Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows users with Credentials/Create permission to read arbitrary files on the Jenkins controller.

More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27208

In this article, you will learn how the tools in the OpenShift Platform Plus bundle help an organization maintain and secure network traffic flows in multi cluster OpenShift environments.

More: https://michaelkotelnikov.medium.com/maintaining-network-traffic-compliance-in-multi-cluster-openshift-environments-with-openshift-54fe369aa346

Kubernetes audit logs are powerful, but only if enabled and correctly configured. This article will help you get started using audit logs, and show you how to get the most out of them.

More: https://containiq.com/post/kubernetes-audit-logs

The Kubernetes API server exposes an HTTP API that lets end-users, different parts of your cluster, and external components communicate with one another.

But how is access to the API restricted only to authorized users?

In this article, you will cover:

1. The difference between externally managed and internal identities.
2. How the Kubernetes API server implements different authentication plugins to authenticate users, such as static token, bearer token, X509 certificate, OIDC, etc.
3. How Kubernetes assigns identities for internal users with Service Accounts.
4. The difference between tokens created through Secrets and Service Account tokens created by the Kubelet.
5. How Federated OIDC works and how it can be integrated with a cloud provider such as Amazon Web Services.
6. How to use the Token Review API to verify Service Account tokens' validity within the cluster.

Full article here: https://learnk8s.io/authentication-kubernetes

In this post, you will learn how easily a limited user (such as a developer) can escalate their privileges and become an admin of a cluster which has been set up using kubeadm.

More: https://faun.pub/from-dev-to-admin-an-easy-kubernetes-privilege-escalation-you-should-be-aware-of-the-attack-950e6cf76cac

The Seccomp Agent is receiving seccomp file denoscriptors from container runtimes and handling system calls on behalf of the containers. Its goal is to support different use cases:

- Unprivileged container builds.
- Support of safe mknod.

More: https://github.com/kinvolk/seccompagent

ovn-kubernetes has a flaw that allows a system administrator or privileged attacker to create an egress network policy that bypasses existing ingress policies of other pods, allowing network traffic to access pods that should not be reachable.

More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0567

This article will discuss two architectural approaches to managing secrets with GitOps: encrypted secrets stored in Git and storing a reference to secrets in Git.

More: https://cloud.redhat.com/blog/a-guide-to-secrets-management-with-gitops-and-kubernetes

Ephemeral containers are temp containers that can be attached after a Pod is created.

But what happens when you use them on a hardened cluster?

The answer is not so obvious as OPA, Kyverno, PSPs, etc. will do their best to (rightly) prevent execution.

More: https://xenitab.github.io/blog/2022/04/12/ephemeral-container-security

In Kubernetes, there are two aspects to security: cluster security and application security. In this post, you'll explore how to secure ‌Kubernetes deployments and applications in general.

More: https://armosec.io/blog/secure-kubernetes-deployment

Garden is an automation platform for Kubernetes development and testing. In versions prior to 0.12.39 multiple endpoints did not require authentication. In some operating modes this allows for an attacker to gain access to the application erroneously.

More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24829

There are several ways to create a data fetching mechanism for the Open Policy Agent - each of them has its pros and cons.
In this guide, you will compare and decide which one is the best for you.

More: https://dev.to/permit_io/load-external-data-into-opa-the-good-the-bad-and-the-ugly-26lc

Vulnscan is a suite of reporting and analysis tools built on top of Anchore's syft utility (to create software bills of material) and Grype utility (to scan those SBOMs for vulnerabilities). This suite is designed to be run on a kubernetes cluster.

More: https://github.com/davideshay/vulnscan#readme

undefined

You can sign up here: https://learnk8s.io/online-advanced-july-2022

Starboard integrates security tools by incorporating their outputs into Kubernetes CRDs (Custom Resource Definitions) and making security reports accessible through the Kubernetes API.

More: https://github.com/aquasecurity/starboard

Trousseau uses the Kubernetes KMS provider framework to provide an envelope encryption scheme to encrypt secrets on the fly before they reach etcd.

The project is modular and you can plug your own KMS tool (e.g. Vault).

More: https://github.com/ondat/trousseau

This operator scans all SBOMs from a git-repository for vulnerabilities using Grype. The result-list can be emitted as JSON-file served via an endpoint and/or as Prometheus metrics.

More: https://github.com/ckotzbauer/vulnerability-operator

[PDF] In this whitepaper, you will discuss the security aspects of different base images for containers.

In other words, the same container (i.e. python) could have more or fewer issues depending on the underlying OS (i.e. Alpine, Debian, etc.)

More: https://chainguard.dev/blog-static/chainguard-all-about-that-base-image.pdf

Tales from a recent pentest of a product hosted on the AWS cloud backed by Kubernetes (EKS) and a whole lot of secure design goodness that withstood the attack attempts.

More: https://blog.appsecco.com/hacking-an-aws-hosted-kubernetes-backed-product-and-failing-904cbe0b7c0d

Learn how the team at Xendit found an issue with Linkerd and TLS on Kubernetes and how they did (not) fix it.

More: https://blog.xendit.engineer/debugging-k8s-issues-intermittent-outbound-tls-issues-with-linkerd-7476f02f3cea

kubeval is a tool for validating a Kubernetes YAML or JSON configuration file. It does so using schemas generated from the Kubernetes OpenAPI specification, and therefore can validate schemas for multiple versions of Kubernetes.

More: https://github.com/instrumenta/kubeval