Using GitHub Actions, it's easy to improve the security of your containers by automating vulnerability scanning and digital signing. In this post, you'll go over how to set up and secure a CI/CD pipeline using GitHub Actions, Cosign, and Trivy.
Read more https://blog.aquasec.com/trivy-github-actions-security-cicd-pipeline
Forwarded from Kube Careers
What does it take to get a job as a Kubernetes engineer?
Do you need a Kubernetes certification to apply for a job?
What's the average salary for a Kubernetes engineer?
We analyzed 97 Kubernetes jobs for the first three months of 2022 and found that:
- The average Kubernetes job pays €83,398 in Europe and $123,126 in North America.
- The majority of the job listings are for Senior DevOps Engineers.
- Only 1% of the total listings offer a position to Junior Engineers 😢
- As usual, AWS, Python, Terraform, Prometheus and Jenkins!!! are the top terms mentioned in any Kubernetes job descriptions.
You can read the full report here: https://kube.careers/kubernetes-trend-report-2022-q1
In this article you will compare five open-source tools for Kubernetes security scanning:
1. Grype.
2. Trivy.
3. Kubesec.
4. Kube-bench.
5. kubeaudit.
Read more https://quesengmany.medium.com/how-to-improve-the-security-of-your-applications-with-kubernetes-security-scanners-cda97fd2f574
PodSecurityPolicy exists in Kubernetes to provide security controls for pods. PSPs are deprecated in 1.21 (April 2021) and will be removed entirely in 1.25 (expected around April 2022). This article explains what PSPs are and their alternatives.
Read more https://appvia.io/blog/podsecuritypolicy-is-dead-long-live
Security researchers discovered a vulnerability where attackers could construct a malicious Helm chart to exfiltrate secrets, tokens, and other sensitive information from Argo CD which could then be potentially used for privilege escalation.
Read more https://blog.argoproj.io/argo-cd-deals-with-our-first-zero-day-cve-86e8fb158e8f
The kubelet uses startup, readiness, and liveness probes to verify whether a pod is booting, ready to accept traffic, and still alive. It is the kubelet that actually executes the probes (not the pod itself).
Learn how you can exploit them.
Read more https://xxradar.medium.com/exploiting-applications-using-livenessprobes-in-kubernetes-cdff6329d320
Radare2 is an open-source framework for reverse-engineering and binary analysis.
In this article, you will learn how to run analysis at scale with Radare2, a CI/CD pipeline and Kubernetes.
Read more https://archcloudlabs.com/projects/dumb_fuzzing
Granting rights to node/proxy resources in Kubernetes could allow for audit logs and other security controls to be bypassed.
Learn how in this article.
Read more https://blog.aquasec.com/privilege-escalation-kubernetes-rbac
A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host.
➜ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23648
Forwarded from Kube Architect
In this article, you'll learn why you should avoid Sealed Secrets in your GitOps deployment:
1. The keys to which environment?
2. The secrets are … right there.
3. The key to secure all keys is still a key.
4. There are better solutions.
➜ https://dnastacio.medium.com/why-you-should-avoid-sealed-secrets-in-your-gitops-deployment-e50131d360dd
In this article, you will find the log for the Insekube CTF. You will learn:
- How to enumerate ports on a cluster.
- Obtaining a reverse shell.
- Exploiting Grafana to access /etc/passwd.
- Gaining root access.
➜ https://arrowa.medium.com/insekube-ctf-tryhackme-8b3f26556e0a
In this post, you will answer the following question: "how can we enforce security best practices at the cluster or namespace level?"
You will cover:
- Pod Security Policies.
- Pod Security Admission controller.
- Examples and demos.
➜ https://faun.pub/pod-security-policies-are-dead-long-live-pod-security-admission-a7431a764ba3
Learn how to recreate the Kubernetes RBAC authorization model from scratch and practice the relationships between Roles, ServiceAccounts, RoleBindings, etc.
More: https://learnk8s.io/rbac-kubernetes
There are cases when you need to encrypt traffic between services running within your Kubernetes cluster, but a service mesh is overkill. In this article, you'll achieve this using cert-manager and related tools in a simple and efficient way.
More: https://medium.com/@mikhail_advani/kubernetes-in-cluster-traffic-encryption-using-cert-manager-b70c2101a12d
This article explains the architecture of HashiCorp Vault and how to install it in Kubernetes. Towards the end of the article, you will also see how an application can make use of Vault, with a hands-on demo.
More: https://devopslearners.com/comprehensive-guide-to-setup-hasicorp-vault-in-kubernetes-8543e9912e3f
This article explores how cert-manager can be used to manage the certificate lifecycle of on-premises Kubernetes applications.
More: https://itnext.io/certificate-management-for-on-premises-cloud-native-apps-dbca82e3c405
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use `.metadata.annotations` in an Ingress object to obtain the credentials of the ingress-nginx controller.
More: https://groups.google.com/g/kubernetes-security-announce/c/hv2-SfdqcfQ
Kubernetes has a pluggable mechanism for enforcing granular policies on its resources.
This gets even easier when you add Open Policy Agent and Gatekeeper.
In this article, you will learn how to use Gatekeeper to keep your Deployments in check.
More: https://asankov.dev/blog/2022/04/21/securing-kubernetes-with-open-policy-agent
Forwarded from Kube Events
🗓 Kubernetes events starting in the next 24 hours:
16 May 7:45 am GMT - DoK day 2022 (Data on Kubernetes) - 📍 In-person conference
16 May 12:00 pm GMT - Operator Day KubeCon EU (Canonical) - 📍 Online & in-person conference
16 May 1:00 pm GMT - KubeCon + CloudNativeCon Europe (Linux Foundation) - 📍 Online & in-person conference
16 May 1:00 pm GMT - Kubernetes AI day Europe (Linux Foundation) - 📍 In-person conference
→ See all Kubernetes events
Aqua's 2022 cloud-native threat report highlights the key threats targeting cloud-native applications by analyzing attacks and techniques observed in the wild.
More: https://blog.aquasec.com/2022-cloud-native-threat-report-cyber-attacks
It's no secret that Kubernetes Secrets are just base64-encoded strings stored in etcd alongside the rest of the cluster's state.
But is it *really* an issue?
Let's create a rudimentary threat model for Kubernetes Secrets and see what comes up.
More: https://macchaffee.com/blog/2022/k8s-secrets