In this tutorial, you'll learn how to create a Python program that uses IAM Roles for Service Accounts (IRSA) to fetch secrets from AWS Secrets Manager and store them in a volume.
The script can be used as an init container to inject secrets into any pod.
More: https://kymidd.medium.com/lets-do-devops-eks-k8s-python-fuzzy-staging-with-aws-secrets-manager-k8s-init-disk-secrets-b0d8022f3a5d
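An added example of the init-container approach (my code, not the article's): it fetches the named secrets with boto3 and writes each one as a 0600 file on the volume shared with the application container. SECRET_NAMES and SECRETS_DIR are hypothetical environment variables; the IRSA credentials come from AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, which the EKS pod identity webhook injects and which boto3 honours without any static keys.

```python
"""Init-container helper: copy AWS Secrets Manager secrets onto a shared volume.

Added example, not the article's code. Assumes two hypothetical environment
variables: SECRET_NAMES (comma-separated secret names or ARNs) and SECRETS_DIR
(mount path of the volume shared with the app container). Credentials come
from IRSA: boto3 reads AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE from the
pod environment, so no static access keys are involved.
"""
import os
import re
import sys

_UNSAFE = re.compile(r"[^A-Za-z0-9_.-]")


def file_name_for(secret_id: str) -> str:
    """Map a secret name or ARN to a file name that cannot escape SECRETS_DIR."""
    # ARNs look like arn:aws:secretsmanager:region:acct:secret:name-AbCdEf;
    # keep the part after the last ':' and replace anything path-like.
    leaf = _UNSAFE.sub("_", secret_id.rsplit(":", 1)[-1])
    return "_" if leaf in ("", ".", "..") else leaf


def write_private(path: str, data: bytes) -> None:
    """Create or overwrite the file with mode 0600 from the start (no chmod race)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def sync_secrets(client, secret_ids, dest_dir: str) -> dict:
    """Fetch each secret and write it under dest_dir. Returns {secret_id: path}.

    `client` is anything with boto3's get_secret_value(SecretId=...) signature,
    which keeps the function testable without AWS.
    """
    os.makedirs(dest_dir, mode=0o700, exist_ok=True)
    written = {}
    for secret_id in secret_ids:
        resp = client.get_secret_value(SecretId=secret_id)
        # Secrets Manager returns either SecretBinary or SecretString.
        if "SecretBinary" in resp:
            payload = resp["SecretBinary"]
        else:
            payload = resp["SecretString"].encode()
        path = os.path.join(dest_dir, file_name_for(secret_id))
        write_private(path, payload)
        written[secret_id] = path
    return written


def main() -> int:
    import boto3  # imported here so the module loads without the AWS SDK

    names = [n for n in os.environ.get("SECRET_NAMES", "").split(",") if n]
    if not names:
        print("SECRET_NAMES is empty; nothing to do", file=sys.stderr)
        return 2
    dest = os.environ.get("SECRETS_DIR", "/secrets")
    client = boto3.client("secretsmanager")  # region/role come from the pod env
    for secret_id, path in sync_secrets(client, names, dest).items():
        print(f"wrote {secret_id} -> {path}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Mount the shared volume as an emptyDir with `medium: Memory` so the plaintext never reaches node disk, and scope the IRSA role to `secretsmanager:GetSecretValue` on exactly the ARNs the pod needs.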
Kubeconform is a Kubernetes manifest validation tool.
Similar to Kubeval, but with the following improvements:
1. High performance.
2. Remote or local schema locations.
3. Up-to-date schemas for all recent versions of Kubernetes.
More: https://github.com/yannh/kubeconform
The Kubernetes Security Profiles Operator aims to make it easier for users to use SELinux, seccomp and AppArmor in Kubernetes clusters.
More: https://github.com/kubernetes-sigs/security-profiles-operator
In this article, you will learn how to integrate ArgoCD with HashiCorp Vault to manage secrets on Kubernetes.
To use ArgoCD and Vault together, you will use the ArgoCD Vault plugin.
More: https://piotrminkowski.com/2022/08/08/manage-secrets-on-kubernetes-with-argocd-and-vault
Admission controllers are a key component of the admission process performed by the Kubernetes API server.
They enable fine-grained control over the object creation, update, and deletion process.
Learn how they work in this article.
More: https://pradeepl.com/blog/kubernetes/introduction-to-kubernetes-admission-controllers
This repository aggregates over 100 popular Kubernetes CRDs (CustomResourceDefinitions) in JSON schema format.
These schemas can be used by various tools, such as Datree, Kubeconform and Kubeval, as an alternative to kubectl --dry-run.
More: https://github.com/datreeio/CRDs-catalog
Forwarded from Kube Architect
This article details how to secure mixed HTTP and gRPC web traffic with a single ingress controller.
As part of the process, TLS certificates will be issued by a trusted CA.
This will use Let’s Encrypt with cert-manager.
More: https://joachim8675309.medium.com/gke-with-grpc-and-ingress-nginx-644730915677
Forwarded from Kube Builders
kube-secrets-init is a Kubernetes mutating admission webhook that mutates any pod using specially prefixed environment variables and injects the referenced secrets accordingly.
More: https://github.com/doitintl/kube-secrets-init
In this article, you will find a list of security context settings that can be used to harden deployments and, more importantly, to gate them against security misconfiguration.
More: https://medium.com/@scotta01/kubernetes-owasp-top-10-insecure-workload-configurations-60818f0c68db
With Kubernetes v1.24, non-expiring service account tokens are no longer auto-generated.
This blog post highlights what this means in practice, and what to do if you rely on non-expiring service account tokens.
More: https://eng.d2iq.com/blog/service-account-tokens-in-kubernetes-v1.24
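Before deciding what to do about the v1.24 change, it helps to know which tokens in a cluster are still the old, non-expiring kind. The added example below (my code, not the blog post's) tells the two formats apart by their claims: a legacy Secret-based token has no `exp` and carries `kubernetes.io/serviceaccount/...` claims, while a bound token from TokenRequest or a projected volume has `exp`, `aud` and a nested `kubernetes.io` claim. It only decodes the JWT payload, it does not verify signatures, and the LEGACY_CLAIMS and BOUND_CLAIMS sample tokens are constructed, unsigned dummies.

```python
"""Audit Kubernetes service account tokens: legacy (non-expiring) vs bound.

Added example, not the blog post's code. It decodes JWT payloads without
checking signatures, which is enough to inventory tokens but is NOT a way to
validate one. The claim layouts are those of real kubelet/TokenRequest tokens;
the tokens built from LEGACY_CLAIMS and BOUND_CLAIMS are constructed dummies
with alg=none, not issued by any cluster.
"""
import base64
import json
import time
from typing import Optional


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore padding


def decode_claims(token: str) -> dict:
    """Return the JWT payload claims (no signature verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def classify(token: str, now: Optional[int] = None) -> dict:
    """legacy = Secret-based token without `exp`; bound = projected/TokenRequest token."""
    c = decode_claims(token)
    now = int(time.time()) if now is None else now
    bound = c.get("kubernetes.io", {})  # nested claim only present in bound tokens
    return {
        "kind": "bound" if "exp" in c else "legacy",
        "namespace": bound.get("namespace")
        or c.get("kubernetes.io/serviceaccount/namespace"),
        "serviceaccount": (bound.get("serviceaccount") or {}).get("name")
        or c.get("kubernetes.io/serviceaccount/service-account.name"),
        "audiences": c.get("aud"),
        "expires_in": c["exp"] - now if "exp" in c else None,
    }


def audit_secret_list(secret_list: dict) -> list:
    """Classify every token in `kubectl get secrets -A -o json` output.

    Legacy tokens live in Secrets of type kubernetes.io/service-account-token;
    anything returned here is a long-lived credential to rotate or delete.
    """
    findings = []
    for item in secret_list.get("items", []):
        if item.get("type") != "kubernetes.io/service-account-token":
            continue
        data = item.get("data") or {}
        if "token" not in data:
            continue  # token controller has not populated the Secret yet
        meta = item["metadata"]
        info = classify(base64.b64decode(data["token"]).decode())
        info["secret"] = f"{meta['namespace']}/{meta['name']}"
        findings.append(info)
    return findings


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none JWT for the constructed samples (never accepted by a cluster)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed claim sets mirroring the two real token formats.
LEGACY_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "default-token-abc12",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "sub": "system:serviceaccount:default:default",
}
BOUND_CLAIMS = {
    "aud": ["https://kubernetes.default.svc"],
    "exp": 1_700_003_600,
    "iat": 1_700_000_000,
    "iss": "https://kubernetes.default.svc.cluster.local",
    "kubernetes.io": {"namespace": "payments", "pod": {"name": "api-7d9f"},
                      "serviceaccount": {"name": "api"}},
    "sub": "system:serviceaccount:payments:api",
}

if __name__ == "__main__":
    for claims in (LEGACY_CLAIMS, BOUND_CLAIMS):
        print(classify(make_unsigned_token(claims), now=1_700_000_000))
```

Feed `audit_secret_list` the JSON from `kubectl get secrets -A -o json`; every finding is a Secret you either created on purpose (type `kubernetes.io/service-account-token`, which v1.24 still honours) or a leftover that should be replaced by a projected token.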
This article details how to secure web traffic using TLS with a certificate issued by a trusted CA on Google Kubernetes Engine.
This will use Let's Encrypt through a popular Kubernetes add-on called cert-manager.
More: https://joachim8675309.medium.com/gke-with-certmanager-9bc00b086b73
The Trivy Operator PolicyReport Adapter maps Trivy CRDs into the unified PolicyReport and ClusterPolicyReport from the Kubernetes Policy Working Group.
This makes it possible to use tooling like Policy Reporter for the different kinds of Trivy reports.
More: https://github.com/fjogeleit/trivy-operator-polr-adapter
This repository contains a custom Kubernetes controller that can automatically create random secret values.
This may be used for auto-generating random credentials for applications running on Kubernetes.
More: https://github.com/mittwald/kubernetes-secret-generator
In this tutorial, you'll learn how to use the Azure CSI Driver to fetch secrets and inject them in pods running on AKS.
More: https://medium.com/@shivanik111898/use-azure-key-vault-for-secret-store-with-azure-csi-driver-31bc803b7ca8
Forwarded from LearnKube news
In this tutorial, you'll learn how to build a simple app that lists resources on the Kubernetes cluster it runs on.
In the process, you will also learn how to utilize Service Accounts, RBAC, the Python client, Ingress and more.
More: https://devoops.blog/kubernetes-pods-extractor
This article discusses the pitfalls of Sealed Secrets, and the alternatives to it, as you move your deployments to production using GitOps.
More: https://betterprogramming.pub/why-you-should-avoid-sealed-secrets-in-your-gitops-deployment-e50131d360dd
argocd-vault-plugin is an Argo CD plugin that retrieves secrets from Secret Management tools and injects them into Kubernetes.
More: https://github.com/argoproj-labs/argocd-vault-plugin
kubeaudit is a command line tool and a Go package to audit Kubernetes clusters for various security concerns, such as:
- Run as non-root.
- Use a read-only root filesystem.
- Drop scary capabilities, don't add new ones.
- Don't run privileged.
More: https://github.com/Shopify/kubeaudit
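One way to turn this checklist (and the security-context gating discussed earlier in this digest) into an enforcement point is a validating admission webhook, which is the mechanism the admission-controller article above describes. The code below is an added example, not kubeaudit's or either article's code: `admit()` takes the AdmissionReview v1 document the API server POSTs and returns the response document, and `violations()` can also be run on its own over `kubectl get pod -o json` output as a pre-deploy gate. The `/tls/tls.crt` and `/tls/tls.key` paths and port 8443 are assumptions.

```python
"""Validating admission webhook enforcing the four kubeaudit-style checks above.

Added example, not kubeaudit's or the articles' code. The AdmissionReview v1
request/response shapes are the ones the API server really uses; the TLS file
paths and the port are assumptions.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer


def _containers(pod: dict) -> list:
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def violations(pod: dict) -> list:
    """Return human-readable problems for a Pod object (empty list = compliant)."""
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    problems = []
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        name = c.get("name", "?")
        if sc.get("privileged"):
            problems.append(f"{name}: privileged=true")
        # Container-level settings override pod-level ones.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_non_root is not True and run_as_user in (None, 0):
            problems.append(f"{name}: may run as root (set runAsNonRoot: true)")
        if sc.get("readOnlyRootFilesystem") is not True:
            problems.append(f"{name}: readOnlyRootFilesystem must be true")
        caps = sc.get("capabilities") or {}
        if caps.get("add"):
            problems.append(f"{name}: adds capabilities {caps['add']}")
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f"{name}: must drop ALL capabilities")
    return problems


def admit(review: dict) -> dict:
    """Build the AdmissionReview response for the incoming request."""
    req = review["request"]
    obj = req.get("object")  # None on DELETE; nothing to check then
    problems = []
    if req["kind"]["kind"] == "Pod" and obj:
        problems = violations(obj)
    response = {"uid": req["uid"], "allowed": not problems}
    if problems:
        # The message is what `kubectl` shows the user on rejection.
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1",
            "kind": "AdmissionReview", "response": response}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        out = json.dumps(admit(json.loads(body))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


if __name__ == "__main__":
    import ssl
    srv = HTTPServer(("0.0.0.0", 8443), Handler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Assumed mount of the webhook's TLS Secret; the API server only talks HTTPS.
    ctx.load_cert_chain("/tls/tls.crt", "/tls/tls.key")
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    srv.serve_forever()
```

Register it with a ValidatingWebhookConfiguration whose rule covers pods on CREATE and UPDATE with `failurePolicy: Fail`, and use a `namespaceSelector` that excludes kube-system and the webhook's own namespace: a webhook that can reject its own pod, or the control plane's, locks you out after the first restart.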
Forwarded from Kube Architect
In this tutorial, you will learn how to automatically schedule Kubeflow pipeline Pods from any number of namespaces on dedicated GKE node pools.
More: https://medium.com/dkatalis/creating-a-mutating-webhook-for-great-good-b21acb941207
Forwarded from LearnKube news
Master Kubernetes with our Advanced Kubernetes workshops next week!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
You can sign up here: https://learnk8s.io/online-advanced-january-2023
This article will teach you how to configure an AKS cluster to consume secrets, keys and certificates from an Azure Key Vault.
More: https://community.ops.io/javi_labs/configuring-aks-to-read-secrets-and-certificates-from-azure-keyvaults-17o1