• How Kubernetes RBAC Configurations Create Security Gaps
    2026/06/05
    In this episode of DevOps Daily with Fexingo, Lucas and Luna explore a common but overlooked security risk in Kubernetes: overly permissive Role-Based Access Control (RBAC) configurations. They start with a real-world example from a mid-size fintech that suffered a breach because a service account had cluster-admin privileges. They break down why default roles like 'cluster-admin' and 'edit' are often too broad, how horizontal privilege escalation works in practice, and why many teams treat RBAC as a checkbox exercise. The hosts walk through the principle of least privilege, contrast Role vs ClusterRole, and explain what a proper RBAC audit looks like. They also discuss how to use tools like kubectl auth can-i and third-party scanners to identify overprivileged accounts. By the end, listeners understand why RBAC misconfigurations are a top attack vector and how to fix them before an audit or incident. #Kubernetes #RBAC #CloudSecurity #DevOps #K8sSecurity #PrivilegeEscalation #LeastPrivilege #ServiceAccount #ClusterAdmin #Kubectl #TechPodcast #Technology #FexingoBusiness #BusinessPodcast #SoftwareOperations #CICD #PodSecurity #AccessControl Keep every episode free: buymeacoffee.com/fexingo
    7 min
  • Why Kubernetes Audit Logs Miss the Critical Second
    2026/06/05
    Episode 32 of DevOps Daily with Fexingo. Lucas and Luna dive into the hidden gap between Kubernetes audit logs and actual attacker behavior. Using the real-world example of the 2024 Latacora breach — where a stolen kubeconfig allowed lateral movement for 47 minutes before any log entry fired — they explain why most audit policies are tuned to the wrong signals. Lucas breaks down the difference between Kubernetes audit stages (RequestReceived, ResponseComplete) and why the default logging level misses critical 'in-flight' actions. Luna shares a fix: staging audit policies to capture 'RequestReceived' for sensitive verbs like exec and port-forward. They also discuss how tools like Falco and Tetragon complement native audit logs, and why a simple 'audit log review' checklist can prevent the next supply-chain incident. A practical deep-dive for anyone running production clusters. #Kubernetes #AuditLogs #DevOps #Security #K8s #LatacoraBreach #Falco #Tetragon #SupplyChain #PodSecurity #CloudNative #Infrastructure #Technology #FexingoBusiness #BusinessPodcast #CI/CD #Containers #Logging Keep every episode free: buymeacoffee.com/fexingo
    10 min
  • Why Kubernetes Network Policies Are Often Worse Than Nothing
    2026/06/04
    Lucas and Luna dive into a silent threat in Kubernetes security: network policies that are incomplete, misconfigured, or poorly maintained. They walk through a real incident where a supposedly secure cluster had a default-deny policy that was accidentally bypassed by an allow-all rule on a single namespace, exposing a database to the internet. They explain why network policies give a false sense of security, how to audit them effectively, and the one practice that prevents policy drift. No clickbait, just a sharp, specific conversation about a gap most teams overlook until it's too late. #Kubernetes #NetworkPolicy #CloudSecurity #DevOps #Technology #PodSecurity #ZeroTrust #K8sNetworking #SecurityAudit #PolicyAsCode #Cilium #Calico #CNI #InfrastructureAsCode #FexingoBusiness #BusinessPodcast #TechPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo
    11 min
  • Why Kubernetes Health Checks Are a False Sense of Security
    2026/06/04
    Episode 30 of DevOps Daily with Fexingo: Lucas and Luna dig into why standard Kubernetes liveness and readiness probes often give teams a false sense of security. They walk through a real-world case where a service passed health checks but crashed under load because probes only tested a single endpoint. They break down the difference between basic TCP probes, HTTP probes, and deep dependency-aware probes, and explain why teams need to instrument startup probes and custom readiness gates. They also cover how Inc's 2025 postmortem on a multi-hour payment outage traced back to a stale readiness probe. By the end, listeners understand why a health check is only as good as the dependencies it actually tests. #Kubernetes #HealthChecks #LivenessProbes #ReadinessProbes #SiteReliabilityEngineering #CloudNative #DevOps #IncidentResponse #PodLifecycle #StartupProbes #DependencyManagement #ContainerOrchestration #TechOps #Observability #ProductionDebugging #ReliabilityEngineering #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo
    10 min
  • How Kubernetes Service Meshes Add Latency You Can't Ignore
    2026/06/03
    Lucas and Luna dive into the hidden performance cost of running a service mesh in Kubernetes. Using Istio and Linkerd as examples, they unpack how sidecar proxies add 2-5 milliseconds of latency per hop, and how mesh overhead compounds in deep call chains. They walk through a real-world scenario where a 12-microservice transaction saw tail latency spike from 50ms to 210ms after enabling mutual TLS and traffic policies. The hosts discuss tuning strategies: reducing proxy CPU limits, disabling unused features, and choosing between Istio's Envoy and Linkerd's Rust-based proxy. They also cover when a service mesh is premature — and when it's worth the cost. This episode assumes you already know what a service mesh does; it's about the tradeoffs you rarely see in vendor docs. #Kubernetes #ServiceMesh #Istio #Linkerd #EnvoyProxy #Latency #Microservices #SidecarProxy #MutualTLS #Performance #DevOps #CloudNative #CNCF #K8sNetworking #Technology #FexingoBusiness #DevOpsDaily #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo
    10 min
  • Why Kubernetes Persistent Volume Claims Are a Performance Trap
    2026/06/02
    Episode 27 of DevOps Daily with Fexingo: Lucas and Luna dive into a silent performance killer in Kubernetes clusters—how Persistent Volume Claims with default storage classes can cause latency spikes and throughput bottlenecks. Using a real-world case from a fintech startup running Cassandra on AWS EBS gp2 volumes, Lucas explains why their 99th percentile read latency jumped from 5ms to 120ms under moderate load. The episode covers storage class tuning, volume binding modes, and why your CSI driver configuration matters more than you think. No fluff—just actionable insights for DevOps engineers managing stateful workloads in production. #Kubernetes #PersistentVolumeClaims #StorageClass #Performance #DevOps #StatefulWorkloads #Cassandra #AWSEBS #CSI #Latency #Throughput #Fintech #Infrastructure #Technology #CloudNative #FexingoBusiness #BusinessPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo
    9 min
  • Why Your Kubernetes Rollbacks Are a Roll of the Dice
    2026/06/02
    Episode 26 of DevOps Daily with Fexingo. Lucas and Luna dive into why Kubernetes rollbacks are riskier than most teams realize. They examine a case where a simple image tag rollback silently reverted a critical security fix, breaking compliance for days. They discuss why declarative state doesn't protect you from bad rollouts, how Helm and Argo CD handle (or fail to handle) rollback semantics, and what a safer rollback strategy looks like — including version pinning and canary analysis gates. Specific examples from a real-world incident involving a fintech startup's production outage in April 2026. #Kubernetes #DevOps #Rollbacks #Helm #ArgoCD #CI/CD #IncidentResponse #ReleaseManagement #DeclarativeState #VersionPinning #CanaryDeployments #SiteReliabilityEngineering #Compliance #Technology #CloudNative #FexingoBusiness #DevOpsDaily #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo
    9 min
  • Why Kubernetes Pod Disruption Budgets Fail Under Node Drains
    2026/06/01
    Episode 25 of DevOps Daily with Fexingo dives into a specific Kubernetes failure mode: Pod Disruption Budgets (PDBs) that prevent node drains during planned maintenance. Lucas and Luna break down a real incident where a cluster's PDBs blocked critical node updates, causing a multi-hour outage. They explain how PDBs work, why common configurations like minAvailable: 100% can lock you into a deadlock, and the practical fix: using percentage-based budgets with a small tolerance. The episode includes a concrete simulation using a three-replica deployment and two-node cluster. No fluff, just the one angle that will save your next maintenance window. #Kubernetes #PodDisruptionBudget #NodeDrain #DevOps #SiteReliabilityEngineering #CloudNative #ContainerOrchestration #HighAvailability #MaintenanceWindow #ClusterOperations #K8sFailureMode #ProductionIncident #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily #ResilienceEngineering #RollingUpdate Keep every episode free: buymeacoffee.com/fexingo
    11 min