Trivy is a simple and comprehensive vulnerability scanner for container images, Git repositories and filesystems, suitable for CI.
Read more https://github.com/aquasecurity/trivy
Kube-secret-syncer is a Kubernetes operator, built with the Kubebuilder framework, that keeps the values of Kubernetes Secrets synchronised with secrets in AWS Secrets Manager.
Read on: https://github.com/contentful-labs/kube-secret-syncer
Popeye is a utility that scans a live Kubernetes cluster and reports potential issues with deployed resources and configurations. It sanitizes your cluster based on what is actually deployed, not on what is sitting on disk.
→ https://github.com/derailed/popeye
kube-secrets-init is a Kubernetes mutating admission webhook that mutates any Pod using specially prefixed environment variables, whether those variables are set directly or sourced from a Kubernetes Secret or ConfigMap.
👉 https://github.com/doitintl/kube-secrets-init
Preflight is a tool to automatically perform Kubernetes cluster configuration checks using Open Policy Agent (OPA).
More https://github.com/jetstack/preflight
awesome-kubernetes-security: a curated list of Kubernetes security resources.
👉 https://github.com/ksoclabs/awesome-kubernetes-security
The kubectl-whisper-secret plugin lets users create Secrets through a secure input prompt, preventing information leakage through terminal history, shoulder surfing, and similar channels.
👉 https://github.com/rewanth1997/kubectl-whisper-secret
cosign is a tool that can sign container images. Cosign supports:
- Hardware and KMS signing
- Bring-your-own PKI
- Sigstore's free OIDC PKI (Fulcio)
→ https://github.com/sigstore/cosign
Kubestriker is a platform-agnostic tool designed to tackle Kubernetes cluster security issues caused by misconfigurations.
→ https://github.com/vchinnipilli/kubestriker
This blog post describes an experiment to automate the creation of Kubernetes Network Policies based on actual network traffic captured from applications running on a Kubernetes cluster.
More: https://itnext.io/generating-kubernetes-network-policies-by-sniffing-network-traffic-6d5135fe77db
An alternative approach to Secrets management in Helm 3
Read on: https://itnext.io/helm-3-secrets-management-4f23041f05c3?source=friends_link
Learn how to set up k0s in an air-gapped environment.
More: https://itnext.io/k0s-cluster-without-internet-access-ac0dda08aa63?source=friends_link
KubeEye is an open-source diagnostic tool that automatically identifies various Kubernetes cluster issues, such as misconfigurations, unhealthy components and node failures.
Read more https://github.com/kubesphere/kubeeye
The worst so-called “best practice” for Docker
Read on: https://pythonspeed.com/articles/security-updates-in-docker
A detailed guide to ensuring that only signed images can be deployed to the cluster (with OPA and Notary).
Read on https://siegert-maximilian.medium.com/ensure-content-trust-on-kubernetes-using-notary-and-open-policy-agent-485ab3a9423c
10 Kubernetes Security Context settings you should understand
Read more https://snyk.io/blog/10-kubernetes-security-context-settings-you-should-understand
CVE-2021-20291, a medium-severity vulnerability, has been found in the containers/storage Go library; it leads to denial of service (DoS) when a vulnerable container engine pulls a specially crafted image from a registry.
→ https://sysdig.com/blog/cve-2021-20291-cri-o-podman
Reverse Engineering a Docker Image
More: https://theartofmachinery.com/2021/03/18/reverse_engineering_a_docker_image.html
Learn how to use the nginx-ingress controller to restrict access by IP (IP whitelisting) for a service deployed to a Kubernetes (AKS) cluster.
More: https://medium.com/@maninder.bindra/using-nginx-ingress-controller-to-restrict-access-by-ip-ip-whitelisting-for-a-service-deployed-to-bd5c86dc66d6
The right way to authenticate to your clusters from your CI/CD pipelines
Read more: https://tremolosecurity.com/post/pipelines-and-kubernetes-authentication
The Top 5 Kubernetes Admission Control Policies:
- Trusted Repo
- Label Safety
- Privileged Mode
- Ingress
- Egress
More: https://blog.styra.com/blog/open-policy-agent-the-top-5-kubernetes-admission-control-policies