This post describes how to improve cert-manager self-check speed, by pointing the cluster to Google nameservers, and disabling DNS caching
→ https://usepine.com/blog/en/improving-cert-manager-self-check-speed-when-issuing-certificates
→ https://usepine.com/blog/en/improving-cert-manager-self-check-speed-when-issuing-certificates
In this tutorial you'll learn how to how to integrate Kubernetes with Dex + LDAP
More https://brightzheng100.medium.com/kubernetes-dex-ldap-integration-f305292a16b9
More https://brightzheng100.medium.com/kubernetes-dex-ldap-integration-f305292a16b9
In this tutorial, you'll learn how to run Linkerd and Cilium together and how to use Cilium to apply L3 and L4 network policies to a cluster running Linkerd
👉 https://buoyant.io/2020/12/23/kubernetes-network-policies-with-cilium-and-linkerd
👉 https://buoyant.io/2020/12/23/kubernetes-network-policies-with-cilium-and-linkerd
buoyant.io
Kubernetes network policies with Cilium and Linkerd
Applying L4 network policies with a service mesh. In this tutorial, you’ll learn how to run Linkerd and Cilium together and how to use Cilium to apply L3 and L4 network policies to a cluster running Linkerd. Linkerd is an ultralight, open source service mesh.…
Lockbox is a secure way to store Kubernetes Secrets offline. Secrets are asymmetrically encrypted, and can only be decrypted by the Lockbox Kubernetes controller
Read on: https://github.com/cloudflare/lockbox
Read on: https://github.com/cloudflare/lockbox
GitHub
GitHub - cloudflare/lockbox: Offline encryption of Kubernetes Secrets
Offline encryption of Kubernetes Secrets. Contribute to cloudflare/lockbox development by creating an account on GitHub.
Secrets injection at runtime from external Vault into Kubernetes
More https://itnext.io/secrets-injection-from-external-vault-into-kubernetes-poc-83a52c8cf5cb?source=friends_link
More https://itnext.io/secrets-injection-from-external-vault-into-kubernetes-poc-83a52c8cf5cb?source=friends_link
Medium
Secrets injection at runtime from external Vault into Kubernetes — POC
When you work in a multi cloud environment, you can't always use AWS secrets manager for storing all your secrets. Hashicorp Vault is an…
Kubernetes Single Sign On - A detailed guide in 9 parts
Read more: http://talkingquickly.co.uk/kubernetes-sso-a-detailed-guide
Read more: http://talkingquickly.co.uk/kubernetes-sso-a-detailed-guide
www.talkingquickly.co.uk
Kubernetes Single Sign On - A detailed guide
Blog by Ben Dixon, Ruby on Rails Developer, about rails, kubernetes, docker, climbing and startups
Choosing the right policy-as-code solution for your Kubernetes cluster:
- OPA
- Gatekeeper
- Kyverno
- k-rail
- MagTape
More: https://aws.amazon.com/blogs/containers/policy-based-countermeasures-for-kubernetes-part-1
- OPA
- Gatekeeper
- Kyverno
- k-rail
- MagTape
More: https://aws.amazon.com/blogs/containers/policy-based-countermeasures-for-kubernetes-part-1
How monero miners target and exploit cloud native dev environments
Read more: https://blog.aquasec.com/monero-miners-target-bitbucket-dockerhub
Read more: https://blog.aquasec.com/monero-miners-target-bitbucket-dockerhub
In this article you will learn how to protect Secrets in your Kubernetes cluster
More https://cncf.io/blog/2021/04/22/revealing-the-secrets-of-kubernetes-secrets
More https://cncf.io/blog/2021/04/22/revealing-the-secrets-of-kubernetes-secrets
CNCF
Revealing the secrets of Kubernetes secrets
Guest post by Ben Hirschberg, VP R&D and Co-Founder of ARMO Can you keep a secret? Hope so, because in this blog, I reveal the secrets of Kubernetes secrets. First, I dive into the mechanics of…
Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent dedicated for containerized environments written in Golang and built on top of Merlin project
More: https://github.com/cyberark/kubesploit
More: https://github.com/cyberark/kubesploit
GitHub
GitHub - cyberark/kubesploit: Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written…
Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments. - cyberark/kubesploit
In this article you will learn what can be done to make a Kubernetes-based environment comply with the PCI DSS
Read more https://elastisys.com/pci-dss-compliance-in-kubernetes-based-platforms
Read more https://elastisys.com/pci-dss-compliance-in-kubernetes-based-platforms
elastisys
PCI DSS compliance in Kubernetes-based platforms - elastisys
Kubernetes alone does not help achieve PCI DSS compliance. We cover the 12 requirements of how fintech businesses can make it more compliant.
An interesting way to protect your Kubernetes config file on your computer against accidental or malicious change or reading
Read on https://gist.github.com/PatrLind/e651d3cbc3bf68e4bd9fcc9568cbd3fb
Read on https://gist.github.com/PatrLind/e651d3cbc3bf68e4bd9fcc9568cbd3fb
Gist
How to protect your ~/.kube/ configuration
How to protect your ~/.kube/ configuration. GitHub Gist: instantly share code, notes, and snippets.
Trivy is a Simple and Comprehensive Vulnerability Scanner for Container Images, Git Repositories and Filesystems. Suitable for CI
Read more https://github.com/aquasecurity/trivy
Read more https://github.com/aquasecurity/trivy
Kube-secret-syncer is a Kubernetes operator developed using the Kubebuilder framework that keeps the values of Kubernetes Secrets synchronised to secrets in AWS Secrets Manager
Read on: https://github.com/contentful-labs/kube-secret-syncer
Read on: https://github.com/contentful-labs/kube-secret-syncer
GitHub
GitHub - contentful-labs/kube-secret-syncer: A Kubernetes operator to sync secrets from AWS Secrets Manager
A Kubernetes operator to sync secrets from AWS Secrets Manager - contentful-labs/kube-secret-syncer
Popeye is a utility that scans live Kubernetes cluster and reports potential issues with deployed resources and configurations. It sanitizes your cluster based on what's deployed and not what's sitting on disk.
→ https://github.com/derailed/popeye
→ https://github.com/derailed/popeye
The kube-secrets-init is a Kubernetes mutating admission webhook, that mutates any K8s Pod that is using specially prefixed environment variables, directly or from Kubernetes as Secret or ConfigMap
👉 https://github.com/doitintl/kube-secrets-init
👉 https://github.com/doitintl/kube-secrets-init
GitHub
GitHub - doitintl/kube-secrets-init: Kubernetes mutating webhook for `secrets-init` injection
Kubernetes mutating webhook for `secrets-init` injection - doitintl/kube-secrets-init
Preflight is a tool to automatically perform Kubernetes cluster configuration checks using Open Policy Agent (OPA).
More https://github.com/jetstack/preflight
More https://github.com/jetstack/preflight
GitHub
GitHub - jetstack/jetstack-secure: Open-source components of Jetstack Secure.
Open-source components of Jetstack Secure. Contribute to jetstack/jetstack-secure development by creating an account on GitHub.
awesome-kubernetes-security Awesome a curated list of awesome Kubernetes security resources.
👉 https://github.com/ksoclabs/awesome-kubernetes-security
👉 https://github.com/ksoclabs/awesome-kubernetes-security
GitHub
GitHub - ksoclabs/awesome-kubernetes-security: A curated list of awesome Kubernetes security resources
A curated list of awesome Kubernetes security resources - ksoclabs/awesome-kubernetes-security
kubectl-whisper-secret plugin allows users to create secrets with secure input prompt to prevent information leakages through terminal history, shoulder surfing attacks, etc.
👉 https://github.com/rewanth1997/kubectl-whisper-secret
👉 https://github.com/rewanth1997/kubectl-whisper-secret
GitHub
GitHub - rewanthtammana/kubectl-whisper-secret: Kubectl extension to create secrets by taking input from the console
Kubectl extension to create secrets by taking input from the console - GitHub - rewanthtammana/kubectl-whisper-secret: Kubectl extension to create secrets by taking input from the console
cosign is a tool that can sign container images. Cosign supports:
- Hardware and KMS signing
- Bring-your-own PKI
- Our free OIDC PKI (Fulcio)
→ https://github.com/sigstore/cosign
- Hardware and KMS signing
- Bring-your-own PKI
- Our free OIDC PKI (Fulcio)
→ https://github.com/sigstore/cosign