This repo contains two kubectl plugins:
1.
2.
More: https://github.com/jordanwilson230/kubectl-plugins/tree/krew#kubectl-exec-as
1.
kubectl exec-as — Like kubectl exec, but offers a --user flag to exec as root (or any other user).2.
kubectl prompt — Displays a warning prompt when issuing commands in a flagged cluster or namespace.More: https://github.com/jordanwilson230/kubectl-plugins/tree/krew#kubectl-exec-as
Kube No Trouble (kubent) is a tool to check whether you're using any deprecated APIs in your cluster and therefore should upgrade your workloads first, before upgrading your Kubernetes cluster.
More: https://github.com/doitintl/kube-no-trouble
More: https://github.com/doitintl/kube-no-trouble
This article contains a list of useful risks and mitigations for securing workloads in Kubernetes.
More: https://medium.com/@mkbadeniyi/how-to-secure-cloud-native-applications-38f59d99785e
More: https://medium.com/@mkbadeniyi/how-to-secure-cloud-native-applications-38f59d99785e
This article covers:
- What is a JWT, and why should you care?
- Dissecting Istio's JWT edge authentication & authorization.
- How to build an external authz service for Istio.
More: https://medium.com/globant/istio-jwt-authentication-authorization-at-the-edge-b35b612acd97
- What is a JWT, and why should you care?
- Dissecting Istio's JWT edge authentication & authorization.
- How to build an external authz service for Istio.
More: https://medium.com/globant/istio-jwt-authentication-authorization-at-the-edge-b35b612acd97
Forwarded from LearnKube news
In this article, you will discover the ins and outs of eBPF and why it is particularly exciting when it comes to observing your containers and Kubernetes clusters.
More: https://groundcover.com/blog/what-is-ebpf
More: https://groundcover.com/blog/what-is-ebpf
sKan is a tailor-made Kubernetes configuration files and resources scanner that enables developers and DevOps team members to check whether their work complies with security & ops best practices.
More: https://github.com/alcideio/skan
More: https://github.com/alcideio/skan
In this article, you will learn how to use the IAM Authenticator to authenticate to an EKS cluster.
More: https://betterprogramming.pub/kubernetes-authentication-in-aws-eks-using-iam-authenticator-de3a586e885c
More: https://betterprogramming.pub/kubernetes-authentication-in-aws-eks-using-iam-authenticator-de3a586e885c
This article focuses on configuring Kubernetes Audit Logs so you can have records of events happening in your cluster.
More: https://signoz.io/blog/kubernetes-audit-logs
More: https://signoz.io/blog/kubernetes-audit-logs
Forwarded from LearnKube news
Kubernetes doesn't load balance long-lived connections, and some pods might receive more requests than others.
If you're using gRPC, AMQP or any other long-lived connection (e.g. database), you might want to consider client-side load balancing.
More: https://learnk8s.io/kubernetes-long-lived-connections
If you're using gRPC, AMQP or any other long-lived connection (e.g. database), you might want to consider client-side load balancing.
More: https://learnk8s.io/kubernetes-long-lived-connections
KubePi allows administrators to import multiple Kubernetes clusters and assign permissions to different clusters and namespaces.
More: https://github.com/KubeOperator/KubePi
More: https://github.com/KubeOperator/KubePi
awesome-containerized-security is a collection of tools to improve your containerized apps security posture.
More: https://github.com/koslib/awesome-containerized-security
More: https://github.com/koslib/awesome-containerized-security
K8s-gatekeeper is an admission webhook that uses Casbin to apply arbitrary user-defined access control rules to help prevent any operation the administrator doesn't allow.
More: https://github.com/casbin/k8s-gatekeeper
More: https://github.com/casbin/k8s-gatekeeper
Role-based access control (RBAC) is a way of granting users granular access to Kubernetes API resources.
RBAC is a security design that limits access to Kubernetes resources based on the user's role.
Learn how to use RBAC in this tutorial.
More: https://faun.pub/give-users-and-groups-access-to-kubernetes-cluster-using-rbac-b614b6c0b383
RBAC is a security design that limits access to Kubernetes resources based on the user's role.
Learn how to use RBAC in this tutorial.
More: https://faun.pub/give-users-and-groups-access-to-kubernetes-cluster-using-rbac-b614b6c0b383
In this article, you will learn how to scan and discover publicly accessible Kubernetes clusters and how you can protect against it.
More: https://raesene.github.io/blog/2022/07/03/lets-talk-about-kubernetes-on-the-internet
More: https://raesene.github.io/blog/2022/07/03/lets-talk-about-kubernetes-on-the-internet
This project provides an OCI hook to generate seccomp profiles by tracing the syscalls made by the container.
The generated profile would allow all the syscalls made and deny every other syscall.
More: https://github.com/containers/oci-seccomp-bpf-hook
The generated profile would allow all the syscalls made and deny every other syscall.
More: https://github.com/containers/oci-seccomp-bpf-hook
This article will teach you how to exploit a vulnerability in Linux containers by bypassing negative group permissions.
More: https://benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation
More: https://benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation
KSOPS is a kustomize exec plugin for SOPS encrypted resources.
KSOPS can be used to decrypt any Kubernetes resource, but is most commonly used to decrypt encrypted Kubernetes Secrets and ConfigMaps.
More: https://github.com/viaduct-ai/kustomize-sops
KSOPS can be used to decrypt any Kubernetes resource, but is most commonly used to decrypt encrypted Kubernetes Secrets and ConfigMaps.
More: https://github.com/viaduct-ai/kustomize-sops
In this tutorial, you'll learn how to create a python program that uses IAM for Service Account to search for secrets in Secrets Manager and store them in a volume.
The noscript can be used as an init container to inject secrets into any pod.
More: https://kymidd.medium.com/lets-do-devops-eks-k8s-python-fuzzy-staging-with-aws-secrets-manager-k8s-init-disk-secrets-b0d8022f3a5d
The noscript can be used as an init container to inject secrets into any pod.
More: https://kymidd.medium.com/lets-do-devops-eks-k8s-python-fuzzy-staging-with-aws-secrets-manager-k8s-init-disk-secrets-b0d8022f3a5d
Kubeconform is a Kubernetes manifests validation tool.
Similar to Kubeval, but with the following improvements:
1. High performance.
2. Remote or local schemas locations
3. Up-to-date schemas for all recent versions of Kubernetes.
More: https://github.com/yannh/kubeconform
Similar to Kubeval, but with the following improvements:
1. High performance.
2. Remote or local schemas locations
3. Up-to-date schemas for all recent versions of Kubernetes.
More: https://github.com/yannh/kubeconform
The Kubernetes Security Profiles Operator aims to make it easier for users to use SELinux, seccomp and AppArmor in Kubernetes clusters.
More: https://github.com/kubernetes-sigs/security-profiles-operator
More: https://github.com/kubernetes-sigs/security-profiles-operator
In this article, you will learn how to integrate ArgoCD with HashiCorp Vault to manage secrets on Kubernetes.
To use ArgoCD and Vault together, you will use the ArgoCD Vault plugin.
More: https://piotrminkowski.com/2022/08/08/manage-secrets-on-kubernetes-with-argocd-and-vault
To use ArgoCD and Vault together, you will use the ArgoCD Vault plugin.
More: https://piotrminkowski.com/2022/08/08/manage-secrets-on-kubernetes-with-argocd-and-vault