configured Fedora CoreOS ISO designed for setting up Kubernetes clusters, particularly for home servers or virtual machines. It includes essential Kubernetes tools like the Calico networking solution, a metrics server, NGINX as an Ingress controller, and the Logical Volume Manager (LVM) for managing persistent storage.
Validate-aws-policies: Python CLI to validate aws policies using boto3 and Access Analyzer API
The "validate-aws-policies" project is a Python command-line tool designed to scan and validate AWS Service Control Policies (SCPs) using the AWS IAM Access Analyzer API. It generates reports in both HTML and PDF formats, allowing users to review the compliance and structure of their AWS policies.
Boxxy: boxxy puts bad Linux applications in a box with only their files
Boxxy is a Linux-only tool that helps organize misbehaving applications by redirecting where they store their files and directories, without using symlinks. It uses Linux namespaces to control this behavior, allowing users to specify custom rules for file locations. For example, you can force AWS CLI to store its configuration in a different directory than the default. Boxxy is particularly useful for keeping home directories tidy by redirecting application data to more appropriate locations.
RunCVM allows users to run containerized applications inside lightweight virtual machines (VMs) using Docker. It simplifies the process of launching both standard container workloads and system-level tasks (like Systemd and Docker) in VMs, making it as easy as running a regular container. With RunCVM, you can use commands like `docker run` to start VMs directly from container images.
📢 If your company is interested in reaching an audience of developers, technical professionals, and decision makers, you may want to advertise with us.
If you have any comments or feedback, just reply back to this email.
Thanks for reading and have a great day!