Kubeletmein is a simple penetration testing tool which takes advantage of public cloud provider approaches to providing kubelet credentials to nodes in order to gain privileged access to the k8s API
Read more https://github.com/4ARMED/kubeletmein
Cosign keyless Kubernetes admission webhook is a Kubernetes admission webhook that uses cosign verify to check that the subject and issuer of the image match what you expect
Read more https://github.com/appvia/cosign-keyless-admission-webhook
Rego library for detecting misconfigurations in Kubernetes manifests
Read more https://github.com/armosec/regolibrary
AAD Pod Identity enables Kubernetes applications to access cloud resources securely with Azure Active Directory.
Using Kubernetes primitives, administrators configure identities and bindings to match pods
Read more https://github.com/Azure/aad-pod-identity
This repository contains a proof of concept that uses cosign and GitHub's built-in OIDC to sign container images. It proves that what is in the registry came from your GitHub action
Read more https://github.com/chrisns/cosign-keyless-demo
Kubelogin is a kubectl plugin for Kubernetes OpenID Connect authentication (kubectl oidc-login)
Read more https://github.com/int128/kubelogin
Cloud Secret Resolvers is a set of tools to help your applications (on Kubernetes) retrieve credentials from cloud managed vaults without needing to write additional boilerplate code in your applications
Read more https://github.com/kubeopsskills/cloud-secret-resolvers
aws-auth-manager is a Kubernetes controller to manage the aws-auth configmap in EKS using a new AWSAuthItem CRD.
Read more https://github.com/maruina/aws-auth-manager
This operator allows you to define "Dynamic" RBAC rules that change based on the state of your cluster, so you can spend your time writing the RBAC patterns that you'd like to deploy, rather than traditional, fully enumerated RBAC rules
Read more https://github.com/redhat-cop/dynamic-rbac-operator
In this article you’ll learn how an attacker with access to a Kubernetes cluster can escape from a container and:
1. run a pod to gain root privileges
2. escape to the host
3. persist the attack with invisible pods and fileless executions
Read more https://isovalent.com/blog/post/2021-11-container-escape
Getting rid of passwords (or connection strings) while accessing Azure services and instead making use of Managed Identities is a way to increase the security of your workloads.
Learn how to use Managed Identities in this article.
Read more https://itnext.io/secure-azure-cosmos-db-access-by-using-azure-managed-identities-55f9fdf48fda
Forwarded from LearnKube news
Learnk8s and NGINX are launching a month-long, free educational program on Kubernetes networking.
The course is divided into four parts:
- Unit 1: Architecting Kubernetes clusters for high-traffic websites (the 7th of March)
- Unit 2: Exposing APIs in Kubernetes (the 14th of March)
- Unit 3: Microservices Security Patterns (the 21st of March)
- Unit 4: Advanced Kubernetes Deployment Strategies (the 28th of March)
Each part has:
- A live webinar (Chris, Salman & Andrea will present those). The event is recorded, and you can catch up later too.
- A self-paced lab for experimenting with Kubernetes technologies. Nginx will provide interactive labs via Instruqt.
- A step-by-step tutorial where you can try everything on your computer too (and maybe copy and reuse the code).
- Extra links and resources to help you understand and dig deeper into the subjects.
You can read the full agenda here: https://www.nginx.com/c/microservices-march-2022-kubernetes-networking-agenda/
Why am I able to bind a privileged port in my container without the NET_BIND_SERVICE capability?
Read more https://medium.com/@olivier.gaumond/why-am-i-able-to-bind-a-privileged-port-in-my-container-without-the-net-bind-service-capability-60972a4d5496
In this article you will learn how to detect anomalies in your cluster using Kubernetes audit logs and anomaly detection engineering
Read more https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters
In this tutorial, we present three tools to validate and secure your Kubernetes deployments:
1. Kubeval
2. Kubeconform
3. Kubescore
Read more https://semaphoreci.com/blog/kubernetes-deployments
Container security best practices: a comprehensive guide
Read more https://sysdig.com/blog/container-security-best-practices
ElastAlert 2 is a standalone software tool for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch and OpenSearch.
ElastAlert 2 is backwards compatible with the original ElastAlert rules.
Read more https://github.com/jertel/elastalert2
How do you restrict network traffic between namespaces in a Kubernetes cluster? In this guide, you'll learn how to prevent traffic between namespaces using Linkerd's traffic policies.
Read more https://buoyant.io/2021/12/14/locking-down-network-traffic-between-kubernetes-namespaces
NCC Group has found many attack paths through different security assessments that could have led to a compromised CI/CD pipeline in enterprises large and small.
In this post they will share 10 real-world stories.
Read more https://research.nccgroup.com/2022/01/13/10-real-world-stories-of-how-weve-compromised-ci-cd-pipelines
Netshoot is a Docker + Kubernetes network troubleshooting swiss-army container.
Read more https://github.com/nicolaka/netshoot
Pinniped is the easy, secure way to log in to your Kubernetes clusters.
Pinniped provides identity services to Kubernetes.
Read more https://github.com/vmware-tanzu/pinniped