• Why Kubernetes Pod Security Standards Still Leak
    2026/06/08
    In this episode of DevOps Daily, Lucas and Luna tackle a persistent security blind spot in Kubernetes: Pod Security Standards (PSS) and why they still leak sensitive data. They walk through a real-world case where a team using PSS with the 'baseline' profile left a sidecar container unmonitored, exposing database credentials. Lucas breaks down how PSS policies only check admission time, not runtime behavior, and how attackers exploit gaps like init containers and ephemeral containers. Luna shares a story from a fintech startup that discovered their PSS implementation failed because they forgot to apply it to custom namespaces. Together, they explain why you need to layer runtime security tools like Falco or OPA Gatekeeper, and how to audit your PSS policies using kubectl to catch hidden leaks. This episode is for DevOps engineers who think PSS means their cluster is secure—but want to verify it actually is. #Kubernetes #PodSecurityStandards #CloudSecurity #DevOps #DevOpsDaily #CyberSecurity #ContainerSecurity #K8s #OPAGatekeeper #Falco #RuntimeSecurity #SidecarContainers #InitContainers #EphemeralContainers #AdmissionController #CloudNative #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo
    11 min
  • Why Your Kubernetes PersistentVolume Reclaim Policy Costs You Money
    2026/06/08
    In this episode of DevOps Daily with Fexingo, Lucas and Luna dig into a costly Kubernetes misconfiguration that flies under the radar: the PersistentVolume reclaim policy. Most teams set it to 'Delete' and forget it, but that means every time a PersistentVolumeClaim is deleted, the underlying volume (like an EBS or GCE PD) gets wiped out too—along with any data. Lucas walks through a real example: a development environment where accidentally deleting a PVC nuked a week's worth of test data. The fix? Switching the reclaim policy to 'Retain' for critical volumes. They also discuss how to safely reuse volumes with manual reclamation, and why 'Recycle' is effectively deprecated. If your team is burning money on orphaned volumes or losing data from PVC deletions, this episode is for you. #Kubernetes #DevOps #PersistentVolume #StorageManagement #CloudCost #DataLoss #K8sConfig #VolumeReclaim #RetainPolicy #DeletePolicy #RecyclePolicy #EBS #GCEPersistentDisk #PVC #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo
    9 min
  • Why Kubernetes Pod Security Standards Still Leak
    2026/06/07
    In this episode of DevOps Daily with Fexingo, Lucas and Luna dig into a subtle but dangerous gap in Kubernetes Pod Security Standards (PSS) — the admission controller that replaced PSPs. They walk through a real-world example: a team running a sidecar container with a privileged profile, bypassing the baseline policy because PSS applies to pods but not to init containers and ephemeral containers at the same granularity. Lucas explains how the 'restricted' profile doesn't block volume mounts that allow host-path writes from a non-root user, and how a compromised workload can pivot to the node without ever triggering a violation. Luna adds the operations perspective — how teams audit for this using Kyverno, and why the default PSS warnings don't fail closed. They close on the broader lesson: policy-as-code needs to cover the full pod lifecycle, not just admission time. #Kubernetes #PodSecurityStandards #DevOps #CloudNative #ContainerSecurity #KubernetesSecurity #Kyverno #AdmissionController #Sidecar #InitContainer #EphemeralContainer #SecurityPolicy #PSS #RBACGap #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo
    9 min
  • Why Kubernetes Image Pull Secrets Leak In Plain Sight
    2026/06/07
    This episode of DevOps Daily with Fexingo dives into a common but overlooked security gap: how Kubernetes image pull secrets can be accidentally exposed through base image inheritance and registry mirror configurations. Lucas walks through a real-world case where a team at a mid-sized fintech left their private registry credentials embedded in a public Docker layer, allowing anyone who pulled the image to extract them via a simple `docker history` command. Luna challenges whether the default Kubernetes workflow encourages this carelessness, and they discuss practical mitigations like using image pull secrets only via kubelet node-level configuration, rotating credentials on a schedule, and scanning for secret leakage during CI/CD. The conversation also touches on how OPA Gatekeeper policies can catch these misconfigurations at admission time. No fear-mongering, just concrete steps to tighten one of the easiest-to-exploit gaps in your cluster. #KubernetesSecurity #ImagePullSecrets #SecretLeakage #DockerLayers #CI/CD #OPAGatekeeper #DevOps #CloudSecurity #ContainerSecurity #K8sBestPractices #RegistryCredentials #AdmissionControl #Technology #InfrastructureAsCode #FintechCase #SecretsManagement #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo
    8 min
  • Why Kubernetes Cost Allocation Is a Cloud Bill Surprise
    2026/06/06
    Lucas and Luna dig into a specific problem that catches many DevOps teams off guard: how Kubernetes clusters quietly inflate cloud bills through shared resource allocation. They examine a real example from a mid-sized fintech startup that saw its monthly AWS spend jump 40 percent after moving to a multi-tenant cluster without proper cost tagging. Lucas explains the difference between resource requests, limits, and actual usage, and why standard Kubernetes tooling like kubectl top isn't enough. They discuss open-source solutions like KubeCost and how one team implemented namespace-level cost allocation to reduce waste by 30 percent. The episode ends with a practical checklist for setting up chargeback reporting before the next cloud bill arrives. #Kubernetes #CostAllocation #CloudBills #DevOps #FinOps #KubeCost #AWS #ResourceUsage #MultiTenantCluster #Namespace #Chargeback #CloudCostManagement #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily #Podcast #TechOperations Keep every episode free: buymeacoffee.com/fexingo
    7 min
  • Kubernetes Pod Resource Requests Are Costing You Twice
    2026/06/06
    In this episode of DevOps Daily, Lucas and Luna dig into a persistent Kubernetes pitfall: mismatched resource requests and limits. Using a real-world example from a mid-sized fintech company that saw 40% higher cloud bills and intermittent OOM kills, they explain why setting CPU and memory requests too high or too low creates a double penalty — wasteful reservation and unpredictable performance. They walk through the math of overprovisioning versus underprovisioning, share how to use the Vertical Pod Autoscaler in recommendation mode, and discuss why teams should treat resource requests as a budget, not a safety net. If you've ever blamed a noisy neighbor for latency or been surprised by a monthly AWS bill, this episode gives you one concrete diagnostic to run tomorrow. #Kubernetes #DevOps #PodResourceRequests #CPULimits #MemoryRequests #CloudCostOptimization #VerticalPodAutoscaler #FintechCaseStudy #NoisyNeighbor #OOMKills #ResourceOverprovisioning #SlackCluster #K8sBestPractices #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily #PodPerformance Keep every episode free: buymeacoffee.com/fexingo
    12 min
  • How Kubernetes RBAC Configurations Create Security Gaps
    2026/06/05
    In this episode of DevOps Daily with Fexingo, Lucas and Luna explore a common but overlooked security risk in Kubernetes: overly permissive Role-Based Access Control (RBAC) configurations. They start with a real-world example from a mid-size fintech that suffered a breach because a service account had cluster-admin privileges. They break down why default roles like 'cluster-admin' and 'edit' are often too broad, how horizontal privilege escalation works in practice, and why many teams treat RBAC as a checkbox exercise. The hosts walk through the principle of least privilege, contrast Role vs ClusterRole, and explain what a proper RBAC audit looks like. They also discuss how to use tools like kubectl auth can-i and third-party scanners to identify overprivileged accounts. By the end, listeners understand why RBAC misconfigurations are a top attack vector and how to fix them before an audit or incident. #Kubernetes #RBAC #CloudSecurity #DevOps #K8sSecurity #PrivilegeEscalation #LeastPrivilege #ServiceAccount #ClusterAdmin #Kubectl #TechPodcast #Technology #FexingoBusiness #BusinessPodcast #SoftwareOperations #CICD #PodSecurity #AccessControl Keep every episode free: buymeacoffee.com/fexingo
    7 min
  • Why Kubernetes Audit Logs Miss the Critical Second
    2026/06/05
    Episode 32 of DevOps Daily with Fexingo. Lucas and Luna dive into the hidden gap between Kubernetes audit logs and actual attacker behavior. Using the real-world example of the 2024 Latacora breach — where a stolen kubeconfig allowed lateral movement for 47 minutes before any log entry fired — they explain why most audit policies are tuned to the wrong signals. Lucas breaks down the difference between Kubernetes audit stages (RequestReceived, ResponseComplete) and why the default logging level misses critical 'in-flight' actions. Luna shares a fix: staging audit policies to capture 'RequestReceived' for sensitive verbs like exec and port-forward. They also discuss how tools like Falco and Tetragon complement native audit logs, and why a simple 'audit log review' checklist can prevent the next supply-chain incident. A practical deep-dive for anyone running production clusters. #Kubernetes #AuditLogs #DevOps #Security #K8s #LatacoraBreach #Falco #Tetragon #SupplyChain #PodSecurity #CloudNative #Infrastructure #Technology #FexingoBusiness #BusinessPodcast #CI/CD #Containers #Logging Keep every episode free: buymeacoffee.com/fexingo
    10 min