Kubesploit
Открыть в Telegram
News and links on Kubernetes security curated by the @Learnk8s team Website: https://kubesploit.io/
Больше2 076
Подписчики
+124 часа
+97 дней
+1730 день
Архив постов
2 076
Repost from LearnKube news
In this article, you will learn the thought process, design decision and code that led to writing a custom controller to copy secrets from Hashicorp Vault to Kubernetes.
More: https://medium.com/kts-digital-services-integrator/why-we-developed-own-kubernetes-controller-to-copy-secrets-e46368ae6db9
2 076
A researcher gained root access to the host and was able to execute commands on other pods in GCP.
Mitigations include blocking network connections, removing unnecessary capabilities, and using a different IP address for the node.
More: https://medium.com/@chenshiri/taking-over-google-cloud-shell-by-utilizing-capabilities-and-kubelet-fd5e2417f286
2 076
In this tutorial, you will learn how to use oauth2-proxy as a sidecar container to authorize requests to your Identity Provider of choice.
More: https://dev.to/gabrielbiasi/automatic-sso-in-kubernetes-workloads-using-a-sidecar-container-3752
2 076
Securing Kubernetes with open-source tools has become increasingly prevalent.
Read all you need to know about this shift in this detailed report.
More: https://landing.armosec.io/state-of-kubernetes-open-source-security-2022
2 076
Repost from LearnKube news
This week on the Learn Kubernetes Weekly:
🚦 Service communication monitoring
🕵️♀️ The life of a DNS query
🗺 Network mapping in Grafana
± Preview and diff Argo CD deployments
☁️ Istio multicluster deployment with Terraform
Read it now: https://learnk8s.io/learn-kubernetes-weekly
2 076
Repost from LearnKube news
In this article, you will learn how to map all the pods in the cluster and correlate IP with workloads, facilitating the management of cluster network status and speeding up debugging.
More: https://betterprogramming.pub/improve-cluster-monitoring-with-network-mapping-in-grafana-fa8bb479fd47
2 076
Trivy is a comprehensive and versatile security scanner.
What Trivy can scan:
- Container Images.
- Filesystem.
- Git Repository (remote).
- Virtual Machine Image.
- Kubernetes.
- AWS.
More: https://github.com/aquasecurity/trivy
2 076
With Seccomp, you can restrict processes' calls from userspace into kernel space.
In this article, you will learn how Kubernetes can automatically apply Seccomp profiles to Pods and containers.
More: https://levelup.gitconnected.com/seccomp-secure-computing-mode-kubernetes-docker-97130516662c
2 076
Konstraint is a CLI tool to assist with the creation and management of templates and constraints when using Gatekeeper.
More: https://github.com/plexsystems/konstraint
2 076
Repost from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshops!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next course is in June and you can sign up here: https://learnk8s.io/online-advanced-june-2023
2 076
This article has a few tips for hardening your GKE setup:
1. Network policies.
2. Custom service accounts.
3. Workload identities.
4. Pod Security admissions and admission controllers.
5. GKE sandbox.
More: https://medium.com/@pbijjala/considerations-for-hardening-your-gke-a-workload-perceptive-943be26949d2
2 076
Repost from LearnKube news
This week on the Learn Kubernetes Weekly:
🙅♀️ Ingress controller in bash
🧐 Pods health checks mystery
8️⃣ Comparing 8 managed Kubernetes providers
🚦 Advancements in traffic engineering
🔗 The problem of state
Read it now: https://learnk8s.io/learn-kubernetes-weekly
2 076
The AWS provider for the Secrets Store CSI Driver allows you to fetch secrets from AWS Secrets Manager and AWS Systems Manager Parameter Store, and mount them into Kubernetes pods.
More: https://github.com/aws/secrets-store-csi-driver-provider-aws
2 076
open-appsec provides preemptive web app & API threat protection against OWASP-Top-10 and zero-day attacks.
It can be deployed as an add-on to Kubernetes Ingress, NGINX, Envoy and API Gateways.
More: https://github.com/openappsec/openappsec
2 076
authentik is an open-source Identity Provider focused on flexibility and versatility.
More: https://github.com/goauthentik/authentik
2 076
This blog post describes an attempt to assess the security posture of Kubernetes clusters scattered across the internet, detailing our research methodology, findings and analysis.
More: https://redhuntlabs.com/blog/unsecured-kubernetes-clusters-exposed.html
2 076
Repost from Kube Architect
In this article, you will learn how to manage secrets securely on Kubernetes in the GitOps approach using Sealed Secrets, ArgoCD, and Terraform.
More: https://piotrminkowski.com/2022/12/14/sealed-secrets-on-kubernetes-with-argocd-and-terraform
2 076
In this tutorial, you will deploy a vulnerable app to SQL and XSS injections in Kubernetes and learn how to protect it using Pipy and sidecar containers.
More: https://dev.to/flomesh/pipy-protecting-kubernetes-apps-from-sql-injection-xss-attacks-dol
2 076
This post discusses using SSO authentication and authorization to secure apps in Kubernetes.
The tutorial uses Dex and Traefik Forward Auth (or Oauth2-Proxy) to add additional security to ingresses or apps that do not support built-in OIDC.
More: https://allanjohn909.medium.com/sso-authentication-for-applications-in-kubernetes-aedc3c189d89
2 076
In this article, you will learn how to prevent a Denial-of-Service (DoS) attack in Kubernetes, and how to use cloud-native tools such as Calico and Falco to detect it.
More: https://sysdig.com/blog/denial-of-service-kubernetes-calico-falco
