Forwarded from LearnKube news
A typical web application responds to requests from bots, health checks, and various attempts to circumvent security and gain unauthorized access.
Examples include:
- SQL injections.
- XSS attacks.
So, how can you filter out those malicious attempts in Kubernetes?
You have at least 2 solid options:
1. You can filter the traffic before it reaches the container.
2. You can filter the traffic at the Ingress.
Chris Nesbitt-Smith will dive into the details this coming Monday at 8am PT / 4pm CET in a live webinar.
After the session, you will have access to the code, a step-by-step tutorial and interactive labs to test the configuration (provided by NGINX).
You can register here (it's free): https://www.nginx.com/c/microservices-march-2022-kubernetes-networking-agenda/
Examples include:
- SQL injections.
- XSS attacks.
So, how can you filter out those malicious attempts in Kubernetes?
You have at least 2 solid options:
1. You can filter the traffic before it reaches the container.
2. You can filter the traffic at the Ingress.
Chris Nesbitt-Smith will dive into the details this coming Monday at 8am PT / 4pm CET in a live webinar.
After the session, you will have access to the code, a step-by-step tutorial and interactive labs to test the configuration (provided by NGINX).
You can register here (it's free): https://www.nginx.com/c/microservices-march-2022-kubernetes-networking-agenda/
A high-severity CVE was released that affects the Linux kernel, allowing unprivileged users to escalate those rights to root and escape from the container.
Learn how you can protect your cluster with a seccomp filter.
Read more https://blog.aquasec.com/cve-2022-0185-linux-kernel-container-escape-in-kubernetes
Learn how you can protect your cluster with a seccomp filter.
Read more https://blog.aquasec.com/cve-2022-0185-linux-kernel-container-escape-in-kubernetes
Aqua
CVE-2022-0185 in Linux Kernel Can Allow Container Escape in Kubernetes
A high-severity CVE was released that affects the Linux kernel, allowing unprivileged users to escalate those rights to root and escape from the container
In this post, you will learn how to incorporate the Kong Ingress Controller, KeyCloak and Kubernetes to have an initial OIDC flow to front our external services (API or web endpoints).
Read more https://dev.to/robincher/securing-your-site-via-oidc-powered-by-kong-and-keycloak-2ccc
Read more https://dev.to/robincher/securing-your-site-via-oidc-powered-by-kong-and-keycloak-2ccc
ArgoCD-Vault-plugin is an Argo CD plugin to retrieve secrets from various Secret Management tools (HashiCorp Vault, IBM Cloud Secrets Manager, AWS Secrets Manager, etc.) and inject them into Kubernetes resources.
Read more https://github.com/argoproj-labs/argocd-vault-plugin
Read more https://github.com/argoproj-labs/argocd-vault-plugin
GitHub
GitHub - argoproj-labs/argocd-vault-plugin: An Argo CD plugin to retrieve secrets from Secret Management tools and inject them…
An Argo CD plugin to retrieve secrets from Secret Management tools and inject them into Kubernetes secrets - argoproj-labs/argocd-vault-plugin
In this post, you will explore the different methods of integrating HashiCorp Vault with Kubernetes and learn how to choose the best solution for your use case.
Read more https://www.hashicorp.com/blog/kubernetes-vault-integration-via-sidecar-agent-injector-vs-csi-provider
Read more https://www.hashicorp.com/blog/kubernetes-vault-integration-via-sidecar-agent-injector-vs-csi-provider
In this 2 part article, you will explore Kubernetes RBAC with a few hands-on demo labs.
Read more https://medium.com/@badawekoo/using-rbac-in-kubernetes-for-authorization-complete-demo-part-1-83f0a1fb8f
Read more https://medium.com/@badawekoo/using-rbac-in-kubernetes-for-authorization-complete-demo-part-1-83f0a1fb8f
In this article, you learn how to exploit the Log4j vulnerability (log4shell) in an application deployed on Kubernetes
Read more https://ankur-katiyar.medium.com/cve-2021-44228-proof-of-concept-on-kubernetes-34c7337e8a89
Read more https://ankur-katiyar.medium.com/cve-2021-44228-proof-of-concept-on-kubernetes-34c7337e8a89
Cloud Custodian enables us to write simple YAML policies for creating well-managed cloud infrastructure which is secure and cost-optimized in real-time.
Read more https://infracloud.io/blogs/cloud-governance-code-cloud-custodian
Read more https://infracloud.io/blogs/cloud-governance-code-cloud-custodian
In this post, you will learn how to simplify the process of setting up and running controlled fault injection experiments on Amazon EKS using pre-built templates as well as custom faults to find hidden weaknesses in your Amazon EKS workloads.
Read more https://aws.amazon.com/blogs/devops/chaos-engineering-on-amazon-eks-using-aws-fault-injection-simulator
Read more https://aws.amazon.com/blogs/devops/chaos-engineering-on-amazon-eks-using-aws-fault-injection-simulator
Generally, operators of the cluster are assigned to the cluster-admin ClusterRole. This gives the user access and permission to do all operations on all resources in the cluster. But what if you need to block an action performed by cluster admins?
Read more https://marcusnoble.co.uk/2022-01-20-restricting-cluster-admin-permissions
Read more https://marcusnoble.co.uk/2022-01-20-restricting-cluster-admin-permissions
Marcus Noble
Restricting cluster-admin Permissions
Generally, and by default, operators of the cluster are assigned to the cluster-admin ClusterRole. This gives the user access and permission to do all operations on all resources in the cluster. There's very good reason for this, an admin generally needs…
A guide on how to stay safe when pushing Helm values files containing passwords and other sensitive data to the version control.
Read more https://dev-vibe.medium.com/encrypt-helm-sensitive-data-9d7622e41d00
Read more https://dev-vibe.medium.com/encrypt-helm-sensitive-data-9d7622e41d00
Medium
Encrypt Helm sensitive data
A guide on how to stay safe when pushing helm values files containing Your passwords and other sensitive data to the version control tool.
Commonly, an application requires access to data and, usually, such access must be restricted. So, you need to provide your pod/deployment/replicaSet/DaemonSet with secrets.
Learn how you can do so in AKS.
Read more https://mehighlow.medium.com/hardened-aks-secrets-82351c43eac4
Learn how you can do so in AKS.
Read more https://mehighlow.medium.com/hardened-aks-secrets-82351c43eac4
So you want to deploy an application to EKS that requires access to AWS resources like an S3 bucket or a Kinesis stream. What's the best way to allow that? Use OIDC!
Read more https://medium.com/@abhinav.ittekot/granting-iam-permissions-to-pods-in-eks-using-oidc-f2044c88a53
Read more https://medium.com/@abhinav.ittekot/granting-iam-permissions-to-pods-in-eks-using-oidc-f2044c88a53
Medium
Granting IAM permissions to pods in EKS using OIDC
Say you're using AWS’s managed Kubernetes platform(EKS) and want to deploy an application that requires access to AWS resources like an S3…
In this tutorial, you will create an Amazon EKS cluster, install LitmusChaos and deploy a demo application. Then, you will define chaos experiments to be run on it and observe the behaviour.
Read more https://aws.amazon.com/blogs/containers/chaos-engineering-with-litmuschaos-on-amazon-eks
Read more https://aws.amazon.com/blogs/containers/chaos-engineering-with-litmuschaos-on-amazon-eks
Forwarded from LearnKube news
What happens when you combine a Kubernetes RoleBinding to a ClusterRole?
Are you even allowed?
This article will explore the Kubernetes RBAC authorization model by rebuilding it from scratch.
You will also discover different (unusual but useful) configurations for your RBAC resources.
If you work in a large organization with many users and applications, you will find this article on limiting access to Kubernetes resources relevant.
https://learnk8s.io/rbac-kubernetes
Are you even allowed?
This article will explore the Kubernetes RBAC authorization model by rebuilding it from scratch.
You will also discover different (unusual but useful) configurations for your RBAC resources.
If you work in a large organization with many users and applications, you will find this article on limiting access to Kubernetes resources relevant.
https://learnk8s.io/rbac-kubernetes
This is a hands-on guide for using Dex identity provider with Google accounts and managing role-based access control in Kubernetes via OpenID Connect.
Read more https://elastisys.com/elastisys-engineering-how-to-use-dex-with-google-accounts-to-manage-access-in-kubernetes
Read more https://elastisys.com/elastisys-engineering-how-to-use-dex-with-google-accounts-to-manage-access-in-kubernetes
In the article, you'll discover the findings of a YOYO attack on a Kubernetes cluster with autoscaling.
Read more https://medium.com/@15daniel10/yoyo-attack-on-a-k8s-cluster-102bc1d5ca3e
Read more https://medium.com/@15daniel10/yoyo-attack-on-a-k8s-cluster-102bc1d5ca3e
How can I run my workloads securely on top of Kubernetes?
In this post, we'll be taking a look at the CIS-Benchmark, breaking the concept down to simple terms, and in the end, deploying the CIS-Operator using Helm charts and custom values.
Read more https://aymen-abdelwahed.medium.com/k8s-operators-cis-benchmarks-8d7915d5cb2d
In this post, we'll be taking a look at the CIS-Benchmark, breaking the concept down to simple terms, and in the end, deploying the CIS-Operator using Helm charts and custom values.
Read more https://aymen-abdelwahed.medium.com/k8s-operators-cis-benchmarks-8d7915d5cb2d
In this article, you will learn how the Kube-Prometheus project identified and mitigated security issues in their project using Kubescape.
Read more https://arthursens.medium.com/risk-analysis-and-security-compliance-in-kube-prometheus-10c8cfb180b8
Read more https://arthursens.medium.com/risk-analysis-and-security-compliance-in-kube-prometheus-10c8cfb180b8
In this blog post, you will verify cosigned container images in Amazon Elastic Container Service using Lambda, Golang, and EventBridge.
Read more https://blog.chainguard.dev/cosign-verify-ecs
Read more https://blog.chainguard.dev/cosign-verify-ecs
Forwarded from LearnKube news
The team at Learnk8s is happy to announce Kube Events — a curated list of Kubernetes-related events.
The website includes only what we think are the meetups, conferences, training & webinars that you will find interesting to attend (e.g. no vendor pitches, with a focus on Kubernetes).
You can discover the next upcoming events here: https://kube.events
You can also join the Telegram channel for daily updates here: https://news.1rj.ru/str/KubeEvents
The website includes only what we think are the meetups, conferences, training & webinars that you will find interesting to attend (e.g. no vendor pitches, with a focus on Kubernetes).
You can discover the next upcoming events here: https://kube.events
You can also join the Telegram channel for daily updates here: https://news.1rj.ru/str/KubeEvents