This article focuses on configuring Kubernetes Audit Logs so you can have records of events happening in your cluster.

More: https://signoz.io/blog/kubernetes-audit-logs

Kubernetes doesn't load balance long-lived connections, and some pods might receive more requests than others.

If you're using gRPC, AMQP or any other long-lived connection (e.g. database), you might want to consider client-side load balancing.

More: https://learnk8s.io/kubernetes-long-lived-connections

KubePi allows administrators to import multiple Kubernetes clusters and assign permissions to different clusters and namespaces.

More: https://github.com/KubeOperator/KubePi

awesome-containerized-security is a collection of tools to improve your containerized apps security posture.

More: https://github.com/koslib/awesome-containerized-security

K8s-gatekeeper is an admission webhook that uses Casbin to apply arbitrary user-defined access control rules to help prevent any operation the administrator doesn't allow.

More: https://github.com/casbin/k8s-gatekeeper

Role-based access control (RBAC) is a way of granting users granular access to Kubernetes API resources.

RBAC is a security design that limits access to Kubernetes resources based on the user's role.

Learn how to use RBAC in this tutorial.

More: https://faun.pub/give-users-and-groups-access-to-kubernetes-cluster-using-rbac-b614b6c0b383

In this article, you will learn how to scan and discover publicly accessible Kubernetes clusters and how you can protect against it.

More: https://raesene.github.io/blog/2022/07/03/lets-talk-about-kubernetes-on-the-internet

This project provides an OCI hook to generate seccomp profiles by tracing the syscalls made by the container.

The generated profile would allow all the syscalls made and deny every other syscall.

More: https://github.com/containers/oci-seccomp-bpf-hook

This article will teach you how to exploit a vulnerability in Linux containers by bypassing negative group permissions.

More: https://benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation

KSOPS is a kustomize exec plugin for SOPS encrypted resources.

KSOPS can be used to decrypt any Kubernetes resource, but is most commonly used to decrypt encrypted Kubernetes Secrets and ConfigMaps.

More: https://github.com/viaduct-ai/kustomize-sops

In this tutorial, you'll learn how to create a python program that uses IAM for Service Account to search for secrets in Secrets Manager and store them in a volume.

The noscript can be used as an init container to inject secrets into any pod.

More: https://kymidd.medium.com/lets-do-devops-eks-k8s-python-fuzzy-staging-with-aws-secrets-manager-k8s-init-disk-secrets-b0d8022f3a5d

Kubeconform is a Kubernetes manifests validation tool.

Similar to Kubeval, but with the following improvements:

1. High performance.
2. Remote or local schemas locations
3. Up-to-date schemas for all recent versions of Kubernetes.

More: https://github.com/yannh/kubeconform

The Kubernetes Security Profiles Operator aims to make it easier for users to use SELinux, seccomp and AppArmor in Kubernetes clusters.

More: https://github.com/kubernetes-sigs/security-profiles-operator

In this article, you will learn how to integrate ArgoCD with HashiCorp Vault to manage secrets on Kubernetes.

To use ArgoCD and Vault together, you will use the ArgoCD Vault plugin.

More: https://piotrminkowski.com/2022/08/08/manage-secrets-on-kubernetes-with-argocd-and-vault

Admission controllers are a key component of the admission process performed by the Kubernetes API server.

They enable fine-grained control over the object creation, update, and deletion process.

Learn how they work in this article.

More: https://pradeepl.com/blog/kubernetes/introduction-to-kubernetes-admission-controllers

This repository aggregates over 100 popular Kubernetes CRDs (CustomResourceDefinition) in JSON schema format.

These schemas can be used by various tools, such as Datree, Kubeconform and Kubeval, as an alternative to kubectl --dry-run.

More: https://github.com/datreeio/CRDs-catalog

This article details how to secure mixed HTTP and gRPC web traffic with a single ingress controller.

As part of the process, TLS certificates will be issued by a trusted CA.

This will use Let’s Encrypt with cert-manager.

More: https://joachim8675309.medium.com/gke-with-grpc-and-ingress-nginx-644730915677

The kube-secrets-init is a Kubernetes mutating admission webhook, that mutates any pod that is using specially prefixed environment variables and injects secrets accordingly.

More: https://github.com/doitintl/kube-secrets-init

In this article, you will find a list of the security context that can be used to harden and, more importantly, gate deployments from security misconfiguration.

More: https://medium.com/@scotta01/kubernetes-owasp-top-10-insecure-workload-configurations-60818f0c68db

With Kubernetes v1.24, non-expiring service account tokens are no longer auto-generated.

This blog post highlights what this means in practice, and what to do if you rely on non-expiring service account tokens.

More: https://eng.d2iq.com/blog/service-account-tokens-in-kubernetes-v1.24

This article details how to secure web traffic using TLS with a certificate issued by a trusted CA on Google Kubernetes Engine.

This will use Let's Encrypt through a popular Kubernetes add-on called cert-manager.

More: https://joachim8675309.medium.com/gke-with-certmanager-9bc00b086b73