Kubesploit – Telegram
Kubesploit
1.96K subscribers
822 photos
128 videos
1.6K links
News and links on Kubernetes security curated by the @Learnk8s team
Website: https://kubesploit.io/
The 2022 cloud-native threat report from Aquasec highlights the key threats targeting cloud-native applications by analyzing attacks and techniques observed in the wild.

More: https://blog.aquasec.com/2022-cloud-native-threat-report-cyber-attacks
It's no secret that Kubernetes Secrets are just base64-encoded strings stored in etcd alongside the rest of the cluster's state.

But is it *really* an issue?

Let's create a rudimentary threat model for Kubernetes Secrets and see what comes up.

More: https://macchaffee.com/blog/2022/k8s-secrets
Forwarded from LearnKube news
Master Kubernetes with this 4-day Advanced Kubernetes workshop on the 9th of June!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!

You can sign up here: https://learnk8s.io/online-advanced-june-2022
In this article, you will explore several scenarios for attacking etcd in Kubernetes to gain access to its data. You will cover:

- Etcd localhost port access due to an SSRF vulnerability.
- Etcd credential stealing.
- Kube API server command execution.

More: https://tutorialboy24.medium.com/a-detailed-brief-about-offence-and-defence-on-cloud-security-etcd-risks-9fb6ab0704a1
In this guide, you'll learn how to configure Vault to exchange Kubernetes service account tokens for a scoped client Vault token. This is useful for apps deployed in Kubernetes that want to authenticate to Vault on their own and avoid passing Vault credentials around.

More: https://ddymko.medium.com/vault-using-kubernetes-auth-c67cfcdc8d6e
keepass-secret is a command-line tool that converts entries from a KeePass 2.3 file into Kubernetes secrets.

This tool was created to automatically create Kubernetes Secrets in CI/CD pipelines that deploy workloads to Kubernetes clusters.

More: https://github.com/rene6502/keepass-secret
Forwarded from Kube Architect
Learn how to design a Kafka cluster to achieve high availability using standard Kubernetes resources, and test how it tolerates maintenance and total node failures.

More: https://learnk8s.io/kafka-ha-kubernetes
Learn how combining Gatekeeper and Cosign for image signature validation with the new external_data feature lets you stop untrusted Docker images from being deployed on your Kubernetes cluster.

More: https://justinpolidori.it/posts/20220116_sign_images_with_cosign_and_verify_with_gatekeeper
In this article, you'll learn how to use the Vault Agent Injector to dynamically generate and inject PKI certificates into Pods.

By rendering secrets to a shared volume, containers within the pod consume Vault secrets without being Vault-aware.

More: https://medium.com/nerd-for-tech/pki-certs-injection-to-k8s-pods-with-vault-agent-injector-d97482b48f3d
This article shows the core strategies for securing an Argo CD deployment and staying ahead of potential exposures.

1. Use a dedicated project for the control plane.
2. Argo resources are for Argo admins only.
...
6. Have a CVE response plan ready.

More: https://dnastacio.medium.com/gitops-argocd-security-cbb6fb6378bb
Forwarded from Kube Builders
In this article, you will learn how to use the ambassador, adapter, sidecar and init container patterns to extend your apps in Kubernetes without changing their code.

More: https://learnk8s.io/sidecar-containers-patterns
You're probably aware that it is best practice not to use the "latest" tag when deploying to Kubernetes, because that tag can be changed to point at a different image.

Learn how to use kbld with Argo CD to increase the security of your delivery pipeline.

More: https://blog.argoproj.io/preventing-tag-mutation-with-kbld-and-argo-cd-19cecd65963
Forwarded from LearnKube news
Master Kubernetes with this 4-day Advanced Kubernetes workshop on the 9th of June (next week)!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!

You can sign up here: https://learnk8s.io/online-advanced-june-2022
The recently discovered vulnerability CVE-2022-23648 in containerd allows specially crafted containers to gain read-only access to files on the host machine.

More: https://armosec.io/blog/cve-2022-23648-containerd-cri-plugin-kubernetes
in-toto provides a framework to protect the integrity of the software supply chain. It does so by verifying that each step in the chain is carried out as planned and by authorized personnel only, and that the product is not tampered with in transit.

More: https://github.com/in-toto/in-toto
Forwarded from Kube Architect
In this post, you will learn about Bitnami Sealed Secrets, a way of storing secrets securely in a Git repository.
You will also learn how to monitor the Sealed Secrets controller with Prometheus and Grafana.

More: https://carlosalca.medium.com/how-to-manage-all-my-k8s-secrets-in-git-securely-with-bitnami-sealed-secrets-43580b8fa0c7
In this article, you'll cover the basic best practices for performing Digital Forensics and Incident Response (DFIR) in a Kubernetes cluster. You will also simulate how to inspect and respond to a breach.

More: https://sysdig.com/blog/guide-kubernetes-forensics-dfir