Top 10 container security best practices
Read more: https://infracloud.io/blogs/top-10-things-for-container-security?amp%3Butm_campaign=promoting_blog&%3Butm_content=kubernetes&%3Butm_medium=social
The top 10 best practices you can follow and implement today to reduce security risks in the containerized workloads and secure the application containers.
Attacking Kubernetes via misconfigured Argo Workflows
Read on: https://intezer.com/blog/container-security/new-attacks-on-kubernetes-via-misconfigured-argo-workflows
2 Widespread attacks (Man-in-the-Middle, Cryptojacking attack) on your containerized environment and 7 rules to prevent it
Read more: https://itnext.io/2-widespread-attacks-on-your-containerized-environment-and-7-rules-to-prevent-it-957aa7dfa5e0
Kubernetes Network Policies for isolating Namespaces
Read on https://loft.sh/blog/kubernetes-network-policies-for-isolating-namespaces
Learn how to secure pod to pod communication using Kubernetes network policies to secure your cluster and applications.
Verifying Container image signatures in Kubernetes using Notary or Cosign or both
More https://medium.com/sse-blog/verify-container-image-signatures-in-kubernetes-using-notary-or-cosign-or-both-c25d9e79ec45
A HIGH severity vulnerability was found in Kubernetes in which users may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem
More: https://armosec.io/blog/kubescape-checks-if-kubernetes-exposed-to-k8s-symlink-vulnerability-cve202125741
Kubescape now checks if your K8s clusters are exposed to CVE-2021-25741 and verifies that there are no pods in the cluster that attempt to use the subPath function.
In this blog, you will explore advanced persistent threat techniques used in container attacks, learn how rootkits work, and how adversaries are using them to attack cloud native environments.
Read more: https://blog.aquasec.com/advanced-persistent-threat-techniques-container-attacks
A Security Review of Docker Official Images: Which Do You Trust?
👉 https://blog.aquasec.com/docker-official-images
How to improve your Docker containers security
More: https://blog.gitguardian.com/how-to-improve-your-docker-containers-security-cheat-sheet
Creating Malicious Admission Controllers
👉 https://blog.rewanthtammana.com/creating-malicious-admission-controllers
Forwarded from Daniele Polencic
👋 We’ve updated the Kubernetes instance calculator to include the recent change from the AWS-CNI. EC2 instances can have more pods than before, and that means running pods becomes cheaper.
You can find the calculator here: https://learnk8s.io/kubernetes-instance-calculator
Top Open Source Kubernetes security tools of 2021
Read on https://cloud.redhat.com/blog/top-open-source-kubernetes-security-tools-of-2021
How to secure your Kubernetes control plane and node components
Read more: https://cncf.io/blog/2021/08/20/how-to-secure-your-kubernetes-control-plane-and-node-components
Detect Malicious Behaviour on Kubernetes API Server through gathering Audit Logs by using FluentBit
→ https://falco.org/blog/detect-malicious-behaviour-on-kubernetes-api-server-through-gathering-audit-logs-by-using-fluentbit-part-2
This repository contains various use cases of Kubernetes Network Policies and sample YAML files to leverage in your setup. If you ever wondered how to drop or restrict traffic to applications running on Kubernetes, this is for you.
Read on: https://github.com/ahmetb/kubernetes-network-policy-recipes
Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by NSA and CISA
More: https://github.com/armosec/kubescape
Curiefense extends Envoy proxy to defend against a variety of threats, including SQL and command injection, cross-site scripting (XSS), account takeovers (ATOs) and more
Read on https://github.com/curiefense/curiefense
Vault-CRD is a custom resource definition for holding secrets that are stored in HashiCorp Vault and kept up to date with Kubernetes secrets
Read more: https://github.com/DaspawnW/vault-crd
“Another LDAP” provides Authentication and Authorization for your applications running on Kubernetes
👉 https://github.com/dignajar/another-ldap
Peirates, a Kubernetes penetration tool, enables an attacker to escalate privilege and pivot through a Kubernetes cluster
Read on https://github.com/inguardians/peirates
Forwarded from Daniele Polencic
Quick update!
We’ve updated the Kubernetes troubleshooting flowchart to include translations in Spanish, Mandarin, Korean and Portuguese. Many thanks to @elnemesisdivina @yorchveintemil @usernametoken Marcelo & Hoon Jo! 👏👏👏
You can download the poster here: https://learnk8s.io/troubleshooting-deployments