In this post, you will look at the Node authorization mode and NodeRestriction admission controller, which are used to provide rights to Kubelets to access the resources they need to function.

More: https://raesene.github.io/blog/2023/04/08/lets-talk-about-kubelet-authorization

In this article, you will learn how to use the Open Policy Agent to enforce security and governance policies to have fine-grain control on the services running in a Kubernetes cluster.

More: https://awstip.com/enforce-security-and-governance-in-kubernetes-using-opa-gatekeeper-2fd5b55f91d1

This week on the Learn Kubernetes Weekly:

🚗 Reacting faster to node failures
🏗 IP and pod allocations in EKS
👮‍♂️ Let's talk about kubelet authorization
🤕 Abusing etcd to inject resources
💘 Cilium: why we use it and why we ♥️ it

Read it now: https://learnk8s.io/issues/32

In this article, you will look into the different mitigations implemented to address privilege escalation and powerful permissions in Kubernetes.

More: https://unit42.paloaltonetworks.com/kubernetes-privilege-escalation

KubeCSR is a lightweight REST service written in Go leveraging the Gin framework that automates the toil of creating Kubernetes x509 certificates for users.

More: https://github.com/tonedefdev/kubecsr

The External Secrets Operator allows the fetching of secret data from external secret management providers.

But a less known feature is that you can push Kubernetes secrets to third parties.

You can use this feature to migrate secrets between providers.

More: https://eminalemdar.medium.com/reversing-the-workflow-with-external-secrets-operators-push-secret-feature-f2a64f3db748

This is a library of policies based on Kubescape controls ready for use with Kubernetes Validating Admission Policies.

More: https://github.com/kubescape/cel-admission-library

Should you have more than one team using the same Kubernetes cluster?
Can you run untrusted workloads safely from untrusted users?
Does Kubernetes do multi-tenancy?

This article will explore the challenges of running a cluster with multiple tenants.

More: https://community.ops.io/danielepolencic/multi-tenancy-in-kubernetes-366n

This week on the Learn Kubernetes Weekly:

🏠 Load balancer architecture on-premises
⚖️ Pod rebalancing and allocations
👮‍♀️ Mitigating RBAC-based privilege escalation
☁️ De-cloud and de-k8s
👍 Promoting releases in GitOps

Read it now: https://learnk8s.io/issues/33

You can use Calico and WireGuard to encrypt data in transit in a Kubernetes cluster without mTLS or IPsec.

Encryption is supported for pod-to-pod traffic on different hosts and host-to-host traffic.

Learn how in this article.

More: https://medium.com/@dhawalsaini.devops_50274/wireguard-with-calico-in-k8s-8608fb8192b5

The sixth annual Sysdig Cloud-Native Security and Usage Report digs into how Sysdig customers of all sizes and industries are using, securing, and paying for cloud and container environments.

More: https://sysdig.com/blog/2023-cloud-native-security-usage-report

In this tutorial, you will explore the Evaluating Validating Admission Policy feature paired with a Custom Resource Definition (CRD) as input for easy customisation of policies.

More: https://github.com/tommy-dk/validating-admission-policy

OWASP Kubernetes is aimed at helping security practitioners, sysadmins, and software developers prioritize risks around the Kubernetes ecosystem.

In this article, you will find the top 10 risks you should consider and mitigations you could adopt.

More: https://sysdig.com/blog/top-owasp-kubernetes

In this tutorial, you'll look at how to configure EKS to use secrets and parameters from Amazon Secrets Manager and AWS Systems Manager Parameter Store.

More: https://blog.bootlabstech.com/aws-secrets-manager-in-kubernetes-secret-rotation-and-reloader

Kyverno is a Kubernetes policy engine that can enforce policies like required labels, container image signing, resource existence, etc.

It has a library of ready-to-use policies and allows for easy evaluation with its CLI.

Learn more in this post.

More: https://medium.com/@mabenoit/kyverno-kubernetes-native-policy-management-7ca01fa372a3

AWS ACM Private CA is a module of the AWS Certificate Manager that can set up and manage private CAs.

This project acts as an addon to cert-manager that signs off certificate requests using AWS PCA.

More: https://github.com/cert-manager/aws-privateca-issuer

This week on the Learn Kubernetes Weekly:

💦 Mitigating memory leak in Kubernetes with a one-liner commit
🐾 Tracing the path of network traffic
🍼 My first experience with Kyverno
📕 Kustomize best practices
⚙️ WebAssembly on Kubernetes

Read it now: https://learnk8s.io/issues/35

In this article, you will learn how your Kubernetes deployment can access a database with random roles and passwords (and eventually restricted privileges) that are rotated every hour and deleted after expiration.

More: https://itsufficient.me/blog/postgres-vault

mirrors is a custom Kubernetes controller that copies Kubernetes Secret to and from various locations.

Currently, it supports the following sources and destinations:

- Native Kubernetes Secret
- HashiCorp Vault Secret

More: https://github.com/ktsstudio/mirrors

In this article, you will inspect the CoreDNS source code and learn how it is susceptible to cache poisoning.

You will also learn how to mitigate such an attack.

More: http://sbudella.altervista.org/blog/20230308-coredns-conjecture.html

The Otterize Credentials Operator automatically resolves pods to dev-friendly service names, registers them with a SPIRE server or with Otterize Cloud, and optionally provisions credentials as Kubernetes secrets.

More: https://github.com/otterize/credentials-operator