Kubesploit
News and links on Kubernetes security curated by the @Learnk8s team Website: https://kubesploit.io/
Repost from LearnKube news
Master Kubernetes with this 4-day Advanced Kubernetes workshop on the 9th of June (next week)!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
You can sign up here: https://learnk8s.io/online-advanced-june-2022
You're probably aware that it is best practice not to use the latest tag when deploying to Kubernetes because that tag can be changed to point at a different image.
Learn how to use kbld with Argo CD to increase the security of your delivery pipeline.
More: https://blog.argoproj.io/preventing-tag-mutation-with-kbld-and-argo-cd-19cecd65963
Repost from Kube Builders
In this article you will learn how you can use the ambassador, adapter, sidecar and init containers to extend your apps in Kubernetes without changing their code.
More: https://learnk8s.io/sidecar-containers-patterns
This article shows the core strategies for securing an Argo CD deployment and keeping you ahead of potential exposures.
1. Use a dedicated project for the control plane.
2. Argo resources are for Argo admins only.
...
6. Have a CVE response plan ready.
More: https://dnastacio.medium.com/gitops-argocd-security-cbb6fb6378bb
In this article, you'll learn how to use the Vault Agent Injector to dynamically generate and inject PKI certs into Pods.
By rendering secrets to a shared volume, containers within the pod will consume Vault secrets without being Vault aware.
More: https://medium.com/nerd-for-tech/pki-certs-injection-to-k8s-pods-with-vault-agent-injector-d97482b48f3d
Learn how combining Gatekeeper + Cosign for image signature validation with the new external_data feature lets you stop untrusted Docker images from being deployed on your Kubernetes cluster.
More: https://justinpolidori.it/posts/20220116_sign_images_with_cosign_and_verify_with_gatekeeper
Repost from Kube Architect
Learn how to design a Kafka cluster to achieve high availability using standard Kubernetes resources and test how it tolerates maintenance and total node failures.
More: https://learnk8s.io/kafka-ha-kubernetes
keepass-secret is a command-line tool that converts entries from a KeePass 2.3 file into Kubernetes secrets.
This tool was created to automatically create Kubernetes Secrets in CI/CD pipelines that deploy workloads to Kubernetes clusters.
More: https://github.com/rene6502/keepass-secret
In this guide, you'll learn how to configure Vault to exchange service accounts for a scoped client Vault token. This can be useful for apps deployed in Kubernetes that want to self-authenticate against Vault and avoid passing Vault credentials around.
More: https://ddymko.medium.com/vault-using-kubernetes-auth-c67cfcdc8d6e
In this article, you will explore several scenarios on how to attack etcd in Kubernetes to gain access to its data. You will cover:
- etcd localhost port access due to an SSRF vulnerability.
- etcd credential stealing.
- Kube API server command execution.
More: https://tutorialboy24.medium.com/a-detailed-brief-about-offence-and-defence-on-cloud-security-etcd-risks-9fb6ab0704a1
Repost from Kube Architect
Starting with Envoy 1.17, authentication and authorization to Istio clusters don't require setting up external services if you decide to use OAuth2.
Learn how it works in this hands-on tutorial.
More: https://medium.com/getindata-blog/oauth2-based-authentication-on-istio-powered-kubernetes-clusters-2bd0999b7332
Repost from LearnKube news
Master Kubernetes with this 4-day Advanced Kubernetes workshop on the 9th of June!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
You can sign up here: https://learnk8s.io/online-advanced-june-2022
It's no secret that Kubernetes Secrets are just base64-encoded strings stored in etcd alongside the rest of the cluster's state.
But is it *really* an issue?
Let's create a rudimentary threat model for Kubernetes Secrets and see what comes up.
More: https://macchaffee.com/blog/2022/k8s-secrets
The 2022 cloud-native threat report from Aquasec highlights the key threats targeting cloud-native applications by analyzing attacks and techniques seen in the wild.
More: https://blog.aquasec.com/2022-cloud-native-threat-report-cyber-attacks
Repost from Kube Events
🗓 Kubernetes events starting in the next 24 hours:
16 May 7:45 am GMT - DoK day 2022 (Data on Kubernetes) - 📍 In-person conference
16 May 12:00 pm GMT - Operator Day KubeCon EU (Canonical) - 📍 Online & in-person conference
16 May 1:00 pm GMT - KubeCon + CloudNativeCon Europe (Linux Foundation) - 📍 Online & in-person conference
16 May 1:00 pm GMT - Kubernetes AI day Europe (Linux Foundation) - 📍 In-person conference
Kubernetes has a pluggable mechanism for enforcing granular policies on its resources.
This gets even easier when you add Open Policy Agent and Gatekeeper.
In this article, you will learn how to use Gatekeeper to keep your Deployments in check.
More: https://asankov.dev/blog/2022/04/21/securing-kubernetes-with-open-policy-agent
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use `.metadata.annotations` in an Ingress object to obtain the credentials of the ingress-nginx controller.
More: https://groups.google.com/g/kubernetes-security-announce/c/hv2-SfdqcfQ
This article explores how cert-manager can be used by on-premises Kubernetes applications to manage their certificate lifecycles.
More: https://itnext.io/certificate-management-for-on-premises-cloud-native-apps-dbca82e3c405
This article aims to explain the architecture of HashiCorp Vault and how to install it in Kubernetes. Towards the end of the article, you will also see how an application can make use of Vault in a hands-on demo.
More: https://devopslearners.com/comprehensive-guide-to-setup-hasicorp-vault-in-kubernetes-8543e9912e3f
There are cases when you need to encrypt traffic between services running within your Kubernetes cluster, but a service mesh is overkill. In this article, you'll achieve this using cert-manager and related tools in a simple and efficient way.
More: https://medium.com/@mikhail_advani/kubernetes-in-cluster-traffic-encryption-using-cert-manager-b70c2101a12d