Kubesploit

News and links on Kubernetes security curated by the @Learnk8s team Website: https://kubesploit.io/

2 056 subscribers
Post archive
This repository contains a set of over 1200 AppArmor profiles that can be used to confine most Linux base applications and processes. More: https://github.com/roddhjav/apparmor.d

There is no standardized method for providing IAM group access to an EKS cluster or namespace. In this article, you will learn how you can use an IAM role to authenticate the user group automatically and transparently when kubectl is being used. More: https://eng.grip.security/enabling-aws-iam-group-access-to-an-eks-cluster-using-rbac

This report outlines a security engagement of the CRI-O project. The assessment includes four high-level tasks: 1. Threat model formalisation of CRI-O. 2. Fuzzing integration of CRI-O into OSS-Fuzz. 3. Manual code auditing. 4. Documentation/testing review More: https://github.com/cri-o/cri-o/blob/main/security/2022_security_audit_adalogics.pdf

In this article, you will learn how to attack and defend a Kubernetes cluster by solving the challenges of Kubernetes goat — an intentionally vulnerable cluster environment to learn and practice Kubernetes security. More: https://medium.com/@codingkarma/kubernetes-goat-part-1-8718b1345a42

During penetration tests and red team engagements, eBPF-based security tools can detect and block most attacks. In this article, you'll learn some of their limitations and the bypass techniques that exploit them. More: https://form3.tech/engineering/content/bypassing-ebpf-tools

vals-operator syncs secrets from any secrets store supported by vals into Kubernetes. It works similarly to secrets-manager, but it supports more secret stores other than HashiCorp Vault. More: https://github.com/digitalis-io/vals-operator

Kubernetes security scanners are tools that can be used to detect vulnerabilities and security issues in your applications. In this article, you will find: 1. Grype. 2. Trivy. 3. Kubesec. 4. Kube-bench. 5. Kubeaudit. More: https://blog.cloudsecque.com/how-to-improve-the-security-of-your-applications-with-kubernetes-security-scanners-cda97fd2f574

This tutorial will walk through how Kubernetes Certificate Signing Requests can be utilized to distribute certificates that associate a user with a unique identity that can then be assigned access to a Kubernetes cluster with RBAC. More: https://lisowski0925.medium.com/using-kubernetes-csrs-and-rbac-for-cluster-user-authentication-and-authorization-9df5498655cd

Since Kubescape's launch in August 2021, it has scanned more than 10,000 Kubernetes clusters. In this report, you will find the aggregated data and analysis to highlight the essential stats on the state of Kubernetes security, risk, and compliance. More: https://armosec.io/blog/what-we-learned-from-scanning-over-10k-kubernetes-clusters

Repost from Kube Events
🗓 Kubernetes events starting in the next 24 hours:
03 Oct 8:00 am GMT - 🔥 GOTO Copenhagen | Trifork - 📍 In-person conference
03 Oct 10:00 am GMT - KubeHuddle | KubeHuddle - 📍 In-person conference
→ See all Kubernetes events

In this tutorial, you will learn how to evaluate wasm-compiled rego policies for the Open Policy Agent with Rust and the burrego crate. More: https://inspektor.cloud/blog/evaluating-open-policy-agent-in-rust-using-wasm

k8s-manifest-sigstore is a kubectl plugin that enables developers to sign and verify Kubernetes YAML files. Also, the integrity of deployed manifests can be confirmed on a Kubernetes cluster. More: https://github.com/sigstore/k8s-manifest-sigstore

In this tutorial, you'll learn how to use Kyverno to automatically configure annotations that enable access logs for an AWS Network Load Balancer (NLB) to be forwarded to an S3 bucket for a service of type LoadBalancer. More: https://silvr.medium.com/using-kyverno-to-enforce-aws-load-balancer-annotations-for-centralized-logging-to-s3-af5dc1f1f3e0

Repost from Kube Events
One interesting challenge with Kubernetes is deploying workloads across several regions. While you can technically have a cluster with several nodes located in different regions, this is generally regarded as something you should avoid due to the extra latency. Another popular alternative is to deploy a cluster for each region and find a way to orchestrate them. In this webinar, Daniele will demo live how to create, connect and operate three Kubernetes clusters in different regions. You can register here (it's free): https://kube.events/t/a35a3a6f-2d32-458b-aca4-61bb9d8bb1ce

Repost from Kube Architect
This article focuses on how Teleport can be used to give developers secure access to a Kubernetes cluster. More: https://edidiongasikpo.com/how-to-give-developers-secure-access-to-kubernetes-clusters

Paralus is a tool that enables controlled, audited access to Kubernetes infrastructure. It comes with just-in-time service account creation and user-level credential management that integrates with your RBAC and SSO. Ships as a GUI, API, and CLI. More: https://github.com/paralus/paralus

In this article, you will explore how OpenShift provides a powerful mechanism to enhance the security of your AWS account by using short-lived credentials through STS, instead of static User credentials (Access Keys). More: https://dev.to/mtulio/deep-dive-into-aws-oidc-identity-provider-when-installing-openshift-with-iam-sts-manual-sts-support-1bo7

In an affected version of KubeEdge, a malicious message can crash CloudCore by triggering a nil-pointer dereference in the UDS Server. This bug has been fixed in KubeEdge 1.11.0, 1.10.1, and 1.9.3. More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31076

In this article, you will learn why PodSecurityPolicies never made it as a GA feature, why they had to be replaced and what you should consider going forward. More: https://macchaffee.com/blog/2022/psp-deprecation

All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31035