Forwarded from Kube Events
🗓 Kubernetes events starting in the next 24 hours:
03 Oct 8:00 am GMT - 🔥 GOTO Copenhagen | Trifork - 📍 In-person conference
03 Oct 10:00 am GMT - KubeHuddle | KubeHuddle - 📍 In-person conference
→ See all Kubernetes events
03 Oct 8:00 am GMT - 🔥 GOTO Copenhagen | Trifork - 📍 In-person conference
03 Oct 10:00 am GMT - KubeHuddle | KubeHuddle - 📍 In-person conference
→ See all Kubernetes events
Since Kubescape's launch in August 2021, it has scanned more than 10,000 Kubernetes clusters.
In this report, you will find the aggregated data and analysis to highlight the essential stats on the state of Kubernetes security, risk, and compliance.
More: https://armosec.io/blog/what-we-learned-from-scanning-over-10k-kubernetes-clusters
In this report, you will find the aggregated data and analysis to highlight the essential stats on the state of Kubernetes security, risk, and compliance.
More: https://armosec.io/blog/what-we-learned-from-scanning-over-10k-kubernetes-clusters
This tutorial will walk through how Kubernetes Certificate Signing Requests can be utilized to distribute certificates that associate a user with a unique identity that can then be assigned access to a Kubernetes cluster with RBAC.
More: https://lisowski0925.medium.com/using-kubernetes-csrs-and-rbac-for-cluster-user-authentication-and-authorization-9df5498655cd
More: https://lisowski0925.medium.com/using-kubernetes-csrs-and-rbac-for-cluster-user-authentication-and-authorization-9df5498655cd
Kubernetes security scanners are tools that can be used to detect vulnerabilities and security issues in your applications. In this article you will find:
1. Grype.
2. Trivy.
3. Kubesec.
4. Kube-bench.
5. Kubeaudit.
More: https://blog.cloudsecque.com/how-to-improve-the-security-of-your-applications-with-kubernetes-security-scanners-cda97fd2f574
1. Grype.
2. Trivy.
3. Kubesec.
4. Kube-bench.
5. Kubeaudit.
More: https://blog.cloudsecque.com/how-to-improve-the-security-of-your-applications-with-kubernetes-security-scanners-cda97fd2f574
vals-operator syncs secrets from any secrets store supported by vals into Kubernetes.
It works similarly to secrets-manager, but it supports more secret stores other than HashiCorp Vault.
More: https://github.com/digitalis-io/vals-operator
It works similarly to secrets-manager, but it supports more secret stores other than HashiCorp Vault.
More: https://github.com/digitalis-io/vals-operator
During penetration tests and red team engagements, eBPF-based security tools can make detect and block most attacks.
In this article, you'll learn some of the limitations and bypass techniques.
More: https://form3.tech/engineering/content/bypassing-ebpf-tools
In this article, you'll learn some of the limitations and bypass techniques.
More: https://form3.tech/engineering/content/bypassing-ebpf-tools
In this article, you will learn how to attack and defend a Kubernetes cluster by solving the challenges of Kubernetes goat — an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
More: https://medium.com/@codingkarma/kubernetes-goat-part-1-8718b1345a42
More: https://medium.com/@codingkarma/kubernetes-goat-part-1-8718b1345a42
This report outlines a security engagement of the CRI-O project.
The assessment includes four high-level tasks:
1. Threat model formalisation of CRI-O.
2. Fuzzing integration of CRI-O into OSS-Fuzz.
3. Manual code auditing.
4. Documentation/testing review
More: https://github.com/cri-o/cri-o/blob/main/security/2022_security_audit_adalogics.pdf
The assessment includes four high-level tasks:
1. Threat model formalisation of CRI-O.
2. Fuzzing integration of CRI-O into OSS-Fuzz.
3. Manual code auditing.
4. Documentation/testing review
More: https://github.com/cri-o/cri-o/blob/main/security/2022_security_audit_adalogics.pdf
There is no standardized method for providing IAM group access to an EKS cluster or namespace.
In this article, you will learn how you can use an IAM role to authenticate the user group automatically and transparently when kubectl is being used.
More: https://eng.grip.security/enabling-aws-iam-group-access-to-an-eks-cluster-using-rbac
In this article, you will learn how you can use an IAM role to authenticate the user group automatically and transparently when kubectl is being used.
More: https://eng.grip.security/enabling-aws-iam-group-access-to-an-eks-cluster-using-rbac
This repository contains a set of over 1200 AppArmor profiles that can be used to confine most Linux base applications and processes.
More: https://github.com/roddhjav/apparmor.d
More: https://github.com/roddhjav/apparmor.d
The Security Profiles Operator (SPO) is an out-of-tree Kubernetes enhancement which aims to make it easier for users to use SELinux, seccomp and AppArmor in Kubernetes clusters.
More: https://github.com/kubernetes-sigs/security-profiles-operator
More: https://github.com/kubernetes-sigs/security-profiles-operator
In this three part series, you will deep dive into Seccomp for Kubernetes workloads:
1. 7 things you should know before you even start.
2. crafting custom seccomp profiles for your applications.
3. The new syntax plus some advanced topics.
More: https://itnext.io/seccomp-in-kubernetes-part-i-7-things-you-should-know-before-you-even-start-97502ad6b6d6
1. 7 things you should know before you even start.
2. crafting custom seccomp profiles for your applications.
3. The new syntax plus some advanced topics.
More: https://itnext.io/seccomp-in-kubernetes-part-i-7-things-you-should-know-before-you-even-start-97502ad6b6d6
KICS stands for Keeping Infrastructure as Code Secure, and it is a tool designed to find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code.
More: https://github.com/Checkmarx/kics
More: https://github.com/Checkmarx/kics
OWASP Kubernetes Top Ten is aimed at helping security practitioners, system administrators, and developers prioritize risks around the Kubernetes ecosystem.
This is a prioritized list of these risks backed by data.
More: https://owasp.org/www-project-kubernetes-top-ten
This is a prioritized list of these risks backed by data.
More: https://owasp.org/www-project-kubernetes-top-ten
Forwarded from LearnKube news
Master Kubernetes this November with one of our Advanced Kubernetes workshops (London or online)!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- **Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
You can sign up here: https://learnk8s.io/online-advanced-november-2022
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- **Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
You can sign up here: https://learnk8s.io/online-advanced-november-2022
Enabling a Kubernetes multi-tenant architecture comes with significant challenges, especially regarding cluster isolation and fair resource allocation.
In this article, you'll learn about ten essential considerations when using Kubernetes multi-tenancy.
More: https://loft.sh/blog/10-essentials-for-kubernetes-multi-tenancy
In this article, you'll learn about ten essential considerations when using Kubernetes multi-tenancy.
More: https://loft.sh/blog/10-essentials-for-kubernetes-multi-tenancy
Forwarded from Kube Architect
In this article, you'll learn how to grant access to users of a vcluster using DEX as a federated OpenID provider and kubelogin as a plugin for OIDC integration.
More: https://justinpolidori.it/posts/20220611_vcluster_auth
More: https://justinpolidori.it/posts/20220611_vcluster_auth
Forwarded from Kube Architect
Prior to version 1.7.1, Argo Events had several
More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31054
HandleRoute endpoints making use of the deprecated ioutil.ReadAll().ioutil.ReadAll() reads all the data into memory and an attacker might be able to use it and cause denial of service.More: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31054
This CoreDNS plugin enables the filtering of queries and responses based on expressions.
Since the plugin can also refer to other policy engines to determine the action to take, you could have it integrated with OPA or Kyverno.
More: https://github.com/coredns/policy
Since the plugin can also refer to other policy engines to determine the action to take, you could have it integrated with OPA or Kyverno.
More: https://github.com/coredns/policy
Cosign and Connaisseur allow us to secure the Kubernetes deployment with signature verification, ensuring that our images do not change.
More: https://sysdig.com/blog/secure-kubernetes-deployment-signature-verification
More: https://sysdig.com/blog/secure-kubernetes-deployment-signature-verification
Forwarded from Kube Events
🗓 Kubernetes events starting in the next 24 hours:
31 Oct 7:00 am GMT - Running arm64 and WebAssembly on Azure Kubernetes services | Coding Night NZ - 📍 Online meetup
→ See all Kubernetes events
31 Oct 7:00 am GMT - Running arm64 and WebAssembly on Azure Kubernetes services | Coding Night NZ - 📍 Online meetup
→ See all Kubernetes events