This article contains a collection of best practices and tips regarding securing containerized environments.
More: https://medium.com/technology-hits/incomplete-guide-for-securing-containerized-environment-78b57fc3238
More: https://medium.com/technology-hits/incomplete-guide-for-securing-containerized-environment-78b57fc3238
Medium
Incomplete Guide for Securing Containerized Environment
And Understanding How Containers Present Unique Security Challenges
kconnect is a CLI utility that can be used to discover and securely access Kubernetes clusters across multiple operating environments.
More: https://github.com/fidelity/kconnect
More: https://github.com/fidelity/kconnect
GitHub
GitHub - fidelity/kconnect: Kubernetes Connection Manager CLI
Kubernetes Connection Manager CLI. Contribute to fidelity/kconnect development by creating an account on GitHub.
Forwarded from Kube Careers
What does it take to get a job as a Kubernetes engineer?
Do you need a Kubernetes certification to apply for a job?
What's the average salary for a Kubernetes engineer?
We analyzed 93 Kubernetes jobs for the first three months of 2022 and found that:
- The average Kubernetes job pays €83,722 in Europe and $143,684 in North America.
- The majority of the job listings are for Senior DevOps Engineers (no junior roles, unfortunately).
- 64% of the jobs mention remote working!
- As usual, AWS, Python, Terraform, Prometheus and Jenkins are the top mentions in any Kubernetes job denoscriptions.
You can read the full report here: https://kube.careers/kubernetes-trend-report-2022-q2
Do you need a Kubernetes certification to apply for a job?
What's the average salary for a Kubernetes engineer?
We analyzed 93 Kubernetes jobs for the first three months of 2022 and found that:
- The average Kubernetes job pays €83,722 in Europe and $143,684 in North America.
- The majority of the job listings are for Senior DevOps Engineers (no junior roles, unfortunately).
- 64% of the jobs mention remote working!
- As usual, AWS, Python, Terraform, Prometheus and Jenkins are the top mentions in any Kubernetes job denoscriptions.
You can read the full report here: https://kube.careers/kubernetes-trend-report-2022-q2
Azure Key Vault Provider for Secrets Store CSI Driver maps a Kubernetes resource called SecretProviderClass to an Azure Key Vault and lets you select which secrets, keys, and/or certificates you'd like to expose.
Learn more in this article.
More: https://medium.com/dzerolabs/kubernetes-saved-today-f-cked-tomorrow-a-rant-azure-key-vault-secrets-%C3%A0-la-kubernetes-fc3be5e65d18
Learn more in this article.
More: https://medium.com/dzerolabs/kubernetes-saved-today-f-cked-tomorrow-a-rant-azure-key-vault-secrets-%C3%A0-la-kubernetes-fc3be5e65d18
A short and visual thread on how Kubernetes RBAC works in Kubernetes.
More: https://medium.com/@danielepolencic/how-does-rbac-work-in-kubernetes-d50dd34771ca
More: https://medium.com/@danielepolencic/how-does-rbac-work-in-kubernetes-d50dd34771ca
RBAC-police is a CLI tool that lets you evaluate the RBAC permissions of service accounts, pods and nodes in Kubernetes clusters through policies written in Rego.
More: https://github.com/PaloAltoNetworks/rbac-police
More: https://github.com/PaloAltoNetworks/rbac-police
GitHub
GitHub - PaloAltoNetworks/rbac-police: Evaluate the RBAC permissions of Kubernetes identities through policies written in Rego
Evaluate the RBAC permissions of Kubernetes identities through policies written in Rego - PaloAltoNetworks/rbac-police
This article summarizes a list of recommendations for hardening Kubernetes clusters (both on-prem and cloud) with Admission and Mutation webhooks using the open-source tool Gatekeeper.
More: https://faun.pub/gatekeeper-k8-hardening-backlog-956d1b6860b6
More: https://faun.pub/gatekeeper-k8-hardening-backlog-956d1b6860b6
In this tutorial, you will learn how to write Kubernetes policies using JavaScript/Typenoscript with the help of jsPolicy and deploy them via GitOps using Flux.
More: https://blog.ediri.io/writing-kubernetes-policies-with-jspolicy
More: https://blog.ediri.io/writing-kubernetes-policies-with-jspolicy
In this article, you will learn about man-in-the-middle attacks related to downloading container images and how you can prevent them using Connaisseur — an admission controller that integrates Container Image Signature Verification.
More: https://medium.com/linkbynet/trust-but-verify-3a4852d2420
More: https://medium.com/linkbynet/trust-but-verify-3a4852d2420
In this article, you will compare the External Secrets Operator with Secret Storage CSI for using external secrets in a Kubernetes cluster. You will compare:
- Architecture.
- Authorization management.
- Resource usage.
- GitOps friendliness.
More: https://mixi-developers.mixi.co.jp/compare-eso-with-secret-csi-402bf37f20bc
- Architecture.
- Authorization management.
- Resource usage.
- GitOps friendliness.
More: https://mixi-developers.mixi.co.jp/compare-eso-with-secret-csi-402bf37f20bc
This repository contains a reading list for software supply-chain security.
More: https://github.com/chainguard-dev/ssc-reading-list
More: https://github.com/chainguard-dev/ssc-reading-list
GitHub
GitHub - chainguard-dev/ssc-reading-list: A reading list for software supply-chain security.
A reading list for software supply-chain security. - chainguard-dev/ssc-reading-list
Learn how Cilium can be configured to provide sidecar-free mTLS-based authentication with excellent security and performance characteristics (without the overhead of traditional service meshes).
More: https://isovalent.com/blog/post/2022-05-03-servicemesh-security
More: https://isovalent.com/blog/post/2022-05-03-servicemesh-security
The External Secrets Operator provides an alternative to the Kubernetes Secret object.
It does this by providing Custom Resources, which define where secrets live and how to synchronize them.
Learn how to use it with the AWS secrets manager.
More: https://ptuladhar3.medium.com/getting-started-with-external-secrets-operator-on-kubernetes-using-aws-secrets-manager-6dc403d9630c
It does this by providing Custom Resources, which define where secrets live and how to synchronize them.
Learn how to use it with the AWS secrets manager.
More: https://ptuladhar3.medium.com/getting-started-with-external-secrets-operator-on-kubernetes-using-aws-secrets-manager-6dc403d9630c
dexter is an OIDC (OpenId Connect) helper designed to create a hassle-free Kubernetes login experience powered by Google or Azure as Identity Provider.
All you need is a properly configured Google or Azure client ID & secret.
More: https://github.com/gini/dexter
All you need is a properly configured Google or Azure client ID & secret.
More: https://github.com/gini/dexter
Kubelogin is a Kubernetes credential (exec) plugin implementing the Azure authentication methods such as:
- Device code login.
- Non-interactive service principal login.
- Non-interactive workload identity login.
- OIDC provider for Azure AD.
And more.
More: https://github.com/Azure/kubelogin
- Device code login.
- Non-interactive service principal login.
- Non-interactive workload identity login.
- OIDC provider for Azure AD.
And more.
More: https://github.com/Azure/kubelogin
GitHub
GitHub - Azure/kubelogin: A Kubernetes credential (exec) plugin implementing azure authentication
A Kubernetes credential (exec) plugin implementing azure authentication - Azure/kubelogin
In this article, you will learn why PodSecurityPolicies never made it as a GA feature, why they had to be replaced and what you should consider going forward.
More: https://macchaffee.com/blog/2022/psp-deprecation
More: https://macchaffee.com/blog/2022/psp-deprecation
Macchaffee
The Fumbled Deprecation of PodSecurityPolicies
Mac's Tech Blog
In this post, you'll learn how to achieve continuous Runtime-Security monitoring for container-based workloads running on Kubernetes through custom integration between Falco, Falco-SideKick, WebUI, and AWS CloudWatch/PagerDuty.
More: https://aymen-abdelwahed.medium.com/falco-security-at-runtime-for-kubernetes-d9176cc76020
More: https://aymen-abdelwahed.medium.com/falco-security-at-runtime-for-kubernetes-d9176cc76020
This article will cover Istio and:
- What is the sidecar pattern and what advantages does it have?
- How are the sidecar injections done in Istio?
- How does the sidecar proxy do transparent traffic hijacking?
- How is the traffic routed upstream?
More: https://jimmysong.io/en/blog/sidecar-injection-iptables-and-traffic-routing
- What is the sidecar pattern and what advantages does it have?
- How are the sidecar injections done in Istio?
- How does the sidecar proxy do transparent traffic hijacking?
- How is the traffic routed upstream?
More: https://jimmysong.io/en/blog/sidecar-injection-iptables-and-traffic-routing
Kubernetes is neither secure by default, nor by itself.
You absolutely can, and must, harden its configuration.
This article summarises the NSA/CISA guidelines on security hardening Kubernetes.
More: https://elastisys.com/nsa-cisa-kubernetes-security-hardening-guide-and-beyond-for-2022
You absolutely can, and must, harden its configuration.
This article summarises the NSA/CISA guidelines on security hardening Kubernetes.
More: https://elastisys.com/nsa-cisa-kubernetes-security-hardening-guide-and-beyond-for-2022
elastisys
Free Guide: How to Security Harden Kubernetes in 2022
How to security harden Kubernetes in 2022. The NSA/CISA guidelines summarized, with Elastisys hands-on advice and real-world recommendations.
Forwarded from LearnKube news
Learnk8s and Linode are launching a three-part, free educational program on Kubernetes scaling.
Each session comes with a webinar, code samples and a step-by-step article:
- Unit 1: "Request-based autoscaling in Kubernetes: scaling to zero and back" (21st of Sept)
- Unit 2: "Proactive cluster autoscaling in Kubernetes" (28th of Sept)
- Unit 3: "Scaling Kubernetes to multiple clusters and regions" (5th of Oct)
What you can expect:
- A live webinar (Chris, Salman & Daniele will present them). The event is recorded, and you can watch it later too.
- A step-by-step tutorial on Linode's blog where you can try everything we demo live.
- A collection of noscripts and resources helpful to understand and (if you want) extend our code.
You can sign up here: bit.ly/k8s-scale
Each session comes with a webinar, code samples and a step-by-step article:
- Unit 1: "Request-based autoscaling in Kubernetes: scaling to zero and back" (21st of Sept)
- Unit 2: "Proactive cluster autoscaling in Kubernetes" (28th of Sept)
- Unit 3: "Scaling Kubernetes to multiple clusters and regions" (5th of Oct)
What you can expect:
- A live webinar (Chris, Salman & Daniele will present them). The event is recorded, and you can watch it later too.
- A step-by-step tutorial on Linode's blog where you can try everything we demo live.
- A collection of noscripts and resources helpful to understand and (if you want) extend our code.
You can sign up here: bit.ly/k8s-scale
Permission Manager is an application that enables a super-easy and user-friendly RBAC management for Kubernetes.
With Permission Manager, you can create users, assign namespaces/permissions, and distribute Kubeconfig YAML files via a nice & easy web UI.
More: https://github.com/sighupio/permission-manager
With Permission Manager, you can create users, assign namespaces/permissions, and distribute Kubeconfig YAML files via a nice & easy web UI.
More: https://github.com/sighupio/permission-manager