Forwarded from Kube Architect
In this post, you will learn about Bitnami Sealed Secrets, a way of storing secrets in a Git repository securely.
You will also learn how to monitor the Sealed Secrets controller with Prometheus + Grafana.
More: https://carlosalca.medium.com/how-to-manage-all-my-k8s-secrets-in-git-securely-with-bitnami-sealed-secrets-43580b8fa0c7
See Datadog's proof of concept exploit for breaking out from unprivileged containers using the Dirty Pipe vulnerability.
More: https://datadoghq.com/blog/engineering/dirty-pipe-container-escape-poc
Forwarded from LearnKube news
Master Kubernetes with this 4-day Advanced Kubernetes workshop on the 9th of June (next week)!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
You can sign up here: https://learnk8s.io/online-advanced-june-2022
In this article, you'll cover the basic best practices to perform Digital Forensics and Incident Response (DFIR) in a Kubernetes cluster. You will also simulate how to inspect and respond to a breach.
More: https://sysdig.com/blog/guide-kubernetes-forensics-dfir
In March 2022, NSA & CISA issued a new version of the Kubernetes Hardening Guide, 1.1. Here are the most important points addressed in this new version.
More: https://armosec.io/blog/nsa-cisa-kubernetes-hardening-guide
ThreatMapper hunts for vulnerabilities in your production platforms and ranks these vulnerabilities based on their risk of exploitation. You can then prioritize the issues that present the greatest risk to the security of your applications.
More: https://github.com/deepfence/ThreatMapper
In this article, you will learn how to store your credentials in the Secrets Manager and automatically retrieve them for creating Kubernetes Secrets using External Secrets.
More: https://pjame-fb.medium.com/kubernetes-secrets-from-secrets-manager-using-external-secrets-operators-4819562c3b02
A flaw was found in all versions of kubeclient up to (but not including) v4.9.3, in the way it parsed kubeconfig files.
Ruby applications that leverage kubeclient to parse kubeconfig files are susceptible to Man-in-the-middle attacks (MITM).
More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0759
Argo CD is vulnerable to a path traversal bug, compounded by an improper access control bug, allowing a malicious user with read-only repository access to leak sensitive files from Argo CD's repo-server.
More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24730
Malicious Docker containers are a relatively new form of attack, taking advantage of an exposed Docker API or vulnerable host to do their evil plotting. In this article, you'll walk through the triage of a malicious image.
More: https://sysdig.com/blog/triaging-malicious-docker-container
In this article, you will learn how to escape from a privileged container using the cgroup_release_agent escape trick (CVE-2022-0492).
More: https://pwning.systems/posts/escaping-containers-for-fun
A vulnerability in CRI-O could allow for attackers who are able to create pods in a Kubernetes or OpenShift cluster to break out to the underlying cluster node, effectively escalating their privileges.
More: https://blog.aquasec.com/cve-2022-0811-cri-o-vulnerability
Forwarded from Kube Architect
In this post, you'll cover:
- High-level best practices you should know to secure your workflows.
- The various components that make up Argo, and how to secure those components.
- Dive into operating and using Argo securely.
More: https://blog.argoproj.io/practical-argo-workflows-hardening-dd8429acc1ce
In this tutorial, you will learn about the authentication, authorization, logging, and auditing of a Kubernetes cluster. Specifically, you will cover some of the best practices in AWS EKS.
More: https://dev.to/gitguardian/kubernetes-hardening-tutorial-part-3-authn-authz-logging-auditing-3fec
Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows users with Credentials/Create permission to read arbitrary files on the Jenkins controller.
More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27208
In this article, you will learn how the tools in the OpenShift Platform Plus bundle help an organization maintain and secure network traffic flows in multi-cluster OpenShift environments.
More: https://michaelkotelnikov.medium.com/maintaining-network-traffic-compliance-in-multi-cluster-openshift-environments-with-openshift-54fe369aa346
Kubernetes audit logs are powerful, but only if enabled and correctly configured. This article will help you get started using audit logs, and show you how to get the most out of them.
More: https://containiq.com/post/kubernetes-audit-logs
Forwarded from LearnKube news
The Kubernetes API server exposes an HTTP API that lets end-users, different parts of your cluster, and external components communicate with one another.
But how is access to the API restricted only to authorized users?
In this article, you will cover:
1. The difference between externally managed and internal identities.
2. How the Kubernetes API server implements different authentication plugins to authenticate users, such as static token, bearer token, X509 certificate, OIDC, etc.
3. How Kubernetes assigns identities for internal users with Service Accounts.
4. The difference between tokens created through Secrets and Service Account tokens created by the Kubelet.
5. How Federated OIDC works and how it can be integrated with a cloud provider such as Amazon Web Services.
6. How to use the Token Review API to verify Service Account tokens' validity within the cluster.
Full article here: https://learnk8s.io/authentication-kubernetes
In this post, you will learn how easily a limited user (such as a developer) can escalate their privileges and become an admin of a cluster which has been set up using kubeadm.
More: https://faun.pub/from-dev-to-admin-an-easy-kubernetes-privilege-escalation-you-should-be-aware-of-the-attack-950e6cf76cac
The Seccomp Agent receives seccomp file descriptors from container runtimes and handles system calls on behalf of the containers. Its goal is to support different use cases:
- Unprivileged container builds.
- Support of safe mknod.
More: https://github.com/kinvolk/seccompagent
ovn-kubernetes has a flaw that allows a system administrator or privileged attacker to create an egress network policy that bypasses existing ingress policies of other pods, allowing network traffic to access pods that should not be reachable.
More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0567