Container Security

[The Kubelist Podcast

Ep. #33, Tailscale with Avery Pennarun

Heavybit](https://www.heavybit.com/library/podcasts/the-kubelist-podcast/ep-33-tailscale-with-avery-pennarun)

[Securing a Cluster

Kubernetes](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/)

How to Tail Kubernetes Logs: kubectl Command Explained - Sematext

[Associating security metadata with multi-architecture container images

Jetstack Blog](https://www.jetstack.io/blog/supply-chain-security-multi-arch/)

[Pod Security Policies are dead, long live Pod Security Admission!

by Federico Carbonetti

FAUN Publication](https://faun.pub/pod-security-policies-are-dead-long-live-pod-security-admission-a7431a764ba3)

What your scanner doesn’t know can hurt you

Kubernetes CRD validation with CEL and kubebuilder marker comments

I have written a blog post on developing validations for Kubernetes CRDS with CEL & kubebuilder marker comments. This feature is still in beta phase & got introduced couple of weeks ago in Kubernetes 1.25. Please have a look & let me know your thoughts! https://twitter.com/rewanthtammana

[Using Kyverno To Enforce AWS Load Balancer Annotations For Centralized Logging To S3

by SILVR.IO

Medium](https://silvr.medium.com/using-kyverno-to-enforce-aws-load-balancer-annotations-for-centralized-logging-to-s3-af5dc1f1f3e0)

Exploiting Distroless Images

Pod Security Standards - CloudSecDocs

sighupio/permission-manager: Permission Manager is a project that brings sanity to Kubernetes RBAC and Users management, Web UI FTW

Falco Threat Detection Extends to gVisor to Monitor Highly Sensitive Workloads – Sysdig
TODO

[Announcing the Auto-refreshing Official Kubernetes CVE Feed

Kubernetes](https://kubernetes.io/blog/2022/09/12/k8s-cve-feed-alpha/)

[Shifting (even further) Left on Kubernetes Resource Compliance

by Thomas Desrosiers

Google Cloud - Community

Sep, 2022

Medium](https://medium.com/google-cloud/shifting-even-further-left-on-kubernetes-resource-compliance-8f96fb8c72eb)

Azure/eraser: 🧹 Cleaning up images from Kubernetes nodes

Attacking Firecracker: AWS’ microVM Monitor Written in Rust
TODO https://twitter.com/chompie1337/status/1569093249188470791

fidelity/kconnect: Kubernetes Connection Manager CLI

Paving Golden Paths On Multi-Cluster Kubernetes: Part 1 (The Theory)

[Falco Driverkit with Docker on Debian

Falco](https://falco.org/blog/falco-driverkit-debian-docker/)

Exploring Kubernetes Operator Pattern

A Kubernetes User’s Guide to HashiCorp Nomad Secret Management

[Modern workload identity with SPIFFE & Trust Domains

Jetstack Blog](https://www.jetstack.io/blog/workload-identity-with-spiffe-trust-domains/)

GitOps: A Simple Approach to using AWS Secrets Manager with Kubernetes

[Hacking an AWS hosted Kubernetes backed product, and failing

by Riyaz Walikar

Jun, 2022

Appsecco](https://blog.appsecco.com/hacking-an-aws-hosted-kubernetes-backed-product-and-failing-904cbe0b7c0d)

[Attesting Image Scans With Kyverno

Neon Mirrors](https://neonmirrors.net/post/2022-07/attesting-image-scans-kyverno/)

[The Docker, Kubernetes, Terraform, and AWS crash course series

by Yevgeniy Brikman

Jul, 2022

Gruntwork](https://blog.gruntwork.io/the-docker-kubernetes-terraform-and-aws-crash-course-series-dca343ba1274)

User and workload identities in Kubernetes

[2022 Argo external security audit: Lessons learned

Cloud Native Computing Foundation](https://www.cncf.io/blog/2022/07/19/2022-argo-external-security-audit-lessons-learned/)

Breaking down firewalls with BPFDoor (no e!) - How to detect it with Falco – Sysdig

Notes on running containers with bubblewrap

Network Service Mesh

Audit Kubernetes Clusters Collection of tools useful when auditing a Kubernetes cluster and its RBAC policies.

[Introducing GKE Autopilot

Google Cloud Blog](https://cloud.google.com/blog/products/containers-kubernetes/introducing-gke-autopilot)

https://twitter.com/zoph/status/1369319064405950465 TODO

https://twitter.com/antitree/status/1362118115157364736 Check out this threat model for a serverless platform. Attackers execute stuff in our sandbox, but:

you get 10ms CPU
you’re in a v8 isolate sandbox
you have layer 7 restrictions
and if you smell salty, you get rescheduled to a confined VM

Face throwing a kissOk hand

https://developers.cloudflare.com/workers/learning/security-model