Kubesploit

News and links on Kubernetes security curated by the @Learnk8s team. Website: https://kubesploit.io/

Post archive
Repost from LearnKube news
A typical web application responds to requests from bots, health checks, and various attempts to circumvent security and gain unauthorized access. Examples include:
- SQL injections.
- XSS attacks.
So, how can you filter out those malicious attempts in Kubernetes? You have at least 2 solid options:
1. You can filter the traffic before it reaches the container.
2. You can filter the traffic at the Ingress.
Chris Nesbitt-Smith will dive into the details this coming Monday at 8am PT / 4pm CET in a live webinar. After the session, you will have access to the code, a step-by-step tutorial and interactive labs to test the configuration (provided by NGINX). You can register here (it's free): https://www.nginx.com/c/microservices-march-2022-kubernetes-networking-agenda/

Learn how to run Regula on a Kubernetes manifest to detect an insecure pod, and then learn how to secure it. Read more https://fugue.co/blog/securing-a-kubernetes-pod-with-regula-and-open-policy-agent

Learn how to use eBPF and the Security Profiles Operator to automatically generate seccomp profiles (a Linux kernel feature that restricts the system calls a process may make) for your Kubernetes workloads. Read more https://developers.redhat.com/articles/2021/12/16/secure-your-kubernetes-deployments-ebpf#what_is_the_security_profiles_operator_

Kubernetes 1.23 includes security features that enhance cluster security:
- Support for ephemeral containers
- HostProcess containers for Windows
- PodSecurity admission controller
And more. All three of the above are beta in 1.23, so they are enabled by default but still subject to change. Read more https://blog.aquasec.com/kubernetes-version-1.23-security-features

This article discusses two open source tools for auditing cluster security: kube-bench, which checks a cluster's configuration against the CIS Kubernetes Benchmark, and kube-hunter, which probes a cluster for weaknesses from an attacker's point of view. Read more https://blog.flant.com/kubernetes-security-with-kube-bench-and-kube-hunter

In this repository, you will find a curated list of awesome Kubernetes security resources. Read more https://github.com/ksoclabs/awesome-kubernetes-security

After reading this article, you will learn:
- How not to run pods as root.
- How to use a read-only (immutable) root filesystem.
- How to scan Docker images locally and in your CI pipelines.
- How to use PodSecurityPolicy (PSP). Note that PSP was deprecated in Kubernetes 1.21 and removed in 1.25; the PodSecurity admission controller is its replacement.
Read more https://blog.gitguardian.com/kubernetes-tutorial-part-1-pods

In this article, you will learn how to grant IAM users and roles access to an Amazon EKS cluster. Read more https://medium.com/@radha.sable25/enabling-iam-users-roles-access-on-amazon-eks-cluster-f69b485c674f

Pinniped is the easy, secure way to log in to your Kubernetes clusters. Pinniped provides identity services to Kubernetes. Read more https://github.com/vmware-tanzu/pinniped

Netshoot is a Docker + Kubernetes network troubleshooting swiss-army container. Read more https://github.com/nicolaka/netshoot

Across its security assessments, NCC Group has found many attack paths that could have led to a compromised CI/CD pipeline, in enterprises large and small. In this post they share 10 real-world stories. Read more https://research.nccgroup.com/2022/01/13/10-real-world-stories-of-how-weve-compromised-ci-cd-pipelines

How do you restrict network traffic between namespaces in a Kubernetes cluster? In this guide, you'll learn how to prevent traffic between namespaces using Linkerd's traffic policies. Read more https://buoyant.io/2021/12/14/locking-down-network-traffic-between-kubernetes-namespaces

ElastAlert 2 is a standalone software tool for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch and OpenSearch. ElastAlert 2 is backwards compatible with the original ElastAlert rules. Read more https://github.com/jertel/elastalert2

Container security best practices: a comprehensive guide. Read more https://sysdig.com/blog/container-security-best-practices

In this tutorial, we present three tools to validate and secure your Kubernetes deployments:
1. Kubeval (validates manifests against the Kubernetes API schemas)
2. Kubeconform (the same, with support for CRDs and newer Kubernetes versions)
3. kube-score (static analysis of manifests for security and reliability issues)
Read more https://semaphoreci.com/blog/kubernetes-deployments
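The checks that Regula (see the Regula post above), the GitGuardian pod tutorial (non-root, read-only root filesystem, image scanning) and kube-score all make on a Pod manifest, written out in plain Python as an added example. This is not the code of any of those tools or of the tutorial: the manifest, the pinned tag 1.21.6 and the UID 10001 are assumptions for illustration, and the manifest is held as a dict with the same keys as the YAML so nothing beyond the standard library is needed.

```python
"""Static checks for an insecure Pod manifest, plus a hardened copy.

Added example for this page; not Regula's, kube-score's or the
GitGuardian tutorial's code. Manifests are dicts mirroring the YAML.
"""
import copy

PINNED_TAG = "1.21.6"  # assumed replacement for ':latest'; pin to a digest in real use

# Constructed: a typical "it works" pod with none of the hardening applied
INSECURE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "web",
            "image": "nginx:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "docker", "mountPath": "/var/run/docker.sock"}],
        }],
        "volumes": [{"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}


def is_mutable_tag(image):
    """True for ':latest' or an untagged reference (which also resolves to latest)."""
    last = image.rsplit("/", 1)[-1]  # drop registry/repo path, which may itself contain ':'
    if "@sha256:" in last:
        return False  # digest-pinned
    return ":" not in last or last.endswith(":latest")


def check_pod(pod):
    """Return sorted findings for a Pod manifest; an empty list means it passes."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"pod: {key} is true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol['name']}: hostPath {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged")
        # A container-level value overrides the pod-level one; unset means "may run as root"
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot not set")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if sc.get("allowPrivilegeEscalation", True):  # the default permits setuid binaries
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped")
        if is_mutable_tag(c.get("image", "")):
            findings.append(f"{name}: image tag is mutable")
    return sorted(findings)


def harden(pod):
    """Return a hardened deep copy that passes check_pod; the input is not modified."""
    fixed = copy.deepcopy(pod)
    spec = fixed["spec"]
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        spec.pop(key, None)
    # Remove hostPath volumes and every mount that referred to them
    dropped = {v["name"] for v in spec.get("volumes", []) if "hostPath" in v}
    spec["volumes"] = [v for v in spec.get("volumes", []) if v["name"] not in dropped]
    spec["securityContext"] = {"runAsNonRoot": True, "runAsUser": 10001,  # assumed UID
                               "seccompProfile": {"type": "RuntimeDefault"}}
    # A read-only root fs still needs scratch space; an emptyDir on /tmp covers most images
    spec["volumes"].append({"name": "tmp", "emptyDir": {}})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        c["volumeMounts"] = [m for m in c.get("volumeMounts", []) if m["name"] not in dropped]
        c["volumeMounts"].append({"name": "tmp", "mountPath": "/tmp"})
        c["securityContext"] = {
            "privileged": False,
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        }
        if is_mutable_tag(c["image"]):
            base = c["image"][:-len(":latest")] if c["image"].endswith(":latest") else c["image"]
            c["image"] = f"{base}:{PINNED_TAG}"
    return fixed


if __name__ == "__main__":
    print("before:", *check_pod(INSECURE_POD), sep="\n  ")
    print("after:", check_pod(harden(INSECURE_POD)))
```

Run it as-is to see the eight findings on the insecure pod and the empty list on the hardened copy. The hardening is deliberately generic: a real image may need more writable paths than /tmp once the root filesystem is read-only, and the pinned tag should come from your image scanner's report rather than a constant.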

In this article you will learn how to detect anomalies in your cluster using Kubernetes audit logs and detection engineering. Read more https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters
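The kind of detection the article describes, as an added example that is not the NCC Group article's own code: a small rule set run over API server audit events. The events, users, IPs, auditIDs and the 403 threshold are constructed for illustration; only the event shape (audit.k8s.io/v1 Event objects, one per line, as the API server writes them with the JSON log backend) is real.

```python
"""Rule-based detection over Kubernetes API server audit events.

Added example for this page; not code from the linked NCC Group article.
The sample log below is constructed: fake users, IPs and auditIDs in the
shape of audit.k8s.io/v1 Event objects, one JSON object per line.
"""
import json
from collections import Counter

SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:prod:web"},"sourceIPs":["10.0.1.5"],"objectRef":{"resource":"configmaps","namespace":"prod","name":"web-config"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"sourceIPs":["192.0.2.10"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-7d9f"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:prod:web"},"sourceIPs":["10.0.1.5"],"objectRef":{"resource":"secrets"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","verb":"get","user":{"username":"system:anonymous"},"sourceIPs":["198.51.100.7"],"objectRef":{"resource":"pods","namespace":"kube-system"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a5","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:prod:web"},"sourceIPs":["10.0.1.5"],"objectRef":{"resource":"clusterrolebindings","name":"web-admin"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a6","stage":"ResponseStarted","verb":"watch","user":{"username":"system:kube-controller-manager"},"sourceIPs":["10.0.0.2"],"objectRef":{"resource":"pods"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a7","stage":"ResponseComplete","verb":"get","user":{"username":"bob"},"sourceIPs":["192.0.2.22"],"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a8","stage":"ResponseComplete","verb":"get","user":{"username":"bob"},"sourceIPs":["192.0.2.22"],"objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap-token"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a9","stage":"ResponseComplete","verb":"list","user":{"username":"bob"},"sourceIPs":["192.0.2.22"],"objectRef":{"resource":"secrets","namespace":"prod"},"responseStatus":{"code":403}}
"""

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
INTERACTIVE = {"exec", "attach", "portforward"}


def parse_events(log_text):
    """Parse JSON-lines audit output, keeping only completed requests.

    ResponseStarted events are written for long-running requests (watch,
    exec) before the outcome is known, so they would be double-counted.
    """
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            if ev.get("stage") == "ResponseComplete":
                events.append(ev)
    return events


def detect(events, forbidden_threshold=3):
    """Apply the rules to a list of events and return a list of alert dicts, in event order."""
    alerts = []
    forbidden_by_user = Counter()

    def add(rule, ev, user, detail):
        alerts.append({"rule": rule, "auditID": ev.get("auditID"), "user": user, "detail": detail})

    for ev in events:
        user = ev.get("user", {}).get("username", "")
        verb = ev.get("verb", "")
        code = ev.get("responseStatus", {}).get("code", 0)
        ref = ev.get("objectRef", {})
        resource, sub = ref.get("resource"), ref.get("subresource")
        target = f"{ref.get('namespace', '*')}/{resource}/{ref.get('name', '*')}"

        # 1. Interactive access into a container: rare in automated pipelines,
        #    and how operators (and attackers) get a shell.
        if resource == "pods" and sub in INTERACTIVE:
            add("pod-exec", ev, user, f"{sub} into {target}")
        # 2. A workload identity listing Secrets with no namespace in the request
        #    (a cluster-wide list), which applications almost never need.
        if (resource == "secrets" and verb in {"list", "watch"}
                and "namespace" not in ref and user.startswith("system:serviceaccount:")):
            add("secret-enum", ev, user, f"cluster-wide {verb} of secrets")
        # 3. Any resource request from system:anonymous: an unauthenticated client
        #    reached the API server (this is how scanners probe), whatever the outcome.
        if user == "system:anonymous" and resource:
            add("anonymous-access", ev, user, f"{verb} {target} -> {code}")
        # 4. A successful write to cluster-wide RBAC objects: escalation or persistence.
        if resource in {"clusterroles", "clusterrolebindings"} and verb in WRITE_VERBS and code < 400:
            add("rbac-escalation", ev, user, f"{verb} {target}")
        if code == 403:
            forbidden_by_user[user] += 1

    # 5. Repeated denials from one principal: RBAC probing, or a stolen token being tried out.
    for user, n in forbidden_by_user.items():
        if n >= forbidden_threshold:
            alerts.append({"rule": "forbidden-burst", "auditID": None, "user": user,
                           "detail": f"{n} forbidden responses"})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_AUDIT_LOG)):
        print(a["rule"], a["auditID"], a["user"], a["detail"])
```

On the constructed log this raises five alerts: the exec by alice, the cluster-wide Secrets list by the prod/web service account, the anonymous probe of kube-system, the ClusterRoleBinding created by that same service account, and bob's run of three 403s. In a real pipeline the threshold rule would be windowed by time and the allow-lists (which service accounts may read Secrets, which users may exec) would come from your environment; the audit policy must also actually record these resources at Metadata level or above, or the events never reach the detector.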

Why am I able to bind a privileged port in my container without the NET_BIND_SERVICE capability? Read more https://medium.com/@olivier.gaumond/why-am-i-able-to-bind-a-privileged-port-in-my-container-without-the-net-bind-service-capability-60972a4d5496

Learnk8s and NGINX are launching a month-long, free educational program on Kubernetes networking. The course is divided into four parts:
- Unit 1: Architecting Kubernetes clusters for high-traffic websites (the 7th of March)
- Unit 2: Exposing APIs in Kubernetes (the 14th of March)
- Unit 3: Microservices Security Patterns (the 21st of March)
- Unit 4: Advanced Kubernetes Deployment Strategies (the 28th of March)
Each part has:
- A live webinar (Chris, Salman & Andrea will present those). The event is recorded, and you can catch up later too.
- A self-paced lab for experimenting with Kubernetes technologies. NGINX will provide interactive labs via Instruqt.
- A step-by-step tutorial where you can try everything on your computer too (and maybe copy and reuse the code).
- Extra links and resources to help you understand and dig deeper into the subjects.
You can read the full agenda here: https://www.nginx.com/c/microservices-march-2022-kubernetes-networking-agenda/

Getting rid of passwords (or connection strings) while accessing Azure services and instead making use of Managed Identities is a way to increase the security of your workloads. Learn how to use Managed Identities in this article. Read more https://itnext.io/secure-azure-cosmos-db-access-by-using-azure-managed-identities-55f9fdf48fda

In this article you'll learn how an attacker with access to a Kubernetes cluster can escape from a container and:
1. run a pod to gain root privileges
2. escape to the host
3. persist the attack with invisible pods and fileless executions
Read more https://isovalent.com/blog/post/2021-11-container-escape