Kubesploit


News and links on Kubernetes security curated by the @Learnk8s team Website: https://kubesploit.io/

Post archive
In this article you’ll learn how an attacker with access to a Kubernetes cluster can escape from a container and:

1. run a pod to gain root privileges
2. escape to the host
3. persist the attack with invisible pods and fileless executions

Read more https://isovalent.com/blog/post/2021-11-container-escape

This operator allows you to define "Dynamic" RBAC rules that change based on the state of your cluster, so you can spend your time writing the RBAC patterns that you'd like to deploy, rather than traditional, fully enumerated RBAC rules Read more https://github.com/redhat-cop/dynamic-rbac-operator

aws-auth-manager is a Kubernetes controller to manage the aws-auth configmap in EKS using a new AWSAuthItem CRD. Read more https://github.com/maruina/aws-auth-manager

Cloud Secret Resolvers is a set of tools to help your applications (on Kubernetes) retrieve any credentials from cloud-managed vaults without the need to write additional boilerplate code in your applications Read more https://github.com/kubeopsskills/cloud-secret-resolvers

Kubelogin is a kubectl plugin for Kubernetes OpenID Connect authentication (kubectl oidc-login) Read more https://github.com/int128/kubelogin

This repository contains a proof of concept that uses cosign and GitHub's built-in OIDC to sign container images. It proves that what is in the registry came from your GitHub action Read more https://github.com/chrisns/cosign-keyless-demo

AAD Pod Identity enables Kubernetes applications to access cloud resources securely with Azure Active Directory. Using Kubernetes primitives, administrators configure identities and bindings to match pods Read more https://github.com/Azure/aad-pod-identity

Rego library for detecting misconfigurations in Kubernetes manifests Read more https://github.com/armosec/regolibrary

Cosign keyless Kubernetes admission webhook is a Kubernetes admission webhook that uses cosign verify to check that the subject and issuer of the image match what you expect Read more https://github.com/appvia/cosign-keyless-admission-webhook

Kubeletmein is a simple penetration testing tool which takes advantage of public cloud provider approaches to providing kubelet credentials to nodes in order to gain privileged access to the k8s API Read more https://github.com/4ARMED/kubeletmein

What's the average salary for a Kubernetes engineer? Do you need a Kubernetes certification to apply for a job? What technologies and cloud providers are often used with Kubernetes? We analyzed 276 Kubernetes jobs from 2021 and found that:

- If you know AWS and Python, the world is your oyster.
- CKA is the top Kubernetes certification. But only a few employers require one.
- Jenkins is more alive than ever. Gitlab CI/CD is a very distant second.
- Prometheus is synonymous with monitoring. No one comes close.

You can read the full report here: https://kube.careers/report-2021-q4

How to Secure Your Kubernetes Cluster with OpenID Connect and RBAC Read more https://dev.to/oktadev/how-to-secure-your-kubernetes-cluster-with-openid-connect-and-rbac-5hic

Securing LDAP with TLS certificates using ClusterIssuer in Tanzu Kubernetes Grid Read more https://cormachogan.com/2021/11/24/securing-ldap-with-tls-certificates-in-tkg-v1-4

How do packets flow inside and outside a Kubernetes cluster? In this article, you will learn to trace the traffic in your cluster, starting from the initial web request and down to the container hosting the application. You will learn:

1. How containers in the same pod behave as if they are on the same host.
2. How pods reach other pods in the cluster.
3. How pods reach Services and how Services load balance requests.

https://learnk8s.io/kubernetes-network-packets

An overview of Fulcio — a community-driven code signing Certificate Authority. Read more https://chainguard.dev/posts/2021-11-12-fulcio-deep-dive

Learn Kubernetes on the 20th of January! Learnk8s is running the first 4-day Advanced Kubernetes course of 2022 next week. If you're looking to get your hands dirty with Kubernetes, join us for a session packed with labs and demos! Sign up here: https://learnk8s.io/training

Guidelines for hardening your Kubernetes cluster Read more https://blog.gitguardian.com/hardening-your-k8s-pt-2

This article explains how to deploy Keycloak with Infinispan, the in-memory data store for caching user metadata, on a Kubernetes cluster Read more https://blog.flant.com/ha-keycloak-infinispan-kubernetes

Explore how Kubernetes dashboard can be exploited to gain access to a Kubernetes cluster Read more https://blog.aquasec.com/kubernetes-ui-tools-security-threat