Kubesploit

In this post, you will answer the following question: "how can we enforce security best practices at the cluster or namespace level?" You will cover: - Pod Security Policies. - Pod Security Admission controller. - Examples and demos. ➜ https://faun.pub/pod-security-policies-are-dead-long-live-pod-security-admission-a7431a764ba3

In this article, you will find the log for the Insekube CTF. You will learn: - How to enumerate ports on a cluster. - Obtaining a reverse shell. - Exploiting Grafana to access /etc/passwd. - Gaining root access. ➜ https://arrowa.medium.com/insekube-ctf-tryhackme-8b3f26556e0a

In this article, you'll learn why you should avoid Sealed Secrets in your GitOps deployment: 1. The keys to which environment? 2. The secrets are … right there. 3. The key to secure all keys is still a key. 4. There are better solutions. ➜ https://dnastacio.medium.com/why-you-should-avoid-sealed-secrets-in-your-gitops-deployment-e50131d360dd

A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. ➜ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23648

Granting rights to node/proxy resources in Kubernetes could allow for audit logs and other security controls to be bypassed. Learn how in this article. Read more https://blog.aquasec.com/privilege-escalation-kubernetes-rbac

Radare2 is an open-source framework for reverse-engineering and binary analysis. In this article, you will learn how to run analysis at scale with Radare2, a CI/CD pipeline and Kubernetes. Read more https://archcloudlabs.com/projects/dumb_fuzzing

The kubelet uses startup, readiness, and liveness probes to verify whether a pod is booting, ready to accept traffic and still alive. It is the kubelet who actually executes the probes (and not the pod itself). Learn how you can exploit them. Read more https://xxradar.medium.com/exploiting-applications-using-livenessprobes-in-kubernetes-cdff6329d320

Security researchers discovered a vulnerability where attackers could construct a malicious Helm chart to exfiltrate secrets, tokens, and other sensitive information from Argo CD which could then be potentially used for privilege escalation. Read more https://blog.argoproj.io/argo-cd-deals-with-our-first-zero-day-cve-86e8fb158e8f

PodSecurityPolicy exists in Kubernetes to provide security controls for pods. PSPs are deprecated in 1.21 (April 2021) and will be removed entirely in 1.25 (expected around April 2022). This article explains what PSPs are and their alternatives. Read more https://appvia.io/blog/podsecuritypolicy-is-dead-long-live

In this article you will compare five open-source tools for Kubernetes security scanning: 1. Grype. 2. Trivy. 3. Kubesec. 4. Kube-bench. 5. kubeaudit. Read more https://quesengmany.medium.com/how-to-improve-the-security-of-your-applications-with-kubernetes-security-scanners-cda97fd2f574

What does it take to get a job as a Kubernetes engineer? Do you need a Kubernetes certification to apply for a job? What's the average salary for a Kubernetes engineer? We analyzed 97 Kubernetes jobs for the first three months of 2022 and found that: - The average Kubernetes job pays €83,398 in Europe and $123,126 in North America. - The majority of the job listings are for Senior DevOps Engineers. - Only 1% of the total listings offer a position to Junior Engineers 😢 - As usual, AWS, Python, Terraform, Prometheus and Jenkins!!! are the top terms mentioned in any Kubernetes job descriptions. You can read the full report here: https://kube.careers/kubernetes-trend-report-2022-q1

Using GitHub Actions, it's easy to improve the security of your containers by automating vulnerability scanning and digital signing. In this post, you'll go over how to set up and secure a CI/CD pipeline using GitHub Actions, Cosign, and Trivy. Read more https://blog.aquasec.com/trivy-github-actions-security-cicd-pipeline

In this blog post, you will - Look at RBAC, what it is and how it can be used. - Create a ServiceAccount with restricted rights in the cluster. - Create a Role and ClusterRole to allow a user to access an application namespace. Read more https://anaisurl.com/kubernetes-rbac

This repository aims to implement a CrowdSec bouncer for the router Traefik to block malicious IPs to access your services. For this, it leverages Traefik v2 ForwardAuth middleware and queries CrowdSec with the client IP. Read more https://github.com/fbonalair/traefik-crowdsec-bouncer

SimpleSecrets is a secure operator that allows you to create secrets on demand. You can commit the SimpleSecrets, which are references to a database secret, and the operator will create Kubernetes Secrets automatically for you. Read more https://github.com/Michaelpalacce/SimpleSecrets

The OWASP WrongSecrets p0wnable app is an app packed with various ways of how to not store your secrets. These can help you to realize whether your secret management is fine. The challenge is to find all the different secrets. Read more https://github.com/commjoen/wrongsecrets

This post will show how Istio and OAuth2-Proxy can be used to force users to authenticate before accessing applications on Kubernetes. Read more https://elastisys.com/istio-and-oauth2-proxy-in-kubernetes-for-microservice-authentication

Grype is a vulnerability scanner for container images and filesystems. Works with Syft, the powerful SBOM (software bill of materials) tool for container images and filesystems. Read more https://github.com/anchore/grype

Docker Security Playground is an application that allows you to: - Create network and network security scenarios. - Learn penetration testing techniques by simulating vulnerability labs scenarios. - Manage a set of docker-compose projects. Read more https://github.com/DockerSecPlay/DockerSecurityPlayground

HOUDINI is a curated list of Network Security related Docker Images for Network Intrusion purposes. Read more https://github.com/cybersecsi/HOUDINI