Kubesploit


News and links on Kubernetes security curated by the @Learnk8s team Website: https://kubesploit.io/

2 058 subscribers

Post archive
This article details how to secure web traffic using TLS with a certificate issued by a trusted CA on Google Kubernetes Engine. This will use Let's Encrypt through a popular Kubernetes add-on called cert-manager. More: https://joachim8675309.medium.com/gke-with-certmanager-9bc00b086b73

With Kubernetes v1.24, non-expiring service account tokens are no longer auto-generated. This blog post highlights what this means in practice, and what to do if you rely on non-expiring service account tokens. More: https://eng.d2iq.com/blog/service-account-tokens-in-kubernetes-v1.24

Admission controllers are a key component of the admission process performed by the Kubernetes API server. They enable fine-grained control over the object creation, update, and deletion process. Learn how they work in this article. More: https://pradeepl.com/blog/kubernetes/introduction-to-kubernetes-admission-controllers

In this article, you will learn how to integrate ArgoCD with HashiCorp Vault to manage secrets on Kubernetes. To use ArgoCD and Vault together, you will use the ArgoCD Vault plugin. More: https://piotrminkowski.com/2022/08/08/manage-secrets-on-kubernetes-with-argocd-and-vault

The Kubernetes Security Profiles Operator aims to make it easier for users to use SELinux, seccomp and AppArmor in Kubernetes clusters. More: https://github.com/kubernetes-sigs/security-profiles-operator

Kubeconform is a Kubernetes manifest validation tool. It is similar to Kubeval, but with the following improvements: 1. High performance. 2. Remote or local schema locations. 3. Up-to-date schemas for all recent versions of Kubernetes. More: https://github.com/yannh/kubeconform

In this tutorial, you'll learn how to create a Python program that uses IAM for Service Accounts to search for secrets in Secrets Manager and store them in a volume. The script can be used as an init container to inject secrets into any pod. More: https://kymidd.medium.com/lets-do-devops-eks-k8s-python-fuzzy-staging-with-aws-secrets-manager-k8s-init-disk-secrets-b0d8022f3a5d

KSOPS is a kustomize exec plugin for SOPS encrypted resources. KSOPS can be used to decrypt any Kubernetes resource, but is most commonly used to decrypt encrypted Kubernetes Secrets and ConfigMaps. More: https://github.com/viaduct-ai/kustomize-sops

This article will teach you how to exploit a vulnerability in Linux containers by bypassing negative group permissions. More: https://benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation

This project provides an OCI hook to generate seccomp profiles by tracing the syscalls made by the container. The generated profile would allow all the syscalls made and deny every other syscall. More: https://github.com/containers/oci-seccomp-bpf-hook

In this article, you will learn how to scan and discover publicly accessible Kubernetes clusters and how you can protect against it. More: https://raesene.github.io/blog/2022/07/03/lets-talk-about-kubernetes-on-the-internet

Role-based access control (RBAC) is a way of granting users granular access to Kubernetes API resources. RBAC is a security design that limits access to Kubernetes resources based on the user's role. Learn how to use RBAC in this tutorial. More: https://faun.pub/give-users-and-groups-access-to-kubernetes-cluster-using-rbac-b614b6c0b383

K8s-gatekeeper is an admission webhook that uses Casbin to apply arbitrary user-defined access control rules to help prevent any operation the administrator doesn't allow. More: https://github.com/casbin/k8s-gatekeeper

awesome-containerized-security is a collection of tools to improve your containerized apps security posture. More: https://github.com/koslib/awesome-containerized-security

KubePi allows administrators to import multiple Kubernetes clusters and assign permissions to different clusters and namespaces. More: https://github.com/KubeOperator/KubePi

Repost from LearnKube news
Kubernetes doesn't load balance long-lived connections, and some pods might receive more requests than others. If you're using gRPC, AMQP or any other long-lived connection (e.g. database), you might want to consider client-side load balancing. More: https://learnk8s.io/kubernetes-long-lived-connections

This article focuses on configuring Kubernetes Audit Logs so you can have records of events happening in your cluster. More: https://signoz.io/blog/kubernetes-audit-logs

In this article, you will learn how to use the IAM Authenticator to authenticate to an EKS cluster. More: https://betterprogramming.pub/kubernetes-authentication-in-aws-eks-using-iam-authenticator-de3a586e885c

sKan is a tailor-made scanner for Kubernetes configuration files and resources that enables developers and DevOps team members to check whether their work complies with security and ops best practices. More: https://github.com/alcideio/skan

Repost from LearnKube news
In this article, you will discover the ins and outs of eBPF and why it is particularly exciting when it comes to observing your containers and Kubernetes clusters. More: https://groundcover.com/blog/what-is-ebpf