Kubesploit – Telegram
Kubesploit
News and links on Kubernetes security curated by the @Learnk8s team
Website: https://kubesploit.io/
Radare2 is an open-source framework for reverse-engineering and binary analysis.
In this article, you will learn how to run analysis at scale with Radare2, a CI/CD pipeline and Kubernetes.

Read more https://archcloudlabs.com/projects/dumb_fuzzing
A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23648
Forwarded from Kube Architect
In this article, you'll learn why you should avoid Sealed Secrets in your GitOps deployment:

1. The keys to which environment?
2. The secrets are … right there.
3. The key to secure all keys is still a key.
4. There are better solutions.


https://dnastacio.medium.com/why-you-should-avoid-sealed-secrets-in-your-gitops-deployment-e50131d360dd
In this article, you will find the walkthrough log for the Insekube CTF. You will learn:

- Enumerating ports on a cluster.
- Obtaining a reverse shell.
- Exploiting Grafana to read /etc/passwd.
- Gaining root access.

https://arrowa.medium.com/insekube-ctf-tryhackme-8b3f26556e0a
In this post, you will answer the following question: "how can we enforce security best practices at the cluster or namespace level?"

You will cover:

- Pod Security Policies.
- Pod Security Admission controller.
- Examples and demos.

https://faun.pub/pod-security-policies-are-dead-long-live-pod-security-admission-a7431a764ba3
Learn how to recreate the Kubernetes RBAC authorization model from scratch and practice the relationships between Roles, ServiceAccounts, RoleBindings, etc.

More: https://learnk8s.io/rbac-kubernetes
There are cases when you need to encrypt traffic between services running within a Kubernetes cluster, but a service mesh is overkill. In this article, you'll achieve this using cert-manager and related tools in a simple and efficient way.

More: https://medium.com/@mikhail_advani/kubernetes-in-cluster-traffic-encryption-using-cert-manager-b70c2101a12d
This article explains the architecture of HashiCorp Vault and how to install it in Kubernetes. Towards the end, it also shows how an application can make use of Vault with a hands-on demo.

More: https://devopslearners.com/comprehensive-guide-to-setup-hasicorp-vault-in-kubernetes-8543e9912e3f
This article explores how the cert-manager can be used for on-premises Kubernetes applications to manage their certificate lifecycles.

More: https://itnext.io/certificate-management-for-on-premises-cloud-native-apps-dbca82e3c405
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use `.metadata.annotations` in an Ingress object to obtain the credentials of the ingress-nginx controller.

More: https://groups.google.com/g/kubernetes-security-announce/c/hv2-SfdqcfQ
Forwarded from Kube Events
🗓 Kubernetes events starting in the next 24 hours:

16 May 7:45 am GMT - DoK day 2022 (Data on Kubernetes) - 📍 In-person conference

16 May 12:00 pm GMT - Operator Day KubeCon EU (Canonical) - 📍 Online & in-person conference

16 May 1:00 pm GMT - KubeCon + CloudNativeCon Europe (Linux Foundation) - 📍 Online & in-person conference

16 May 1:00 pm GMT - Kubernetes AI day Europe (Linux Foundation) - 📍 In-person conference

→ See all Kubernetes events
The 2022 Cloud Native Threat Report from Aqua Security highlights the key threats targeting cloud-native applications by analyzing attacks and techniques observed in the wild.

More: https://blog.aquasec.com/2022-cloud-native-threat-report-cyber-attacks
It's no secret that Kubernetes Secrets are just base64-encoded strings stored in etcd alongside the rest of the cluster's state.

But is it *really* an issue?

Let's create a rudimentary threat model for Kubernetes Secrets and see what comes up.

More: https://macchaffee.com/blog/2022/k8s-secrets
Forwarded from LearnKube news
Master Kubernetes with this 4-day Advanced Kubernetes workshop on the 9th of June!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!


You can sign up here: https://learnk8s.io/online-advanced-june-2022
In this article, you will explore several scenarios on how to attack etcd in Kubernetes to gain access to its data. You will cover:

- Etcd localhost port access via an SSRF vulnerability.
- Etcd credential stealing.
- Kube API server command execution.

More: https://tutorialboy24.medium.com/a-detailed-brief-about-offence-and-defence-on-cloud-security-etcd-risks-9fb6ab0704a1
In this guide, you'll learn how to configure Vault to exchange a Kubernetes service account token for a scoped Vault client token. This is useful for apps deployed in Kubernetes that want to authenticate themselves against Vault without passing Vault credentials around.

More: https://ddymko.medium.com/vault-using-kubernetes-auth-c67cfcdc8d6e
keepass-secret is a command-line tool that converts entries from a KeePass 2.3 file into Kubernetes secrets.

This tool was created to automatically create Kubernetes Secrets in CI/CD pipelines that deploy workloads to Kubernetes clusters.

More: https://github.com/rene6502/keepass-secret
Forwarded from Kube Architect
Learn how to design a Kafka cluster to achieve high availability using standard Kubernetes resources, and test how it tolerates maintenance and total node failures.

More: https://learnk8s.io/kafka-ha-kubernetes