[PDF] Architecting Amazon EKS for PCI DSS Compliance

👉 https://d1.awsstatic.com/whitepapers/architecting-amazon-eks-for-pci-dss-compliance.pdf

Krane is a simple Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them

👉 https://github.com/appvia/krane

Amazon EKS Pod Identity Webhook is a webhook for mutating pods that will require AWS IAM access

Read on: https://github.com/aws/amazon-eks-pod-identity-webhook

This repository contains an implementation of a RBAC model for a multi project and multi tenant Kubernetes cluster

→ https://github.com/clvx/k8s-rbac-model

Kubernetes External Secrets allows you to use external secret management systems, like AWS Secrets Manager or HashiCorp Vault, to securely add secrets in Kubernetes

👉 https://github.com/external-secrets/kubernetes-external-secrets

RBAC Manager is designed to simplify authorization in Kubernetes. This is an operator that supports declarative configuration for RBAC with new custom resources

Read on: https://github.com/FairwindsOps/rbac-manager

Teleport is a certificate authority and access plane for SSH, Kubernetes, web applications, and databases

More https://github.com/gravitational/teleport

kubelogin is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication

More: https://github.com/int128/kubelogin

kube-oidc-proxy is a reverse proxy server to authenticate users using OIDC to Kubernetes API servers where OIDC authentication is not available

More: https://github.com/jetstack/kube-oidc-proxy

The Kubernetes Goat is designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.

More https://github.com/madhuakula/kubernetes-goat

k8s-vault-webhook is a Kubernetes admission webhook which listen for the events related to Kubernetes resources for injecting secret directly from secret manager to pod, secret, and configmap

👉 https://github.com/OT-CONTAINER-KIT/k8s-vault-webhook

Connaisseur is an admission controller for Kubernetes that integrates Image Signature Verification and Trust Pinning into a cluster, as a means to ensure that only valid images are being deployed

→ https://github.com/sse-secure-systems/connaisseur

rback is a simple "RBAC in Kubernetes" visualizer. It queries all RBAC info and generates a graph of service accounts, (cluster) roles, and the respective access rules in dot format

Read on: https://github.com/team-soteria/rback

Learn how to use CSI to expose secrets on a volume within a Kubernetes pod and retrieve them using our beta Vault Provider for the Kubernetes Secrets Store CSI Driver

More https://hashicorp.com/blog/retrieve-hashicorp-vault-secrets-with-kubernetes-csi

In this blog post, you'll learn the lifecycle of Kubernetes Network Policies (e.g. creation, editing, governance, debugging)

More https://itnext.io/lifecycle-of-kubernetes-network-policies-749b5218f684?source=friends_link

Architecting network isolation in AKS

Read on https://itnext.io/network-isolated-aks-part-1-controlling-network-traffic-2cd0e045352d?source=friends_link

Controlling outbound traffic from Kubernetes

→ https://monzo.com/blog/controlling-outbound-traffic-from-kubernetes

Exploring Kyverno: create and update existing resources

→ https://neonmirrors.net/post/2020-12/exploring-kyverno-part3

Handling Auth in EKS Clusters: Setting Up Kubernetes User Access Using AWS IAM

More https://nextlinklabs.com/insights/handling-authentication-in-EKS-clusters-kubernetes-AWS-IAM

[PDF] State of Kubernetes Security Report

→ https://redhat.com/rhdc/managed-files/cl-state-kubernetes-security-report-ebook-f29117-202106-en.pdf

State of Cloud Native Application Security: how cloud native adoption transforms the way organizations defend against security threats

More: https://snyk.io/state-of-cloud-native-application-security