Learn how combining Gatekeeper and Cosign for image signature validation, using Gatekeeper's new external_data feature, lets you stop untrusted Docker images from being deployed on your Kubernetes cluster.
More: https://justinpolidori.it/posts/20220116_sign_images_with_cosign_and_verify_with_gatekeeper
In this article, you'll learn how to use the Vault Agent Injector to dynamically generate PKI certificates and inject them into Pods.
By rendering secrets to a shared volume, containers within the pod will consume Vault secrets without being Vault aware.
More: https://medium.com/nerd-for-tech/pki-certs-injection-to-k8s-pods-with-vault-agent-injector-d97482b48f3d
This article shows the core strategies for securing an Argo CD deployment and keeping you ahead of potential exposures.
1. Use a dedicated project for the control plane.
2. Argo resources are for Argo admins only.
...
6. Have a CVE response plan ready.
More: https://dnastacio.medium.com/gitops-argocd-security-cbb6fb6378bb
Forwarded from Kube Builders
In this article you will learn how you can use the ambassador, adapter, sidecar and init container patterns to extend your apps in Kubernetes without changing their code.
More: https://learnk8s.io/sidecar-containers-patterns
You're probably aware that it is best practice not to use the latest tag when deploying to Kubernetes, because a tag can be changed to point at a different image after your manifests were reviewed.
Learn how to use kbld with Argo CD to increase the security of your delivery pipeline.
More: https://blog.argoproj.io/preventing-tag-mutation-with-kbld-and-argo-cd-19cecd65963
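The property kbld gives you is that every image reference in the rendered manifests is pinned to a digest. Below is an added example (not kbld's or Argo CD's code) of the check you would run in a pipeline or admission hook to catch references that still rely on a mutable tag. It contains a small parser for OCI image references, so registries with ports, implicit docker.io/library names and tag+digest combinations are handled correctly; the image list at the bottom is constructed sample input.

```python
"""Flag container image references that rely on mutable tags.

Added example, not kbld's or Argo CD's own code: a small OCI image
reference parser plus a policy check that accepts only digest-pinned
references, which is the property kbld produces by rewriting tags to
digests before Argo CD applies the manifests. The image list at the
bottom is constructed sample input.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split 'registry[:port]/repo[:tag][@sha256:hex]' into its parts.

    The first path component counts as a registry only if it contains a
    dot or a colon or is 'localhost' (Docker's heuristic); otherwise the
    image lives on docker.io, with single-name images under 'library/'.
    """
    if not ref or any(c.isspace() for c in ref):
        raise ValueError(f"malformed image reference: {ref!r}")

    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"unsupported digest: {digest!r}")

    parts = ref.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, "/".join(parts[1:])
    else:
        registry, path = "docker.io", ref
        if "/" not in path:
            path = "library/" + path
    if not path:
        raise ValueError(f"missing repository in {ref!r}")

    # Only a colon in the last path component is a tag separator; a port
    # on the registry host (host:5000) was consumed above.
    tag = None
    if ":" in path[path.rfind("/") + 1:]:
        path, tag = path.rsplit(":", 1)
        if not TAG_RE.match(tag):
            raise ValueError(f"invalid tag: {tag!r}")
    return ImageRef(registry, path, tag, digest)


def check_pinned(images: List[str]) -> List[str]:
    """Return one finding per image that is not pinned to a digest.

    A tag, including the implicit 'latest', can be re-pointed at a
    different image in the registry after the manifest was reviewed; a
    digest cannot. A reference carrying both a tag and a digest is fine:
    the runtime pulls by digest and treats the tag as a label.
    """
    findings = []
    for image in images:
        ref = parse_image_ref(image)
        if ref.digest:
            continue
        tag = ref.tag if ref.tag is not None else "latest (implicit)"
        findings.append(
            f"{image}: mutable tag '{tag}' on {ref.registry}/{ref.repository}, "
            "pin it to @sha256:<digest>"
        )
    return findings


# Constructed sample: images collected from a set of manifests.
SAMPLE_IMAGES = [
    "nginx",
    "ghcr.io/example/app:1.4.2",
    "registry.example.com:5000/team/api@sha256:" + "a" * 64,
    "quay.io/example/worker:v2@sha256:" + "b" * 64,
]

if __name__ == "__main__":
    for finding in check_pinned(SAMPLE_IMAGES):
        print(finding)
```

Run it over the image fields extracted from your rendered manifests (for example the output of kbld, or a kustomize build); an empty result means every image is digest-pinned and a later push to the same tag cannot change what the cluster runs.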
Forwarded from LearnKube news
Master Kubernetes with this 4-day Advanced Kubernetes workshop on the 9th of June (next week)!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
You can sign up here: https://learnk8s.io/online-advanced-june-2022
The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment.
More: https://github.com/stackrox/stackrox
The recently discovered vulnerability CVE-2022-23648 in containerd allows crafted containers to gain read-only access to files from the host machine.
More: https://armosec.io/blog/cve-2022-23648-containerd-cri-plugin-kubernetes
in-toto provides a framework to protect the integrity of the software supply chain. It does so by verifying that each task in the chain is carried out as planned, by authorized personnel only, and that the product is not tampered with in transit.
More: https://github.com/in-toto/in-toto
Forwarded from Kube Architect
In this post, you will learn about Bitnami Sealed Secrets, a way of storing secrets in a Git repository securely.
You will also learn how to monitor the Sealed Secrets controller with Prometheus + Grafana.
More: https://carlosalca.medium.com/how-to-manage-all-my-k8s-secrets-in-git-securely-with-bitnami-sealed-secrets-43580b8fa0c7
See Datadog's proof of concept exploit for breaking out from unprivileged containers using the Dirty Pipe vulnerability.
More: https://datadoghq.com/blog/engineering/dirty-pipe-container-escape-poc
In this article, you'll cover the basic best practices to perform Digital Forensics and Incident Response (DFIR) in a Kubernetes cluster. You will also simulate how to inspect and respond to a breach.
More: https://sysdig.com/blog/guide-kubernetes-forensics-dfir
In March 2022, the NSA and CISA issued version 1.1 of the Kubernetes Hardening Guide. Here are the most important points addressed in this new version.
More: https://armosec.io/blog/nsa-cisa-kubernetes-hardening-guide
ThreatMapper hunts for vulnerabilities in your production platforms and ranks them by their risk of exploitation, so you can prioritize the issues that present the greatest risk to the security of your applications.
More: https://github.com/deepfence/ThreatMapper
In this article, you will learn how to store your credentials in Secrets Manager and automatically retrieve them to create Kubernetes Secrets using the External Secrets Operator.
More: https://pjame-fb.medium.com/kubernetes-secrets-from-secrets-manager-using-external-secrets-operators-4819562c3b02
A flaw was found in all versions of kubeclient before v4.9.3 in the way it parsed kubeconfig files.
Ruby applications that use kubeclient to parse kubeconfig files are susceptible to man-in-the-middle (MITM) attacks.
More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0759
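Whatever library parses a kubeconfig, the client it builds has to honour the cluster's TLS settings, otherwise an on-path attacker can impersonate the API server. The following is an added audit script, not kubeclient's code or its fix, that walks the clusters section of a kubeconfig and reports the configurations that weaken or remove server verification. The kubeconfig it inspects is a constructed sample built as a Python dict with the same structure kubectl reads from the YAML file; the certificate body in it is a placeholder, not a real certificate.

```python
"""Audit the TLS settings of every cluster entry in a kubeconfig.

Added example, not part of kubeclient or of its fix for CVE-2022-0759.
For each cluster it checks that the server is https, that TLS
verification is not switched off, and that a usable CA is configured.
The sample kubeconfig is constructed; its certificate is a placeholder.
"""
import base64
from typing import Any, Dict, List
from urllib.parse import urlsplit


def audit_kubeconfig(config: Dict[str, Any]) -> List[str]:
    """Return one finding per cluster entry that weakens server verification."""
    findings: List[str] = []
    for entry in config.get("clusters", []):
        name = entry.get("name", "<unnamed>")
        cluster = entry.get("cluster", {})
        server = cluster.get("server", "")

        if urlsplit(server).scheme.lower() != "https":
            findings.append(
                f"{name}: server {server!r} is not https; the connection is "
                "neither encrypted nor authenticated"
            )
            continue  # the TLS fields below do not apply without TLS

        skip_verify = cluster.get("insecure-skip-tls-verify") is True
        if skip_verify:
            findings.append(f"{name}: insecure-skip-tls-verify is true; any certificate is accepted")

        ca_data = cluster.get("certificate-authority-data")
        ca_file = cluster.get("certificate-authority")
        if ca_data is not None:
            # The field holds base64 of a PEM bundle; anything else means the
            # client will fail to load the CA or, worse, silently ignore it.
            try:
                pem = base64.b64decode(ca_data, validate=True)
            except ValueError:
                pem = b""
            if not pem.startswith(b"-----BEGIN CERTIFICATE-----"):
                findings.append(f"{name}: certificate-authority-data is not a base64-encoded PEM certificate")
        elif ca_file is None and not skip_verify:
            findings.append(
                f"{name}: no certificate-authority configured; verification relies "
                "on the system trust store, which normally does not hold a cluster CA"
            )
    return findings


# Constructed placeholder, not a real certificate; only the PEM header matters here.
PLACEHOLDER_CA_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"PLACEHOLDER-NOT-A-REAL-CERTIFICATE\n"
    b"-----END CERTIFICATE-----\n"
)

# Constructed sample kubeconfig (same structure kubectl reads from YAML).
SAMPLE_KUBECONFIG: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [
        {"name": "prod", "cluster": {
            "server": "https://10.0.0.1:6443",
            "certificate-authority-data": base64.b64encode(PLACEHOLDER_CA_PEM).decode(),
        }},
        {"name": "lab", "cluster": {
            "server": "https://10.0.0.2:6443",
            "insecure-skip-tls-verify": True,
        }},
        {"name": "legacy", "cluster": {"server": "http://10.0.0.3:8080"}},
        {"name": "ci", "cluster": {
            "server": "https://10.0.0.4:6443",
            "certificate-authority-data": "not base64!",
        }},
        {"name": "dev", "cluster": {"server": "https://dev.example.internal:6443"}},
    ],
    "contexts": [],
    "users": [],
}

if __name__ == "__main__":
    for finding in audit_kubeconfig(SAMPLE_KUBECONFIG):
        print(finding)
```

To run it against a real file, load the YAML with any parser into the same dict shape and pass it to audit_kubeconfig; a clean result means every cluster is reached over https with a CA the client can actually verify against.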
Argo CD is vulnerable to a path traversal bug, compounded by an improper access control bug, allowing a malicious user with read-only repository access to leak sensitive files from Argo CD's repo-server.
More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24730
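A service that serves files out of a repository checkout, as Argo CD's repo-server does, has to confine every requested path to that checkout. The example below is added here and is not Argo CD's code or its fix for CVE-2022-24730: a safe_join helper that resolves the requested path against the repository root and refuses anything that ends up outside it, which catches both ".." segments and symlinks committed to the repository that point elsewhere on disk. The demo builds a constructed repository layout in a temporary directory to exercise it.

```python
"""Confine a user-supplied relative path to a repository checkout.

Added example, not Argo CD's own code: safe_join() resolves the requested
path and checks that the result still lies inside the repository root.
Both sides are fully resolved (symlinks followed), so a symlink committed
to the repository is judged by where it points, not by where it sits.
demo() builds a constructed directory layout to exercise the check.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict


class PathTraversal(ValueError):
    """Raised when a requested path would leave the repository root."""


def safe_join(root: Path, requested: str) -> Path:
    """Return root/requested as an absolute path, or raise PathTraversal."""
    root_real = root.resolve(strict=True)
    if os.path.isabs(requested):
        raise PathTraversal(f"absolute path rejected: {requested!r}")
    candidate = (root_real / requested).resolve()
    # commonpath works on normalized, fully resolved paths, so '..'
    # segments and symlinks leading outside are both caught here.
    if os.path.commonpath([str(root_real), str(candidate)]) != str(root_real):
        raise PathTraversal(f"{requested!r} resolves outside {root_real}")
    return candidate


def demo() -> Dict[str, str]:
    """Exercise safe_join on a constructed checkout; returns request -> outcome."""
    base = Path(tempfile.mkdtemp(prefix="repo-server-demo-"))
    repo = base / "repo"
    (repo / "manifests").mkdir(parents=True)
    (repo / "manifests" / "app.yaml").write_text("kind: Deployment\n")
    outside = base / "outside"
    outside.mkdir()
    (outside / "secret.txt").write_text("constructed secret, not real data\n")
    # A symlink "committed" to the repository that points outside the checkout.
    (repo / "leak").symlink_to(outside / "secret.txt")

    requests = [
        "manifests/app.yaml",                    # legitimate
        "../outside/secret.txt",                 # plain traversal
        "manifests/../../outside/secret.txt",    # traversal hidden behind a valid prefix
        "leak",                                  # symlink escape
        "/etc/passwd",                           # absolute path
    ]
    results: Dict[str, str] = {}
    root_real = repo.resolve()
    for req in requests:
        try:
            results[req] = "allowed:" + safe_join(repo, req).relative_to(root_real).as_posix()
        except PathTraversal:
            results[req] = "denied"
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req:40} {outcome}")
```

Open the file using the path safe_join returns, not the original request string, so the path that was checked is the path that is read.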
Malicious Docker containers are a relatively new form of attack, taking advantage of an exposed Docker API or vulnerable host to do their evil plotting. In this article, you'll walk through the triage of a malicious image.
More: https://sysdig.com/blog/triaging-malicious-docker-container
In this article, you will learn how to escape from a privileged container using the cgroup_release_agent escape trick (CVE-2022-0492).
More: https://pwning.systems/posts/escaping-containers-for-fun
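The release_agent trick needs two things from inside the container: the ability to write to the root of a cgroup v1 hierarchy, and the privilege to do so (CAP_SYS_ADMIN, which a privileged container has and which the CVE-2022-0492 fix made the kernel require). The script below is an added example, not code from the linked post, that reports both from the two files a pentester looks at first, /proc/self/status and /proc/self/mountinfo. Its functions take the file contents as strings so the constructed samples (a privileged container and a default Docker container) run anywhere; main() feeds them the real files when run inside a container.

```python
"""Assess whether this container could reach a cgroup v1 release_agent.

Added example, not code from the linked post. It reports (1) whether
CAP_SYS_ADMIN is in the effective capability set and (2) which cgroup v1
hierarchies are mounted read-write with the hierarchy root visible, which
is where the release_agent file lives. With CAP_SYS_ADMIN a container can
also mount a fresh cgroup hierarchy itself, so the capability alone is
enough. The /proc samples below are constructed.
"""
import os
from typing import Dict, List

CAP_SYS_ADMIN = 21  # bit index from linux/capability.h
CAP_SYS_CHROOT = 18


def effective_caps(status_text: str) -> int:
    """Return the CapEff bitmask from a /proc/<pid>/status dump."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("CapEff line not found")


def has_cap(mask: int, cap: int) -> bool:
    return bool((mask >> cap) & 1)


def writable_cgroup_v1_roots(mountinfo_text: str) -> List[str]:
    """Mount points of cgroup v1 hierarchies mounted rw with root '/'.

    mountinfo fields: id parent major:minor root mountpoint opts [optional..] - fstype source superopts
    The per-mount opts (field 6) decide read-only, not the superblock opts.
    Only 'cgroup' (v1) counts: cgroup2 has no release_agent.
    """
    hits: List[str] = []
    for line in mountinfo_text.splitlines():
        if " - " not in line:
            continue
        pre, post = line.split(" - ", 1)
        pre_fields, post_fields = pre.split(), post.split()
        if len(pre_fields) < 6 or not post_fields:
            continue
        root, mountpoint, opts = pre_fields[3], pre_fields[4], pre_fields[5]
        if post_fields[0] == "cgroup" and root == "/" and "rw" in opts.split(","):
            hits.append(mountpoint)
    return hits


def assess(status_text: str, mountinfo_text: str) -> Dict[str, object]:
    """Combine both signals into a verdict string plus the raw evidence."""
    sys_admin = has_cap(effective_caps(status_text), CAP_SYS_ADMIN)
    roots = writable_cgroup_v1_roots(mountinfo_text)
    if sys_admin:
        verdict = "privileged: CAP_SYS_ADMIN present, can mount a cgroup v1 hierarchy and write release_agent"
    elif roots:
        verdict = "writable cgroup v1 root visible: writing release_agent needs a kernel without the CVE-2022-0492 fix"
    else:
        verdict = "no obvious release_agent path from this container"
    return {"cap_sys_admin": sys_admin, "writable_cgroup_roots": roots, "verdict": verdict}


# Constructed samples: a --privileged container and a default Docker container.
PRIVILEGED_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
DEFAULT_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
PRIVILEGED_MOUNTINFO = (
    "35 24 0:28 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755\n"
    "40 35 0:29 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:13 - cgroup cgroup rw,memory\n"
)
DEFAULT_MOUNTINFO = (
    "35 24 0:28 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755\n"
    "40 35 0:29 /docker/0123abcd /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory\n"
)

if __name__ == "__main__":
    if os.path.exists("/proc/self/mountinfo"):
        with open("/proc/self/status") as f, open("/proc/self/mountinfo") as g:
            report = assess(f.read(), g.read())
    else:
        report = assess(DEFAULT_STATUS, DEFAULT_MOUNTINFO)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Drop the script into a shell in the container under test and run it; a verdict of "privileged" confirms the situation the article describes, and the mount list shows whether someone has additionally bind-mounted the host's /sys/fs/cgroup into an otherwise unprivileged Pod.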
A vulnerability in CRI-O could allow for attackers who are able to create pods in a Kubernetes or OpenShift cluster to break out to the underlying cluster node, effectively escalating their privileges.
More: https://blog.aquasec.com/cve-2022-0811-cri-o-vulnerability