10 Kubernetes Security Context settings you should understand
Read more https://snyk.io/blog/10-kubernetes-security-context-settings-you-should-understand
Read more https://snyk.io/blog/10-kubernetes-security-context-settings-you-should-understand
The CVE-2021-20291 medium-level vulnerability has been found in containers/storage Go library, leading to Denial of Service (DoS) when vulnerable container engines pull an injected image from a registry.
→ https://sysdig.com/blog/cve-2021-20291-cri-o-podman
→ https://sysdig.com/blog/cve-2021-20291-cri-o-podman
Sysdig
Mitigating CVE-2021-20291: DoS affecting CRI-O and Podman
Learn how CVE-2021-20291 in containers / storage Go library, can lead to Denial of Service (DoS) in vulnerable container engines.
Reverse Engineering a Docker Image
More: https://theartofmachinery.com/2021/03/18/reverse_engineering_a_docker_image.html
More: https://theartofmachinery.com/2021/03/18/reverse_engineering_a_docker_image.html
Learn how to use the nginx-ingress controller to restrict access by IP (ip whitelisting) for a service deployed to a Kubernetes (AKS) cluster
More: https://medium.com/@maninder.bindra/using-nginx-ingress-controller-to-restrict-access-by-ip-ip-whitelisting-for-a-service-deployed-to-bd5c86dc66d6
More: https://medium.com/@maninder.bindra/using-nginx-ingress-controller-to-restrict-access-by-ip-ip-whitelisting-for-a-service-deployed-to-bd5c86dc66d6
Medium
Using nginx-ingress controller to restrict access by IP (ip whitelisting) for a service deployed to a Kubernetes (AKS) cluster
While working on a project earlier this week we were given the following requirements :
The right way to authenticate to your clusters from your CI/CD pipelines
Read more: https://tremolosecurity.com/post/pipelines-and-kubernetes-authentication
Read more: https://tremolosecurity.com/post/pipelines-and-kubernetes-authentication
The Top 5 Kubernetes Admission Control Policies:
- Trusted Repo
- Label Safety
- Privileged Mode
- Ingress
- Egress
More: https://blog.styra.com/blog/open-policy-agent-the-top-5-kubernetes-admission-control-policies
- Trusted Repo
- Label Safety
- Privileged Mode
- Ingress
- Egress
More: https://blog.styra.com/blog/open-policy-agent-the-top-5-kubernetes-admission-control-policies
Styra
Open Policy Agent: The Top 5 Kubernetes Admission Control Policies
These are the top five OPA Kubernetes admission control policies that you should have running in your cluster right now.
Helm-scanner is a tool designed to automate discovering, templating, security scanning, then recording and providing easy access to the results for publicly available Helm charts
Read on https://github.com/bridgecrewio/helm-scanner/
Read on https://github.com/bridgecrewio/helm-scanner/
Learn how to use x509 certificates to authenticate users in your cluster
Read on https://cloudhero.io/creating-users-for-your-kubernetes-cluster
Read on https://cloudhero.io/creating-users-for-your-kubernetes-cluster
CloudHero
Creating Users for your Kubernetes Cluster
When it comes to giving people from your organization access to your Kubernetes cluster, things can get a little tricky. Kubernetes does not have an authentication mechanism by default. By doing this, you get stuck with an admin certificate you must share…
[PDF] Architecting Amazon EKS for PCI DSS Compliance
👉 https://d1.awsstatic.com/whitepapers/architecting-amazon-eks-for-pci-dss-compliance.pdf
👉 https://d1.awsstatic.com/whitepapers/architecting-amazon-eks-for-pci-dss-compliance.pdf
Krane is a simple Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them
👉 https://github.com/appvia/krane
👉 https://github.com/appvia/krane
Amazon EKS Pod Identity Webhook is a webhook for mutating pods that will require AWS IAM access
Read on: https://github.com/aws/amazon-eks-pod-identity-webhook
Read on: https://github.com/aws/amazon-eks-pod-identity-webhook
GitHub
GitHub - aws/amazon-eks-pod-identity-webhook: Amazon EKS Pod Identity Webhook
Amazon EKS Pod Identity Webhook. Contribute to aws/amazon-eks-pod-identity-webhook development by creating an account on GitHub.
This repository contains an implementation of a RBAC model for a multi project and multi tenant Kubernetes cluster
→ https://github.com/clvx/k8s-rbac-model
→ https://github.com/clvx/k8s-rbac-model
GitHub
GitHub - clvx/k8s-rbac-model: A multi tenant and multi project RBAC model implementation in Kubernetes
A multi tenant and multi project RBAC model implementation in Kubernetes - clvx/k8s-rbac-model
Kubernetes External Secrets allows you to use external secret management systems, like AWS Secrets Manager or HashiCorp Vault, to securely add secrets in Kubernetes
👉 https://github.com/external-secrets/kubernetes-external-secrets
👉 https://github.com/external-secrets/kubernetes-external-secrets
RBAC Manager is designed to simplify authorization in Kubernetes. This is an operator that supports declarative configuration for RBAC with new custom resources
Read on: https://github.com/FairwindsOps/rbac-manager
Read on: https://github.com/FairwindsOps/rbac-manager
GitHub
GitHub - FairwindsOps/rbac-manager: A Kubernetes operator that simplifies the management of Role Bindings and Service Accounts.
A Kubernetes operator that simplifies the management of Role Bindings and Service Accounts. - FairwindsOps/rbac-manager
Teleport is a certificate authority and access plane for SSH, Kubernetes, web applications, and databases
More https://github.com/gravitational/teleport
More https://github.com/gravitational/teleport
GitHub
GitHub - gravitational/teleport: The easiest, and most secure way to access and protect all of your infrastructure.
The easiest, and most secure way to access and protect all of your infrastructure. - gravitational/teleport
kubelogin is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication
More: https://github.com/int128/kubelogin
More: https://github.com/int128/kubelogin
kube-oidc-proxy is a reverse proxy server to authenticate users using OIDC to Kubernetes API servers where OIDC authentication is not available
More: https://github.com/jetstack/kube-oidc-proxy
More: https://github.com/jetstack/kube-oidc-proxy
GitHub
GitHub - jetstack/kube-oidc-proxy: Reverse proxy to authenticate to managed Kubernetes API servers via OIDC.
Reverse proxy to authenticate to managed Kubernetes API servers via OIDC. - jetstack/kube-oidc-proxy
The Kubernetes Goat is designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
More https://github.com/madhuakula/kubernetes-goat
More https://github.com/madhuakula/kubernetes-goat
k8s-vault-webhook is a Kubernetes admission webhook which listen for the events related to Kubernetes resources for injecting secret directly from secret manager to pod, secret, and configmap
👉 https://github.com/OT-CONTAINER-KIT/k8s-vault-webhook
👉 https://github.com/OT-CONTAINER-KIT/k8s-vault-webhook
Connaisseur is an admission controller for Kubernetes that integrates Image Signature Verification and Trust Pinning into a cluster, as a means to ensure that only valid images are being deployed
→ https://github.com/sse-secure-systems/connaisseur
→ https://github.com/sse-secure-systems/connaisseur
rback is a simple "RBAC in Kubernetes" visualizer. It queries all RBAC info and generates a graph of service accounts, (cluster) roles, and the respective access rules in dot format
Read on: https://github.com/team-soteria/rback
Read on: https://github.com/team-soteria/rback