What happens when you create a Pod in Kubernetes?
A surprisingly simple task reveals a complicated workflow that touches several components in the cluster.
Let's dive into it.
Kubesploit — @kubesploit@mastodon.social
Kubesploit — @kubesploit@mastodon.social’s Tweets
This article details how to secure web traffic using TLS with a certificate issued by a trusted CA on Google Kubernetes Engine
This will use Let's Encrypt through a popular Kubernetes add-on called cert-manager
➤ joachim8675309.medium.com/gke-with-certm
Auditing Kubernetes authorization can be a bit of a tricky task
In this article, you will learn what techniques and tools you can use to identify, reassign and manage RBAC rules in your cluster
➜ raesene.github.io/blog/2022/08/1
With Kubernetes v1.24, non-expiring service account tokens are no longer auto-generated
This blog post highlights what this means in practice, and what to do if you rely on non-expiring service account tokens
➤
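As an added example (not from the linked post), here is what "creating the token yourself" looks like after v1.24. The preferred route is the TokenRequest API (`kubectl create token build-robot --duration=1h` gives a short-lived, bound token, and Pods already get one through the projected volume); only when a legacy client cannot refresh should you hand-create the long-lived Secret below. The namespace `ci` and the account name `build-robot` are assumptions.

```yaml
# Added example: a long-lived service account token, created explicitly.
# Before v1.24 the token controller created a Secret like this for every
# ServiceAccount automatically; from v1.24 you have to ask for it.
# "ci" and "build-robot" are assumed names for this example.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
  namespace: ci
---
apiVersion: v1
kind: Secret
metadata:
  name: build-robot-token
  namespace: ci
  annotations:
    kubernetes.io/service-account.name: build-robot   # the controller fills in the token for this SA
type: kubernetes.io/service-account-token
# The token controller populates .data.token, .data.ca.crt and .data.namespace.
# The token never expires and is not bound to any Pod, so treat it like a
# password: rotate or revoke it by deleting the Secret.
```

Check which kind you are holding before you rely on it: `kubectl get secrets -A --field-selector type=kubernetes.io/service-account-token` lists every long-lived token still in the cluster, which is also the inventory you need when deciding what to migrate to TokenRequest.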
What if we need to block an action performed by cluster admins?
You can't do it with RBAC: it only allows for adding permissions, not taking them away
Learn how you can use Kyverno to do so in this tutorial
➜ marcusnoble.co.uk/2022-01-20-res
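An added example of the idea (my own, not the tutorial's code): a Kyverno ClusterPolicy that denies deletion of any Namespace labelled `protected=true`, no matter which user or group sends the request. The label name and value are assumptions.

```yaml
# Added example: deny DELETE on protected Namespaces at admission time.
# RBAC cannot express "everyone except this action"; a validating webhook can.
# The label protected=true is an assumption for this example.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-protected-namespace-delete
spec:
  validationFailureAction: Enforce   # reject the request rather than only report it
  background: false                  # admission-time only; nothing to scan on existing objects
  rules:
  - name: deny-delete
    match:
      any:
      - resources:
          kinds:
          - Namespace
          selector:
            matchLabels:
              protected: "true"
    validate:
      message: "Namespaces labelled protected=true cannot be deleted."
      deny:
        conditions:
          any:
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: Equals
            value: DELETE
```

Caveat a practitioner should keep in mind: Kyverno is itself a cluster component. A user holding cluster-admin can delete the ClusterPolicy or the ValidatingWebhookConfiguration and then perform the action, so a policy like this stops accidents and scripts, not a determined admin; protecting against the latter needs the webhook's own resources guarded by a second policy and, ultimately, fewer cluster-admin bindings.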
In this article, you will find a list of security context settings that can be used to harden deployments and, more importantly, gate them against security misconfiguration
➤ medium.com/@scotta01/kube
This article details how to secure mixed HTTP and gRPC web traffic with a single ingress controller
As part of the process, TLS certificates will be issued by a trusted CA
This will use Let’s Encrypt with cert-manager
➤
This tutorial shows how you can leverage Pipy to enforce admission control decisions in Kubernetes clusters without modifying or recompiling any components
Also, policies can be modified on the fly to satisfy changing operational requirements
➜ blog.flomesh.io/using-pipy-as-
Don't miss this week's "Learn Kubernetes weekly" newsletter with stories on:
→ Scaling requests
→ Proactive scaling
→ Capacity & resource management
→ State of persistent storage
→ Bandwidth exhaustion
And more!
learnk8s.io/learn-kubernet
kube-secrets-init is a Kubernetes mutating admission webhook that mutates any pod using specially prefixed environment variables and injects the corresponding secrets
➤
Troubleshooting in Kubernetes can be a daunting task. In this article, you will learn how to diagnose issues in Pods, Services and Ingress
➜ learnk8s.io/troubleshootin
This repository aggregates over 100 popular Kubernetes CRDs (CustomResourceDefinition) in JSON schema format
These schemas can be used by various tools, such as Datree, Kubeconform and Kubeval, as an alternative to `kubectl --dry-run`
➤
kubeval is a tool for validating a Kubernetes YAML or JSON configuration file
It does so using schemas generated from the Kubernetes OpenAPI specification, and therefore can validate schemas for multiple versions of Kubernetes
➜
Do you know all the YAML tricks and gotchas?
Are there any YAML tips for Kubernetes?
Read along!
Admission controllers are a key component of the admission process performed by the Kubernetes API server
They enable fine-grained control over the object creation, update, and deletion process
Learn how they work in this article
➤ pradeepl.com/blog/kubernete
In this article, you will learn how to integrate ArgoCD with HashiCorp Vault to manage secrets on Kubernetes
To use ArgoCD and Vault together, you will use the ArgoCD Vault plugin
➤
Validkube combines the best open-source tools to help ensure Kubernetes YAML best practices, hygiene & security
➜
The Kubesploit January digest just dropped!
In this recap, you will find a curated collection of the best Kubernetes, security-related articles, tutorials, libraries and tools republished in January
The Kubernetes Security Profiles Operator aims to make it easier for users to use SELinux, seccomp and AppArmor in Kubernetes clusters
➤
This article compares popular Kubernetes security and compliance frameworks, how they differ, when to use them, common goals, and suggested tools
➜
Kubeconform is a Kubernetes manifests validation tool
Similar to Kubeval, but with the following improvements:
➀ High performance
➁ Remote or local schemas locations
➂ Up-to-date schemas for all recent versions of Kubernetes
➤
In this article, you will learn how to test if your EKS control plane is exposed to the public internet and how to fix it
➜ medium.com/@dotdc/is-your
This post describes the different EKS log types and ways to optimize their cost
Understanding the levers available for consuming logs not only helps you optimize costs but also lets you focus on root cause analysis and attribution
➜
Have you ever tried to ping a Service IP address in Kubernetes?
You might have noticed that it doesn't work
Unless it just works
Confusing, I know
Let me explain
In this tutorial, you'll learn how to create a Python program that uses IAM Roles for Service Accounts to search for secrets in Secrets Manager and store them in a volume
The script can be used as an init container to inject secrets into any pod
➤
This article covers the techniques for centralised policy enforcement in a Kubernetes cluster:
- CI/CD pipelines
- Security Admission controller
- OPA and Gatekeeper
- IDE linting and plug-ins
➜ itnext.io/kubernetes-owa
KSOPS is a kustomize exec plugin for SOPS encrypted resources
KSOPS can be used to decrypt any Kubernetes resource, but is most commonly used to decrypt encrypted Kubernetes Secrets and ConfigMaps
➤
This article will teach you how to configure an AKS cluster to consume secrets, keys and certificates from an Azure KeyVault
➜
Become an expert in Kubernetes!
Learnk8s is running a 4-day Advanced Kubernetes workshop this January (next week, actually)
If you want to get your hands dirty with Kubernetes, join us for a session packed with hands-on labs!
Sign up here: learnk8s.io/online-advance
This article will teach you how to exploit a vulnerability in Linux containers by bypassing negative group permissions
➤
In this tutorial, you will learn how to automatically schedule Kubeflow pipeline Pods from any number of namespaces on dedicated GKE node pools
➜
kubeaudit is a command line tool and a Go package to audit Kubernetes clusters for various security concerns, such as:
- Run as non-root
- Use a read-only root filesystem
- Drop scary capabilities, don't add new ones
- Don't run privileged
➜
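The kubeaudit checks above are the same settings the security context article earlier in this feed is about, so here is one added example (mine, not from either source) showing a Pod in the form kubeaudit flags and then the hardened form that passes every listed check. The image name is an assumption.

```yaml
# Added example: the same Pod before and after hardening.
# The image registry.example.com/app:1.0 is a placeholder.
apiVersion: v1
kind: Pod
metadata:
  name: app-unhardened
spec:
  containers:
  - name: app
    image: registry.example.com/app:1.0
    securityContext:
      privileged: true            # host-level access; defeats every other control
      capabilities:
        add: ["NET_ADMIN"]        # adds to the runtime's default set instead of dropping it
    # runs as whatever UID the image sets (often 0), with a writable root filesystem
---
apiVersion: v1
kind: Pod
metadata:
  name: app-hardened
spec:
  securityContext:                # Pod-level: applies to every container
    runAsNonRoot: true            # kubelet refuses to start a container whose UID is 0
    runAsUser: 10001
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault        # the container runtime's default syscall filter
  containers:
  - name: app
    image: registry.example.com/app:1.0
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false   # sets no_new_privs; setuid binaries cannot gain privilege
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]             # drop everything, add back only what is demonstrably needed
    volumeMounts:
    - name: tmp
      mountPath: /tmp             # explicit scratch space, since / is now read-only
  volumes:
  - name: tmp
    emptyDir: {}
```

The hardened form also satisfies the Pod Security Admission `restricted` level, so the "gate" part is one namespace label away: `kubectl label ns <namespace> pod-security.kubernetes.io/enforce=restricted` makes the API server reject the first Pod outright rather than relying on an after-the-fact audit.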
Learn Kubernetes weekly is out! 🚀📰
This week with design patterns for Kubernetes, pitfalls in reloading configmaps and secrets, learning and building cloud-native projects from scratch, GKE with service mesh and much more!
learnk8s.io/issues/10
This project provides an OCI hook to generate seccomp profiles by tracing the syscalls made by the container
The generated profile would allow all the syscalls made and deny every other syscall
➤
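Both this hook and the Security Profiles Operator mentioned earlier in the feed end up with the same artifact: an allow-list seccomp profile. As an added example (not the hook's own output or the operator's docs), this is that profile written as an SPO `SeccompProfile`, plus the Pod that loads it. The syscall list is a constructed illustration for a small static network service; in practice you paste in the list the tracing hook generated. Namespace, names and image are assumptions.

```yaml
# Added example: allow-list seccomp profile managed by the Security Profiles
# Operator. Syscall names below are illustrative, not a traced result.
apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
  name: app-allowlist
  namespace: prod
spec:
  defaultAction: SCMP_ACT_ERRNO     # anything not listed fails with EPERM instead of killing the process
  architectures:
  - SCMP_ARCH_X86_64
  syscalls:
  - action: SCMP_ACT_ALLOW
    names:
    - accept4
    - bind
    - brk
    - close
    - epoll_ctl
    - epoll_pwait
    - exit_group
    - fstat
    - futex
    - getpid
    - listen
    - mmap
    - munmap
    - read
    - rt_sigaction
    - rt_sigprocmask
    - socket
    - write
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: prod
spec:
  containers:
  - name: app
    image: registry.example.com/app:1.0   # placeholder image
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: operator/prod/app-allowlist.json   # path the operator writes under the kubelet seccomp root
```

Roll it out with `defaultAction: SCMP_ACT_LOG` first: unlisted syscalls are then recorded in the kernel audit log instead of failing, which shows what the trace missed (signal handlers, rarely hit error paths) before you switch to `SCMP_ACT_ERRNO`.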
argocd-vault-plugin is an Argo CD plugin that retrieves secrets from Secret Management tools and injects them into Kubernetes
➜
How does the Ingress controller really work in Kubernetes?
I had to find out for myself, so I built one from scratch in bash
In this article, you will learn how to scan and discover publicly accessible Kubernetes clusters and how you can protect against it
➤ raesene.github.io/blog/2022/07/0
This article discusses the pitfalls and alternatives of Sealed Secrets as you move your deployments to production using GitOps
➜
Role-based access control (RBAC) is a way of granting users granular access to Kubernetes API resources
RBAC is a security design that limits access to Kubernetes resources based on the user's role
Learn how to use RBAC in this tutorial
➤ faun.pub/give-users-and
In this tutorial, you'll learn how to build a simple app that lists resources on the Kubernetes cluster it runs on
In the process, you will also learn how to utilize Service Accounts, RBAC, the Python client, Ingress and more
➜
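The RBAC tutorial and the resource-listing app above meet in one manifest, so here is an added example (my own, not from either tutorial) of the least-privilege wiring such an app needs: a ServiceAccount, a namespaced Role that can only read Pods, the binding, and the Pod that uses it. Namespace, names and image are assumptions.

```yaml
# Added example: least-privilege RBAC for an in-cluster app that lists Pods
# in its own namespace only. "tools", "pod-lister" and the image are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-lister
  namespace: tools
automountServiceAccountToken: false   # Pods using this SA get a token only if they ask for one
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                            # namespaced; a ClusterRole would grant the same verbs everywhere
metadata:
  name: pod-reader
  namespace: tools
rules:
- apiGroups: [""]                     # "" is the core API group, where pods live
  resources: ["pods"]
  verbs: ["get", "list", "watch"]     # no create/delete, and no pods/exec or pods/log subresources
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-lister-reads-pods
  namespace: tools
subjects:
- kind: ServiceAccount
  name: pod-lister
  namespace: tools
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: lister
  namespace: tools
spec:
  serviceAccountName: pod-lister
  automountServiceAccountToken: true  # this Pod does need the projected, expiring token
  containers:
  - name: app
    image: registry.example.com/pod-lister:1.0
```

Verify the grant from the outside before trusting the app's own error messages: `kubectl auth can-i list pods -n tools --as=system:serviceaccount:tools:pod-lister` should answer `yes`, while the same command with `delete pods`, with `create pods/exec`, or with `-n kube-system` should answer `no`. Running those checks over every binding is the auditing problem the earlier RBAC post in this feed is about.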