Kubesploit

Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows users with Credentials/Create permission to read arbitrary files on the Jenkins controller. More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27208

In this tutorial, you will learn the authentication, authorization, logging, and auditing of a Kubernetes cluster. Specifically, you will discuss some of the best practices in AWS EKS. More: https://dev.to/gitguardian/kubernetes-hardening-tutorial-part-3-authn-authz-logging-auditing-3fec

In this post, you'll cover: - High-level best practices you should know to secure your workflows. - The various components that make up Argo, and how to secure those components. - Dive into operating and using Argo securely. More: https://blog.argoproj.io/practical-argo-workflows-hardening-dd8429acc1ce

A vulnerability in CRI-O could allow for attackers who are able to create pods in a Kubernetes or OpenShift cluster to break out to the underlying cluster node, effectively escalating their privileges. More: https://blog.aquasec.com/cve-2022-0811-cri-o-vulnerability

In this article, you will learn how to escape from a privileged container using the cgroup_release_agent escape trick (CVE-2022-0492). More: https://pwning.systems/posts/escaping-containers-for-fun

Malicious Docker containers are a relatively new form of attack, taking advantage of an exposed Docker API or vulnerable host to do their evil plotting.​​ In this article, you'll walk through the triage of a malicious image. More: https://sysdig.com/blog/triaging-malicious-docker-container

Argo CD is vulnerable to a path traversal bug, compounded by an improper access control bug, allowing a malicious user with read-only repository access to leak sensitive files from Argo CD's repo-server. More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24730

A flaw was found in all versions of kubeclient up to (but not including) v4.9.3, in the way it parsed kubeconfig files. Ruby applications that leverage kubeclient to parse kubeconfig files are susceptible to Man-in-the-middle attacks (MITM). More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0759

In this article, you will learn how to store your credentials in the Secrets Manager and automatically retrieve them for creating Kubernetes Secrets using External Secrets. More: https://pjame-fb.medium.com/kubernetes-secrets-from-secrets-manager-using-external-secrets-operators-4819562c3b02

ThreatMapper hunts for vulnerabilities in your production platforms and ranks these vulnerabilities based on their risk of exploitation. You can then prioritize the issues that present the greatest risk to the security of your applications More: https://github.com/deepfence/ThreatMapper

In March 2022, NSA & CISA has issued a new version of the Kubernetes Hardening Guide – 1.1. Here are the most important points addressed in this new version More: https://armosec.io/blog/nsa-cisa-kubernetes-hardening-guide

In this article, you'll cover the basic best practices to perform Digital Forensics and Incident Response (DFIR) in a Kubernetes cluster. You will also simulate how to inspect and respond to a breach. More: https://sysdig.com/blog/guide-kubernetes-forensics-dfir

Master Kubernetes with this a 4-day Advanced Kubernetes workshop on the 9th of June (next week)! What should you expect? - Learn how to architect and design clusters from the ground up (in the cloud or on-prem). - Explore the Kubernetes internal component and how the system is designed with resiliency in mind. - Deep-dive into the networking components and observe the packets flowing into the cluster. - Hands-on labs to test the theory with real-world scenarios! You can sign up here: https://learnk8s.io/online-advanced-june-2022

See Datadog's proof of concept exploit for breaking out from unprivileged containers using the Dirty Pipe vulnerability. More: https://datadoghq.com/blog/engineering/dirty-pipe-container-escape-poc

In this post, you will learn about Bitnami Sealed Secrets, a way of storing secrets in a Git repository securely. You will also learn how to monitor the Sealed Secrets controller with Prometheus + Grafana. More: https://carlosalca.medium.com/how-to-manage-all-my-k8s-secrets-in-git-securely-with-bitnami-sealed-secrets-43580b8fa0c7

in-toto provides a framework to protect the integrity of the software supply chain. It does so by verifying that each task in the chain is carried out as planned, by authorized personnel only, and that the product is not tampered with in transit. More: https://github.com/in-toto/in-toto

The recently discovered vulnerability CVE-2022-23648 in containerd allows crafted containers to gain read-only access to files from the host machine. More: https://armosec.io/blog/cve-2022-23648-containerd-cri-plugin-kubernetes

The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment. More: https://github.com/stackrox/stackrox

Master Kubernetes with this a 4-day Advanced Kubernetes workshop on the 9th of June (next week)! What should you expect? - Learn how to architect and design clusters from the ground up (in the cloud or on-prem). - Explore the Kubernetes internal component and how the system is designed with resiliency in mind. - Deep-dive into the networking components and observe the packets flowing into the cluster. - Hands-on labs to test the theory with real-world scenarios! You can sign up here: https://learnk8s.io/online-advanced-june-2022

You're probably aware that it is best practice not to use the latest tag when deploying to Kubernetes because that tag can be changed to point at a different image. Learn how to use kbld with Argo CD to increase the security of your delivery pipeline. More: https://blog.argoproj.io/preventing-tag-mutation-with-kbld-and-argo-cd-19cecd65963