Cloud Custodian enables us to write simple YAML policies for creating well-managed cloud infrastructure which is secure and cost-optimized in real-time.



Read more https://infracloud.io/blogs/cloud-governance-code-cloud-custodian

In this post, you will learn how to simplify the process of setting up and running controlled fault injection experiments on Amazon EKS using pre-built templates as well as custom faults to find hidden weaknesses in your Amazon EKS workloads.

Read more https://aws.amazon.com/blogs/devops/chaos-engineering-on-amazon-eks-using-aws-fault-injection-simulator

Generally, operators of the cluster are assigned to the cluster-admin ClusterRole. This gives the user access and permission to do all operations on all resources in the cluster. But what if you need to block an action performed by cluster admins?


Read more https://marcusnoble.co.uk/2022-01-20-restricting-cluster-admin-permissions

A guide on how to stay safe when pushing Helm values files containing passwords and other sensitive data to the version control.

Read more https://dev-vibe.medium.com/encrypt-helm-sensitive-data-9d7622e41d00

Commonly, an application requires access to data and, usually, such access must be restricted. So, you need to provide your pod/deployment/replicaSet/DaemonSet with secrets.

Learn how you can do so in AKS.

Read more https://mehighlow.medium.com/hardened-aks-secrets-82351c43eac4

So you want to deploy an application to EKS that requires access to AWS resources like an S3 bucket or a Kinesis stream. What's the best way to allow that? Use OIDC!

Read more https://medium.com/@abhinav.ittekot/granting-iam-permissions-to-pods-in-eks-using-oidc-f2044c88a53

In this tutorial, you will create an Amazon EKS cluster, install LitmusChaos and deploy a demo application. Then, you will define chaos experiments to be run on it and observe the behaviour.

Read more https://aws.amazon.com/blogs/containers/chaos-engineering-with-litmuschaos-on-amazon-eks

What happens when you combine a Kubernetes RoleBinding to a ClusterRole?

Are you even allowed?

This article will explore the Kubernetes RBAC authorization model by rebuilding it from scratch.

You will also discover different (unusual but useful) configurations for your RBAC resources.

If you work in a large organization with many users and applications, you will find this article on limiting access to Kubernetes resources relevant.

https://learnk8s.io/rbac-kubernetes

This is a hands-on guide for using Dex identity provider with Google accounts and managing role-based access control in Kubernetes via OpenID Connect.

Read more https://elastisys.com/elastisys-engineering-how-to-use-dex-with-google-accounts-to-manage-access-in-kubernetes

In the article, you'll discover the findings of a YOYO attack on a Kubernetes cluster with autoscaling.

Read more https://medium.com/@15daniel10/yoyo-attack-on-a-k8s-cluster-102bc1d5ca3e

How can I run my workloads securely on top of Kubernetes?

In this post, we'll be taking a look at the CIS-Benchmark, breaking the concept down to simple terms, and in the end, deploying the CIS-Operator using Helm charts and custom values.

Read more https://aymen-abdelwahed.medium.com/k8s-operators-cis-benchmarks-8d7915d5cb2d

In this article, you will learn how the Kube-Prometheus project identified and mitigated security issues in their project using Kubescape.

Read more https://arthursens.medium.com/risk-analysis-and-security-compliance-in-kube-prometheus-10c8cfb180b8

In this blog post, you will verify cosigned container images in Amazon Elastic Container Service using Lambda, Golang, and EventBridge.

Read more https://blog.chainguard.dev/cosign-verify-ecs

The team at Learnk8s is happy to announce Kube Events — a curated list of Kubernetes-related events.

The website includes only what we think are the meetups, conferences, training & webinars that you will find interesting to attend (e.g. no vendor pitches, with a focus on Kubernetes).

You can discover the next upcoming events here: https://kube.events

You can also join the Telegram channel for daily updates here: https://news.1rj.ru/str/KubeEvents

HOUDINI is a curated list of Network Security related Docker Images for Network Intrusion purposes.

Read more https://github.com/cybersecsi/HOUDINI

Docker Security Playground is an application that allows you to:

- Create network and network security scenarios.
- Learn penetration testing techniques by simulating vulnerability labs scenarios.
- Manage a set of docker-compose projects.

Read more https://github.com/DockerSecPlay/DockerSecurityPlayground

Grype is a vulnerability scanner for container images and filesystems. Works with Syft, the powerful SBOM (software bill of materials) tool for container images and filesystems.

Read more https://github.com/anchore/grype

This post will show how Istio and OAuth2-Proxy can be used to force users to authenticate before accessing applications on Kubernetes.


Read more https://elastisys.com/istio-and-oauth2-proxy-in-kubernetes-for-microservice-authentication

The OWASP WrongSecrets p0wnable app is an app packed with various ways of how to not store your secrets. These can help you to realize whether your secret management is fine. The challenge is to find all the different secrets.

Read more https://github.com/commjoen/wrongsecrets

SimpleSecrets is a secure operator that allows you to create secrets on demand. You can commit the SimpleSecrets, which are references to a database secret, and the operator will create Kubernetes Secrets automatically for you.

Read more https://github.com/Michaelpalacce/SimpleSecrets

This repository aims to implement a CrowdSec bouncer for the router Traefik to block malicious IPs to access your services. For this, it leverages Traefik v2 ForwardAuth middleware and queries CrowdSec with the client IP.

Read more https://github.com/fbonalair/traefik-crowdsec-bouncer