Container Security
[The Kubelist Podcast | Ep. #33, Tailscale with Avery Pennarun | Heavybit](https://www.heavybit.com/library/podcasts/the-kubelist-podcast/ep-33-tailscale-with-avery-pennarun)
[Securing a Cluster | Kubernetes](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/)
How to Tail Kubernetes Logs: kubectl Command Explained - Sematext
[Associating security metadata with multi-architecture container images | Jetstack Blog](https://www.jetstack.io/blog/supply-chain-security-multi-arch/)
[Pod Security Policies are dead, long live Pod Security Admission! | by Federico Carbonetti | FAUN Publication](https://faun.pub/pod-security-policies-are-dead-long-live-pod-security-admission-a7431a764ba3)
What your scanner doesn’t know can hurt you
Kubernetes CRD validation with CEL and kubebuilder marker comments
I have written a blog post on developing validations for Kubernetes CRDs with CEL & kubebuilder marker comments. This feature is still in the beta phase and was introduced a couple of weeks ago in Kubernetes 1.25. Please have a look and let me know your thoughts! https://twitter.com/rewanthtammana
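As an added example (not code from the linked post or from the Kubernetes project), here is a CRD that uses the CEL validation rules the post is about. The `Scaler` kind, the `example.com` group and the field names are assumptions for illustration; the `x-kubernetes-validations` keyword, `self` and `oldSelf` are the real API.

```yaml
# Added example, not code from the linked post. The Scaler kind, the
# example.com group and the field names are assumptions for illustration.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: scalers.example.com
spec:
  group: example.com
  scope: Namespaced
  names:
    kind: Scaler
    plural: scalers
    singular: scaler
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              required: [minReplicas, maxReplicas, image]
              # Cross-field rules that plain OpenAPI keywords cannot express.
              # Each rule is a CEL expression the API server evaluates against
              # `self` (this spec) at admission, before any controller sees it.
              x-kubernetes-validations:
                - rule: "self.minReplicas <= self.maxReplicas"
                  message: "minReplicas must not exceed maxReplicas"
                - rule: "self.image.startsWith('registry.example.com/')"
                  message: "image must be pulled from the internal registry"
              properties:
                minReplicas:
                  type: integer
                  minimum: 1
                maxReplicas:
                  type: integer
                  minimum: 1
                image:
                  type: string
                  # `oldSelf` is only bound on updates, so this rule is skipped
                  # on create and makes the field immutable afterwards.
                  x-kubernetes-validations:
                    - rule: "self == oldSelf"
                      message: "image is immutable once set"
```

After `kubectl apply -f` of this CRD, a `Scaler` with `minReplicas: 5` and `maxReplicas: 2` is rejected at admission with the first message, and an update that changes `spec.image` is rejected with the last one. When the types live in a kubebuilder project, the same rules are written as `// +kubebuilder:validation:XValidation:rule="self.minReplicas <= self.maxReplicas",message="..."` markers on the Go struct and `controller-gen` renders them into this `x-kubernetes-validations` block. The checks require the `CustomResourceValidationExpressions` feature gate, which is beta and on by default in 1.25; on older control planes the rules are silently ignored, so verify with a deliberately invalid object before relying on them as a security control.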
[Using Kyverno To Enforce AWS Load Balancer Annotations For Centralized Logging To S3 | by SILVR.IO | Medium](https://silvr.medium.com/using-kyverno-to-enforce-aws-load-balancer-annotations-for-centralized-logging-to-s3-af5dc1f1f3e0)
Pod Security Standards - CloudSecDocs
Falco Threat Detection Extends to gVisor to Monitor Highly Sensitive Workloads – Sysdig
TODO
[Announcing the Auto-refreshing Official Kubernetes CVE Feed | Kubernetes](https://kubernetes.io/blog/2022/09/12/k8s-cve-feed-alpha/)
[Shifting (even further) Left on Kubernetes Resource Compliance | by Thomas Desrosiers | Google Cloud - Community | Sep, 2022 | Medium](https://medium.com/google-cloud/shifting-even-further-left-on-kubernetes-resource-compliance-8f96fb8c72eb)
Azure/eraser: 🧹 Cleaning up images from Kubernetes nodes
Attacking Firecracker: AWS’ microVM Monitor Written in Rust
TODO
https://twitter.com/chompie1337/status/1569093249188470791
fidelity/kconnect: Kubernetes Connection Manager CLI
Paving Golden Paths On Multi-Cluster Kubernetes: Part 1 (The Theory)
[Falco Driverkit with Docker on Debian | Falco](https://falco.org/blog/falco-driverkit-debian-docker/)
Exploring Kubernetes Operator Pattern
A Kubernetes User’s Guide to HashiCorp Nomad Secret Management
[Modern workload identity with SPIFFE & Trust Domains | Jetstack Blog](https://www.jetstack.io/blog/workload-identity-with-spiffe-trust-domains/)
GitOps: A Simple Approach to using AWS Secrets Manager with Kubernetes
[Hacking an AWS hosted Kubernetes backed product, and failing | by Riyaz Walikar | Jun, 2022 | Appsecco](https://blog.appsecco.com/hacking-an-aws-hosted-kubernetes-backed-product-and-failing-904cbe0b7c0d)
[Attesting Image Scans With Kyverno | Neon Mirrors](https://neonmirrors.net/post/2022-07/attesting-image-scans-kyverno/)
[The Docker, Kubernetes, Terraform, and AWS crash course series | by Yevgeniy Brikman | Jul, 2022 | Gruntwork](https://blog.gruntwork.io/the-docker-kubernetes-terraform-and-aws-crash-course-series-dca343ba1274)
User and workload identities in Kubernetes
[2022 Argo external security audit: Lessons learned | Cloud Native Computing Foundation](https://www.cncf.io/blog/2022/07/19/2022-argo-external-security-audit-lessons-learned/)
Breaking down firewalls with BPFDoor (no e!) - How to detect it with Falco – Sysdig
Notes on running containers with bubblewrap
Audit Kubernetes Clusters: Collection of tools useful when auditing a Kubernetes cluster and its RBAC policies.
[Introducing GKE Autopilot | Google Cloud Blog](https://cloud.google.com/blog/products/containers-kubernetes/introducing-gke-autopilot)
https://twitter.com/zoph/status/1369319064405950465 TODO
https://twitter.com/antitree/status/1362118115157364736 Check out this threat model for a serverless platform. Attackers execute stuff in our sandbox, but:
- you get 10ms CPU
- you’re in a v8 isolate sandbox
- you have layer 7 restrictions
- and if you smell salty, you get rescheduled to a confined VM
😘👌
https://developers.cloudflare.com/workers/learning/security-model