Kubesploit


News and links on Kubernetes security curated by the @Learnk8s team. Website: https://kubesploit.io/

2 056 subscribers
-1 in the last 24 hours
-2 in the last 7 days
+7 in the last 30 days

Post archive
In this article, you will learn how your Kubernetes deployment can access a database with random roles and passwords (and eventually restricted privileges) that are rotated every hour and deleted after expiration. More: https://itsufficient.me/blog/postgres-vault

Repost from LearnKube news
This week on the Learn Kubernetes Weekly: 💦 Mitigating memory leak in Kubernetes with a one-liner commit 🐾 Tracing the path of network traffic 🍼 My first experience with Kyverno 📕 Kustomize best practices ⚙️ WebAssembly on Kubernetes Read it now: https://learnk8s.io/issues/35

AWS ACM Private CA is a module of the AWS Certificate Manager that can set up and manage private CAs. This project acts as an addon to cert-manager that signs off certificate requests using AWS PCA. More: https://github.com/cert-manager/aws-privateca-issuer

Kyverno is a Kubernetes policy engine that can enforce policies like required labels, container image signing, resource existence, etc. It has a library of ready-to-use policies and allows for easy evaluation with its CLI. Learn more in this post. More: https://medium.com/@mabenoit/kyverno-kubernetes-native-policy-management-7ca01fa372a3

In this tutorial, you'll look at how to configure EKS to use secrets and parameters from Amazon Secrets Manager and AWS Systems Manager Parameter Store. More: https://blog.bootlabstech.com/aws-secrets-manager-in-kubernetes-secret-rotation-and-reloader

OWASP Kubernetes is aimed at helping security practitioners, sysadmins, and software developers prioritize risks around the Kubernetes ecosystem. In this article, you will find the top 10 risks you should consider and mitigations you could adopt. More: https://sysdig.com/blog/top-owasp-kubernetes

In this tutorial, you will evaluate the Validating Admission Policy feature paired with a Custom Resource Definition (CRD) as parameter input, which makes the policies easy to customise. More: https://github.com/tommy-dk/validating-admission-policy

The sixth annual Sysdig Cloud-Native Security and Usage Report digs into how Sysdig customers of all sizes and industries are using, securing, and paying for cloud and container environments. More: https://sysdig.com/blog/2023-cloud-native-security-usage-report

You can use Calico and WireGuard to encrypt data in transit in a Kubernetes cluster without mTLS or IPsec. Encryption is supported for pod-to-pod traffic on different hosts and host-to-host traffic. Learn how in this article. More: https://medium.com/@dhawalsaini.devops_50274/wireguard-with-calico-in-k8s-8608fb8192b5

Repost from LearnKube news
This week on the Learn Kubernetes Weekly: 🏠 Load balancer architecture on-premises ⚖️ Pod rebalancing and allocations 👮‍♀️ Mitigating RBAC-based privilege escalation ☁️ De-cloud and de-k8s 👍 Promoting releases in GitOps Read it now: https://learnk8s.io/issues/33

Repost from Kube Architect
Should you have more than one team using the same Kubernetes cluster? Can you run untrusted workloads safely from untrusted users? Does Kubernetes do multi-tenancy? This article will explore the challenges of running a cluster with multiple tenants. More: https://community.ops.io/danielepolencic/multi-tenancy-in-kubernetes-366n

This is a library of policies based on Kubescape controls ready for use with Kubernetes Validating Admission Policies. More: https://github.com/kubescape/cel-admission-library

The External Secrets Operator allows the fetching of secret data from external secret management providers. But a less known feature is that you can push Kubernetes secrets to third parties. You can use this feature to migrate secrets between providers. More: https://eminalemdar.medium.com/reversing-the-workflow-with-external-secrets-operators-push-secret-feature-f2a64f3db748

KubeCSR is a lightweight REST service written in Go, built on the Gin framework, that automates the toil of creating Kubernetes x509 client certificates for users. More: https://github.com/tonedefdev/kubecsr

In this article, you will look into the different mitigations implemented to address privilege escalation and powerful permissions in Kubernetes. More: https://unit42.paloaltonetworks.com/kubernetes-privilege-escalation

Repost from LearnKube news
This week on the Learn Kubernetes Weekly: 🚗 Reacting faster to node failures 🏗 IP and pod allocations in EKS 👮‍♂️ Let's talk about kubelet authorization 🤕 Abusing etcd to inject resources 💘 Cilium: why we use it and why we ♥️ it Read it now: https://learnk8s.io/issues/32

In this article, you will learn how to use the Open Policy Agent (via Gatekeeper) to enforce security and governance policies and gain fine-grained control over the services running in a Kubernetes cluster. More: https://awstip.com/enforce-security-and-governance-in-kubernetes-using-opa-gatekeeper-2fd5b55f91d1

In this post, you will look at the Node authorization mode and NodeRestriction admission controller, which are used to provide rights to Kubelets to access the resources they need to function. More: https://raesene.github.io/blog/2023/04/08/lets-talk-about-kubelet-authorization

In this tutorial, you will learn how to sign container images with Cloud KMS and Google Artifact Registry and then only allow those signed images to run in a GKE cluster. More: https://medium.com/google-cloud/sigstores-cosign-and-policy-controller-with-gke-and-kms-7bd5b12672ea

In this article, you'll learn how to manually inject resources without restrictions from RBAC or Admission Controllers by replicating the target infrastructure or by exporting and importing ETCD entries while maintaining the byte length of each value. More: https://lobuhisec.medium.com/using-etcd-to-inject-resources-and-bypass-rbac-and-admission-controller-restrictions-f240ae31e7f0

Kubesploit - Telegram channel statistics and analytics for @kubesploit