Learn how Beelzebub runs honeypots inside your Kubernetes cluster to detect lateral movement.
It fakes real services, captures attacker commands like docker ps or ls, and logs them for analysis via Grafana or fluentd.
More: https://ku.bz/W4M7dx2xy
It fakes real services, captures attacker commands like docker ps or ls, and logs them for analysis via Grafana or fluentd.
More: https://ku.bz/W4M7dx2xy
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 139:
🍯 Securing Kubernetes using honeypots to detect and prevent lateral movement attacks
💻 Goodbye Wasted Compute: How I Taught Kubernetes to Autoscale with My MacBook Screen Lock
💣 Our last Kubernetes ingress production incident — explained in 5 minutes
🙈 Stop Treating YAML Like a String
✅ Mastering complex workloads with Kubernetes JobSet and GKE metrics
Read it now: https://learnkube.com/issues/139
⭐️ This issue is brought to you by Densify — Slash costs, improve reliability and spend less time managing Kubernetes https://ku.bz/-Ml6l6kDy
🍯 Securing Kubernetes using honeypots to detect and prevent lateral movement attacks
💻 Goodbye Wasted Compute: How I Taught Kubernetes to Autoscale with My MacBook Screen Lock
💣 Our last Kubernetes ingress production incident — explained in 5 minutes
🙈 Stop Treating YAML Like a String
✅ Mastering complex workloads with Kubernetes JobSet and GKE metrics
Read it now: https://learnkube.com/issues/139
⭐️ This issue is brought to you by Densify — Slash costs, improve reliability and spend less time managing Kubernetes https://ku.bz/-Ml6l6kDy
k8s-aws-iam-controller automates trust policy management for IAM Roles used in IRSA setups.
It watches annotated ServiceAccounts, validates via RoleUsagePolicy, and updates the role trust statements.
More: https://ku.bz/tHgMnBf1s
It watches annotated ServiceAccounts, validates via RoleUsagePolicy, and updates the role trust statements.
More: https://ku.bz/tHgMnBf1s
Forwarded from KubeFM
This media is not supported in your browser
VIEW IN TELEGRAM
Yakir Kadkoda and Assaf Morag from Aqua Security highlight how even sectors known for their security, such as finance and insurance, are facing the challenge of leaked secrets.
They presented an example that involved contractors and engineers accidentally exposing sensitive information, like registry secrets or Docker Hub credentials, on platforms like GitHub (often using their personal accounts).
Watch the full episode: https://ku.bz/5RKVBGlQR
They presented an example that involved contractors and engineers accidentally exposing sensitive information, like registry secrets or Docker Hub credentials, on platforms like GitHub (often using their personal accounts).
Watch the full episode: https://ku.bz/5RKVBGlQR
Gatekeeper's
Attackers exploit prefix matching to pull images from fake subdomains like
More: https://ku.bz/fYQfsmHt-
k8sallowedrepos can be bypassed if repo entries lack a trailing /.Attackers exploit prefix matching to pull images from fake subdomains like
myrepo.io.attacker.com. Aqua shows real examples, a fixed v2 policy, and Trivy detection.More: https://ku.bz/fYQfsmHt-
Secrets Webhook is a tool that enables direct secret injection into Kubernetes Pods through a mutating webhook.
More: https://ku.bz/m4VHrfhL5
More: https://ku.bz/m4VHrfhL5
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Andy Suderman, CTO at Fairwinds, discusses three key areas he's tracking in the Kubernetes ecosystem.
He explains how mutating admission policy builds on the newly stable validating admission policy to provide native policy validation and mutation capabilities. Andy highlights dynamic resource allocation as a long-awaited feature that will transform cluster scheduling. He also covers emerging AI-focused Kubernetes tools, including Solo's recently open-sourced K-Gateway and K-Agent projects, plus Ray's machine learning capabilities.
Watch the full interview: https://ku.bz/ZQTRkMpz5
He explains how mutating admission policy builds on the newly stable validating admission policy to provide native policy validation and mutation capabilities. Andy highlights dynamic resource allocation as a long-awaited feature that will transform cluster scheduling. He also covers emerging AI-focused Kubernetes tools, including Solo's recently open-sourced K-Gateway and K-Agent projects, plus Ray's machine learning capabilities.
Watch the full interview: https://ku.bz/ZQTRkMpz5
This tutorial shows how to configure External Secrets Operator in EKS, AKS, GKE, and self-managed clusters using OIDC-based identity federation.
More: https://ku.bz/KHdPyTTRS
More: https://ku.bz/KHdPyTTRS
The article demonstrates how to disable anonymous Kubernetes API server authentication globally using a new AuthenticationConfiguration object while preserving health check endpoints.
More: https://ku.bz/1RmMnj0X2
More: https://ku.bz/1RmMnj0X2
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 140:
📕 The Kubernetes networking guide
♻️ Our Journey to GitOps: Migrating to ArgoCD with Zero Downtime
👍 Yoke is really cool
🆙 Automating Tooling Upgrades with Updatecli: A Scalable Solution for Platform Teams
🎳 Lessons from a Rollback Gameday
Read it now: https://learnkube.com/issues/140
⭐️ This issue is brought to you by StormForge — automate Kubernetes rightsizing with machine learning. Smarter limits, less waste, better performance https://ku.bz/WD-YdhrL0
📕 The Kubernetes networking guide
♻️ Our Journey to GitOps: Migrating to ArgoCD with Zero Downtime
👍 Yoke is really cool
🆙 Automating Tooling Upgrades with Updatecli: A Scalable Solution for Platform Teams
🎳 Lessons from a Rollback Gameday
Read it now: https://learnkube.com/issues/140
⭐️ This issue is brought to you by StormForge — automate Kubernetes rightsizing with machine learning. Smarter limits, less waste, better performance https://ku.bz/WD-YdhrL0
Sealed Secrets provides declarative Kubernetes Secret Management in a secure way.
Since the Sealed Secrets are encrypted, they can be safely stored in a code repository.
More: https://ku.bz/17NJS0d9k
Since the Sealed Secrets are encrypted, they can be safely stored in a code repository.
More: https://ku.bz/17NJS0d9k
Forwarded from KubeFM
This media is not supported in your browser
VIEW IN TELEGRAM
Harsha Koushik, a Security Researcher and Technical Product Manager at Palo Alto Networks, discusses the role of the shell in system interaction and security.
He explains that while the shell is a user-friendly interface for interacting with a system, it functions as an abstraction layer, making system calls similar to those made by application libraries.
From a security perspective, he highlights that removing the shell does not inherently protect against attacks, as the same system calls can be executed through different libraries.
Watch the full episode: https://ku.bz/n_sJ04xMY
He explains that while the shell is a user-friendly interface for interacting with a system, it functions as an abstraction layer, making system calls similar to those made by application libraries.
From a security perspective, he highlights that removing the shell does not inherently protect against attacks, as the same system calls can be executed through different libraries.
Watch the full episode: https://ku.bz/n_sJ04xMY
This is a library of policies based on Kubescape controls ready for use with Kubernetes Validating Admission Policies.
More: https://ku.bz/4fkMXZ3R4
More: https://ku.bz/4fkMXZ3R4
This media is not supported in your browser
VIEW IN TELEGRAM
helmper is a Go program that reads Helm Charts from remote OCI registries and pushes the charts container images to your registries with optional OS-level vulnerability patching.
More: https://ku.bz/K9cKPh4gl
More: https://ku.bz/K9cKPh4gl
Kubernetes v1.33 introduces default user namespaces, enabling developers to enhance container security by isolating container user IDs from host systems with a simple opt-in, preventing privilege escalation and potential breakout attacks.
More: https://ku.bz/VcF4QPnv_
More: https://ku.bz/VcF4QPnv_
Ory Kratos is the developer-friendly, security-hardened and battle-tested Identity, User Management and Authentication system for the Cloud.
It is designed to run best on a Container Orchestration system such as Kubernetes.
More: https://ku.bz/PdzGBDwjh
It is designed to run best on a Container Orchestration system such as Kubernetes.
More: https://ku.bz/PdzGBDwjh
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 141:
💣 Kubernetes failure stories
👩🏫 YAML templating was a mistake
✍️ Defining and Implementing Effective SLOs and SLIs for ArgoCD
📈 Scaling to the future: Kubernetes reimagined with Graviton processors
🔎 Tracing Strategies For LLMs Running On Google Cloud Run
Read it now: https://learnkube.com/issues/141
⭐️ This newsletter is brought to you by Dynatrace - Transform complexity into your greatest asset AI-powered observability https://ku.bz/4KNlNJYz9
💣 Kubernetes failure stories
👩🏫 YAML templating was a mistake
✍️ Defining and Implementing Effective SLOs and SLIs for ArgoCD
📈 Scaling to the future: Kubernetes reimagined with Graviton processors
🔎 Tracing Strategies For LLMs Running On Google Cloud Run
Read it now: https://learnkube.com/issues/141
⭐️ This newsletter is brought to you by Dynatrace - Transform complexity into your greatest asset AI-powered observability https://ku.bz/4KNlNJYz9
The article explains how attackers can exploit Kubernetes clusters by leveraging pod vulnerabilities to gain filesystem access, execute shell commands, escape containers, and exfiltrate tokens for potential cluster-admin escalation.
More: https://ku.bz/L4Pl5-zHl
More: https://ku.bz/L4Pl5-zHl
k8s-remix is an operator to compose secrets with the same flexibility as a pod env spec field.
It monitors changes to configmaps and secrets mentioned in the dataFrom field, and triggers an update whenever these resources are updated.
More: https://ku.bz/vpTfmB6mP
It monitors changes to configmaps and secrets mentioned in the dataFrom field, and triggers an update whenever these resources are updated.
More: https://ku.bz/vpTfmB6mP
The tutorial explains how to securely integrate AWS Secrets Manager with Kubernetes using the External Secrets Operator (ESO), automating secret synchronization via YAML configurations and IAM credentials to eliminate hardcoded secrets.
More: https://ku.bz/TR1h6vSwl
More: https://ku.bz/TR1h6vSwl
The ClusterSecret operator keeps matching namespaces updated with secrets:
- New matching namespaces receive the secret automatically. - Changes to the ClusterSecret update all related secrets, and deleting it also removes all cloned secrets.
More: https://ku.bz/L452YC-Mp
- New matching namespaces receive the secret automatically. - Changes to the ClusterSecret update all related secrets, and deleting it also removes all cloned secrets.
More: https://ku.bz/L452YC-Mp