[PDF] In this whitepaper, you will discuss the security aspects of different base images for containers.

In other words, the same container (i.e. python) could have more or fewer issues depending on the underlying OS (i.e. Alpine, Debian, etc.)

More: https://chainguard.dev/blog-static/chainguard-all-about-that-base-image.pdf

Tales from a recent pentest of a product hosted on the AWS cloud backed by Kubernetes (EKS) and a whole lot of secure design goodness that withstood the attack attempts.

More: https://blog.appsecco.com/hacking-an-aws-hosted-kubernetes-backed-product-and-failing-904cbe0b7c0d

Learn how the team at Xendit found an issue with Linkerd and TLS on Kubernetes and how they did (not) fix it.

More: https://blog.xendit.engineer/debugging-k8s-issues-intermittent-outbound-tls-issues-with-linkerd-7476f02f3cea

kubeval is a tool for validating a Kubernetes YAML or JSON configuration file. It does so using schemas generated from the Kubernetes OpenAPI specification, and therefore can validate schemas for multiple versions of Kubernetes.

More: https://github.com/instrumenta/kubeval

Infra enables you to discover and access infrastructure (e.g. Kubernetes, databases).

It helps you connect an identity provider such as Okta or Azure active directory, and map users/groups with the permissions you set to your infrastructure.

More: https://github.com/infrahq/infra

This article shows how to enable secure HTTPS on Kubernetes for Spring Boot applications using Istio and Cert Manager.

More: https://piotrminkowski.com/2022/06/01/https-on-kubernetes-with-spring-boot-istio-and-cert-manager

The best way to know if something works is to test it.

In this article, you will cover how to install and run the Atomic Red Team environment on Kubernetes to generate suspicious events based on ATT&CK techniques and see how Falco triggers alerts.

More: https://sysdig.com/blog/atomic-red-team-falco

This article contains a collection of best practices and tips regarding securing containerized environments.

More: https://medium.com/technology-hits/incomplete-guide-for-securing-containerized-environment-78b57fc3238

kconnect is a CLI utility that can be used to discover and securely access Kubernetes clusters across multiple operating environments.

More: https://github.com/fidelity/kconnect

What does it take to get a job as a Kubernetes engineer?

Do you need a Kubernetes certification to apply for a job?

What's the average salary for a Kubernetes engineer?

We analyzed 93 Kubernetes jobs for the first three months of 2022 and found that:

- The average Kubernetes job pays €83,722 in Europe and $143,684 in North America.
- The majority of the job listings are for Senior DevOps Engineers (no junior roles, unfortunately).
- 64% of the jobs mention remote working!
- As usual, AWS, Python, Terraform, Prometheus and Jenkins are the top mentions in any Kubernetes job denoscriptions.

You can read the full report here: https://kube.careers/kubernetes-trend-report-2022-q2

Azure Key Vault Provider for Secrets Store CSI Driver maps a Kubernetes resource called SecretProviderClass to an Azure Key Vault and lets you select which secrets, keys, and/or certificates you'd like to expose.

Learn more in this article.

More: https://medium.com/dzerolabs/kubernetes-saved-today-f-cked-tomorrow-a-rant-azure-key-vault-secrets-%C3%A0-la-kubernetes-fc3be5e65d18

A short and visual thread on how Kubernetes RBAC works in Kubernetes.

More: https://medium.com/@danielepolencic/how-does-rbac-work-in-kubernetes-d50dd34771ca

RBAC-police is a CLI tool that lets you evaluate the RBAC permissions of service accounts, pods and nodes in Kubernetes clusters through policies written in Rego.

More: https://github.com/PaloAltoNetworks/rbac-police

This article summarizes a list of recommendations for hardening Kubernetes clusters (both on-prem and cloud) with Admission and Mutation webhooks using the open-source tool Gatekeeper.

More: https://faun.pub/gatekeeper-k8-hardening-backlog-956d1b6860b6

In this tutorial, you will learn how to write Kubernetes policies using JavaScript/Typenoscript with the help of jsPolicy and deploy them via GitOps using Flux.

More: https://blog.ediri.io/writing-kubernetes-policies-with-jspolicy

In this article, you will learn about man-in-the-middle attacks related to downloading container images and how you can prevent them using Connaisseur — an admission controller that integrates Container Image Signature Verification.

More: https://medium.com/linkbynet/trust-but-verify-3a4852d2420

In this article, you will compare the External Secrets Operator with Secret Storage CSI for using external secrets in a Kubernetes cluster. You will compare:

- Architecture.
- Authorization management.
- Resource usage.
- GitOps friendliness.

More: https://mixi-developers.mixi.co.jp/compare-eso-with-secret-csi-402bf37f20bc

This repository contains a reading list for software supply-chain security.

More: https://github.com/chainguard-dev/ssc-reading-list

Learn how Cilium can be configured to provide sidecar-free mTLS-based authentication with excellent security and performance characteristics (without the overhead of traditional service meshes).

More: https://isovalent.com/blog/post/2022-05-03-servicemesh-security

The External Secrets Operator provides an alternative to the Kubernetes Secret object.

It does this by providing Custom Resources, which define where secrets live and how to synchronize them.

Learn how to use it with the AWS secrets manager.

More: https://ptuladhar3.medium.com/getting-started-with-external-secrets-operator-on-kubernetes-using-aws-secrets-manager-6dc403d9630c

dexter is an OIDC (OpenId Connect) helper designed to create a hassle-free Kubernetes login experience powered by Google or Azure as Identity Provider.

All you need is a properly configured Google or Azure client ID & secret.

More: https://github.com/gini/dexter