Connaisseur is a Kubernetes admission controller to integrate container image signature verification and trust pinning into a cluster
More https://github.com/sse-secure-systems/connaisseur
More https://github.com/sse-secure-systems/connaisseur
Kubestriker is a platform-agnostic tool designed to tackle Kuberenetes cluster security issues due to misconfigurations and will help strengthen the overall IT infrastructure of any organisation
More https://github.com/vchinnipilli/kubestriker
More https://github.com/vchinnipilli/kubestriker
The ClusterSecret operator makes sure that all the matching namespaces have a secret available. New namespaces, if they match a pattern, will also have the secret. Any change on the ClusterSecret will update all related secrets
Read more https://github.com/zakkg3/ClusterSecret
Read more https://github.com/zakkg3/ClusterSecret
Enforcing image trust on Docker containers using Notary
More https://infracloud.io/blogs/enforcing-image-trust-docker-containers-notary
More https://infracloud.io/blogs/enforcing-image-trust-docker-containers-notary
InfraCloud
Enforcing Image Trust on Docker Containers using Notary
In this blog post we talk about the importance of supply chain security and how we can implement container image trust in Docker and Kubernetes using Notary.
Top 10 container security best practices
Read more: https://infracloud.io/blogs/top-10-things-for-container-security?amp%3Butm_campaign=promoting_blog&%3Butm_content=kubernetes&%3Butm_medium=social
Read more: https://infracloud.io/blogs/top-10-things-for-container-security?amp%3Butm_campaign=promoting_blog&%3Butm_content=kubernetes&%3Butm_medium=social
InfraCloud
Top 10 Container Security Best Practices
The top 10 best practices you can follow and implement today to reduce security risks in the containerized workloads and secure the application containers.
Attacking Kubernetes via misconfigured Argo Workflows
Read on: https://intezer.com/blog/container-security/new-attacks-on-kubernetes-via-misconfigured-argo-workflows
Read on: https://intezer.com/blog/container-security/new-attacks-on-kubernetes-via-misconfigured-argo-workflows
2 Widespread attacks (Man-in-the-Middle, Cryptojacking attack) on your containerized wnvironment and 7 rules to prevent it
Read more: https://itnext.io/2-widespread-attacks-on-your-containerized-environment-and-7-rules-to-prevent-it-957aa7dfa5e0
Read more: https://itnext.io/2-widespread-attacks-on-your-containerized-environment-and-7-rules-to-prevent-it-957aa7dfa5e0
Kubernetes Network Policies for isolating Namespaces
Read on https://loft.sh/blog/kubernetes-network-policies-for-isolating-namespaces
Read on https://loft.sh/blog/kubernetes-network-policies-for-isolating-namespaces
www.loft.sh
Kubernetes Network Policies for Isolating Namespaces
Learn how to secure pod to pod communication using Kubernetes network policies to secure your cluster and applications.
Verifying Container image signatures in Kubernetes using Notary or Cosign or both
More https://medium.com/sse-blog/verify-container-image-signatures-in-kubernetes-using-notary-or-cosign-or-both-c25d9e79ec45
More https://medium.com/sse-blog/verify-container-image-signatures-in-kubernetes-using-notary-or-cosign-or-both-c25d9e79ec45
A HIGH severity vulnerability was found in Kubernetes in which users may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem
More: https://armosec.io/blog/kubescape-checks-if-kubernetes-exposed-to-k8s-symlink-vulnerability-cve202125741
More: https://armosec.io/blog/kubescape-checks-if-kubernetes-exposed-to-k8s-symlink-vulnerability-cve202125741
ARMO
Symlink vulnerability CVE-2021-25741 | ARMO
Kubescape now checks if your K8s clusters are exposed to CVE-2021-25741 and verify that there are no pods in the cluster that attempt to use subPath function.
In this blog, you will explore advanced persistent threat techniques used in container attacks, learn how rootkits work, and how adversaries are using them to attack cloud native environments.
Read more: https://blog.aquasec.com/advanced-persistent-threat-techniques-container-attacks
Read more: https://blog.aquasec.com/advanced-persistent-threat-techniques-container-attacks
A Security Review of Docker Official Images: Which Do You Trust?
👉 https://blog.aquasec.com/docker-official-images
👉 https://blog.aquasec.com/docker-official-images
How to improve your Docker containers security
More: https://blog.gitguardian.com/how-to-improve-your-docker-containers-security-cheat-sheet
More: https://blog.gitguardian.com/how-to-improve-your-docker-containers-security-cheat-sheet
Creating Malicious Admission Controllers
👉 https://blog.rewanthtammana.com/creating-malicious-admission-controllers
👉 https://blog.rewanthtammana.com/creating-malicious-admission-controllers
Forwarded from Daniele Polencic
👋 We’ve updated the Kubernetes instance calculator to include the recent change from the AWS-CNI. EC2 instances can have more pods than before, and that means running pods becomes cheaper.
You can find the calculator here: https://learnk8s.io/kubernetes-instance-calculator
You can find the calculator here: https://learnk8s.io/kubernetes-instance-calculator
Top Open Source Kubernetes security tools of 2021
Read on https://cloud.redhat.com/blog/top-open-source-kubernetes-security-tools-of-2021
Read on https://cloud.redhat.com/blog/top-open-source-kubernetes-security-tools-of-2021
How to secure your Kubernetes control plane and node components
Read more: https://cncf.io/blog/2021/08/20/how-to-secure-your-kubernetes-control-plane-and-node-components
Read more: https://cncf.io/blog/2021/08/20/how-to-secure-your-kubernetes-control-plane-and-node-components
Detect Malicious Behaviour on Kubernetes API Server through gathering Audit Logs by using FluentBit
→ https://falco.org/blog/detect-malicious-behaviour-on-kubernetes-api-server-through-gathering-audit-logs-by-using-fluentbit-part-2
→ https://falco.org/blog/detect-malicious-behaviour-on-kubernetes-api-server-through-gathering-audit-logs-by-using-fluentbit-part-2
This repository contains various use cases of Kubernetes Network Policies and sample YAML files to leverage in your setup. If you ever wondered how to drop/restrict traffic to applications running on Kubernetes, this is for you
Read on: https://github.com/ahmetb/kubernetes-network-policy-recipes
Read on: https://github.com/ahmetb/kubernetes-network-policy-recipes
Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by NSA and CISA
More: https://github.com/armosec/kubescape
More: https://github.com/armosec/kubescape
GitHub
GitHub - kubescape/kubescape: Kubescape is an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters.…
Kubescape is an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters. It includes risk analysis, security, compliance, and misconfiguration scanning, saving Kubernet...
Curiefense extends Envoy proxy to defend against a variety of threats, including SQL and command injection, cross site noscripting (XSS), account takeovers (ATOs) and more
Read on https://github.com/curiefense/curiefense
Read on https://github.com/curiefense/curiefense