Kubesploit – Telegram
News and links on Kubernetes security curated by the @Learnk8s team
Website: https://kubesploit.io/
A flaw was found in all versions of kubeclient up to (but not including) v4.9.3, in the way it parsed kubeconfig files.
Ruby applications that leverage kubeclient to parse kubeconfig files are susceptible to Man-in-the-middle attacks (MITM).

More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0759
Argo CD is vulnerable to a path traversal bug, compounded by an improper access control bug, allowing a malicious user with read-only repository access to leak sensitive files from Argo CD's repo-server.

More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24730
Malicious Docker containers are a relatively new form of attack, taking advantage of an exposed Docker API or a vulnerable host to do their evil plotting. In this article, you'll walk through the triage of a malicious image.

More: https://sysdig.com/blog/triaging-malicious-docker-container
A vulnerability in CRI-O could allow for attackers who are able to create pods in a Kubernetes or OpenShift cluster to break out to the underlying cluster node, effectively escalating their privileges.

More: https://blog.aquasec.com/cve-2022-0811-cri-o-vulnerability
Forwarded from Kube Architect
In this post, you'll cover:

- High-level best practices you should know to secure your workflows.
- The various components that make up Argo, and how to secure those components.
- How to operate and use Argo securely.

More: https://blog.argoproj.io/practical-argo-workflows-hardening-dd8429acc1ce
In this tutorial, you will learn about authentication, authorization, logging, and auditing in a Kubernetes cluster. Specifically, it covers some of the best practices for AWS EKS.

More: https://dev.to/gitguardian/kubernetes-hardening-tutorial-part-3-authn-authz-logging-auditing-3fec
Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows users with Credentials/Create permission to read arbitrary files on the Jenkins controller.

More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27208
In this article, you will learn how the tools in the OpenShift Platform Plus bundle help an organization maintain and secure network traffic flows in multi cluster OpenShift environments.

More: https://michaelkotelnikov.medium.com/maintaining-network-traffic-compliance-in-multi-cluster-openshift-environments-with-openshift-54fe369aa346
Kubernetes audit logs are powerful, but only if enabled and correctly configured. This article will help you get started using audit logs, and show you how to get the most out of them.

More: https://containiq.com/post/kubernetes-audit-logs
Forwarded from LearnKube news
The Kubernetes API server exposes an HTTP API that lets end-users, different parts of your cluster, and external components communicate with one another.

But how is access to the API restricted only to authorized users?

In this article, you will cover:

1. The difference between externally managed and internal identities.
2. How the Kubernetes API server implements different authentication plugins to authenticate users, such as static token, bearer token, X509 certificate, OIDC, etc.
3. How Kubernetes assigns identities for internal users with Service Accounts.
4. The difference between tokens created through Secrets and Service Account tokens created by the Kubelet.
5. How Federated OIDC works and how it can be integrated with a cloud provider such as Amazon Web Services.
6. How to use the Token Review API to verify Service Account tokens' validity within the cluster.

Full article here: https://learnk8s.io/authentication-kubernetes
In this post, you will learn how easily a limited user (such as a developer) can escalate their privileges and become an admin of a cluster which has been set up using kubeadm.

More: https://faun.pub/from-dev-to-admin-an-easy-kubernetes-privilege-escalation-you-should-be-aware-of-the-attack-950e6cf76cac
The Seccomp Agent receives seccomp file descriptors from container runtimes and handles system calls on behalf of the containers. Its goal is to support different use cases:

- Unprivileged container builds.
- Support of safe mknod.

More: https://github.com/kinvolk/seccompagent
ovn-kubernetes has a flaw that allows a system administrator or privileged attacker to create an egress network policy that bypasses existing ingress policies of other pods, allowing network traffic to access pods that should not be reachable.

More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0567
Ephemeral containers are temporary containers that can be attached to a Pod after it has been created.

But what happens when you use them on a hardened cluster?

The answer is not so obvious, as OPA, Kyverno, PSPs, etc. will do their best to (rightly) prevent execution.

More: https://xenitab.github.io/blog/2022/04/12/ephemeral-container-security
In Kubernetes, there are two aspects to security: cluster security and application security. In this post, you'll explore how to secure Kubernetes deployments and applications in general.

More: https://armosec.io/blog/secure-kubernetes-deployment
Garden is an automation platform for Kubernetes development and testing. In versions prior to 0.12.39, multiple endpoints did not require authentication. In some operating modes this allows an attacker to gain access to the application erroneously.

More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24829
Forwarded from LearnKube news
There are several ways to create a data fetching mechanism for the Open Policy Agent, each with its own pros and cons.
In this guide, you will compare them and decide which one is the best for you.

More: https://dev.to/permit_io/load-external-data-into-opa-the-good-the-bad-and-the-ugly-26lc
Vulnscan is a suite of reporting and analysis tools built on top of Anchore's syft utility (to create software bills of materials) and Grype utility (to scan those SBOMs for vulnerabilities). This suite is designed to be run on a Kubernetes cluster.

More: https://github.com/davideshay/vulnscan#readme
Forwarded from LearnKube news

You can sign up here: https://learnk8s.io/online-advanced-july-2022