- Service Accounts
- Kubernetes Secrets
- Encrypting the certificate for Kubernetes. SSL certificates with Let’s Encrypt in Kubernetes Ingress via cert-manager
- Admission Control
- Security Best Practices Across Build, Deploy, and Runtime Phases
- Kubernetes Authentication and Authorization
- Pod Security Policies (SCCs - Security Context Constraints in OpenShift)
- EKS Security
- Dzone - devops security at scale
- Dzone - Kubernetes Policy Management with Kyverno
- Dzone - OAuth 2.0
- Kubernetes Security Best Practices 🌟
- jeffgeerling.com: Everyone might be a cluster-admin in your Kubernetes cluster
- Microsoft.com: Attack matrix for Kubernetes 🌟
- codeburst.io: 7 Kubernetes Security Best Practices You Must Follow
- thenewstack.io: Laying the Groundwork for Kubernetes Security, Across Workloads, Pods and Users
- horovits.wordpress.com: Kubernetes Security Best Practices
- containerjournal.com: How to Secure Your Kubernetes Cluster 🌟
- medium: How to Harden Your Kubernetes Cluster for Production 🌟
- kubernetes.io: Cloud native security for your clusters
- tldrsec.com: Risk8s Business: Risk Analysis of Kubernetes Clusters 🌟 A zero-to-hero guide for assessing the security risk of your Kubernetes cluster and hardening it.
- microsoft.com: Threat matrix for Kubernetes 🌟
- labs.bishopfox.com: Bad Pods: Kubernetes Pod Privilege Escalation 🌟 What are the risks associated with overly permissive pod creation in Kubernetes? The answer varies based on which of the host’s namespaces and security contexts are allowed. In this post, I will describe eight insecure pod configurations and the corresponding methods to perform privilege escalation. This article and the accompanying repository were created to help penetration testers and administrators better understand common misconfiguration scenarios.
- sysdig.com: Kubernetes Security Guide 🌟 Best practices, guidance and steps for implementing Kubernetes security.
- resources.whitesourcesoftware.com: Kubernetes Security Best Practices 🌟
- sysdig.com: Getting started with Kubernetes audit logs and Falco 🌟
- thenewstack.io: Jetstack Secure Promises to Ease Kubernetes TLS Security
- thenewstack.io: Best Practices for Securely Setting up a Kubernetes Cluster
- stackrox/Kubernetes_Security_Specialist_Study_Guide 🌟
- thenewstack.io: A Security Comparison of Docker, CRI-O and Containerd 🌟
- github.com/stackrox: Certified Kubernetes Security Specialist Study Guide 🌟
- youtube: Kubernetes Security: Attacking and Defending K8s Clusters - by Magno Logan
- cncf.io: Kubernetes Security 🌟
- microsoft.com: Secure containerized environments with updated threat matrix for Kubernetes
- kyverno.io 🌟 Kubernetes Native Policy Management. Open Policy Agent? That’s old school. Securely manage workloads on your Kubernetes clusters with this handy new tool, Kyverno. Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies. This allows using familiar tools such as kubectl, git, and kustomize to manage policies. Kyverno policies can validate, mutate, and generate Kubernetes resources. The Kyverno CLI can be used to test policies and validate resources as part of a CI/CD pipeline.
- youtube: The Way of the Future | Kubernetes Policy Management with Kyverno
- youtube: Securing and Automating Kubernetes with Kyverno
- kyverno.io/policies 🌟 K8s policies available in the community repository
- cyberark.com: Attacking Kubernetes Clusters Through Your Network Plumbing: Part 1
- redkubes.com: 10 Kubernetes Security Risks & Best Practices
- thenewstack.io: Defend the Core: Kubernetes Security at Every Layer
- techmanyu.com: Kubernetes Security with Kube-bench and Kube-hunter 🌟
- kube-bench 🌟 Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
- kube-hunter 🌟 Hunt for security weaknesses in Kubernetes clusters
- k21academy.com: Secure and Harden Kubernetes, AKS and EKS Cluster with kube-bench, kube-hunter and CIS Benchmarks 🌟
- Analyze Kubernetes Audit logs using Falco 🌟 Detect intrusions that happened in your Kubernetes cluster through audit logs using Falco
- blog.kasten.io: Kubernetes Ransomware Protection with Kasten K10 v4.0
- helpnetsecurity.com: Kubestriker: A security auditing tool for Kubernetes clusters 🌟 Kubestriker is an open-source, platform-agnostic tool for identifying security misconfigurations in Kubernetes clusters.
- Kubernetes Goat 🌟 is designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
- itnext.io: How-To: Kubernetes Cluster Network Security 🌟
- gist.github.com: How to protect your ~/.kube/ configuration
- levelup.gitconnected.com: Enforce Audit Policy in Kubernetes (k8s)
- snyk.io: 10 Kubernetes Security Context settings you should understand
- magalix.com: Top 8 Kubernetes Security Best Practices 🌟
- redhat.com: The State of Kubernetes Security
- igorzhivilo.com: Network policy and Calico CNI to Secure a Kubernetes cluster
- fairwinds.com: Discover the Top 5 Kubernetes Security Mistakes You’re (Probably) Making
- tigera.io: Kubernetes security policy design: 10 critical best practices 🌟
- empresas.blogthinkbig.com: A vulnerability discovered in Kubernetes allows access to restricted networks (CVE-2020-8562)
- thenewstack.io: Kubernetes: An Examination of Major Attacks 🌟 Constant vigilance is required to ensure that cloud infrastructure is locked down and that DevSecOps teams have the right tools for the job.
- nsa.gov: NSA, CISA release Kubernetes Hardening Guidance 🌟🌟
- Kubernetes Hardening Guidance 🌟🌟
- thenewstack.io: The NSA Can Help Secure Your Kubernetes Clusters
- therecord.media: NSA, CISA publish Kubernetes hardening guide 🌟🌟
- Scan containers and Pods for vulnerabilities or misconfigurations.
- Run containers and Pods with the least privileges possible.
- Use network separation to control the amount of damage a compromise can cause.
- Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
- Use strong authentication and authorization to limit user and administrator access as well as to limit the attack surface.
- Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity.
- Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.
- cloud.redhat.com: OpenShift and the NSA-CISA ‘Kubernetes Hardening Guidance’. Red Hat OpenShift is the quickest path to meeting the NSA’s Kubernetes hardening guidance.
- Kubescape 🌟 Kubescape is the first tool for testing whether Kubernetes is deployed securely as defined in the Kubernetes Hardening Guidance by NSA and CISA. Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
- infoq.com: NSA and CISA Publish Kubernetes Hardening Guidance
- cloud.redhat.com: Top Open Source Kubernetes Security Tools of 2021 🌟🌟
- csoonline.com: Kubernetes hardening: Drilling down on the NSA/CISA guidance. The new guidance gives a solid foundation for hardening Kubernetes container environments. These are its key components and why they are important.
- cncf.io: How to secure your Kubernetes control plane and node components
- redhat.com: State of Kubernetes Security Report - Spring 2021 (PDF) 🌟
- kubernetes.io: Overview of Cloud Native Security 🌟🌟 This overview defines a model for thinking about Kubernetes security in the context of Cloud Native security.
- elastisys.com: NSA and CISA Kubernetes Security Guidance: Summarized and Explained
- learn.hashicorp.com: Integrate a Kubernetes Cluster with an External Vault 🌟
- talkingquickly.co.uk: Kubernetes Single Sign On - A detailed guide 🌟
Service Accounts¶
- A service account is an important concept in Kubernetes security. If you have a cloud background, you can relate it to AWS instance roles or Google Cloud instance service accounts. By default, every pod is assigned the namespace’s default service account unless you specify a custom one. A service account allows pods to call the API server to manage cluster-scoped resources using ClusterRoles, or namespace-scoped resources using Roles. You can also use a service account token from external applications to make calls to the Kubernetes API server.
- devopscube.com: How To Create Kubernetes Service Account For API Access
- devopscube.com: How to Create kubernetes Role for Service Account
- github.com/scriptcamp/kubernetes-serviceaccount-example Example Kubernetes manifests to create a service account mapped to a RoleBinding.
- medium: Working with Service Account In Kubernetes 🌟 How to configure a service account in Kubernetes and manage it?
- github.com/dvob/k8s-s2s-auth: Kubernetes Service Accounts 🌟 Service accounts are well known in Kubernetes for accessing the Kubernetes API from within the cluster. This is often used for infrastructure components like operators and controllers, but service accounts can also be used to implement authentication in your own applications. This README gives an overview of how service accounts work and shows a couple of variants of how you can use them for authentication. The repository also contains an example Go service that shows how to implement the authentication in an application.
- sandeepbaldawa.medium.com: Service Accounts in K8s (Kubernetes)
Kubernetes Secrets¶
- cncf.io: Revealing the secrets of Kubernetes secrets 🌟 In this article you will learn how to protect Secrets in your Kubernetes cluster.
- Hands on your first Kubernetes secrets 🌟
- dev.to: Store your Kubernetes Secrets in Git thanks to Kubeseal. Hello SealedSecret! 🌟
- blog.doit-intl.com: Kubernetes and Secrets Management in the Cloud
- itnext.io: Effective Secrets with Vault and Kubernetes
- kubernetes.io: Encrypting Secret Data at Rest 🌟
- “Kubernetes base64 encodes secrets because that makes arbitrary data play nice with JSON. It had nothing to do with the security model (or lack thereof). It did not occur to us at the time that people could mistake base64 for some form of encryption” (Daniel Smith, @originalavalamp, July 4, 2021)
- “I’ve always wondered how folks expect a system would be able to protect data at rest like that. If the public key and private key are local on the machine - nothing is secure no matter what algorithm is used”
- “The issue is not new or unique to k8s. There is a general confusion between encoding and encryption. Ask any web dev about base64, and there is a good chance they’ll tell you it’s encryption”
- “The test is clearly wrong if that is the word used, literally everything is encoded somehow. If they meant encrypted instead, then it’s half true, secrets are encrypted in transit but only at rest if a KMS plugin is used”
- “The semantics are important. Easy to grant an RBAC policy like ‘read only except secrets’”
- “I just meant that base64 prevents you from logging a secret in plain text by accident… but many more layers are required to keep your secrets secret”
- “You need to configure how the key is managed and ideally opt into something like KMS plugin (which depends on how the cluster is hosted) to make it good”
- redhat.com: Managing secrets for Kubernetes pods
- enterprisersproject.com: How to explain Kubernetes Secrets in plain English 🌟 What is a Kubernetes secret? How does this type of Kubernetes object increase security? How do you create a Kubernetes secret? What are some best practices? Experts break it down
- millionvisit.blogspot.com: Kubernetes for Developers #19: Manage app credentials using Kubernetes Secrets 🌟
- kubermatic.com: Keeping the State of Apps Part 2: Introduction to Secrets
- medium: Kubernetes Secrets Explained
Encrypting the certificate for Kubernetes. SSL certificates with Let’s Encrypt in Kubernetes Ingress via cert-manager¶
- Kubernetes Certs
- Using SSL certificates from Let’s Encrypt in your Kubernetes Ingress via cert-manager 🌟
- medium: Encrypting the certificate for Kubernetes (Let’s Encrypt) 🌟
- rejupillai.com: Let’s Encrypt the Web (for free)
- betterprogramming.pub: Kubernetes and SSL Certificate Management 🌟 Manage SSL certificate orders in K8s with Helm and Let’s Encrypt.
- Configure RBAC in Kubernetes Like a Boss 🌟 Learn how to configure RBAC in Kubernetes. In this post, you will configure RBAC both with kubectl and with YAML definitions.
- infracloud.io: How to setup Role based access (RBAC) to Kubernetes Cluster 🌟
- Kubernetes RBAC Permission Manager 🌟
- Krane 🌟 is a Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them. Krane dashboard presents current RBAC security posture and lets you navigate through its definition.
- rbac.dev 🌟🌟🌟 Advocacy site for Kubernetes RBAC. A site dedicated to good practices and tooling around Kubernetes RBAC. Both pull requests and issues are welcome.
- For recipes, tips and tricks around RBAC see recipes.rbac.dev 🌟
- github.com/clvx/k8s-rbac-model: Kubernetes RBAC Model This is an implementation of an RBAC model for a multi-project, multi-tenant Kubernetes cluster.
- blog.styra.com: Why RBAC is not enough for kubernetes security 🌟🌟
- medium: Single Sign-On in Kubernetes 🌟
Security Best Practices Across Build, Deploy, and Runtime Phases¶
- Kubernetes Security 101: Risks and 29 Best Practices 🌟
- Build Phase:
  - Use minimal base images
  - Don’t add unnecessary components
  - Use up-to-date images only
  - Use an image scanner to identify known vulnerabilities
  - Integrate security into your CI/CD pipeline
  - Label non-fixable vulnerabilities
- Deploy Phase:
  - Use namespaces to isolate sensitive workloads
  - Use Kubernetes network policies to control traffic between pods and clusters
  - Prevent overly permissive access to secrets
  - Assess the privileges used by containers
  - Assess image provenance, including registries
  - Extend your image scanning to the deploy phase
  - Use labels and annotations appropriately
  - Enable Kubernetes role-based access control (RBAC)
- Runtime Phase:
  - Leverage contextual information in Kubernetes
  - Extend vulnerability scanning to running deployments
  - Use Kubernetes built-in controls when available to tighten security
  - Monitor network traffic to limit unnecessary or insecure communication
  - Leverage process whitelisting
  - Compare and analyze different runtime activity in pods of the same deployments
  - If breached, scale suspicious pods to zero
Kubernetes Authentication and Authorization¶
- kubernetes.io: Authenticating
- kubernetes.io: Access Clusters Using the Kubernetes API
- kubernetes.io: Accessing Clusters
- magalix.com: kubernetes authentication 🌟
- magalix.com: kubernetes authorization 🌟
- kubernetes login
- learnk8s.io: Authentication between microservices using Kubernetes identities 🌟
- gravitational.com: How to Set Up Kubernetes SSO with SAML
Kubernetes Authentication Methods¶
Kubernetes supports several authentication methods out of the box, such as X.509 client certificates, static HTTP bearer tokens, and OpenID Connect.
X.509 client certificates¶
Static HTTP Bearer Tokens¶
- kubernetes.io: Access Clusters Using the Kubernetes API
- stackoverflow: Accessing the Kubernetes REST end points using bearer token
Implementing a custom Kubernetes authentication method¶
Pod Security Policies (SCCs - Security Context Constraints in OpenShift)¶
- Pod Security Policy (SCC in OpenShift) 🌟
- rancher.com: Enhancing Kubernetes Security with Pod Security Policies, Part 1
- developer.squareup.com: Kubernetes Pod Security Policies (PSP) an example with exception management
- itnext.io: Implementing a Secure-First Pod Security Policy Architecture
- Neon Mirrors: Kubernetes Policy Comparison: OPA/Gatekeeper vs Kyverno
EKS Security¶
- Security Group Rules EKS
- EC2 ENI and IP Limit
- Calico in EKS
- Amazon EKS Best Practices Guide for Security 🌟
- medium.com: Securing Kubernetes Dashboard on EKS with Pomerium
#OAuth has 4 Flows for retrieving an Access Token.— Rohit (@sec_r0) January 8, 2021
If you have worked with it, you know how difficult it is to remember what is what.
A Zine says a lot, seriously a lot. Check this out.
Idea credits @b0rk #IAM #security #infosec #webdev #web #webcomic #webcomics
RT if useful pic.twitter.com/fbrls0V08K