Kubesploit – Telegram
News and links on Kubernetes security curated by the @Learnk8s team
Website: https://kubesploit.io/
In this article, you will find a list of the security context settings that can be used to harden deployments and, more importantly, to gate them against security misconfiguration.

More: https://medium.com/@scotta01/kubernetes-owasp-top-10-insecure-workload-configurations-60818f0c68db
With Kubernetes v1.24, non-expiring service account tokens are no longer auto-generated.

This blog post highlights what this means in practice, and what to do if you rely on non-expiring service account tokens.

More: https://eng.d2iq.com/blog/service-account-tokens-in-kubernetes-v1.24
This article details how to secure web traffic using TLS with a certificate issued by a trusted CA on Google Kubernetes Engine.

This will use Let's Encrypt through a popular Kubernetes add-on called cert-manager.

More: https://joachim8675309.medium.com/gke-with-certmanager-9bc00b086b73
The Trivy Operator PolicyReport Adapter maps Trivy CRDs into the unified PolicyReport and ClusterPolicyReport from the Kubernetes Policy Working Group.

This makes it possible to use tooling like Policy Reporter for the different kinds of Trivy Reports.

More: https://github.com/fjogeleit/trivy-operator-polr-adapter
This repository contains a custom Kubernetes controller that can automatically create random secret values.

This may be used for auto-generating random credentials for applications running on Kubernetes.

More: https://github.com/mittwald/kubernetes-secret-generator
In this tutorial, you'll learn how to use the Azure CSI Driver to fetch secrets and inject them into pods running on AKS.

More: https://medium.com/@shivanik111898/use-azure-key-vault-for-secret-store-with-azure-csi-driver-31bc803b7ca8
Forwarded from LearnKube news
In this tutorial, you'll learn how to build a simple app that lists resources on the Kubernetes cluster it runs on.

In the process, you will also learn how to utilize Service Accounts, RBAC, the Python client, Ingress and more.

More: https://devoops.blog/kubernetes-pods-extractor
This article discusses the pitfalls of Sealed Secrets, and the alternatives to them, as you move your deployments to production using GitOps.

More: https://betterprogramming.pub/why-you-should-avoid-sealed-secrets-in-your-gitops-deployment-e50131d360dd
argocd-vault-plugin is an Argo CD plugin that retrieves secrets from Secret Management tools and injects them into Kubernetes.

More: https://github.com/argoproj-labs/argocd-vault-plugin
kubeaudit is a command line tool and a Go package to audit Kubernetes clusters for various security concerns, such as:

- Run as non-root.
- Use a read-only root filesystem.
- Drop scary capabilities, don't add new ones.
- Don't run privileged.

More: https://github.com/Shopify/kubeaudit
Forwarded from Kube Architect
In this tutorial, you will learn how to automatically schedule Kubeflow pipeline Pods from any number of namespaces on dedicated GKE node pools.

More: https://medium.com/dkatalis/creating-a-mutating-webhook-for-great-good-b21acb941207
Forwarded from LearnKube news
Master Kubernetes with our Advanced Kubernetes workshops next week!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!

You can sign up here: https://learnk8s.io/online-advanced-january-2023
This article will teach you how to configure an AKS cluster to consume secrets, keys and certificates from an Azure KeyVault.

More: https://community.ops.io/javi_labs/configuring-aks-to-read-secrets-and-certificates-from-azure-keyvaults-17o1
This article covers the techniques for centralised policy enforcement in a Kubernetes cluster:

- CI/CD pipelines.
- Security Admission controller.
- OPA and Gatekeeper.
- IDE linting and plug-ins.

More: https://itnext.io/kubernetes-owasp-top-10-centralised-policy-enforcement-9adc53438e22
Forwarded from LearnKube news
This post describes different EKS log types and ways to optimize costs.

Understanding the levers available for consuming logs not only helps you optimize costs but also allows you to focus on root cause analysis and attribution.

More: https://aws.amazon.com/blogs/containers/understanding-and-cost-optimizing-amazon-eks-control-plane-logs
In this article, you will learn how to test if your EKS control plane is exposed to the public internet and how to fix it.

More: https://medium.com/@dotdc/is-your-kubernetes-api-server-exposed-learn-how-to-check-and-fix-609ab9638fae
This article compares popular Kubernetes security and compliance frameworks, how they differ, when to use them, common goals, and suggested tools.

More: https://armosec.io/blog/kubernetes-security-frameworks-and-guidance
The Kubesploit January digest just dropped!

In this recap, you will find a curated collection of the best Kubernetes security-related articles, tutorials, libraries and tools republished in January.

https://medium.com/kubesploit/kubesploit-digest-january-2023-ec6253e2f0b3
Validkube combines the best open-source tools to help ensure Kubernetes YAML best practices, hygiene & security.

More: https://github.com/komodorio/validkube
This article discusses a few strategies to manage secrets using GitOps:

1. Sealed Secrets
2. Argo CD Vault plugin
3. SOPS (Secrets OPerationS)
4. Vault Agent
5. Secrets Store CSI Driver
6. External Secrets
7. Secrets Management and the cloud

More: https://akuity.io/blog/how-to-manage-kubernetes-secrets-gitops
kubeval is a tool for validating a Kubernetes YAML or JSON configuration file.

It does so using schemas generated from the Kubernetes OpenAPI specification, and therefore can validate schemas for multiple versions of Kubernetes.

More: https://github.com/instrumenta/kubeval