How to inject secrets from AWS, GCP, or Vault into a Kubernetes Pod
More: https://blog.doit-intl.com/injecting-secrets-from-aws-gcp-or-vault-into-a-kubernetes-pod-d5a0e84ba892
In the world of Kubernetes, we try to automate and minimize code duplication. Consuming secrets from a secret manager in Kubernetes should be the same way. Here’s how to do it.
Best practices for cluster isolation in Azure Kubernetes Service (AKS)
→ https://docs.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-isolation
Can you jailbreak rootless Docker-in-Docker?
Read more https://gist.github.com/protosam/0d263bba98d45601df022b70ef308dbf
Google Secret Manager Provider for Secret Store CSI Driver allows you to access secrets stored in Secret Manager as files mounted in Kubernetes pods.
More https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp
HashiCorp Vault provider for the Secrets Store CSI driver allows you to get secrets stored in Vault and use the Secrets Store CSI driver interface to mount them into Kubernetes pods
Read more https://github.com/hashicorp/vault-csi-provider
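Added example for the two CSI-provider posts above (the Google Secret Manager provider and the Vault provider). This is editor-written, not code from either project or from the channel. It assumes placeholder values that are not on the page: a GCP project ID `PROJECT_ID`, a Secret Manager secret named `db-password`, a Vault server reachable at `http://vault.vault:8200` with a Kubernetes-auth role `app`, a KV v2 secret at `secret/data/app` with key `api_key`, and a Kubernetes service account `app` that each backend has been configured to trust. Both providers share the same `SecretProviderClass` CRD and the same CSI volume type; only the `provider` and `parameters` differ.

```yaml
# Added example (not from the page or either project). Placeholders marked below
# are assumptions: PROJECT_ID, secret db-password, Vault address/role, path secret/data/app.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: gcp-db-secrets
spec:
  provider: gcp
  parameters:
    secrets: |
      - resourceName: "projects/PROJECT_ID/secrets/db-password/versions/latest"   # assumed
        path: "db-password"          # file name created under the mount
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-app-secrets
spec:
  provider: vault
  parameters:
    vaultAddress: "http://vault.vault:8200"   # assumed in-cluster Vault address
    roleName: "app"                           # assumed Vault Kubernetes-auth role
    objects: |
      - objectName: "api-key"                 # file name under the mount
        secretPath: "secret/data/app"         # assumed KV v2 path
        secretKey: "api_key"
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  # The pod's service account is the identity both backends authenticate:
  # Workload Identity on the GCP side, the Kubernetes auth method on the Vault side.
  serviceAccountName: app
  containers:
    - name: app
      image: busybox:1.36
      command: ["sh", "-c", "ls -l /mnt/gcp /mnt/vault && sleep 3600"]
      volumeMounts:
        - name: gcp-secrets
          mountPath: /mnt/gcp
          readOnly: true
        - name: vault-secrets
          mountPath: /mnt/vault
          readOnly: true
  volumes:
    # The Secrets Store CSI driver only accepts read-only volumes.
    - name: gcp-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: gcp-db-secrets
    - name: vault-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: vault-app-secrets
```

Apply with `kubectl apply -f` and check with `kubectl exec app -- cat /mnt/gcp/db-password`. Two points worth verifying before relying on this pattern: the values land only on the node's tmpfs mount and in the container, so no Kubernetes Secret object is written to etcd unless you opt into the driver's sync-as-Kubernetes-Secret feature; and the files are fetched at pod start, so a rotated secret in the backend is not reflected in the pod unless the driver's rotation feature is enabled and the application re-reads the file.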
gsm-controller is a Kubernetes controller that copies secrets from Google Secrets Manager into Kubernetes secrets. The controller watches Kubernetes secrets looking for an annotation; if the annotation is not found on the secret, nothing more is done
More https://github.com/jenkins-x/gsm-controller
Connaisseur is a Kubernetes admission controller to integrate container image signature verification and trust pinning into a cluster
More https://github.com/sse-secure-systems/connaisseur
Kubestriker is a platform-agnostic tool designed to tackle Kubernetes cluster security issues due to misconfigurations and will help strengthen the overall IT infrastructure of any organisation
More https://github.com/vchinnipilli/kubestriker
The ClusterSecret operator makes sure that all the matching namespaces have a secret available. New namespaces, if they match a pattern, will also have the secret. Any change on the ClusterSecret will update all related secrets
Read more https://github.com/zakkg3/ClusterSecret
Enforcing image trust on Docker containers using Notary
More https://infracloud.io/blogs/enforcing-image-trust-docker-containers-notary
In this blog post we talk about the importance of supply chain security and how we can implement container image trust in Docker and Kubernetes using Notary.
Top 10 container security best practices
Read more: https://infracloud.io/blogs/top-10-things-for-container-security?amp%3Butm_campaign=promoting_blog&%3Butm_content=kubernetes&%3Butm_medium=social
The top 10 best practices you can follow and implement today to reduce security risks in the containerized workloads and secure the application containers.
Attacking Kubernetes via misconfigured Argo Workflows
Read on: https://intezer.com/blog/container-security/new-attacks-on-kubernetes-via-misconfigured-argo-workflows
2 Widespread attacks (Man-in-the-Middle, Cryptojacking attack) on your containerized environment and 7 rules to prevent it
Read more: https://itnext.io/2-widespread-attacks-on-your-containerized-environment-and-7-rules-to-prevent-it-957aa7dfa5e0
Kubernetes Network Policies for isolating Namespaces
Read on https://loft.sh/blog/kubernetes-network-policies-for-isolating-namespaces
Learn how to secure pod to pod communication using Kubernetes network policies to secure your cluster and applications.
Verifying Container image signatures in Kubernetes using Notary or Cosign or both
More https://medium.com/sse-blog/verify-container-image-signatures-in-kubernetes-using-notary-or-cosign-or-both-c25d9e79ec45
A HIGH severity vulnerability was found in Kubernetes in which users may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem
More: https://armosec.io/blog/kubescape-checks-if-kubernetes-exposed-to-k8s-symlink-vulnerability-cve202125741
Kubescape now checks if your K8s clusters are exposed to CVE-2021-25741 and verifies that there are no pods in the cluster that attempt to use the subPath function.
In this blog, you will explore advanced persistent threat techniques used in container attacks, learn how rootkits work, and how adversaries are using them to attack cloud native environments.
Read more: https://blog.aquasec.com/advanced-persistent-threat-techniques-container-attacks
A Security Review of Docker Official Images: Which Do You Trust?
👉 https://blog.aquasec.com/docker-official-images
How to improve your Docker containers security
More: https://blog.gitguardian.com/how-to-improve-your-docker-containers-security-cheat-sheet
Creating Malicious Admission Controllers
👉 https://blog.rewanthtammana.com/creating-malicious-admission-controllers
Forwarded from Daniele Polencic
👋 We’ve updated the Kubernetes instance calculator to include the recent change from the AWS-CNI. EC2 instances can have more pods than before, and that means running pods becomes cheaper.
You can find the calculator here: https://learnk8s.io/kubernetes-instance-calculator