In this blog post, you will verify cosign-signed container images running in Amazon Elastic Container Service (ECS) using Lambda, Go, and EventBridge.
Read more https://blog.chainguard.dev/cosign-verify-ecs
Forwarded from LearnKube news
The team at Learnk8s is happy to announce Kube Events — a curated list of Kubernetes-related events.
The website includes only what we think are the meetups, conferences, training & webinars that you will find interesting to attend (e.g. no vendor pitches, with a focus on Kubernetes).
You can discover the next upcoming events here: https://kube.events
You can also join the Telegram channel for daily updates here: https://news.1rj.ru/str/KubeEvents
HOUDINI is a curated list of Network Security related Docker Images for Network Intrusion purposes.
Read more https://github.com/cybersecsi/HOUDINI
Docker Security Playground is an application that allows you to:
- Create network and network security scenarios.
- Learn penetration testing techniques by simulating vulnerability labs scenarios.
- Manage a set of docker-compose projects.
Read more https://github.com/DockerSecPlay/DockerSecurityPlayground
Grype is a vulnerability scanner for container images and filesystems. It works with Syft, the SBOM (software bill of materials) generator for container images and filesystems, so you can scan a stored SBOM instead of re-pulling the image.
Read more https://github.com/anchore/grype
This post will show how Istio and OAuth2-Proxy can be used to force users to authenticate before accessing applications on Kubernetes.
Read more https://elastisys.com/istio-and-oauth2-proxy-in-kubernetes-for-microservice-authentication
OWASP WrongSecrets is a deliberately vulnerable ("p0wnable") app packed with examples of how not to store secrets. Working through it helps you judge whether your own secret management is sound. The challenge is to find all the different secrets.
Read more https://github.com/commjoen/wrongsecrets
SimpleSecrets is a Kubernetes operator that creates Secrets on demand. You commit SimpleSecrets objects, which are only references to secrets held in a database, and the operator creates the corresponding Kubernetes Secrets automatically, so no secret material lands in Git.
Read more https://github.com/Michaelpalacce/SimpleSecrets
This repository implements a CrowdSec bouncer for the Traefik router that blocks malicious IPs from reaching your services. It leverages the Traefik v2 ForwardAuth middleware and queries CrowdSec with the client IP of each request.
Read more https://github.com/fbonalair/traefik-crowdsec-bouncer
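A minimal wiring of the bouncer into Traefik, as an added example that is not taken from the bouncer's repository. Assumptions: the bouncer image is `fbonalair/traefik-crowdsec-bouncer`, it listens on port 8080 and exposes `/api/v1/forwardAuth`, and it reads the CrowdSec LAPI address and bouncer key from the `CROWDSEC_AGENT_HOST` and `CROWDSEC_BOUNCER_API_KEY` environment variables; namespaces, hostnames and the LAPI address are placeholders. Check the project README before relying on any of these.

```yaml
# Added example, not the project's own manifests. Names, ports, the
# /api/v1/forwardAuth path and the env variable names are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: crowdsec-bouncer-key
  namespace: traefik
stringData:
  api-key: REPLACE_WITH_OUTPUT_OF_cscli_bouncers_add   # never commit a real key
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-crowdsec-bouncer
  namespace: traefik
spec:
  replicas: 1
  selector:
    matchLabels: {app: traefik-crowdsec-bouncer}
  template:
    metadata:
      labels: {app: traefik-crowdsec-bouncer}
    spec:
      containers:
        - name: bouncer
          image: fbonalair/traefik-crowdsec-bouncer:latest   # pin a digest in production
          env:
            - name: CROWDSEC_AGENT_HOST
              value: crowdsec-service.crowdsec.svc:8080     # assumed LAPI address
            - name: CROWDSEC_BOUNCER_API_KEY
              valueFrom:
                secretKeyRef: {name: crowdsec-bouncer-key, key: api-key}
          ports:
            - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-crowdsec-bouncer
  namespace: traefik
spec:
  selector: {app: traefik-crowdsec-bouncer}
  ports:
    - port: 8080
      targetPort: 8080
---
# ForwardAuth: Traefik sends each request's headers (including X-Forwarded-For,
# which it sets from the connecting address) to the bouncer and only proxies
# the request if the bouncer answers 2xx.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: crowdsec-bouncer
  namespace: traefik
spec:
  forwardAuth:
    address: http://traefik-crowdsec-bouncer.traefik.svc:8080/api/v1/forwardAuth
    # Keep trustForwardHeader false unless Traefik itself sits behind a trusted
    # proxy: with true, a client can supply its own X-Forwarded-For and choose
    # which IP the bouncer checks against CrowdSec's decisions.
    trustForwardHeader: false
---
# Attach the middleware to an Ingress; the reference format is <namespace>-<name>@kubernetescrd.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: app
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: traefik-crowdsec-bouncer@kubernetescrd
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: {name: app, port: {number: 80}}
```

The one setting worth a second look is `trustForwardHeader`: because the bouncer's entire decision rests on the client IP, letting clients inject their own `X-Forwarded-For` turns the bouncer into a no-op for anyone who knows about it.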
In this blog post, you will
- Look at RBAC, what it is and how it can be used.
- Create a ServiceAccount with restricted rights in the cluster.
- Create a Role and ClusterRole to allow a user to access an application namespace.
Read more https://anaisurl.com/kubernetes-rbac
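The objects the three steps above produce, written out as an added example (not the manifests from the linked post). The namespace `app` and the names `app-reader`, `pod-reader` and `namespace-lister` are assumptions; the point is that the namespaced Role carries no wildcards and no access to Secrets, and the only cluster-wide grant is read access to Namespaces.

```yaml
# Added example, not from the original post. Names are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-reader
  namespace: app
automountServiceAccountToken: false   # mount the token only into pods that need it
---
# Namespaced permissions: explicit resources and verbs, no "*", no secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: app
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reader-pod-reader
  namespace: app
subjects:
  - kind: ServiceAccount
    name: app-reader
    namespace: app
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide, but limited to discovering namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-lister
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: app-reader-namespace-lister
subjects:
  - kind: ServiceAccount
    name: app-reader
    namespace: app
roleRef:
  kind: ClusterRole
  name: namespace-lister
  apiGroup: rbac.authorization.k8s.io
```

After applying, check both directions: `kubectl auth can-i list pods -n app --as=system:serviceaccount:app:app-reader` should answer `yes`, while `kubectl auth can-i get secrets -n app --as=system:serviceaccount:app:app-reader` and `kubectl auth can-i list pods -n kube-system --as=system:serviceaccount:app:app-reader` should both answer `no`.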
Using GitHub Actions, it's easy to improve the security of your containers by automating vulnerability scanning and digital signing. In this post, you'll go over how to set up and secure a CI/CD pipeline using GitHub Actions, Cosign, and Trivy.
Read more https://blog.aquasec.com/trivy-github-actions-security-cicd-pipeline
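A workflow in the shape the post describes, as an added example rather than the post's own pipeline: build, scan with Trivy, and only then sign with Cosign. Assumptions: the image is pushed to GHCR under a lowercase repository name, the action versions shown exist in your environment, and `COSIGN_PRIVATE_KEY` / `COSIGN_PASSWORD` are repository secrets holding a key pair produced with `cosign generate-key-pair`.

```yaml
# Added example, not the Aqua post's workflow. Action versions, the image
# name and the secret names are assumptions.
name: build-scan-sign
on:
  push:
    branches: [main]
permissions:
  contents: read
  packages: write
env:
  IMAGE: ghcr.io/${{ github.repository }}   # assumption: owner/repo is lowercase
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: build
        uses: docker/build-push-action@v3
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}
      # Gate on the scan: a non-zero exit code fails the job, so the signing
      # step below never runs for an image with unfixed HIGH/CRITICAL findings.
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE }}:${{ github.sha }}
          format: table
          exit-code: "1"
          ignore-unfixed: true
          severity: CRITICAL,HIGH
      - uses: sigstore/cosign-installer@v2
      # Sign the digest, not the tag: a tag can be repointed after signing,
      # a digest cannot.
      - run: cosign sign --key env://COSIGN_PRIVATE_KEY "${IMAGE}@${{ steps.build.outputs.digest }}"
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
```

Consumers verify with the public half of the same key, `cosign verify --key cosign.pub ghcr.io/<owner>/<repo>@<digest>`, and an admission controller that enforces that check is what turns the signature into a deploy-time control rather than a label.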
Forwarded from Kube Careers
What does it take to get a job as a Kubernetes engineer?
Do you need a Kubernetes certification to apply for a job?
What's the average salary for a Kubernetes engineer?
We analyzed 97 Kubernetes jobs for the first three months of 2022 and found that:
- The average Kubernetes job pays €83,398 in Europe and $123,126 in North America.
- The majority of the job listings are for Senior DevOps Engineers.
- Only 1% of the total listings offer a position to Junior Engineers 😢
- As usual, AWS, Python, Terraform, Prometheus and Jenkins are the top terms mentioned in Kubernetes job descriptions.
You can read the full report here: https://kube.careers/kubernetes-trend-report-2022-q1
In this article you will compare five open-source tools for Kubernetes security scanning:
1. Grype.
2. Trivy.
3. Kubesec.
4. Kube-bench.
5. kubeaudit.
Read more https://quesengmany.medium.com/how-to-improve-the-security-of-your-applications-with-kubernetes-security-scanners-cda97fd2f574
PodSecurityPolicy (PSP) exists in Kubernetes to provide security controls for pods. PSP was deprecated in 1.21 (April 2021) and is scheduled for removal in 1.25. This article explains what PSPs are and what the alternatives are.
Read more https://appvia.io/blog/podsecuritypolicy-is-dead-long-live
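The in-tree successor is Pod Security Admission, which enforces the Pod Security Standards per namespace through labels (beta in Kubernetes 1.23). As an added example, not from the linked article: a namespace that enforces the `restricted` profile, and a pod that passes it. The namespace, pod name and image are assumptions.

```yaml
# Added example, not from the Appvia article. Namespace, pod and image names
# are assumptions; any image that runs as a non-root user will do.
apiVersion: v1
kind: Namespace
metadata:
  name: app
  labels:
    # Reject pods that violate "restricted" ...
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # ... and also warn on kubectl apply and record an audit annotation.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Satisfies "restricted": non-root, no privilege escalation, all
# capabilities dropped, RuntimeDefault seccomp.
apiVersion: v1
kind: Pod
metadata:
  name: hardened
  namespace: app
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: nginxinc/nginx-unprivileged:1.21   # assumption: a non-root image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

The same pod with `privileged: true`, a `hostPath` volume, or without `drop: ["ALL"]` is rejected at admission in this namespace. Before switching an existing namespace to `enforce`, preview the impact with `kubectl label --dry-run=server --overwrite ns app pod-security.kubernetes.io/enforce=restricted`, which reports the pods that would be denied without changing anything.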
Security researchers discovered a vulnerability where attackers could construct a malicious Helm chart to exfiltrate secrets, tokens, and other sensitive information from Argo CD which could then be potentially used for privilege escalation.
Read more https://blog.argoproj.io/argo-cd-deals-with-our-first-zero-day-cve-86e8fb158e8f
The kubelet uses startup, readiness, and liveness probes to verify whether a pod is booting, ready to accept traffic, and still alive. It is the kubelet (not the pod itself) that actually executes the probes.
Learn how they can be exploited.
Read more https://xxradar.medium.com/exploiting-applications-using-livenessprobes-in-kubernetes-cdff6329d320
Radare2 is an open-source framework for reverse-engineering and binary analysis.
In this article, you will learn how to run analysis at scale with Radare2, a CI/CD pipeline and Kubernetes.
Read more https://archcloudlabs.com/projects/dumb_fuzzing
Granting rights to node/proxy resources in Kubernetes could allow for audit logs and other security controls to be bypassed.
Learn how in this article.
Read more https://blog.aquasec.com/privilege-escalation-kubernetes-rbac
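The grant in question is the `nodes/proxy` subresource: with it, a subject can send requests to the kubelet API of any node through the API server at `/api/v1/nodes/<node>/proxy/...`, and HTTP methods map to RBAC verbs (GET to `get`, POST to `create`). As an added example, not from the Aqua article: a monitoring ClusterRole that over-grants, beside a least-privilege version. Role names are assumptions.

```yaml
# Added example, not from the article. Names are assumptions.
# Too broad: "get" on nodes/proxy reaches every kubelet's API via the API
# server, and "create" permits POSTs to it, which is far more than a scraper
# needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring-too-broad
rules:
  - apiGroups: [""]
    resources: ["nodes", "nodes/proxy", "pods"]
    verbs: ["get", "list", "watch", "create"]
---
# Least privilege: read-only, and the kubelet is reached only for metrics
# (the nodes/metrics subresource), never through nodes/proxy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring-least-privilege
rules:
  - apiGroups: [""]
    resources: ["nodes", "nodes/metrics", "pods", "services", "endpoints"]
    verbs: ["get", "list", "watch"]
  - nonResourceURLs: ["/metrics"]
    verbs: ["get"]
```

To find who already holds the risky grant, test each subject with `kubectl auth can-i get nodes/proxy --as=<subject>` and `kubectl auth can-i create nodes/proxy --as=<subject>`; a `yes` on either is worth a review of whether that workload truly needs to talk to kubelets directly.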
A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.4.13 where containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host.
➜ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23648
Forwarded from Kube Architect
In this article, you'll learn why you should avoid Sealed Secrets in your GitOps deployment:
1. The keys to which environment?
2. The secrets are … right there.
3. The key to secure all keys is still a key.
4. There are better solutions.
➜ https://dnastacio.medium.com/why-you-should-avoid-sealed-secrets-in-your-gitops-deployment-e50131d360dd
In this article, you will find the log for the Insekube CTF. You will learn:
- How to enumerate ports on a cluster.
- Obtaining a reverse shell.
- Exploiting Grafana to access /etc/passwd.
- Gaining root access.
➜ https://arrowa.medium.com/insekube-ctf-tryhackme-8b3f26556e0a