This article aims to explain the architecture of Hashicorp Vault and how to install it in Kubernetes. Towards the end of the article, you will also discuss how an application can make use of Vault with a hands-on demo.
More: https://devopslearners.com/comprehensive-guide-to-setup-hasicorp-vault-in-kubernetes-8543e9912e3f
More: https://devopslearners.com/comprehensive-guide-to-setup-hasicorp-vault-in-kubernetes-8543e9912e3f
This article explores how the cert-manager can be used for on-premises Kubernetes applications to manage their certificate lifecycles.
More: https://itnext.io/certificate-management-for-on-premises-cloud-native-apps-dbca82e3c405
More: https://itnext.io/certificate-management-for-on-premises-cloud-native-apps-dbca82e3c405
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use `.metadata.annotations` in an Ingress object to obtain the credentials of the ingress-nginx controller.
More: https://groups.google.com/g/kubernetes-security-announce/c/hv2-SfdqcfQ
More: https://groups.google.com/g/kubernetes-security-announce/c/hv2-SfdqcfQ
Kubernetes has a pluggable mechanism for enforcing granular policies on its resources.
This gets even easier when you add Open Policy Agent and Gatekeeper.
In this article, you will learn how to use Gatekeeper to keep your Deployments in check.
More: https://asankov.dev/blog/2022/04/21/securing-kubernetes-with-open-policy-agent
This gets even easier when you add Open Policy Agent and Gatekeeper.
In this article, you will learn how to use Gatekeeper to keep your Deployments in check.
More: https://asankov.dev/blog/2022/04/21/securing-kubernetes-with-open-policy-agent
asankov.dev
Securing Kubernetes with Open Policy Agent
Build-in Kubernetes security is not enough for most organizations to enforce granular rules and policies to the workloads running in their clusters. That is why projects like OPA and Gatekeeper exist to help you achieve a higher level of Kubernetes security
Forwarded from Kube Events
🗓 Kubernetes events starting in the next 24 hours:
16 May 7:45 am GMT - DoK day 2022 (Data on Kubernetes) - 📍 In-person conference
16 May 12:00 pm GMT - Operator Day KubeCon EU (Canonical) - 📍 Online & in-person conference
16 May 1:00 pm GMT - KubeCon + CloudNativeCon Europe (Linux Foundation) - 📍 Online & in-person conference
16 May 1:00 pm GMT - Kubernetes AI day Europe (Linux Foundation) - 📍 In-person conference
→ See all Kubernetes events
16 May 7:45 am GMT - DoK day 2022 (Data on Kubernetes) - 📍 In-person conference
16 May 12:00 pm GMT - Operator Day KubeCon EU (Canonical) - 📍 Online & in-person conference
16 May 1:00 pm GMT - KubeCon + CloudNativeCon Europe (Linux Foundation) - 📍 Online & in-person conference
16 May 1:00 pm GMT - Kubernetes AI day Europe (Linux Foundation) - 📍 In-person conference
→ See all Kubernetes events
2022 cloud-native threat report from Aquasec highlights the key threats targeting cloud-native applications by analyzing attacks and techniques in the wild.
More: https://blog.aquasec.com/2022-cloud-native-threat-report-cyber-attacks
More: https://blog.aquasec.com/2022-cloud-native-threat-report-cyber-attacks
It's no secret that Kubernetes Secrets are just base64-encoded strings stored in etcd alongside the rest of the cluster's state.
But is it *really* an issue?
Let's create a rudimentary threat model for Kubernetes Secrets and see what comes up.
More: https://macchaffee.com/blog/2022/k8s-secrets
But is it *really* an issue?
Let's create a rudimentary threat model for Kubernetes Secrets and see what comes up.
More: https://macchaffee.com/blog/2022/k8s-secrets
Macchaffee
Plain Kubernetes Secrets are fine
Mac's Tech Blog
Forwarded from LearnKube news
Master Kubernetes with this a 4-day Advanced Kubernetes workshop on the 9th of June!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
You can sign up here: https://learnk8s.io/online-advanced-june-2022
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
You can sign up here: https://learnk8s.io/online-advanced-june-2022
Forwarded from Kube Architect
Starting with Envoy 1.17, authentication and authorization to Istio clusters don't require setting up external services if you decide to use OAuth2.
Learn how it works in this hands-on tutorial.
More: https://medium.com/getindata-blog/oauth2-based-authentication-on-istio-powered-kubernetes-clusters-2bd0999b7332
Learn how it works in this hands-on tutorial.
More: https://medium.com/getindata-blog/oauth2-based-authentication-on-istio-powered-kubernetes-clusters-2bd0999b7332
Medium
OAuth2-based authentication on Istio-powered Kubernetes clusters
You have just installed your first Kubernetes cluster and installed Istio to get the full advantage of Service Mesh. Thanks to really…
In this article, you will explore several scenarios on how to attack etcd in Kubernetes to gain access to its data. You will cover:
- Etcd localhost port access due to SSRF vulnerability.
- Etcd Credential Stealing.
- Kube API server command execution.
More: https://tutorialboy24.medium.com/a-detailed-brief-about-offence-and-defence-on-cloud-security-etcd-risks-9fb6ab0704a1
- Etcd localhost port access due to SSRF vulnerability.
- Etcd Credential Stealing.
- Kube API server command execution.
More: https://tutorialboy24.medium.com/a-detailed-brief-about-offence-and-defence-on-cloud-security-etcd-risks-9fb6ab0704a1
In this guide, you'll learn how to configure Vault to exchange service accounts for a scoped client Vault token. This can be useful for apps deployed in Kubernetes that want to self authenticate against Vault and avoid passing vault credentials around.
More: https://ddymko.medium.com/vault-using-kubernetes-auth-c67cfcdc8d6e
More: https://ddymko.medium.com/vault-using-kubernetes-auth-c67cfcdc8d6e
Medium
Vault using Kubernetes auth
This guide will walk you through how to configure Vault running on a Kubernetes cluster to exchange service accounts for a scoped client vault token. This can be useful when you want your services…
keepass-secret is a command-line tool that converts entries from a KeePass 2.3 file into Kubernetes secrets.
This tool was created to automatically create Kubernetes Secret in CI/CD pipelines to deploy workloads to Kubernetes clusters.
More: https://github.com/rene6502/keepass-secret
This tool was created to automatically create Kubernetes Secret in CI/CD pipelines to deploy workloads to Kubernetes clusters.
More: https://github.com/rene6502/keepass-secret
Forwarded from Kube Architect
Learn how to design a Kafka cluster to achieve high availability using standard kubernetes resources and test how it tolerates maintenance and total node failures.
More: https://learnk8s.io/kafka-ha-kubernetes
More: https://learnk8s.io/kafka-ha-kubernetes
Learn how combining Gatekeeper + Cosign for image signature validation with the new external_data feature lets you stop untrusted docker images from being deployed on your Kubernetes cluster.
More: https://justinpolidori.it/posts/20220116_sign_images_with_cosign_and_verify_with_gatekeeper
More: https://justinpolidori.it/posts/20220116_sign_images_with_cosign_and_verify_with_gatekeeper
In this article, you'll learn how to use the Vault Agent Injector to dynamically generate and Inject PKI Certs to Pods.
By rendering secrets to a shared volume, containers within the pod will consume Vault secrets without being Vault aware.
More: https://medium.com/nerd-for-tech/pki-certs-injection-to-k8s-pods-with-vault-agent-injector-d97482b48f3d
By rendering secrets to a shared volume, containers within the pod will consume Vault secrets without being Vault aware.
More: https://medium.com/nerd-for-tech/pki-certs-injection-to-k8s-pods-with-vault-agent-injector-d97482b48f3d
This article shows the core strategies for securing an Argo CD deployment and keeping you ahead of potential exposures.
1. Use a dedicated project for the control plane.
2. Argo resources are for Argo admins only.
...
6. Have a CVE response plan ready.
More: https://dnastacio.medium.com/gitops-argocd-security-cbb6fb6378bb
1. Use a dedicated project for the control plane.
2. Argo resources are for Argo admins only.
...
6. Have a CVE response plan ready.
More: https://dnastacio.medium.com/gitops-argocd-security-cbb6fb6378bb
Forwarded from Kube Builders
In this article you will learn how you can use the ambassador, adapter, sidecar and init containers to extend yours apps in Kubernetes without changing their code.
More: https://learnk8s.io/sidecar-containers-patterns
More: https://learnk8s.io/sidecar-containers-patterns
You're probably aware that it is best practice not to use the latest tag when deploying to Kubernetes because that tag can be changed to point at a different image.
Learn how to use kbld with Argo CD to increase the security of your delivery pipeline.
More: https://blog.argoproj.io/preventing-tag-mutation-with-kbld-and-argo-cd-19cecd65963
Learn how to use kbld with Argo CD to increase the security of your delivery pipeline.
More: https://blog.argoproj.io/preventing-tag-mutation-with-kbld-and-argo-cd-19cecd65963
Medium
Preventing Tag Mutation With kbld And Argo CD
You’re probably aware that it is best practice not to use the latest tag when deploying to Kubernetes because that tag can be changed to…
Forwarded from LearnKube news
Master Kubernetes with this a 4-day Advanced Kubernetes workshop on the 9th of June (next week)!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
You can sign up here: https://learnk8s.io/online-advanced-june-2022
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
You can sign up here: https://learnk8s.io/online-advanced-june-2022
The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment.
More: https://github.com/stackrox/stackrox
More: https://github.com/stackrox/stackrox
GitHub
GitHub - stackrox/stackrox: The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers…
The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security...
The recently discovered vulnerability CVE-2022-23648 in containerd allows crafted containers to gain read-only access to files from the host machine.
More: https://armosec.io/blog/cve-2022-23648-containerd-cri-plugin-kubernetes
More: https://armosec.io/blog/cve-2022-23648-containerd-cri-plugin-kubernetes