Kubesploit

In this article, you will learn how to combine External Secrets with managed identities in Azure to keep the secrets up-to-date in the Azure Key Vault, with automatic synchronization to the Kubernetes cluster. More: https://medium.com/@artem_lajko/unlocking-the-potential-external-secrets-and-azure-kubernetes-service-integration-f562c58d7472

Bitwarden CRD Operator is an operator that exposes secrets from Bitwarden as Kubernetes native secrets using Custom Resource Definitions. More: https://github.com/Lerentis/bitwarden-crd-operator

Ever wonder how AWS IRSA, GCP workload identity or Azure AD workload identity work in Kubernetes? This article explores how OIDC works in a Kubernetes cluster to trust external workloads. More: https://motilayo.hashnode.dev/exploring-kubernetes-service-account-tokens-and-secure-workload-identity-federation

This week on the Learn Kubernetes Weekly: 🏗️ Kubernetes resources, capacity and allocatable ✅ AKS checklist 📦 Container security fundamentals: isolation & namespaces 🛜 Cluster networking 🆚 "helm template" over "helm install" Read it now: https://learnk8s.io/issues/38

In this article, you will learn how to combine Helm, Helmfile and SOPS to store your secrets (safely) in Git. More: https://blog.mariano.cloud/all-right-then-keep-your-secrets-in-git-with-sops

kube-lock sits as an intermediary between you and kubectl, allowing you to lock and unlock contexts. It prevents misfires to production / high-value Kubernetes clusters that you might have strong IAM privileges on. More: https://github.com/chaosinthecrd/kube-lock

In this article, you will discuss how to bypass container security scanners. You will also build a small proof of concept. More: https://raesene.github.io/blog/2023/04/22/Fun-with-container-images-Bypassing-vulnerability-scanners

Linux namespaces are foundational to how container runtimes like Docker work. In this article, you'll learn how they provide fine-grained isolation of a container's view of the host's resources. More: https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-2

Kustomize SOPSGenerator is a Kustomize generator plugin that reads SOPS-encoded files and converts them to Kubernetes Secrets. More: https://github.com/omninonsense/kustomize-sopsgenerator

Managing authenticated image pulls to Docker Hub in a large cluster is difficult. In this article, you'll cover the tools to make it easier: 1. Image pull secrets. 2. imagepullsecret-patcher. 3. External Secrets Operator. 4. Red Hat's patch-operator. More: https://dev.to/iainmcgin/authenticated-docker-hub-image-pulls-in-kubernetes-k57

This week on the Learn Kubernetes Weekly: 📈 Understand container metrics 🔎 Tracing pod to pod network traffic 🔗 Envoy WASM extensions 📝 Docker networking models 📥 Kubernetes API server: the storage interface Read it now: https://learnk8s.io/issues/37

In this tutorial, you will learn how to use Zarf (a tool that enables continuous software delivery on air-gapped networks) to deploy Longhorn on a Kubernetes cluster. More: https://medium.com/defense-unicorns/getting-started-with-airgap-deployment-of-longhorn-block-storage-with-zarf-bdd6edfd65b7

In this article, you will learn how you can combine RuntimeClass, Kata containers and Kyverno to provide a more robust sandbox for workloads running in Kubernetes. More: https://itnext.io/enhancing-kubernetes-security-with-kyverno-runtimeclass-and-kata-containers-f513308c7a23

In this tutorial, you will learn how to use Kubearmor to have granular control over container behaviour, allowing you to enforce security policies tailored to their needs. More: https://medium.com/@alex.ivenin/enhancing-kubernetes-security-with-kubearmor-323ca754dbf8

In this article, you will dissect how an attacker can gain access to a Kubernetes cluster that allows anonymous access to mine cryptocurrency. In the process, you will uncover: - Usage of DaemonSets to utilize all nodes. - "Fake" pause containers. More: https://crowdstrike.com/blog/crowdstrike-discovers-first-ever-dero-cryptojacking-campaign-targeting-kubernetes

This week on the Learn Kubernetes Weekly: 🆚 CPU requests & limits VS autoscaling 🤢 CoreDNS cache poisoning 🐣 What happens when you create a pod 🎭 Managing roles for PostgreSQL with Vault 💸 Price comparison of managed Kubernetes Read it now: https://learnk8s.io/issues/36

Netchecks is a set of tools for testing network conditions and asserting that they are as expected. There are two main components: 1. The operator that runs network checks and reports results. 2. Netcheck CLI and Python Library. More: https://github.com/hardbyte/netchecks

The Otterize Credentials Operator automatically resolves pods to dev-friendly service names, registers them with a SPIRE server or with Otterize Cloud, and optionally provisions credentials as Kubernetes secrets. More: https://github.com/otterize/credentials-operator

In this article, you will inspect the CoreDNS source code and learn how it is susceptible to cache poisoning. You will also learn how to mitigate such an attack. More: http://sbudella.altervista.org/blog/20230308-coredns-conjecture.html

mirrors is a custom Kubernetes controller that copies Kubernetes Secret to and from various locations. Currently, it supports the following sources and destinations: - Native Kubernetes Secret - HashiCorp Vault Secret More: https://github.com/ktsstudio/mirrors