The OWASP WrongSecrets p0wnable app is an app packed with various ways of how to not store your secrets. These can help you to realize whether your secret management is fine. The challenge is to find all the different secrets.

Read more https://github.com/commjoen/wrongsecrets

SimpleSecrets is a secure operator that allows you to create secrets on demand. You can commit the SimpleSecrets, which are references to a database secret, and the operator will create Kubernetes Secrets automatically for you.

Read more https://github.com/Michaelpalacce/SimpleSecrets

This repository aims to implement a CrowdSec bouncer for the router Traefik to block malicious IPs to access your services. For this, it leverages Traefik v2 ForwardAuth middleware and queries CrowdSec with the client IP.

Read more https://github.com/fbonalair/traefik-crowdsec-bouncer

In this blog post, you will

- Look at RBAC, what it is and how it can be used.
- Create a ServiceAccount with restricted rights in the cluster.
- Create a Role and ClusterRole to allow a user to access an application namespace.

Read more https://anaisurl.com/kubernetes-rbac

Using GitHub Actions, it's easy to improve the security of your containers by automating vulnerability scanning and digital signing. In this post, you'll go over how to set up and secure a CI/CD pipeline using GitHub Actions, Cosign, and Trivy.

Read more https://blog.aquasec.com/trivy-github-actions-security-cicd-pipeline

What does it take to get a job as a Kubernetes engineer?

Do you need a Kubernetes certification to apply for a job?

What's the average salary for a Kubernetes engineer?

We analyzed 97 Kubernetes jobs for the first three months of 2022 and found that:

- The average Kubernetes job pays €83,398 in Europe and $123,126 in North America.
- The majority of the job listings are for Senior DevOps Engineers.
- Only 1% of the total listings offer a position to Junior Engineers 😢
- As usual, AWS, Python, Terraform, Prometheus and Jenkins!!! are the top terms mentioned in any Kubernetes job denoscriptions.

You can read the full report here: https://kube.careers/kubernetes-trend-report-2022-q1

In this article you will compare five open-source tools for Kubernetes security scanning:

1. Grype.
2. Trivy.
3. Kubesec.
4. Kube-bench.
5. kubeaudit.

Read more https://quesengmany.medium.com/how-to-improve-the-security-of-your-applications-with-kubernetes-security-scanners-cda97fd2f574

PodSecurityPolicy exists in Kubernetes to provide security controls for pods. PSPs are deprecated in 1.21 (April 2021) and will be removed entirely in 1.25 (expected around April 2022). This article explains what PSPs are and their alternatives.

Read more https://appvia.io/blog/podsecuritypolicy-is-dead-long-live

Security researchers discovered a vulnerability where attackers could construct a malicious Helm chart to exfiltrate secrets, tokens, and other sensitive information from Argo CD which could then be potentially used for privilege escalation.

Read more https://blog.argoproj.io/argo-cd-deals-with-our-first-zero-day-cve-86e8fb158e8f

The kubelet uses startup, readiness, and liveness probes to verify whether a pod is booting, ready to accept traffic and still alive. It is the kubelet who actually executes the probes (and not the pod itself).

Learn how you can exploit them.

Read more https://xxradar.medium.com/exploiting-applications-using-livenessprobes-in-kubernetes-cdff6329d320

Radare2 is an open-source framework for reverse-engineering and binary analysis.
In this article, you will learn how to run analysis at scale with Radare2, a CI/CD pipeline and Kubernetes.

Read more https://archcloudlabs.com/projects/dumb_fuzzing

Granting rights to node/proxy resources in Kubernetes could allow for audit logs and other security controls to be bypassed.

Learn how in this article.

Read more https://blog.aquasec.com/privilege-escalation-kubernetes-rbac

A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host.

➜ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23648

In this article, you'll learn why you should avoid Sealed Secrets in your GitOps deployment:

1. The keys to which environment?
2. The secrets are … right there.
3. The key to secure all keys is still a key.
4. There are better solutions.


➜ https://dnastacio.medium.com/why-you-should-avoid-sealed-secrets-in-your-gitops-deployment-e50131d360dd

In this article, you will find the log for the Insekube CTF. You will learn:

- How to enumerate ports on a cluster.
- Obtaining a reverse shell.
- Exploiting Grafana to access /etc/passwd.
- Gaining root access.

➜ https://arrowa.medium.com/insekube-ctf-tryhackme-8b3f26556e0a

In this post, you will answer the following question: "how can we enforce security best practices at the cluster or namespace level?"

You will cover:

- Pod Security Policies.
- Pod Security Admission controller.
- Examples and demos.

➜ https://faun.pub/pod-security-policies-are-dead-long-live-pod-security-admission-a7431a764ba3

Learn how to recreate the Kubernetes RBAC authorization model from scratch and practice the relationships between Roles, ServiceAccounts, RoleBindings, etc.

More: https://learnk8s.io/rbac-kubernetes

There are cases when you need to implement traffic encryption of services running within their Kubernetes cluster but a service mesh is an overkill. In this article, you'll achieve this using cert-manager and related tools in a simple and efficient way.

More: https://medium.com/@mikhail_advani/kubernetes-in-cluster-traffic-encryption-using-cert-manager-b70c2101a12d

This article aims to explain the architecture of Hashicorp Vault and how to install it in Kubernetes. Towards the end of the article, you will also discuss how an application can make use of Vault with a hands-on demo.

More: https://devopslearners.com/comprehensive-guide-to-setup-hasicorp-vault-in-kubernetes-8543e9912e3f

This article explores how the cert-manager can be used for on-premises Kubernetes applications to manage their certificate lifecycles.

More: https://itnext.io/certificate-management-for-on-premises-cloud-native-apps-dbca82e3c405

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use `.metadata.annotations` in an Ingress object to obtain the credentials of the ingress-nginx controller.

More: https://groups.google.com/g/kubernetes-security-announce/c/hv2-SfdqcfQ