Preflight is a tool to automatically perform Kubernetes cluster configuration checks using Open Policy Agent (OPA).
More https://github.com/jetstack/preflight
More https://github.com/jetstack/preflight
GitHub
GitHub - jetstack/jetstack-secure: Open-source components of Jetstack Secure.
Open-source components of Jetstack Secure. Contribute to jetstack/jetstack-secure development by creating an account on GitHub.
awesome-kubernetes-security Awesome a curated list of awesome Kubernetes security resources.
👉 https://github.com/ksoclabs/awesome-kubernetes-security
👉 https://github.com/ksoclabs/awesome-kubernetes-security
GitHub
GitHub - ksoclabs/awesome-kubernetes-security: A curated list of awesome Kubernetes security resources
A curated list of awesome Kubernetes security resources - ksoclabs/awesome-kubernetes-security
kubectl-whisper-secret plugin allows users to create secrets with secure input prompt to prevent information leakages through terminal history, shoulder surfing attacks, etc.
👉 https://github.com/rewanth1997/kubectl-whisper-secret
👉 https://github.com/rewanth1997/kubectl-whisper-secret
GitHub
GitHub - rewanthtammana/kubectl-whisper-secret: Kubectl extension to create secrets by taking input from the console
Kubectl extension to create secrets by taking input from the console - GitHub - rewanthtammana/kubectl-whisper-secret: Kubectl extension to create secrets by taking input from the console
cosign is a tool that can sign container images. Cosign supports:
- Hardware and KMS signing
- Bring-your-own PKI
- Our free OIDC PKI (Fulcio)
→ https://github.com/sigstore/cosign
- Hardware and KMS signing
- Bring-your-own PKI
- Our free OIDC PKI (Fulcio)
→ https://github.com/sigstore/cosign
Kubestriker is a platform-agnostic tool designed to tackle Kuberenetes cluster security issues due to misconfigurations
→ https://github.com/vchinnipilli/kubestriker
→ https://github.com/vchinnipilli/kubestriker
This blog post is about an experiment to automate creation of Kubernetes Network Policies based on actual network traffic captured from applications running on a Kubernetes cluster
More: https://itnext.io/generating-kubernetes-network-policies-by-sniffing-network-traffic-6d5135fe77db
More: https://itnext.io/generating-kubernetes-network-policies-by-sniffing-network-traffic-6d5135fe77db
An alternative approach to Secrets management in Helm 3
Read on: https://itnext.io/helm-3-secrets-management-4f23041f05c3?source=friends_link
Read on: https://itnext.io/helm-3-secrets-management-4f23041f05c3?source=friends_link
Medium
Helm 3 — Secrets management, an alternative approach
There are many ways of managing secrets in Kubernetes, some ways are simpler than others but when researching this topic for my project at…
Learn how to set up K0s in air-gapped environment
More: https://itnext.io/k0s-cluster-without-internet-access-ac0dda08aa63?source=friends_link
More: https://itnext.io/k0s-cluster-without-internet-access-ac0dda08aa63?source=friends_link
Medium
K0s Cluster Without Internet Access
Let’s see how k0s makes the Air-Gap installation an easy process
KubeEye is an open-source diagnostic tool for identifying various Kubernetes cluster issues automatically, such as misconfigurations, unhealthy components and node failures
Read more https://github.com/kubesphere/kubeeye
Read more https://github.com/kubesphere/kubeeye
The worst so-called “best practice” for Docker
Read on: https://pythonspeed.com/articles/security-updates-in-docker
Read on: https://pythonspeed.com/articles/security-updates-in-docker
Python⇒Speed
The worst so-called “best practice” for Docker
Many people (although fewer than in the past) will tell you not to install security updates in your Docker image. This is terrible advice.
A detailed guide to help you to ensure that only signed images can get deployed on the cluster (with OPA and Notary)
Read on https://siegert-maximilian.medium.com/ensure-content-trust-on-kubernetes-using-notary-and-open-policy-agent-485ab3a9423c
Read on https://siegert-maximilian.medium.com/ensure-content-trust-on-kubernetes-using-notary-and-open-policy-agent-485ab3a9423c
10 Kubernetes Security Context settings you should understand
Read more https://snyk.io/blog/10-kubernetes-security-context-settings-you-should-understand
Read more https://snyk.io/blog/10-kubernetes-security-context-settings-you-should-understand
The CVE-2021-20291 medium-level vulnerability has been found in containers/storage Go library, leading to Denial of Service (DoS) when vulnerable container engines pull an injected image from a registry.
→ https://sysdig.com/blog/cve-2021-20291-cri-o-podman
→ https://sysdig.com/blog/cve-2021-20291-cri-o-podman
Sysdig
Mitigating CVE-2021-20291: DoS affecting CRI-O and Podman
Learn how CVE-2021-20291 in containers / storage Go library, can lead to Denial of Service (DoS) in vulnerable container engines.
Reverse Engineering a Docker Image
More: https://theartofmachinery.com/2021/03/18/reverse_engineering_a_docker_image.html
More: https://theartofmachinery.com/2021/03/18/reverse_engineering_a_docker_image.html
Learn how to use the nginx-ingress controller to restrict access by IP (ip whitelisting) for a service deployed to a Kubernetes (AKS) cluster
More: https://medium.com/@maninder.bindra/using-nginx-ingress-controller-to-restrict-access-by-ip-ip-whitelisting-for-a-service-deployed-to-bd5c86dc66d6
More: https://medium.com/@maninder.bindra/using-nginx-ingress-controller-to-restrict-access-by-ip-ip-whitelisting-for-a-service-deployed-to-bd5c86dc66d6
Medium
Using nginx-ingress controller to restrict access by IP (ip whitelisting) for a service deployed to a Kubernetes (AKS) cluster
While working on a project earlier this week we were given the following requirements :
The right way to authenticate to your clusters from your CI/CD pipelines
Read more: https://tremolosecurity.com/post/pipelines-and-kubernetes-authentication
Read more: https://tremolosecurity.com/post/pipelines-and-kubernetes-authentication
The Top 5 Kubernetes Admission Control Policies:
- Trusted Repo
- Label Safety
- Privileged Mode
- Ingress
- Egress
More: https://blog.styra.com/blog/open-policy-agent-the-top-5-kubernetes-admission-control-policies
- Trusted Repo
- Label Safety
- Privileged Mode
- Ingress
- Egress
More: https://blog.styra.com/blog/open-policy-agent-the-top-5-kubernetes-admission-control-policies
Styra
Open Policy Agent: The Top 5 Kubernetes Admission Control Policies
These are the top five OPA Kubernetes admission control policies that you should have running in your cluster right now.
Helm-scanner is a tool designed to automate discovering, templating, security scanning, then recording and providing easy access to the results for publicly available Helm charts
Read on https://github.com/bridgecrewio/helm-scanner/
Read on https://github.com/bridgecrewio/helm-scanner/
Learn how to use x509 certificates to authenticate users in your cluster
Read on https://cloudhero.io/creating-users-for-your-kubernetes-cluster
Read on https://cloudhero.io/creating-users-for-your-kubernetes-cluster
CloudHero
Creating Users for your Kubernetes Cluster
When it comes to giving people from your organization access to your Kubernetes cluster, things can get a little tricky. Kubernetes does not have an authentication mechanism by default. By doing this, you get stuck with an admin certificate you must share…
[PDF] Architecting Amazon EKS for PCI DSS Compliance
👉 https://d1.awsstatic.com/whitepapers/architecting-amazon-eks-for-pci-dss-compliance.pdf
👉 https://d1.awsstatic.com/whitepapers/architecting-amazon-eks-for-pci-dss-compliance.pdf
Krane is a simple Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them
👉 https://github.com/appvia/krane
👉 https://github.com/appvia/krane