This article shows the core strategies for securing an Argo CD deployment and keeping you ahead of potential exposures

➀ Use a dedicated project for the control plane
➁ Argo resources are for Argo admins only

➅ Have a CVE response plan ready

dnastacio.medium.com/gitops-ar

Granting rights to node/proxy resources in Kubernetes could allow for audit logs and other security controls to be bypassed

Learn how in this article

blog.aquasec.com/privilege-esc

In this article, you'll learn how to use the Vault Agent Injector to dynamically generate and inject PKI certs into Pods

By rendering secrets to a shared volume, containers within the pod will consume Vault secrets without being Vault aware

medium.com/nerd-for-tech/pki-c

Radare2 is an open-source framework for reverse-engineering and binary analysis
In this article, you will learn how to run analysis at scale with Radare2, a CI/CD pipeline and Kubernetes

archcloudlabs.com/projects/dum

Learn how combining Gatekeeper + Cosign for image signature validation with the new external_data feature lets you stop untrusted docker images from being deployed on your Kubernetes cluster

justinpolidori.it/posts/202201

Kubesploit boosted

Learn how to design a Kafka cluster to achieve high availability using standard Kubernetes resources and test how it tolerates maintenance and total node failures

learnk8s.io/kafka-ha-kubernete

The kubelet uses startup, readiness, and liveness probes to verify whether a pod is booting, ready to accept traffic and still alive. It is the kubelet that actually executes the probes (and not the pod itself)

Learn how you can exploit them

xxradar.medium.com/exploiting-
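Because the kubelet performs the probe, a probe that names an explicit `host` makes the node, not the pod, open that connection, and an `exec` probe is a command the kubelet runs inside the container on a schedule. The checker below is an added example (not code from the linked article) that flags both patterns in Pod manifests; the allow-list `ALLOWED_EXEC` and the two sample pods are constructed for illustration and are not a Kubernetes default.

```python
# Added example, not code from the linked article. ALLOWED_EXEC and the two
# sample pods below are constructed for illustration.

# Assumed allow-list of binaries an exec probe may run (our own policy).
ALLOWED_EXEC = {"/bin/healthcheck", "cat", "test"}

PROBE_KINDS = ("startupProbe", "readinessProbe", "livenessProbe")


def probe_findings(pod):
    """Return (container, probe kind, reason) tuples for probes worth review.

    Both checks follow from the kubelet, not the pod, performing the probe:
      * httpGet / tcpSocket with an explicit `host`: the kubelet connects to
        that host from the node instead of to the pod IP (the default).
      * exec: the kubelet runs the command inside the container; anything
        whose first element is outside ALLOWED_EXEC is reported.
    """
    findings = []
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        for kind in PROBE_KINDS:
            probe = c.get(kind)
            if not probe:
                continue
            for handler in ("httpGet", "tcpSocket"):
                h = probe.get(handler)
                if h and h.get("host"):
                    findings.append((c["name"], kind,
                                     f"{handler} host={h['host']!r}: the kubelet "
                                     "connects from the node, not to the pod IP"))
            ex = probe.get("exec")
            if ex is not None:
                cmd = ex.get("command") or []
                if not cmd or cmd[0] not in ALLOWED_EXEC:
                    findings.append((c["name"], kind,
                                     f"exec command {cmd!r} is not on the allow-list"))
    return findings


# Constructed sample pods.
SAFE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {"containers": [{
        "name": "web", "image": "nginx:1.25",
        "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
        "livenessProbe": {"exec": {"command": ["cat", "/tmp/alive"]}},
    }]},
}

RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "scanner"},
    "spec": {"containers": [{
        "name": "app", "image": "busybox:1.36",
        # Explicit hosts: the kubelet, running on the node, connects to them.
        "livenessProbe": {"httpGet": {"host": "10.0.0.1", "path": "/", "port": 80}},
        "startupProbe": {"tcpSocket": {"host": "10.0.0.2", "port": 22}},
        "readinessProbe": {"exec": {"command": ["sh", "-c", "wget -qO- http://10.0.0.3/"]}},
    }]},
}

if __name__ == "__main__":
    for pod in (SAFE_POD, RISKY_POD):
        print(pod["metadata"]["name"], probe_findings(pod))
```

Run it over manifests pulled with `kubectl get pods -A -o json` (iterate the `items` list) to get the same findings for a live cluster; a admission policy built on the same two conditions is the preventive counterpart.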

keepass-secret is a command-line tool that converts entries from a KeePass 2.3 file into Kubernetes secrets

This tool was created to automatically create Kubernetes Secrets in CI/CD pipelines to deploy workloads to Kubernetes clusters

github.com/rene6502/keepass-se

Security researchers discovered a vulnerability where attackers could construct a malicious Helm chart to exfiltrate secrets, tokens, and other sensitive information from Argo CD which could then be potentially used for privilege escalation

blog.argoproj.io/argo-cd-deals

In this guide, you'll learn how to configure Vault to exchange service accounts for a scoped client Vault token. This can be useful for apps deployed in Kubernetes that want to self authenticate against Vault and avoid passing vault credentials around

ddymko.medium.com/vault-using-

PodSecurityPolicy exists in Kubernetes to provide security controls for pods. PSPs are deprecated in 1.21 (April 2021) and will be removed entirely in 1.25 (expected around April 2022). This article explains what PSPs are and their alternatives

appvia.io/blog/podsecuritypoli

In this article, you will explore several scenarios of how to attack etcd in Kubernetes to gain access to its data. You will cover:

- Etcd localhost port access due to SSRF vulnerability
- Etcd Credential Stealing
- Kube API server command execution

tutorialboy24.medium.com/a-det

Kubesploit boosted

Starting with Envoy 1.17, authentication and authorization to Istio clusters don't require setting up external services if you decide to use OAuth2
Learn how it works in this hands-on tutorial

medium.com/getindata-blog/oaut

Kubesploit boosted

Learn Kubernetes on the 9th of June!

Learnk8s is running an online 4-day Advanced Kubernetes workshop

If you're looking to get your hands dirty with Kubernetes, join us for a session packed with hands-on labs!

Sign up here: learnk8s.io/online-advanced-ju

In this article you will compare five open-source tools for Kubernetes security scanning:

➀ Grype
➁ Trivy
➂ Kubesec
➃ Kube-bench
➄ kubeaudit

quesengmany.medium.com/how-to-

It's no secret that Kubernetes Secrets are just base64-encoded strings stored in etcd alongside the rest of the cluster's state

But is it *really* an issue?

Let's create a rudimentary threat model for Kubernetes Secrets and see what comes up

macchaffee.com/blog/2022/k8s-s
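Two facts anchor that threat model: `data` in a Secret is base64, so anyone who can read the object or the etcd bytes has the plaintext, and whether etcd holds plaintext at all depends on the kube-apiserver's EncryptionConfiguration (the first provider of the first rule that lists `secrets` is used for writes; `identity` means none). The code below is an added example, not code from the linked post, that decodes a Secret and classifies an EncryptionConfiguration; the Secret and the two configurations are constructed samples.

```python
# Added example, not code from the linked post. The Secret and the two
# EncryptionConfiguration dicts below are constructed samples.
import base64


def decode_secret(secret):
    """Return {key: plaintext bytes} for a Secret manifest dict.

    `data` values are base64 (an encoding, not encryption); `stringData`
    values are already plain text. This is all a reader of the object, or of
    the raw etcd value when it is not encrypted at rest, needs to do.
    """
    plain = {k: base64.b64decode(v) for k, v in (secret.get("data") or {}).items()}
    for k, v in (secret.get("stringData") or {}).items():
        plain[k] = v.encode()
    return plain


def secrets_write_provider(encryption_config):
    """Name the provider the kube-apiserver uses when writing Secrets to etcd.

    `encryption_config` is the EncryptionConfiguration passed with
    --encryption-provider-config, or None when that flag is absent. The
    first rule whose `resources` lists "secrets" applies, and its first
    provider is used for writes; "identity" means plaintext. Wildcard
    resource entries such as "*." are not handled here (assumption).
    """
    if not encryption_config:
        return "identity"
    for rule in encryption_config.get("resources", []):
        if "secrets" in rule.get("resources", []):
            providers = rule.get("providers", [])
            if not providers:
                return "identity"
            return next(iter(providers[0]))
    return "identity"


def secrets_at_rest_finding(encryption_config):
    """One-line assessment for the threat model."""
    provider = secrets_write_provider(encryption_config)
    if provider == "identity":
        return "plaintext: Secrets in etcd (and etcd backups) are base64 only"
    return f"encrypted at rest with {provider}: etcd or backup access alone is not enough"


# Constructed sample Secret, as `kubectl get secret -o json` would show it.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "app"},
    "type": "Opaque",
    "data": {"password": "czNjcjN0LXBhc3M="},
}

# identity listed first: writes stay plaintext (this ordering is what a
# cluster looks like before, or while rolling back, encryption at rest).
PLAINTEXT_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [{"identity": {}},
                      {"aescbc": {"keys": [{"name": "key1", "secret": "<base64 key>"}]}}],
    }],
}

# aescbc listed first: new writes are encrypted, identity remains for reads.
ENCRYPTED_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [{"aescbc": {"keys": [{"name": "key1", "secret": "<base64 key>"}]}},
                      {"identity": {}}],
    }],
}

if __name__ == "__main__":
    print(decode_secret(SAMPLE_SECRET))
    for cfg in (None, PLAINTEXT_CONFIG, ENCRYPTED_CONFIG):
        print(secrets_at_rest_finding(cfg))
```

Note the asymmetry the threat model turns on: encryption at rest only defeats an attacker who has etcd bytes or backups; an attacker with `get` on Secrets via the API server still receives the decrypted object, which is an RBAC problem, not an etcd one.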

Using GitHub Actions, it's easy to improve the security of your containers by automating vulnerability scanning and digital signing. In this post, you'll go over how to set up and secure a CI/CD pipeline using GitHub Actions, Cosign, and Trivy

blog.aquasec.com/trivy-github-

2022 cloud-native threat report from Aquasec highlights the key threats targeting cloud-native applications by analyzing attacks and techniques in the wild

blog.aquasec.com/2022-cloud-na

In this blog post, you will

- Look at RBAC, what it is and how it can be used
- Create a ServiceAccount with restricted rights in the cluster
- Create a Role and ClusterRole to allow a user to access an application namespace

anaisurl.com/kubernetes-rbac
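The ServiceAccount, Role and ClusterRole the post creates are evaluated by the API server rule by rule, and the same evaluation is what makes the earlier `node/proxy` post matter: a rule granting `nodes/proxy`, `*/proxy` or `*` silently covers that subresource. The code below is an added example (not from either linked article) that implements the RBAC rule matching and reuses it to find every role that grants `nodes/proxy`; the roles are constructed samples.

```python
# Added example, not code from the linked articles. The roles below are
# constructed samples.

def rule_matches(rule, verb, api_group, resource, name=None):
    """Does one PolicyRule allow `verb` on `resource` in `api_group`?

    Follows the RBAC matching rules: "*" matches any verb, group or resource;
    a subresource is requested as "resource/sub" and also matches a "*/sub"
    entry; a non-empty resourceNames list restricts the rule to those
    objects. The core API group is "".
    """
    verbs = rule.get("verbs", [])
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    if "*" not in verbs and verb not in verbs:
        return False
    if "*" not in groups and api_group not in groups:
        return False
    ok = "*" in resources or resource in resources
    if not ok and "/" in resource:
        ok = "*/" + resource.split("/", 1)[1] in resources
    if not ok:
        return False
    names = rule.get("resourceNames") or []
    return not names or name in names


def can_i(rules, verb, api_group, resource, name=None):
    """Equivalent of `kubectl auth can-i` for one role's rules."""
    return any(rule_matches(r, verb, api_group, resource, name) for r in rules)


NODE_PROXY_VERBS = ("get", "list", "watch", "create", "update", "patch", "delete")


def node_proxy_grants(roles):
    """Names of Roles/ClusterRoles that allow any verb on nodes/proxy."""
    return [
        role["metadata"]["name"]
        for role in roles
        if any(rule_matches(r, v, "", "nodes/proxy")
               for r in role.get("rules", []) for v in NODE_PROXY_VERBS)
    ]


# Constructed sample roles.
ROLES = [
    {"kind": "Role", "metadata": {"name": "app-reader", "namespace": "app"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
         {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]},
     ]},
    {"kind": "Role", "metadata": {"name": "pinned", "namespace": "app"},
     "rules": [
         {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"],
          "resourceNames": ["my-config"]},
     ]},
    {"kind": "ClusterRole", "metadata": {"name": "node-debug"},
     "rules": [{"apiGroups": [""], "resources": ["nodes", "nodes/proxy"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "proxy-wildcard"},
     "rules": [{"apiGroups": [""], "resources": ["*/proxy"], "verbs": ["get", "create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "admin-like"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]

if __name__ == "__main__":
    print("app-reader get pods:", can_i(ROLES[0]["rules"], "get", "", "pods"))
    print("nodes/proxy granted by:", node_proxy_grants(ROLES))
```

Feed it `kubectl get roles,clusterroles -A -o json` (the `items` list) to audit a real cluster; the wildcard and `*/proxy` cases are the ones a grep for the literal string `nodes/proxy` misses.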

Kubernetes has a pluggable mechanism for enforcing granular policies on its resources

This gets even easier when you add Open Policy Agent and Gatekeeper

In this article, you will learn how to use Gatekeeper to keep your Deployments in check

asankov.dev/blog/2022/04/21/se
