Kubesploit
News and links on Kubernetes security curated by the @Learnk8s team Website: https://kubesploit.io/
Posts Archive
In this tutorial, you'll learn how to install, configure and devise custom rules and alerts for Falco. With this, you can monitor your infrastructure and receive real-time alerts on critical security events. More: https://itnext.io/getting-started-with-falco-48e8631b6f86

In this article, you will learn about RBAC Buster. This new Kubernetes attack exploits the API servers to create a ClusterRoleBinding and gain full access to the cluster with persistence after the misconfiguration is fixed. More: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters

Repost from LearnKube news
This week on the Learn Kubernetes Weekly: ⚖️ Distributed and auto-scalable websocket server architecture 🏎️ Demystifying CPU limits 🙅‍♀️ Pod topology spread constraint pitfalls 🤔 When is a CPU not a CPU? 🛑 Never use alpine Linux ever again Read it now: https://learnk8s.io/issues/39

This tutorial will teach you how to use the Secrets Store CSI Driver to integrate your app with HashiCorp Vault on Kubernetes. More: https://piotrminkowski.com/2023/03/20/vault-with-secrets-store-csi-driver-on-kubernetes

In this article, you will learn how to combine External Secrets with managed identities in Azure to keep the secrets up-to-date in the Azure Key Vault, with automatic synchronization to the Kubernetes cluster. More: https://medium.com/@artem_lajko/unlocking-the-potential-external-secrets-and-azure-kubernetes-service-integration-f562c58d7472

Bitwarden CRD Operator is an operator that exposes secrets from Bitwarden as Kubernetes native secrets using Custom Resource Definitions. More: https://github.com/Lerentis/bitwarden-crd-operator

Ever wonder how AWS IRSA, GCP workload identity or Azure AD workload identity work in Kubernetes? This article explores how OIDC works in a Kubernetes cluster to trust external workloads. More: https://motilayo.hashnode.dev/exploring-kubernetes-service-account-tokens-and-secure-workload-identity-federation

Repost from LearnKube news
This week on the Learn Kubernetes Weekly: 🏗️ Kubernetes resources, capacity and allocatable ✅ AKS checklist 📦 Container security fundamentals: isolation & namespaces 🛜 Cluster networking 🆚 "helm template" over "helm install" Read it now: https://learnk8s.io/issues/38

Repost from Kube Architect
In this article, you will learn how to combine Helm, Helmfile and SOPS to store your secrets (safely) in Git. More: https://blog.mariano.cloud/all-right-then-keep-your-secrets-in-git-with-sops

kube-lock sits as an intermediary between you and kubectl, allowing you to lock and unlock contexts. It prevents misfires to production / high-value Kubernetes clusters that you might have strong IAM privileges on. More: https://github.com/chaosinthecrd/kube-lock

In this article, you will learn how container vulnerability scanners can be bypassed, and you will build a small proof of concept along the way. More: https://raesene.github.io/blog/2023/04/22/Fun-with-container-images-Bypassing-vulnerability-scanners

Repost from LearnKube news
Linux namespaces are foundational to how container runtimes like Docker work. In this article, you'll learn how they provide fine-grained isolation of a container's view of the host's resources. More: https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-2

Kustomize SOPSGenerator is a Kustomize generator plugin that reads SOPS-encoded files and converts them to Kubernetes Secrets. More: https://github.com/omninonsense/kustomize-sopsgenerator

Managing authenticated image pulls to Docker Hub in a large cluster is difficult. In this article, you'll cover the tools to make it easier: 1. Image pull secrets. 2. imagepullsecret-patcher. 3. External Secrets Operator. 4. Red Hat's patch-operator. More: https://dev.to/iainmcgin/authenticated-docker-hub-image-pulls-in-kubernetes-k57

Repost from LearnKube news
This week on the Learn Kubernetes Weekly: 📈 Understand container metrics 🔎 Tracing pod to pod network traffic 🔗 Envoy WASM extensions 📝 Docker networking models 📄 Kubernetes API server: the storage interface Read it now: https://learnk8s.io/issues/37

In this tutorial, you will learn how to use Zarf (a tool that enables continuous software delivery on air-gapped networks) to deploy Longhorn on a Kubernetes cluster. More: https://medium.com/defense-unicorns/getting-started-with-airgap-deployment-of-longhorn-block-storage-with-zarf-bdd6edfd65b7

In this article, you will learn how you can combine RuntimeClass, Kata containers and Kyverno to provide a more robust sandbox for workloads running in Kubernetes. More: https://itnext.io/enhancing-kubernetes-security-with-kyverno-runtimeclass-and-kata-containers-f513308c7a23

In this tutorial, you will learn how to use KubeArmor to gain granular control over container behaviour, allowing you to enforce security policies tailored to your needs. More: https://medium.com/@alex.ivenin/enhancing-kubernetes-security-with-kubearmor-323ca754dbf8

In this article, you will dissect how an attacker can gain access to a Kubernetes cluster that allows anonymous access to mine cryptocurrency. In the process, you will uncover:
- Usage of DaemonSets to utilize all nodes.
- "Fake" pause containers.
More: https://crowdstrike.com/blog/crowdstrike-discovers-first-ever-dero-cryptojacking-campaign-targeting-kubernetes

Repost from LearnKube news
This week on the Learn Kubernetes Weekly: 🆚 CPU requests & limits VS autoscaling 🤢 CoreDNS cache poisoning 🐣 What happens when you create a pod 🎭 Managing roles for PostgreSQL with Vault 💸 Price comparison of managed Kubernetes Read it now: https://learnk8s.io/issues/36