KubeCSR is a lightweight REST service written in Go leveraging the Gin framework that automates the toil of creating Kubernetes x509 certificates for users.
More: https://github.com/tonedefdev/kubecsr
The External Secrets Operator allows the fetching of secret data from external secret management providers.
But a less known feature is that you can push Kubernetes secrets to third parties.
You can use this feature to migrate secrets between providers.
More: https://eminalemdar.medium.com/reversing-the-workflow-with-external-secrets-operators-push-secret-feature-f2a64f3db748
This is a library of policies based on Kubescape controls ready for use with Kubernetes Validating Admission Policies.
More: https://github.com/kubescape/cel-admission-library
Forwarded from Kube Architect
Should you have more than one team using the same Kubernetes cluster?
Can you run untrusted workloads safely from untrusted users?
Does Kubernetes do multi-tenancy?
This article will explore the challenges of running a cluster with multiple tenants.
More: https://community.ops.io/danielepolencic/multi-tenancy-in-kubernetes-366n
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🏠 Load balancer architecture on-premises
⚖️ Pod rebalancing and allocations
👮‍♀️ Mitigating RBAC-based privilege escalation
☁️ De-cloud and de-k8s
👍 Promoting releases in GitOps
Read it now: https://learnk8s.io/issues/33
You can use Calico and WireGuard to encrypt data in transit in a Kubernetes cluster without mTLS or IPsec.
Encryption is supported for pod-to-pod traffic on different hosts and host-to-host traffic.
Learn how in this article.
More: https://medium.com/@dhawalsaini.devops_50274/wireguard-with-calico-in-k8s-8608fb8192b5
The sixth annual Sysdig Cloud-Native Security and Usage Report digs into how Sysdig customers of all sizes and industries are using, securing, and paying for cloud and container environments.
More: https://sysdig.com/blog/2023-cloud-native-security-usage-report
In this tutorial, you will explore the Evaluating Validating Admission Policy feature paired with a Custom Resource Definition (CRD) as input for easy customisation of policies.
More: https://github.com/tommy-dk/validating-admission-policy
OWASP Kubernetes is aimed at helping security practitioners, sysadmins, and software developers prioritize risks around the Kubernetes ecosystem.
In this article, you will find the top 10 risks you should consider and mitigations you could adopt.
More: https://sysdig.com/blog/top-owasp-kubernetes
In this tutorial, you'll look at how to configure EKS to use secrets and parameters from Amazon Secrets Manager and AWS Systems Manager Parameter Store.
More: https://blog.bootlabstech.com/aws-secrets-manager-in-kubernetes-secret-rotation-and-reloader
Kyverno is a Kubernetes policy engine that can enforce policies like required labels, container image signing, resource existence, etc.
It has a library of ready-to-use policies and allows for easy evaluation with its CLI.
Learn more in this post.
More: https://medium.com/@mabenoit/kyverno-kubernetes-native-policy-management-7ca01fa372a3
AWS ACM Private CA is a module of the AWS Certificate Manager that can set up and manage private CAs.
This project acts as an addon to cert-manager that signs off certificate requests using AWS PCA.
More: https://github.com/cert-manager/aws-privateca-issuer
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
💦 Mitigating memory leak in Kubernetes with a one-liner commit
🐾 Tracing the path of network traffic
🍼 My first experience with Kyverno
📕 Kustomize best practices
⚙️ WebAssembly on Kubernetes
Read it now: https://learnk8s.io/issues/35
In this article, you will learn how your Kubernetes deployment can access a database with random roles and passwords (and eventually restricted privileges) that are rotated every hour and deleted after expiration.
More: https://itsufficient.me/blog/postgres-vault
mirrors is a custom Kubernetes controller that copies Kubernetes Secrets to and from various locations.
Currently, it supports the following sources and destinations:
- Native Kubernetes Secret
- HashiCorp Vault Secret
More: https://github.com/ktsstudio/mirrors
In this article, you will inspect the CoreDNS source code and learn how it is susceptible to cache poisoning.
You will also learn how to mitigate such an attack.
More: http://sbudella.altervista.org/blog/20230308-coredns-conjecture.html
The Otterize Credentials Operator automatically resolves pods to dev-friendly service names, registers them with a SPIRE server or with Otterize Cloud, and optionally provisions credentials as Kubernetes secrets.
More: https://github.com/otterize/credentials-operator
Forwarded from LearnKube news
Netchecks is a set of tools for testing network conditions and asserting that they are as expected.
There are two main components:
1. The operator that runs network checks and reports results.
2. Netcheck CLI and Python Library.
More: https://github.com/hardbyte/netchecks
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:
🆚 CPU requests & limits VS autoscaling
🤢 CoreDNS cache poisoning
🐣 What happens when you create a pod
🎭 Managing roles for PostgreSQL with Vault
💸 Price comparison of managed Kubernetes
Read it now: https://learnk8s.io/issues/36
In this article, you will dissect how an attacker can gain access to a Kubernetes cluster that allows anonymous access to mine cryptocurrency.
In the process, you will uncover:
- Usage of DaemonSets to utilize all nodes.
- "Fake" pause containers.
More: https://crowdstrike.com/blog/crowdstrike-discovers-first-ever-dero-cryptojacking-campaign-targeting-kubernetes
In this tutorial, you will learn how to use KubeArmor to gain granular control over container behaviour, allowing you to enforce security policies tailored to your workloads' needs.
More: https://medium.com/@alex.ivenin/enhancing-kubernetes-security-with-kubearmor-323ca754dbf8