Kubesploit – Telegram
News and links on Kubernetes security curated by the @Learnk8s team
Website: https://kubesploit.io/
Kubernetes clusters belonging to over 350 organizations were found to be openly accessible and largely unprotected, with at least 60% breached and used for malware deployment.

Learn the attacks (and mitigations) in this article.

More: https://blog.aquasec.com/kubernetes-exposed-one-yaml-away-from-disaster
Passmower is an OIDC Identity Provider that is designed for Kubernetes environments.

It integrates with Kubernetes, persisting its data, including users and enrolled apps, using Custom Resource Definitions while storing session data in Redis.

More: https://github.com/passmower/passmower
This article explores how the securityContext field in Kubernetes hardens workloads by adjusting operating-system-level settings: the user, group and filesystem ownership a process runs with, a read-only root filesystem, and the Linux capabilities the process is allowed to keep.

More: https://medium.com/marionete/kubernetes-securitycontext-with-practical-examples-67d890558d11
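As an added example (not code from the article), the check below audits a Pod manifest for the settings the article covers and runs it over a constructed "before" and "after" manifest. The image name and the numeric IDs are placeholders; the logic is what a CI linter or admission policy would enforce before a Pod is admitted.

```python
"""Audit a Pod manifest for the SecurityContext hardening the article covers.

Added example, not code from the article. Both manifests below are constructed;
the image name is a placeholder. The check mirrors what a CI linter or an
admission policy would enforce before a Pod is admitted.
"""


def audit_pod(pod: dict) -> list[str]:
    """Return one finding per missing hardening setting; [] means the Pod passes."""
    findings = []
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    # Init containers run under the same rules as regular containers.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        ctx = c.get("securityContext", {})
        # A container-level setting overrides the pod-level one, so look at both.
        run_as_non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot"))
        run_as_user = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
        seccomp = ctx.get("seccompProfile", pod_ctx.get("seccompProfile", {}))
        caps = ctx.get("capabilities", {})

        if ctx.get("privileged", False):
            findings.append(f"{name}: privileged=true (all capabilities, host devices, no seccomp)")
        if run_as_non_root is not True and run_as_user in (None, 0):
            findings.append(f"{name}: may run as root (set runAsNonRoot: true or a non-zero runAsUser)")
        if ctx.get("allowPrivilegeEscalation", True) is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not false (setuid binaries regain privileges)")
        if ctx.get("readOnlyRootFilesystem", False) is not True:
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        for cap in caps.get("add", []):
            findings.append(f"{name}: adds capability {cap}; justify each one")
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile (set seccompProfile.type: RuntimeDefault)")
    return findings


# Constructed "before": the container runs as root with every privilege.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {"containers": [{
        "name": "app", "image": "registry.example.com/app:1.0",
        "securityContext": {"privileged": True},
    }]},
}

# Constructed "after": the same workload with the article's settings applied.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001,
            "fsGroup": 10001,                    # volumes become group-writable for this GID
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "app", "image": "registry.example.com/app:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},   # add back e.g. NET_BIND_SERVICE only if needed
            },
            # With a read-only root, give the process an explicit scratch directory.
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(audit_pod(pod))} finding(s)")
        for f in audit_pod(pod):
            print("  -", f)
```

The weak manifest produces six findings and the hardened one none. Note that pod-level settings are inherited by containers but a container-level value wins, which is why the audit resolves both before deciding; a policy that only inspects one level will miss a container that re-enables privilege escalation under a hardened pod.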
Forwarded from KubeFM
What does it take to build a Kubernetes cluster on bare metal?

In this episode of KubeFM, you will learn how to plan and execute a successful setup for a bare-metal Kubernetes cluster.

You will follow Mathias' journey as he rebuilt his cluster several times and learn how to:

- Identify dependencies and priorities between components to avoid incidents in the future.
- Leverage FluxCD to have a predictable and documented setup.
- Secure the nodes from external traffic with firewalls and Cilium cluster-wide network policies.
- Use Talos to have a self-contained Kubernetes operating system.

Mathias also shared tips and advice for other engineers embarking on the same process.

Watch it here: https://kube.fm/bare-metal-kubernetes-mathias

Listen on:

- Apple Podcast https://kube.fm/apple
- Spotify https://kube.fm/spotify
- Amazon Music https://kube.fm/amazon
- Overcast https://kube.fm/overcast
- Pocket casts https://kube.fm/pocket-casts
- Deezer https://kube.fm/deezer
Dex-operator is a Kubernetes operator for deploying and managing Dex IdP.

More: https://github.com/gpu-ninja/dex-operator
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:

⚖️ Load balancing long-lived connections
💪 40% more performant with Cilium
👷‍♀️ Single-tenant architecture with Crossplane
🥷 1 yaml away from disaster
📚 SecurityContext with examples

Read it now: https://learnk8s.io/issues/54
Forwarded from LearnKube news
In this tutorial, you will learn how to create a mutating webhook handler for namespaces using Kubebuilder.

More: https://levelup.gitconnected.com/mutating-webhook-handler-for-built-in-core-types-456aa146cc46
This article discusses Kubernetes security fundamentals and provides five practical steps to bolster security:

1. Proper configuration.
2. Image scanning.
3. Network security.
4. Controlling running applications.
5. Auditing and logging events.

More: https://blog.palark.com/kubernetes-security-best-practices
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨‍💻 Remote from the United States
https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55

DevSecOps Engineer with 1Password
💰 $180K to $244K a year
👨‍💻 Remote from the United States, Canada
https://kube.careers/t/b733b996-956e-4086-b0fa-514316485975?s=55

DevSecOps Engineer with Robinhood
💰 $169K to $255K a year
🏠 From the office in Menlo Park, CA / New York, NY / Seattle, WA / Washington, DC, USA
https://kube.careers/t/bcecc046-9f28-4766-aaad-e8cb41ae9aa3?s=55

DevSecOps Engineer with Palo Alto Networks
💰 $180.2K to $236.5K a year
🏠🏃🏻‍♂️🌎 Santa Clara, CA, USA
https://kube.careers/t/c50a52bc-e5ec-43f7-9f4c-bc0103fb9632?s=55

👉 Browse all 420 Kubernetes jobs on Kube Careers https://kube.careers
Kubelet Serving Certificate Approver is a custom CSR-approving controller for the kubernetes.io/kubelet-serving signer: the Certificate Signing Requests a kubelet submits for the certificate that serves its own TLS endpoint (the one the API server connects to for logs, exec and port-forward).

Kubelets only issue these CSRs when serverTLSBootstrap is enabled in the kubelet configuration, and the built-in controller does not auto-approve them, so without an approver (or a manual kubectl certificate approve) the kubelet falls back to a self-signed serving certificate.

More: https://github.com/alex1989hu/kubelet-serving-cert-approver
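The checks an approver has to make before signing are the interesting part, because approving blindly lets one compromised node obtain a certificate in another node's name. The added example below (not the project's code) encodes the kubernetes.io/kubelet-serving signer's rules plus the node-address match; it assumes the CSR's PKCS#10 body has already been parsed into plain fields (in practice via the cryptography package or Go's crypto/x509), and the node address table and both CSRs are constructed.

```python
"""Decide whether a kubernetes.io/kubelet-serving CSR may be approved.

Added example, not the kubelet-serving-cert-approver code. It assumes the CSR's
PKCS#10 body has already been parsed into plain fields (in practice with the
`cryptography` package or Go's crypto/x509); the node address table and both
CSRs are constructed for illustration.
"""
import ipaddress

SIGNER = "kubernetes.io/kubelet-serving"
# The signer permits exactly these usage sets; "key encipherment" is optional.
ALLOWED_USAGES = (
    {"digital signature", "key encipherment", "server auth"},
    {"digital signature", "server auth"},
)


def check_kubelet_serving_csr(csr: dict, node_addresses: dict[str, set[str]]) -> list[str]:
    """Return the reasons to deny; an empty list means approve.

    csr["spec"] holds the CertificateSigningRequest fields (username, groups,
    signerName, usages); csr["request"] holds the parsed PKCS#10 subject and SANs.
    node_addresses maps a node name to the hostnames and IPs recorded in the
    Node object's .status.addresses, which is what the SANs must be limited to.
    """
    errors = []
    spec, req = csr["spec"], csr["request"]
    cn = req.get("common_name", "")
    node = cn.removeprefix("system:node:")

    if spec.get("signerName") != SIGNER:
        errors.append(f"signerName must be {SIGNER}")
    if not cn.startswith("system:node:"):
        errors.append("CN must be system:node:<nodeName>")
    if req.get("organizations") != ["system:nodes"]:
        errors.append("subject organizations must be exactly [system:nodes]")
    # A kubelet may only request a certificate for its own identity: the
    # authenticated requester has to be the very node named in the CN.
    if spec.get("username") != cn or "system:nodes" not in spec.get("groups", []):
        errors.append("requester must be the node named in the CN and a member of system:nodes")
    if set(spec.get("usages", [])) not in ALLOWED_USAGES:
        errors.append(f"usages {sorted(spec.get('usages', []))} are not permitted for {SIGNER}")
    if req.get("email_addresses") or req.get("uris"):
        errors.append("email and URI SANs are not permitted")

    known = node_addresses.get(node, set())
    dns_names, ips = req.get("dns_names", []), req.get("ip_addresses", [])
    if not dns_names and not ips:
        errors.append("at least one DNS or IP SAN is required")
    for name in dns_names:
        if name not in known:
            errors.append(f"DNS SAN {name} is not an address of node {node}")
    for ip in ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"IP SAN {ip!r} is not a valid address")
            continue
        if ip not in known:
            errors.append(f"IP SAN {ip} is not an address of node {node}")
    return errors


# Constructed: what the API server reports for one worker node.
NODE_ADDRESSES = {"worker-1": {"worker-1", "worker-1.nodes.example.internal", "10.0.0.11"}}

# A legitimate request from worker-1 for its own serving certificate.
GOOD_CSR = {
    "spec": {"username": "system:node:worker-1", "groups": ["system:nodes", "system:authenticated"],
             "signerName": SIGNER, "usages": ["digital signature", "key encipherment", "server auth"]},
    "request": {"common_name": "system:node:worker-1", "organizations": ["system:nodes"],
                "dns_names": ["worker-1", "worker-1.nodes.example.internal"], "ip_addresses": ["10.0.0.11"]},
}

# A compromised worker-2 asking for a certificate in worker-1's name with an extra IP:
# approving this would let it impersonate worker-1's kubelet endpoint.
SPOOFED_CSR = {
    "spec": {"username": "system:node:worker-2", "groups": ["system:nodes", "system:authenticated"],
             "signerName": SIGNER, "usages": ["digital signature", "server auth"]},
    "request": {"common_name": "system:node:worker-1", "organizations": ["system:nodes"],
                "dns_names": ["worker-1"], "ip_addresses": ["10.0.0.99"]},
}

if __name__ == "__main__":
    for label, csr in (("good", GOOD_CSR), ("spoofed", SPOOFED_CSR)):
        print(label, check_kubelet_serving_csr(csr, NODE_ADDRESSES) or "approve")
```

The spoofed request is rejected on two counts: the requester is not the node named in the CN, and the IP SAN does not belong to that node. The address match matters even when the identity check passes, because a serving certificate for an IP the node does not own lets it terminate traffic meant for something else.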
This article walks through seven known privilege-escalation paths in Kubernetes RBAC, each enabled by one of the following permissions:

- Create Pods
- Read Secrets
- Bind Roles
- Escalate existing Roles
- Impersonate entities in the Cluster

More: https://schutzwerk.com/blog/kubernetes-privilege-escalation-01
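As an added example (not code from the article), the scanner below flags Role or ClusterRole rules that grant any of those five primitives, including rules that hide them behind wildcards. The three rule sets are constructed; in practice you would feed it the .rules of each object from kubectl get roles,clusterroles -A -o json.

```python
"""Flag RBAC rules that grant any of the escalation primitives listed above.

Added example, not code from the article. The three rule sets are constructed;
in practice feed it the .rules of each Role/ClusterRole from
`kubectl get roles,clusterroles -A -o json`.
"""

# (apiGroup, resource, verb) and why holding it amounts to a much larger set of rights.
DANGEROUS = [
    ("", "pods", "create", "create Pods that mount any ServiceAccount token or hostPath in the namespace"),
    ("", "secrets", "get", "read Secrets, including ServiceAccount tokens and credentials"),
    ("", "secrets", "list", "list Secrets, which returns every value in the namespace"),
    ("rbac.authorization.k8s.io", "rolebindings", "create", "create RoleBindings; with bind, to any Role"),
    ("rbac.authorization.k8s.io", "roles", "bind", "bind Roles the principal does not itself hold"),
    ("rbac.authorization.k8s.io", "clusterroles", "bind", "bind ClusterRoles the principal does not itself hold"),
    ("rbac.authorization.k8s.io", "roles", "escalate", "add permissions to Roles beyond its own"),
    ("rbac.authorization.k8s.io", "clusterroles", "escalate", "add permissions to ClusterRoles beyond its own"),
    ("", "users", "impersonate", "act as any user"),
    ("", "groups", "impersonate", "act as any group, e.g. system:masters"),
    ("", "serviceaccounts", "impersonate", "act as any ServiceAccount"),
]


def _grants(rule_values: list[str], wanted: str) -> bool:
    # A "*" entry in apiGroups, resources or verbs matches everything.
    return "*" in rule_values or wanted in rule_values


def find_escalations(name: str, rules: list[dict]) -> list[str]:
    """Return one line per dangerous (group, resource, verb) the rules grant."""
    hits = []
    for rule in rules:
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        for group, resource, verb, why in DANGEROUS:
            if _grants(groups, group) and _grants(resources, resource) and _grants(verbs, verb):
                fq = f"{resource}.{group}" if group else resource
                hits.append(f"{name}: {verb} {fq} -> {why}")
    return hits


# Constructed rule sets, in the shape of a Role's .rules field.
READ_ONLY = [
    {"apiGroups": [""], "resources": ["pods", "configmaps"], "verbs": ["get", "list", "watch"]},
]
CI_DEPLOYER = [
    {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["get", "list", "create"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
]
NAMESPACE_ADMIN = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]

if __name__ == "__main__":
    for name, rules in (("read-only", READ_ONLY), ("ci-deployer", CI_DEPLOYER), ("ns-admin", NAMESPACE_ADMIN)):
        for line in find_escalations(name, rules) or [f"{name}: no escalation primitives"]:
            print(line)
```

The read-only role is clean, the CI deployer role is flagged three times (create pods, get secrets, list secrets), and the wildcard admin role matches every entry. The wildcard handling is the part worth keeping: a rule with apiGroups ["*"] or verbs ["*"] grants bind, escalate and impersonate without naming them, which is how these permissions usually end up in a cluster unnoticed.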
In this tutorial, you'll learn how to sign distroless container images with Cosign and enforce signature verification at admission time with Kyverno.

More: https://medium.com/@seifeddinerajhi/sign-and-verify-container-images-with-cosign-and-kyverno-a-complete-guide-b32b1f6e6264
Forwarded from KubeFM
By default, Kubernetes Secrets are stored in etcd without encryption; the values in the object are only base64 encoded, which is an encoding, not a protection.

And this is fine — at least, this is what Mac argues in this episode of KubeFM.

Mac says it all comes down to thinking strategically about security and where the Secrets could be leaked.

In this episode, you will learn:

- How to define a threat model to inform your security posture and mitigations.
- How Kubernetes Secrets offer sufficient guarantees for most common threat models.
- If you should use Hashicorp Vault or Kubernetes Secrets (and when not to use auto-unsealing).

Mac also covers tips and advice on becoming a security expert.

Watch it here: https://kube.fm/kubernetes-secrets-mac

Listen on:

- Apple Podcast https://kube.fm/apple
- Spotify https://kube.fm/spotify
- Amazon Music https://kube.fm/amazon
- Overcast https://kube.fm/overcast
- Pocket casts https://kube.fm/pocket-casts
- Deezer https://kube.fm/deezer
In this article, you will learn how an attacker inside a privileged container can break out to the underlying host by loading a kernel module, which is possible because a privileged container keeps the capability to do so (CAP_SYS_MODULE).

More: https://raesene.github.io/blog/2023/08/06/fun-with-privileged-container-breakout
Forwarded from LearnKube news
This week on the Learn Kubernetes Weekly:

🏎️ Kubernetes image proxy cache
🏃‍♀️ Kubernetes workloads to Graviton
📈 Memory settings for Java processes in Kubernetes
🙅 What is GitOps and why is it (almost) useless?

Read it now: https://learnk8s.io/issues/55
In this tutorial, you'll learn how to set up Vault and the injector service with the Vault Helm chart.

Then, you'll deploy an app to demonstrate how the injector service handles secrets.

More: https://medium.com/@seifeddinerajhi/securely-inject-secrets-to-pods-with-the-vault-agent-injector-3238eb774342
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:

Security Architect with Reddit
💰 $198.2K to $297.3K a year
👨‍💻 Remote from the United States
https://kube.careers/t/a58310f4-745b-499e-bded-d29ef2353e11?s=55

DevSecOps Engineer with Hyperscience
💰 $190K to $260K a year
👨‍💻 Remote from the United States
https://kube.careers/t/ab01bf82-75af-4610-ba58-d58cd09f529a?s=55

DevSecOps Engineer with 1Password
💰 $180K to $244K a year
👨‍💻 Remote from the United States, Canada
https://kube.careers/t/b733b996-956e-4086-b0fa-514316485975?s=55

DevSecOps Engineer with Robinhood
💰 $169K to $255K a year
🏠 From the office in Menlo Park, CA / New York, NY / Seattle, WA / Washington, DC, USA
https://kube.careers/t/bcecc046-9f28-4766-aaad-e8cb41ae9aa3?s=55

👉 Browse all 428 Kubernetes jobs on Kube Careers https://kube.careers
In this article, you will learn how to create a simple yet effective incident response mechanism within Kubernetes, leveraging Falco for threat detection, CRIU for container snapshotting, and OpenFaaS for automating responses.

More: https://blog.fraktal.fi/navigating-kubernetes-incident-response-with-falco-criu-and-openfaas-285021bbdbe4
Forwarded from Kube Events
This February attend the Kubernetes Community Days Brazil 🇧🇷 and extend your stay to enjoy the iconic Brazilian Carnival!

📆 24-24 of Feb
📍 Online and São Paulo, BR

More info: https://kube.events/t/fca77347-2776-4fd6-92aa-d70c0d43e0d8?s=16
In this project, you'll learn how to create a Mutating Webhook targeting pods.

The webhook server will intercept requests to create or update pods and apply custom logic to modify the specifications before they are admitted to the cluster.

More: https://github.com/rajibmitra/pod-mutator
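The core of such a webhook is turning an AdmissionReview request into a base64-encoded JSON Patch in the AdmissionReview response. The added example below (not the pod-mutator project's code) does exactly that for the Pod create/update path, defaulting every container to a hardened securityContext while leaving fields the workload set itself untouched. The sample request is constructed; TLS serving and the MutatingWebhookConfiguration are assumed to be handled by the deployment.

```python
"""Mutating admission handler that defaults Pod containers to a hardened securityContext.

Added example, not the pod-mutator project's own code. It builds the
admission.k8s.io/v1 AdmissionReview response the API server expects; the
sample request below is constructed. Serving it over TLS and registering the
MutatingWebhookConfiguration are left to the project's deployment.
"""
import base64
import json

# Set only when the container does not specify the field itself, so a workload
# that deliberately needs something else is never silently overridden.
DEFAULTS = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
}


def build_patch(pod: dict) -> list[dict]:
    """Return RFC 6902 JSON Patch operations for every container missing a default."""
    ops = []
    for i, container in enumerate(pod.get("spec", {}).get("containers", [])):
        base = f"/spec/containers/{i}/securityContext"
        ctx = container.get("securityContext")
        if ctx is None:
            # "add" on a missing parent fails, so create the whole object in one op.
            ops.append({"op": "add", "path": base, "value": dict(DEFAULTS)})
            continue
        for key, value in DEFAULTS.items():
            if key not in ctx:
                ops.append({"op": "add", "path": f"{base}/{key}", "value": value})
    return ops


def handle_admission_review(review: dict) -> dict:
    """Take an AdmissionReview request and return the AdmissionReview response."""
    req = review["request"]
    response = {"uid": req["uid"], "allowed": True}   # the uid must be echoed back
    # Only Pods being created or updated are mutated; anything else passes through.
    if req.get("kind", {}).get("kind") == "Pod" and req.get("operation") in ("CREATE", "UPDATE"):
        ops = build_patch(req["object"])
        if ops:
            response["patchType"] = "JSONPatch"
            response["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def decode_patch(admission_response: dict) -> list[dict]:
    """Undo the base64 wrapping so the patch can be inspected in tests or logs."""
    return json.loads(base64.b64decode(admission_response["response"]["patch"]))


# Constructed request: one container without a securityContext, one with a partial one.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "2f9d4d2c-0000-4000-8000-000000000001",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "namespace": "team-a",
        "object": {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
                   "spec": {"containers": [
                       {"name": "api", "image": "registry.example.com/api:1.0"},
                       {"name": "sidecar", "image": "registry.example.com/proxy:1.0",
                        "securityContext": {"runAsNonRoot": True}},
                   ]}},
    },
}

if __name__ == "__main__":
    resp = handle_admission_review(SAMPLE_REVIEW)
    print(json.dumps(decode_patch(resp), indent=2))
```

For the sample request the patch has three operations: the whole securityContext for the first container, and two individual fields for the sidecar that already had one. Because the handler only adds what is absent, running it twice on the same Pod is a no-op, which keeps it safe under reinvocation. When registering it, scope the MutatingWebhookConfiguration to pods on CREATE and UPDATE, exclude kube-system with a namespaceSelector, and decide failurePolicy deliberately: Fail blocks every Pod in the cluster if the webhook is down, Ignore admits unmutated Pods.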
In this article, you will learn how to issue X.509 certificates to authenticate users to a Kubernetes cluster.

You'll also explore how to use the credential from within a Node.js app.

More: https://krateo.medium.com/kubernetes-user-authorization-with-certificates-d3cde5897ff7