Kubesploit

In this KubeFM episode, Hillai and Ronen, security researchers at Wiz, explore the intricacies of hacking Alibaba Cloud's Kubernetes cluster. They share their experiences and insights on identifying and exploiting vulnerabilities, mainly focusing on misconfigurations and their impact on cloud security. You will learn: - How Hillai and Ronen gained access to a Kubernetes cluster through a Postgres database. - How they moved laterally and managed to obtain push and pull rights to a private container registry. - Recommendations for securing multi-tenant Kubernetes clusters and maintaining environment hygiene. Watch (or listen to) it here: https://kube.fm/hacking-alibaba-ronen-hillai 🙏 Many thanks to Sysdig for supporting our work and sponsoring this episode. Make sure to check out their Kubernetes security checklist https://sysdig.com/content/c/sysdig-kubernetessec?x=o_J3ln&utm_source=kubefm&utm_medium=referral&utm_campaign=podcast With @Birthmarkb "🤌" Farrell

The article discusses a change in Kubernetes 1.29 , where the default admin.conf credential is no longer a member of the system:masters group and a new super-admin.conf credential has been introduced. More: https://raesene.github.io/blog/2024/01/06/when-is-admin-not-admin

What's the average salary for a Kubernetes engineer? Do you need a Kubernetes certification to apply for a job? We analyzed 332 Kubernetes job descriptions for the first three months of 2024 and found that: 💰 The average Kubernetes job pays from $147,203 to $205,149 in North America and from €58,691 to €78,161 in Europe. 👵 The majority of the job listings are for Senior Engineers. 🎟️ Certifications are not necessary unless you need to work with AWS. 🐍 If you need to learn a programming language, invest in Python! This and more insights in the State of Kubernetes Job Market report here: https://kube.careers/state-of-kubernetes-jobs-2024-q1

secretgen-controller provides CRDs to specify what secrets must be on the cluster (generated or not). Supports: - Generating certificates, passwords, RSA keys and SSH keys. - Generating secrets from data residing in other Kubernetes resources. More: https://github.com/carvel-dev/secretgen-controller

Master Kubernetes with Learnk8s' Advanced Kubernetes workshops! What should you expect? - Learn how to architect and design clusters from the ground up (in the cloud or on-prem). - Explore the Kubernetes internal component and how the system is designed with resiliency in mind. - Deep-dive into the networking components and observe the packets flowing into the cluster. - Hands-on labs to test the theory with real-world scenarios! - And more. The next courses start in June (online & in Munich): https://learnk8s.io/training We also run in-person courses and corporate training: https://learnk8s.io/corporate-training

This article explains how malicious admission controllers can be used to deploy backdoors, emphasizing the importance of surveillance and tools like Falco for detecting such attacks. More: https://security.padok.fr/en/blog/kubernetes-webhook-attackers

This week's 6 best Kubernetes vacancies that focus on security are: DevSecOps Engineer with Applied Intuition 💰 $65K to $400K a year 🏠 From the office in Mountain View, CA, USA → https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55 DevSecOps Engineer with Hyperscience 💰 $190K to $260K a year 👨‍💻 Remote from the United States → https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55 DevSecOps Engineer with Crusoe 💰 $210K to $240K a year 🏠 From the office in San Francisco, CA, USA → https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55 DevSecOps Engineer with Opal Security 💰 $140K to $260K a year 🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA → https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55 DevSecOps Engineer with Relyance AI 💰 $170K to $200K a year 🏠🏃🏻‍♂️🌎 San Francisco, CA, USA → https://kube.careers/t/2941fe4e-c110-43b2-868e-a669d948b774?s=55 👉 Browse all 426 Kubernetes jobs on Kube Careers https://kube.careers

OPA Image Scanner combines Sysdig Secure image scanner with OPA policy-based rego language to evaluate the scan results and the admission context, providing great flexibility on the admission decision. More: https://github.com/sysdiglabs/opa-image-scanner

This week on the Learn Kubernetes Weekly: 💥 Reaching the limitations of Linux with environment variables 🏎️ Faster startup times for Kubernetes workloads with Kube Startup CPU Boost ⚔️ Attacking and defending Kubernetes clusters 🧙‍♀️ A tale of two VLANs 💉 Troubleshooting containers Read it now: https://learnk8s.io/issues/80 🙏 Many thanks to Komodor for supporting our work and sponsoring this issue. Make sure to check out their Kubernetes troubleshooting platform https://komodor.com/?utm_source=lkw

The article discusses the use of advanced Gatekeeper policies in Kubernetes to reject a node assignment under specific conditions. The author explains the process of node assignment and how to effectively test the policy using a CLI tool called Gator. More: https://medium.com/nontechcompany/advanced-gatekeeper-policies-rejecting-a-node-assignment-11c9c3a8bb05

This article discusses securing front-end applications in Kubernetes with SSL/TLS. The article also provides a step-by-step guide on deploying a sample front-end application and requesting a certificate. More: https://semaphoreci.com/blog/kubernetes-ssl-tls

In this KubeFM episode, Faris shares his experience managing CoreDNS and scaling Kubernetes clusters with 900 nodes and 15k pods. He shares the challenges and solutions encountered during an incident, providing valuable insights into maintaining a robust Kubernetes environment. You will learn: - The importance of scaling the Kubernetes control plane for large clusters. - Strategies for optimizing CoreDNS to ensure efficient DNS resolution and prevent incidents. - The pros and cons of using VictoriaMetrics versus Prometheus for monitoring and observability. Watch (or listen to) it here: https://kube.fm/coredns-scaling-farris 🙏 Many thanks to Datadog for supporting our work and sponsoring this episode. Make sure to check out their platform for monitoring CoreDNS alongside the rest of your stack (try it free for 14 days and get a free t-shirt) https://datadoghq.com/kubefm With @Birthmarkb "Picasso" Farrell

This tutorial discusses how network policies can restrict pod communication, showcases examples of implementing policies with Calico, and highlights the importance of defining rules for pod communication within namespaces. More: https://sagarkrp.medium.com/calico-and-kubernetes-a-perfect-pair-for-robust-network-policy-2b91eb4eec44

This article explores Kubernetes clusters' vulnerabilities, demonstrating an attack using the MITRE att&ck matrix. It also discusses defense strategies, including contacting the GCP metadata api and implementing security best practices. More: https://medium.com/@ridhoadya/unveiling-the-battlefield-attacking-and-defending-kubernetes-clusters-9702cdbe941a

The tutorial discusses the importance of using signed and encrypted container images to enhance security in Kubernetes workloads. It uses Podman to create, sign, and verify container images on standalone systems and Kubernetes clusters. More: https://pradiptabanerjee.medium.com/securing-kubernetes-workloads-a-practical-approach-to-signed-and-encrypted-container-images-ff6e98b65bcd

Master Kubernetes with Learnk8s' Advanced Kubernetes workshops! What should you expect? - Learn how to architect and design clusters from the ground up (in the cloud or on-prem). - Explore the Kubernetes internal component and how the system is designed with resiliency in mind. - Deep-dive into the networking components and observe the packets flowing into the cluster. - Hands-on labs to test the theory with real-world scenarios! - And more. The next courses start in June (online & in Munich): https://learnk8s.io/training We also run in-person courses and corporate training: https://learnk8s.io/corporate-training

This week's 6 best Kubernetes vacancies that focus on security are: DevSecOps Engineer with Applied Intuition 💰 $65K to $400K a year 🏠 From the office in Mountain View, CA, USA → https://kube.careers/t/c6291093-2e86-4446-aab7-7f34af1a3112?s=55 DevSecOps Engineer with Hyperscience 💰 $190K to $260K a year 👨‍💻 Remote from the United States → https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55 DevSecOps Engineer with Crusoe 💰 $210K to $240K a year 🏠 From the office in San Francisco, CA, USA → https://kube.careers/t/c82031a3-218d-4f6d-b5c1-86e76359cb90?s=55 DevSecOps Engineer with Opal Security 💰 $140K to $260K a year 🏠🏃🏻‍♂️🌎 San Francisco, CA / New York, NY, USA → https://kube.careers/t/9c9a6c2c-c98e-436c-a859-f3c74396da66?s=55 DevSecOps Engineer with Relyance AI 💰 $170K to $200K a year 🏠🏃🏻‍♂️🌎 San Francisco, CA, USA → https://kube.careers/t/2941fe4e-c110-43b2-868e-a669d948b774?s=55 👉 Browse all 450 Kubernetes jobs on Kube Careers https://kube.careers

This article considers various techniques in offensive Kubernetes security related to RBAC, Kubelet, Etcd, EKS, and admission controllers. More: https://medium.com/@noah_h/top-offensive-techniques-for-kubernetes-a71399d133b2

This week on the Learn Kubernetes Weekly: 🐦‍⬛ The basics of observing Kubernetes 🔵 From blue to green: EKS upgrade 🤿 A deeper dive of kube-scheduler ⚒️ Writing custom kubectl commands 🪝 Helm Hooks for fun and profit Read it now: https://learnk8s.io/issues/79

The registry-creds operator propagates a single ImagePullSecret to all namespaces within your cluster so that images can be pulled using authentication. More: https://github.com/alexellis/registry-creds