In this article you'll learn how an attacker who already has access to a Kubernetes cluster can:
1. run a pod to gain root privileges
2. escape to the host
3. persist the attack with invisible pods and fileless executions
Read more https://isovalent.com/blog/post/2021-11-container-escape
Replacing passwords (or connection strings) with Managed Identities when accessing Azure services removes long-lived secrets from your workloads and is a simple way to improve their security.
Learn how to use Managed Identities in this article.
Read more https://itnext.io/secure-azure-cosmos-db-access-by-using-azure-managed-identities-55f9fdf48fda
Forwarded from LearnKube news
Learnk8s and NGINX are launching a month-long, free educational program on Kubernetes networking.
The course is divided into four parts:
- Unit 1: Architecting Kubernetes clusters for high-traffic websites (the 7th of March)
- Unit 2: Exposing APIs in Kubernetes (the 14th of March)
- Unit 3: Microservices Security Patterns (the 21st of March)
- Unit 4: Advanced Kubernetes Deployment Strategies (the 28th of March)
Each part has:
- A live webinar (Chris, Salman & Andrea will present those). The event is recorded, and you can catch up later too.
- A self-paced lab for experimenting with Kubernetes technologies. NGINX will provide interactive labs via Instruqt.
- A step-by-step tutorial where you can try everything on your computer too (and maybe copy and reuse the code).
- Extra links and resources to help you understand and dig deeper into the subjects.
You can read the full agenda here: https://www.nginx.com/c/microservices-march-2022-kubernetes-networking-agenda/
Why am I able to bind a privileged port in my container without the NET_BIND_SERVICE capability?
Read more https://medium.com/@olivier.gaumond/why-am-i-able-to-bind-a-privileged-port-in-my-container-without-the-net-bind-service-capability-60972a4d5496
In this article you will learn how to detect anomalies in your cluster by applying detection engineering to Kubernetes audit logs.
Read more https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters
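As an added example of what detection engineering over audit logs looks like in practice (my own code, not taken from the NCC Group post): a few rules run over Kubernetes audit events in JSON-lines form. The rule set, the allowlist of principals that may enumerate secrets cluster-wide and the sample events are all constructed for illustration and would need tuning for a real cluster.

```python
"""Detection rules over Kubernetes audit events (audit.k8s.io/v1, one JSON object per line).

Added example: rules, allowlist and sample events are constructed, not from the NCC Group post.
"""
import json
from typing import Callable, Dict, List, Tuple

Event = Dict

# Assumption: only core control-plane components legitimately list secrets cluster-wide.
ALLOWED_SECRET_READERS = {"system:kube-controller-manager", "system:apiserver"}


def _user(ev: Event) -> str:
    return (ev.get("user") or {}).get("username", "")


def _ref(ev: Event) -> Dict:
    return ev.get("objectRef") or {}


def _succeeded(ev: Event) -> bool:
    # 101 (the exec/attach protocol upgrade) and 2xx both mean the request went through.
    return (ev.get("responseStatus") or {}).get("code", 0) < 400


def exec_into_pod(ev: Event) -> bool:
    """Interactive access to a running container (pods/exec or pods/attach)."""
    ref = _ref(ev)
    return ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach") and _succeeded(ev)


def cluster_wide_secrets_read(ev: Event) -> bool:
    """list/watch of secrets with no namespace scope by a principal outside the allowlist."""
    ref = _ref(ev)
    return (ref.get("resource") == "secrets" and ev.get("verb") in ("list", "watch")
            and "namespace" not in ref and _user(ev) not in ALLOWED_SECRET_READERS
            and _succeeded(ev))


def privileged_pod_created(ev: Event) -> bool:
    """Pod created with a privileged container or host namespaces (needs RequestResponse audit level)."""
    ref = _ref(ev)
    if ref.get("resource") != "pods" or ref.get("subresource") or ev.get("verb") != "create":
        return False
    spec = (ev.get("requestObject") or {}).get("spec") or {}
    if spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC"):
        return True
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return any((c.get("securityContext") or {}).get("privileged") for c in containers)


def anonymous_resource_access(ev: Event) -> bool:
    """system:anonymous successfully touching an API resource (not /version, /healthz, ...)."""
    return _user(ev) == "system:anonymous" and bool(_ref(ev)) and _succeeded(ev)


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("pod-exec", exec_into_pod),
    ("cluster-wide-secrets-read", cluster_wide_secrets_read),
    ("privileged-pod", privileged_pod_created),
    ("anonymous-access", anonymous_resource_access),
]


def parse_audit_log(text: str) -> List[Event]:
    """Parse JSON lines, keeping only the ResponseComplete stage so each request counts once."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return [ev for ev in events if ev.get("stage") == "ResponseComplete"]


def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (rule, auditID, username) for every rule that fires on an event."""
    return [(name, ev.get("auditID", "?"), _user(ev))
            for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample log: five requests; a1 also appears at the RequestReceived stage.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"auditID": "a1", "stage": "RequestReceived", "verb": "create", "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "api-7d9f"}},
    {"auditID": "a1", "stage": "ResponseComplete", "verb": "create", "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "api-7d9f"},
     "responseStatus": {"code": 101}},
    {"auditID": "a2", "stage": "ResponseComplete", "verb": "list", "objectRef": {"resource": "secrets"},
     "user": {"username": "system:serviceaccount:default:web"}, "responseStatus": {"code": 200}},
    {"auditID": "a3", "stage": "ResponseComplete", "verb": "create", "user": {"username": "bob"},
     "objectRef": {"resource": "pods", "namespace": "dev", "name": "dbg"},
     "requestObject": {"spec": {"containers": [{"name": "dbg", "securityContext": {"privileged": True}}]}},
     "responseStatus": {"code": 201}},
    {"auditID": "a4", "stage": "ResponseComplete", "verb": "list", "objectRef": {"resource": "pods"},
     "user": {"username": "system:anonymous"}, "responseStatus": {"code": 200}},
    {"auditID": "a5", "stage": "ResponseComplete", "verb": "list", "objectRef": {"resource": "secrets"},
     "user": {"username": "system:kube-controller-manager"}, "responseStatus": {"code": 200}},
])

if __name__ == "__main__":
    for finding in detect(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(*finding)
```

The privileged-pod rule only works when the audit policy records the request body (level `RequestResponse`, or `Request`) for pod creation; at `Metadata` level `requestObject` is absent and the rule stays silent, so check your audit policy before relying on it.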
In this tutorial, we present three tools to validate and secure your Kubernetes deployments:
1. kubeval
2. kubeconform
3. kube-score
Read more https://semaphoreci.com/blog/kubernetes-deployments
Container security best practices: a comprehensive guide.
Read more https://sysdig.com/blog/container-security-best-practices
ElastAlert 2 is a standalone software tool for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch and OpenSearch.
ElastAlert 2 is backwards compatible with the original ElastAlert rules.
Read more https://github.com/jertel/elastalert2
How do you restrict network traffic between namespaces in a Kubernetes cluster? In this guide, you'll learn how to prevent traffic between namespaces using Linkerd's traffic policies.
Read more https://buoyant.io/2021/12/14/locking-down-network-traffic-between-kubernetes-namespaces
NCC Group has found many attack paths through different security assessments that could have led to a compromised CI/CD pipeline in enterprises large and small.
In this post they share 10 real-world stories.
Read more https://research.nccgroup.com/2022/01/13/10-real-world-stories-of-how-weve-compromised-ci-cd-pipelines
Netshoot is a Docker + Kubernetes network troubleshooting swiss-army container.
Read more https://github.com/nicolaka/netshoot
Pinniped is the easy, secure way to log in to your Kubernetes clusters.
Pinniped provides identity services to Kubernetes.
Read more https://github.com/vmware-tanzu/pinniped
In this article, you will learn how to grant IAM users and roles access to an Amazon EKS cluster.
Read more https://medium.com/@radha.sable25/enabling-iam-users-roles-access-on-amazon-eks-cluster-f69b485c674f
After reading this article, you will learn:
- How not to run pods as root.
- How to use immutable root fs (lock the root filesystem).
- How to do Docker image scan locally and with your CI pipelines.
- How to use Pod Security Policies (PSP; deprecated since Kubernetes 1.21 and removed in 1.25, with the PodSecurity admission controller as the replacement).
Read more https://blog.gitguardian.com/kubernetes-tutorial-part-1-pods
In this repository, you will find a curated list of awesome Kubernetes security resources.
Read more https://github.com/ksoclabs/awesome-kubernetes-security
This article discusses two Open Source tools for auditing cluster security: kube-bench and kube-hunter.
Read more https://blog.flant.com/kubernetes-security-with-kube-bench-and-kube-hunter
Kubernetes 1.23 ships several features that enhance cluster security:
- Support for ephemeral containers
- HostProcess containers for Windows
- PodSecurity admission controller
And more.
Read more https://blog.aquasec.com/kubernetes-version-1.23-security-features
Learn how to use eBPF and the Security Profiles Operator to automatically generate seccomp profiles (seccomp is the Linux kernel's syscall-filtering feature) for your Kubernetes workloads.
Read more https://developers.redhat.com/articles/2021/12/16/secure-your-kubernetes-deployments-ebpf#what_is_the_security_profiles_operator_
Learn how to run Regula on a Kubernetes manifest to detect an insecure pod, and then learn how to secure it.
Read more https://fugue.co/blog/securing-a-kubernetes-pod-with-regula-and-open-policy-agent
Forwarded from LearnKube news
A typical web application responds to requests from bots, health checks, and various attempts to circumvent security and gain unauthorized access.
Examples include:
- SQL injections.
- XSS attacks.
So, how can you filter out those malicious attempts in Kubernetes?
You have at least 2 solid options:
1. You can filter the traffic before it reaches the container.
2. You can filter the traffic at the Ingress.
Chris Nesbitt-Smith will dive into the details this coming Monday at 8am PT / 4pm CET in a live webinar.
After the session, you will have access to the code, a step-by-step tutorial and interactive labs to test the configuration (provided by NGINX).
You can register here (it's free): https://www.nginx.com/c/microservices-march-2022-kubernetes-networking-agenda/
A high-severity CVE (CVE-2022-0185) was released for the Linux kernel that allows an unprivileged user to escalate to root and escape the container.
Learn how you can protect your cluster with a seccomp filter.
Read more https://blog.aquasec.com/cve-2022-0185-linux-kernel-container-escape-in-kubernetes
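An added example (my own code, not from the Aqua post or from Kubernetes) that ties this post to the PodSecurity admission controller mentioned in the 1.23 post above. The container runtime's default seccomp profile denies unshare() to a container that lacks CAP_SYS_ADMIN, which is what keeps an unprivileged process from creating the user namespace this bug needs; Kubernetes only applies that profile when the pod asks for it (seccompProfile type RuntimeDefault) or the kubelet is configured to apply it by default. The check below flags the fields of the "restricted" Pod Security Standard most relevant to container escapes and shows a hardened copy passing it. The manifests are constructed, and the check covers a subset of the standard, not all of it.

```python
"""Check a Pod manifest against the container-escape-relevant fields of the
'restricted' Pod Security Standard (seccomp, capabilities, privilege escalation,
non-root, host namespaces). Added example; sample manifests are constructed."""
import copy
from typing import Dict, List


def _containers(spec: Dict) -> List[Dict]:
    return spec.get("initContainers", []) + spec.get("containers", []) + spec.get("ephemeralContainers", [])


def check_restricted(pod: Dict) -> List[str]:
    """Return one message per violation; an empty list means the checked fields comply."""
    spec = pod.get("spec") or {}
    psc = spec.get("securityContext") or {}
    problems = []
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(field):
            problems.append(f"spec.{field} must be false")
    for c in _containers(spec):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        # A container-level seccompProfile overrides the pod-level one, even if it says Unconfined.
        seccomp = (sc.get("seccompProfile") or psc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost "
                            "(without it syscalls such as unshare are unfiltered)")
        if sc.get("privileged"):
            problems.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        extra = sorted(set(caps.get("add", [])) - {"NET_BIND_SERVICE"})
        if extra:
            problems.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE, found {extra}")
        if sc.get("runAsNonRoot", psc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot must be true")
    return problems


def harden(pod: Dict) -> Dict:
    """Return a deep copy of the pod with the checked fields set to the restricted values."""
    fixed = copy.deepcopy(pod)
    spec = fixed.setdefault("spec", {})
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        spec.pop(field, None)
    psc = spec.setdefault("securityContext", {})
    psc["seccompProfile"] = {"type": "RuntimeDefault"}
    psc["runAsNonRoot"] = True
    for c in _containers(spec):
        sc = c.setdefault("securityContext", {})
        sc.pop("privileged", None)
        sc.pop("seccompProfile", None)  # inherit the pod-level RuntimeDefault
        sc["allowPrivilegeEscalation"] = False
        caps = sc.setdefault("capabilities", {})
        caps["add"] = [cap for cap in caps.get("add", []) if cap == "NET_BIND_SERVICE"]
        caps["drop"] = ["ALL"]
    return fixed


# Constructed weak manifest: no seccomp profile, SYS_ADMIN added, nothing dropped, root allowed.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{
        "name": "web", "image": "nginx:1.21",
        "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE", "SYS_ADMIN"]}},
    }]},
}

if __name__ == "__main__":
    for problem in check_restricted(WEAK_POD):
        print("weak:", problem)
    print("hardened violations:", check_restricted(harden(WEAK_POD)))
```

Two caveats when applying the hardened copy: `runAsNonRoot: true` makes the kubelet refuse to start an image whose default user is uid 0, so set `runAsUser` or fix the image; and a Localhost profile only helps if the file actually exists on every node, which is where the Security Profiles Operator from the Red Hat post above comes in.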