Forwarded from Kube Events
When your Kubernetes cluster runs low on resources, the Cluster Autoscaler provision a new node and adds it to the cluster.
The cloud provider has to create a virtual machine from scratch, provision it and connect it to the cluster.
The process could take more than a few minutes from start to end.
But there's an alternative: you can proactively create nodes that are already provisioned when you need them.
In this webinar, Chris will demo live how you can configure Pod Priorities and a placeholder pod to pre-warm node instances for quicker scaling.
You can register here (it's free): https://kube.events/t/f60e2777-059f-4ef7-a11e-5d71150f956f
The cloud provider has to create a virtual machine from scratch, provision it and connect it to the cluster.
The process could take more than a few minutes from start to end.
But there's an alternative: you can proactively create nodes that are already provisioned when you need them.
In this webinar, Chris will demo live how you can configure Pod Priorities and a placeholder pod to pre-warm node instances for quicker scaling.
You can register here (it's free): https://kube.events/t/f60e2777-059f-4ef7-a11e-5d71150f956f
All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site noscripting (XSS) bug allowing a malicious user to inject a
More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31035
javanoscript: link in the UI.More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31035
In this article, you will learn why PodSecurityPolicies never made it as a GA feature, why they had to be replaced and what you should consider going forward.
More: https://macchaffee.com/blog/2022/psp-deprecation
More: https://macchaffee.com/blog/2022/psp-deprecation
In an affected version of KubeEdge a malicious message can crash CloudCore by triggering a nil-pointer dereference in the UDS Server.
This bug has been fixed in Kubeedge
More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31076
This bug has been fixed in Kubeedge
1.11.0, 1.10.1, and 1.9.3.More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31076
In this article, you will explore how OpenShift provides a powerful mechanism to enhance the security of your AWS account by using short-lived credentials through STS, instead of static User credentials (Access Keys).
More: https://dev.to/mtulio/deep-dive-into-aws-oidc-identity-provider-when-installing-openshift-with-iam-sts-manual-sts-support-1bo7
More: https://dev.to/mtulio/deep-dive-into-aws-oidc-identity-provider-when-installing-openshift-with-iam-sts-manual-sts-support-1bo7
Paralus is a tool that enables controlled, audited access to Kubernetes infrastructure.
It comes with just-in-time service account creation and user-level credential management that integrates with your RBAC and SSO.
Ships as a GUI, API, and CLI.
More: https://github.com/paralus/paralus
It comes with just-in-time service account creation and user-level credential management that integrates with your RBAC and SSO.
Ships as a GUI, API, and CLI.
More: https://github.com/paralus/paralus
Forwarded from Kube Architect
This article focuses on how Teleport can be used to give developers secure access to a Kubernetes cluster.
More: https://edidiongasikpo.com/how-to-give-developers-secure-access-to-kubernetes-clusters
More: https://edidiongasikpo.com/how-to-give-developers-secure-access-to-kubernetes-clusters
Forwarded from Kube Events
One interesting challenge with Kubernetes is deploying workloads across several regions.
While you can technically have a cluster with several nodes located in different regions, this is generally regarded as something you should avoid due to the extra latency.
Another popular alternative is to deploy a cluster for each region and find a way to orchestrate them.
In this webinar, Daniele will demo live how to create, connect and operate three Kubernetes clusters in different regions.
You can register here (it's free): https://kube.events/t/a35a3a6f-2d32-458b-aca4-61bb9d8bb1ce
While you can technically have a cluster with several nodes located in different regions, this is generally regarded as something you should avoid due to the extra latency.
Another popular alternative is to deploy a cluster for each region and find a way to orchestrate them.
In this webinar, Daniele will demo live how to create, connect and operate three Kubernetes clusters in different regions.
You can register here (it's free): https://kube.events/t/a35a3a6f-2d32-458b-aca4-61bb9d8bb1ce
In this tutorial, you'll learn how to use Kyverno to automatically configure annotations that enable access logs for an AWS Network Load Balancer (NLB) to be forwarded to an S3 bucket for a service of type
More: https://silvr.medium.com/using-kyverno-to-enforce-aws-load-balancer-annotations-for-centralized-logging-to-s3-af5dc1f1f3e0
LoadBalancer.More: https://silvr.medium.com/using-kyverno-to-enforce-aws-load-balancer-annotations-for-centralized-logging-to-s3-af5dc1f1f3e0
This media is not supported in your browser
VIEW IN TELEGRAM
k8s-manifest-sigstore is a kubectl plugin that enables developers to sign and verify Kubernetes YAML files.
Also, the integrity of deployed manifests can be confirmed on a Kubernetes cluster.
More: https://github.com/sigstore/k8s-manifest-sigstore
Also, the integrity of deployed manifests can be confirmed on a Kubernetes cluster.
More: https://github.com/sigstore/k8s-manifest-sigstore
In this tutorial, you will learn how to evaluate wasm-compiled rego policies for the Open Policy Agent with Rust and the
More: https://inspektor.cloud/blog/evaluating-open-policy-agent-in-rust-using-wasm
burrego crate.More: https://inspektor.cloud/blog/evaluating-open-policy-agent-in-rust-using-wasm
Forwarded from Kube Events
🗓 Kubernetes events starting in the next 24 hours:
03 Oct 8:00 am GMT - 🔥 GOTO Copenhagen | Trifork - 📍 In-person conference
03 Oct 10:00 am GMT - KubeHuddle | KubeHuddle - 📍 In-person conference
→ See all Kubernetes events
03 Oct 8:00 am GMT - 🔥 GOTO Copenhagen | Trifork - 📍 In-person conference
03 Oct 10:00 am GMT - KubeHuddle | KubeHuddle - 📍 In-person conference
→ See all Kubernetes events
Since Kubescape's launch in August 2021, it has scanned more than 10,000 Kubernetes clusters.
In this report, you will find the aggregated data and analysis to highlight the essential stats on the state of Kubernetes security, risk, and compliance.
More: https://armosec.io/blog/what-we-learned-from-scanning-over-10k-kubernetes-clusters
In this report, you will find the aggregated data and analysis to highlight the essential stats on the state of Kubernetes security, risk, and compliance.
More: https://armosec.io/blog/what-we-learned-from-scanning-over-10k-kubernetes-clusters
This tutorial will walk through how Kubernetes Certificate Signing Requests can be utilized to distribute certificates that associate a user with a unique identity that can then be assigned access to a Kubernetes cluster with RBAC.
More: https://lisowski0925.medium.com/using-kubernetes-csrs-and-rbac-for-cluster-user-authentication-and-authorization-9df5498655cd
More: https://lisowski0925.medium.com/using-kubernetes-csrs-and-rbac-for-cluster-user-authentication-and-authorization-9df5498655cd
Kubernetes security scanners are tools that can be used to detect vulnerabilities and security issues in your applications. In this article you will find:
1. Grype.
2. Trivy.
3. Kubesec.
4. Kube-bench.
5. Kubeaudit.
More: https://blog.cloudsecque.com/how-to-improve-the-security-of-your-applications-with-kubernetes-security-scanners-cda97fd2f574
1. Grype.
2. Trivy.
3. Kubesec.
4. Kube-bench.
5. Kubeaudit.
More: https://blog.cloudsecque.com/how-to-improve-the-security-of-your-applications-with-kubernetes-security-scanners-cda97fd2f574
vals-operator syncs secrets from any secrets store supported by vals into Kubernetes.
It works similarly to secrets-manager, but it supports more secret stores other than HashiCorp Vault.
More: https://github.com/digitalis-io/vals-operator
It works similarly to secrets-manager, but it supports more secret stores other than HashiCorp Vault.
More: https://github.com/digitalis-io/vals-operator
During penetration tests and red team engagements, eBPF-based security tools can make detect and block most attacks.
In this article, you'll learn some of the limitations and bypass techniques.
More: https://form3.tech/engineering/content/bypassing-ebpf-tools
In this article, you'll learn some of the limitations and bypass techniques.
More: https://form3.tech/engineering/content/bypassing-ebpf-tools
In this article, you will learn how to attack and defend a Kubernetes cluster by solving the challenges of Kubernetes goat — an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
More: https://medium.com/@codingkarma/kubernetes-goat-part-1-8718b1345a42
More: https://medium.com/@codingkarma/kubernetes-goat-part-1-8718b1345a42
This report outlines a security engagement of the CRI-O project.
The assessment includes four high-level tasks:
1. Threat model formalisation of CRI-O.
2. Fuzzing integration of CRI-O into OSS-Fuzz.
3. Manual code auditing.
4. Documentation/testing review
More: https://github.com/cri-o/cri-o/blob/main/security/2022_security_audit_adalogics.pdf
The assessment includes four high-level tasks:
1. Threat model formalisation of CRI-O.
2. Fuzzing integration of CRI-O into OSS-Fuzz.
3. Manual code auditing.
4. Documentation/testing review
More: https://github.com/cri-o/cri-o/blob/main/security/2022_security_audit_adalogics.pdf
There is no standardized method for providing IAM group access to an EKS cluster or namespace.
In this article, you will learn how you can use an IAM role to authenticate the user group automatically and transparently when kubectl is being used.
More: https://eng.grip.security/enabling-aws-iam-group-access-to-an-eks-cluster-using-rbac
In this article, you will learn how you can use an IAM role to authenticate the user group automatically and transparently when kubectl is being used.
More: https://eng.grip.security/enabling-aws-iam-group-access-to-an-eks-cluster-using-rbac
This repository contains a set of over 1200 AppArmor profiles that can be used to confine most Linux base applications and processes.
More: https://github.com/roddhjav/apparmor.d
More: https://github.com/roddhjav/apparmor.d