Kubestriker is a platform-agnostic tool designed to tackle Kubernetes cluster security issues caused by misconfigurations
→ https://github.com/vchinnipilli/kubestriker
This blog post is about an experiment to automate creation of Kubernetes Network Policies based on actual network traffic captured from applications running on a Kubernetes cluster
More: https://itnext.io/generating-kubernetes-network-policies-by-sniffing-network-traffic-6d5135fe77db
An alternative approach to Secrets management in Helm 3
Read on: https://itnext.io/helm-3-secrets-management-4f23041f05c3?source=friends_link
Learn how to set up K0s in air-gapped environment
More: https://itnext.io/k0s-cluster-without-internet-access-ac0dda08aa63?source=friends_link
KubeEye is an open-source diagnostic tool for identifying various Kubernetes cluster issues automatically, such as misconfigurations, unhealthy components and node failures
Read more https://github.com/kubesphere/kubeeye
The worst so-called “best practice” for Docker
Read on: https://pythonspeed.com/articles/security-updates-in-docker
A detailed guide to help you to ensure that only signed images can get deployed on the cluster (with OPA and Notary)
Read on https://siegert-maximilian.medium.com/ensure-content-trust-on-kubernetes-using-notary-and-open-policy-agent-485ab3a9423c
10 Kubernetes Security Context settings you should understand
Read more https://snyk.io/blog/10-kubernetes-security-context-settings-you-should-understand
CVE-2021-20291, a medium-severity vulnerability in the containers/storage Go library, leads to Denial of Service (DoS) when a vulnerable container engine pulls an injected image from a registry.
→ https://sysdig.com/blog/cve-2021-20291-cri-o-podman
Reverse Engineering a Docker Image
More: https://theartofmachinery.com/2021/03/18/reverse_engineering_a_docker_image.html
Learn how to use the nginx-ingress controller to restrict access by IP (ip whitelisting) for a service deployed to a Kubernetes (AKS) cluster
More: https://medium.com/@maninder.bindra/using-nginx-ingress-controller-to-restrict-access-by-ip-ip-whitelisting-for-a-service-deployed-to-bd5c86dc66d6
The right way to authenticate to your clusters from your CI/CD pipelines
Read more: https://tremolosecurity.com/post/pipelines-and-kubernetes-authentication
The Top 5 Kubernetes Admission Control Policies:
- Trusted Repo
- Label Safety
- Privileged Mode
- Ingress
- Egress
More: https://blog.styra.com/blog/open-policy-agent-the-top-5-kubernetes-admission-control-policies
Helm-scanner is a tool that automates discovering, templating and security-scanning publicly available Helm charts, then records the results and makes them easy to access
Read on https://github.com/bridgecrewio/helm-scanner/
Learn how to use x509 certificates to authenticate users in your cluster
Read on https://cloudhero.io/creating-users-for-your-kubernetes-cluster
[PDF] Architecting Amazon EKS for PCI DSS Compliance
👉 https://d1.awsstatic.com/whitepapers/architecting-amazon-eks-for-pci-dss-compliance.pdf
Krane is a simple Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them
👉 https://github.com/appvia/krane
Amazon EKS Pod Identity Webhook is a webhook for mutating pods that will require AWS IAM access
Read on: https://github.com/aws/amazon-eks-pod-identity-webhook
This repository contains an implementation of an RBAC model for a multi-project, multi-tenant Kubernetes cluster
→ https://github.com/clvx/k8s-rbac-model
Kubernetes External Secrets allows you to use external secret management systems, like AWS Secrets Manager or HashiCorp Vault, to securely add secrets in Kubernetes
👉 https://github.com/external-secrets/kubernetes-external-secrets
RBAC Manager is designed to simplify authorization in Kubernetes. It is an operator that supports declarative configuration of RBAC through new custom resources
Read on: https://github.com/FairwindsOps/rbac-manager