Secret Scanning in CI: Stop AWS Keys Leaking to GitHub

Secret Scanning in CI: Stop AWS Keys Leaking to GitHub

Secret scanning with Gitleaks and pre-commit hooks is your last line of defence before AWS credentials hit a public GitHub repo — here's how to set it up properly in CI. You'll learn: * How to install and configure Gitleaks to scan for AWS keys, tokens, and other secrets before a commit lands * Why pre-commit hooks catch leaks that CI pipeline scans miss — and how to wire both together * What to do when a secret has already been pushed: rotation steps, git history scrubbing with git filter-repo, and GitHub secret scanning alerts * How interviewers expect you to reason about defence-in-depth: pre-commit → CI gate → repo-level scanning as layered controls * Common gotchas: hooks that only run locally, bypassing with --no-verify, and enforcing server-side rules Keywords: secret scanning CI/CD, Gitleaks pre-commit hook, prevent AWS keys GitHub, DevOps security interview, credentials leaking git 🎧 Listen, then go deeper — DevOps & Cloud interview-prep ebooks at DevOpsInterview.Cloud [https://DevOpsInterview.Cloud/?utm_source=podbean&utm_medium=podcast&utm_campaign=shownotes]

VPC Flow Log Anomaly Detection: Amazon Detective + Athena ML

Learn how to implement VPC flow log anomaly detection by combining Amazon Detective's graph-based investigation with Athena ML queries to surface real network threats. You'll learn: * How Amazon Detective ingests VPC flow logs and builds behavior baselines using machine learning automatically * Writing Athena ML USING FUNCTION queries against flow log data in S3 to flag statistical outliers in traffic volume or destination ports * How to tie Detective findings back to specific ENIs, IAM roles, and EC2 instances for faster blast-radius assessment * Where Athena ML ends and Detective begins — and why using both beats either alone for senior-level interviews * Common gotchas: log format versions, partition projection in Athena, and Detective's 48-hour data warm-up window Keywords: VPC flow logs anomaly detection, Amazon Detective interview, Athena ML queries AWS, cloud security monitoring interview, AWS network threat detection 🎧 Listen, then go deeper — DevOps & Cloud interview-prep ebooks at DevOpsInterview.Cloud [https://DevOpsInterview.Cloud/?utm_source=podbean&utm_medium=podcast&utm_campaign=shownotes]

Karpenter Multi-Team Clusters: NodePools, Weights & Isolation

Architecting a single Karpenter cluster for ML, Backend, and Batch teams means getting NodePool weights and taint-based isolation right — or pods land somewhere expensive and wrong. You'll learn: * How to define separate NodePools per team — ml-gpu (p3/p4 instances), backend (m5/m6), and batch-spot (Spot, any family) * How Karpenter's spec.weight field drives pool selection: higher weight wins, ties break randomly * The exact selection sequence — Karpenter first finds every pool that can satisfy the pod, then ranks by weight * Why taints alone aren't enough: pairing gpu=true:NoSchedule and spot=true:NoSchedule with matching tolerations gives you hard isolation * Senior gotcha: labels control scheduling preference, taints enforce it — you need both for airtight multi-team separation Keywords: Karpenter NodePool weights, multi-team Kubernetes cluster, Karpenter GPU NodePool, Karpenter spot instances, Kubernetes taint isolation 🎧 Listen, then go deeper — DevOps & Cloud interview-prep ebooks at DevOpsInterview.Cloud [https://DevOpsInterview.Cloud/?utm_source=podbean&utm_medium=podcast&utm_campaign=shownotes]

Karpenter EC2NodeClass: AMI, Subnets, and EBS Config

When your security team mandates a specific AMI, private subnets, custom security groups, and encrypted EBS, Karpenter's EC2NodeClass is exactly where all of that infrastructure detail lives. You'll learn: * The core separation of concerns: NodePool defines what to provision (requirements, constraints); EC2NodeClass defines how (the cloud-provider infrastructure details) * How to pin a specific AMI using amiSelectorTerms and lock nodes to private subnets via tag-based subnetSelectorTerms * Configuring securityGroupSelectorTerms and enforcing EBS encryption through blockDeviceMappings in the EC2NodeClass spec * How nodeClassRef wires a NodePool to a NodeClass — and why one NodeClass can back many NodePools, making AMI rotation straightforward Keywords: Karpenter EC2NodeClass, Karpenter NodePool vs NodeClass, Karpenter AMI selection, Karpenter private subnets, Kubernetes node provisioning security 🎧 Listen, then go deeper — DevOps & Cloud interview-prep ebooks at DevOpsInterview.Cloud [https://DevOpsInterview.Cloud/?utm_source=podbean&utm_medium=podcast&utm_campaign=shownotes]

Karpenter Consolidation & Drift: 2 AM Node Cleanup

Your cluster is burning 50 nodes at 10% utilization at 2 AM with a stale AMI — here's exactly how Karpenter's disruption engine handles both problems automatically. You'll learn: * Setting consolidationPolicy: WhenEmptyOrUnderutilized with a consolidateAfter: 30s window to drain and terminate underutilized nodes * How Karpenter's drift detection compares live node spec against the current NodeClass — and marks nodes drifted when the AMI changes * Using expireAfter: 720h to force a rolling node refresh every 30 days as a TTL safety net * Why consolidation, drift, and expiration are all forms of the same primitive: Karpenter's disruption mechanism Keywords: Karpenter consolidation, Karpenter drift detection, node expiration TTL, Kubernetes node lifecycle, Karpenter NodePool disruption 🎧 Listen, then go deeper — DevOps & Cloud interview-prep ebooks at DevOpsInterview.Cloud [https://DevOpsInterview.Cloud/?utm_source=podbean&utm_medium=podcast&utm_campaign=shownotes]