Kubesploit – Telegram
News and links on Kubernetes security curated by the @Learnk8s team
Website: https://kubesploit.io/
Role-based access control (RBAC) is a way of granting users granular access to Kubernetes API resources.

RBAC is a security design that limits access to Kubernetes resources based on the user's role.

Learn how to use RBAC in this tutorial.

More: https://faun.pub/give-users-and-groups-access-to-kubernetes-cluster-using-rbac-b614b6c0b383
In this article, you will learn how to scan for and discover publicly accessible Kubernetes clusters, and how to protect your own clusters from such exposure.

More: https://raesene.github.io/blog/2022/07/03/lets-talk-about-kubernetes-on-the-internet
This project provides an OCI hook to generate seccomp profiles by tracing the syscalls made by the container.

The generated profile would allow all the syscalls made and deny every other syscall.

More: https://github.com/containers/oci-seccomp-bpf-hook
This article investigates a vulnerability in Linux containers that allows negative group permissions to be bypassed, and how to mitigate it.

More: https://benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation
KSOPS is a kustomize exec plugin for SOPS encrypted resources.

KSOPS can be used to decrypt any Kubernetes resource, but is most commonly used to decrypt encrypted Kubernetes Secrets and ConfigMaps.

More: https://github.com/viaduct-ai/kustomize-sops
In this tutorial, you'll learn how to create a Python program that uses IAM for Service Accounts to look up secrets in AWS Secrets Manager and store them in a volume.

The script can be used as an init container to inject secrets into any pod.

More: https://kymidd.medium.com/lets-do-devops-eks-k8s-python-fuzzy-staging-with-aws-secrets-manager-k8s-init-disk-secrets-b0d8022f3a5d
Kubeconform is a Kubernetes manifests validation tool.

Similar to Kubeval, but with the following improvements:

1. High performance.
2. Remote or local schema locations.
3. Up-to-date schemas for all recent versions of Kubernetes.

More: https://github.com/yannh/kubeconform
The Kubernetes Security Profiles Operator aims to make it easier for users to use SELinux, seccomp and AppArmor in Kubernetes clusters.

More: https://github.com/kubernetes-sigs/security-profiles-operator
In this article, you will learn how to integrate ArgoCD with HashiCorp Vault to manage secrets on Kubernetes.

To use ArgoCD and Vault together, you will use the ArgoCD Vault plugin.

More: https://piotrminkowski.com/2022/08/08/manage-secrets-on-kubernetes-with-argocd-and-vault
Admission controllers are a key component of the admission process performed by the Kubernetes API server.

They enable fine-grained control over the object creation, update, and deletion process.

Learn how they work in this article.

More: https://pradeepl.com/blog/kubernetes/introduction-to-kubernetes-admission-controllers
This repository aggregates over 100 popular Kubernetes CRDs (CustomResourceDefinitions) in JSON Schema format.

These schemas can be used by various tools, such as Datree, Kubeconform and Kubeval, as an alternative to kubectl --dry-run.

More: https://github.com/datreeio/CRDs-catalog
Forwarded from Kube Architect
This article details how to secure mixed HTTP and gRPC web traffic with a single ingress controller.

As part of the process, TLS certificates will be issued by a trusted CA.

This will use Let’s Encrypt with cert-manager.

More: https://joachim8675309.medium.com/gke-with-grpc-and-ingress-nginx-644730915677
Forwarded from Kube Builders
kube-secrets-init is a Kubernetes mutating admission webhook that mutates any pod using specially prefixed environment variables and injects the corresponding secrets.

More: https://github.com/doitintl/kube-secrets-init
In this article, you will find a list of security context settings that can be used to harden deployments and, more importantly, to gate them against security misconfigurations.

More: https://medium.com/@scotta01/kubernetes-owasp-top-10-insecure-workload-configurations-60818f0c68db
With Kubernetes v1.24, non-expiring service account tokens are no longer auto-generated.

This blog post highlights what this means in practice, and what to do if you rely on non-expiring service account tokens.

More: https://eng.d2iq.com/blog/service-account-tokens-in-kubernetes-v1.24
This article details how to secure web traffic using TLS with a certificate issued by a trusted CA on Google Kubernetes Engine.

This will use Let's Encrypt through a popular Kubernetes add-on called cert-manager.

More: https://joachim8675309.medium.com/gke-with-certmanager-9bc00b086b73
The Trivy Operator PolicyReport Adapter maps Trivy CRDs into the unified PolicyReport and ClusterPolicyReport from the Kubernetes Policy Working Group.

This makes it possible to use tooling like Policy Reporter for the different kinds of Trivy Reports.

More: https://github.com/fjogeleit/trivy-operator-polr-adapter
This repository contains a custom Kubernetes controller that can automatically create random secret values.

This may be used for auto-generating random credentials for applications running on Kubernetes.

More: https://github.com/mittwald/kubernetes-secret-generator
In this tutorial, you'll learn how to use the Azure CSI Driver to fetch secrets and inject them in pods running on AKS.

More: https://medium.com/@shivanik111898/use-azure-key-vault-for-secret-store-with-azure-csi-driver-31bc803b7ca8
Forwarded from LearnKube news
In this tutorial, you'll learn how to build a simple app that lists resources in the Kubernetes cluster it runs on.

In the process, you will also learn how to utilize Service Accounts, RBAC, the Python client, Ingress and more.

More: https://devoops.blog/kubernetes-pods-extractor
This article discusses the pitfalls of Sealed Secrets, and the alternatives to them, as you move your deployments to production using GitOps.

More: https://betterprogramming.pub/why-you-should-avoid-sealed-secrets-in-your-gitops-deployment-e50131d360dd