Container Security

[The Kubelist Podcast Ep. #33, Tailscale with Avery Pennarun Heavybit](https://www.heavybit.com/library/podcasts/the-kubelist-podcast/ep-33-tailscale-with-avery-pennarun)
[Securing a Cluster Kubernetes](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/)

How to Tail Kubernetes Logs: kubectl Command Explained - Sematext

[Associating security metadata with multi-architecture container images Jetstack Blog](https://www.jetstack.io/blog/supply-chain-security-multi-arch/)
[Pod Security Policies are dead, long live Pod Security Admission! by Federico Carbonetti FAUN Publication](https://faun.pub/pod-security-policies-are-dead-long-live-pod-security-admission-a7431a764ba3)

What your scanner doesn’t know can hurt you

Kubernetes CRD validation with CEL and kubebuilder marker comments

I have written a blog post on developing validations for Kubernetes CRDs with CEL & kubebuilder marker comments. This feature is still in the beta phase & got introduced a couple of weeks ago in Kubernetes 1.25. Please have a look & let me know your thoughts! https://twitter.com/rewanthtammana

[Using Kyverno To Enforce AWS Load Balancer Annotations For Centralized Logging To S3 by SILVR.IO Medium](https://silvr.medium.com/using-kyverno-to-enforce-aws-load-balancer-annotations-for-centralized-logging-to-s3-af5dc1f1f3e0)

Exploiting Distroless Images

Pod Security Standards - CloudSecDocs

sighupio/permission-manager: Permission Manager is a project that brings sanity to Kubernetes RBAC and Users management, Web UI FTW

Falco Threat Detection Extends to gVisor to Monitor Highly Sensitive Workloads – Sysdig
TODO

[Announcing the Auto-refreshing Official Kubernetes CVE Feed Kubernetes](https://kubernetes.io/blog/2022/09/12/k8s-cve-feed-alpha/)
[Shifting (even further) Left on Kubernetes Resource Compliance by Thomas Desrosiers Google Cloud - Community Sep, 2022 Medium](https://medium.com/google-cloud/shifting-even-further-left-on-kubernetes-resource-compliance-8f96fb8c72eb)

Azure/eraser: 🧹 Cleaning up images from Kubernetes nodes

Attacking Firecracker: AWS’ microVM Monitor Written in Rust
TODO https://twitter.com/chompie1337/status/1569093249188470791

fidelity/kconnect: Kubernetes Connection Manager CLI

Paving Golden Paths On Multi-Cluster Kubernetes: Part 1 (The Theory)

[Falco Driverkit with Docker on Debian Falco](https://falco.org/blog/falco-driverkit-debian-docker/)

Exploring Kubernetes Operator Pattern

A Kubernetes User’s Guide to HashiCorp Nomad Secret Management

[Modern workload identity with SPIFFE & Trust Domains Jetstack Blog](https://www.jetstack.io/blog/workload-identity-with-spiffe-trust-domains/)

GitOps: A Simple Approach to using AWS Secrets Manager with Kubernetes

[Hacking an AWS hosted Kubernetes backed product, and failing by Riyaz Walikar Jun, 2022 Appsecco](https://blog.appsecco.com/hacking-an-aws-hosted-kubernetes-backed-product-and-failing-904cbe0b7c0d)
[Attesting Image Scans With Kyverno Neon Mirrors](https://neonmirrors.net/post/2022-07/attesting-image-scans-kyverno/)
[The Docker, Kubernetes, Terraform, and AWS crash course series by Yevgeniy Brikman Jul, 2022 Gruntwork](https://blog.gruntwork.io/the-docker-kubernetes-terraform-and-aws-crash-course-series-dca343ba1274)

User and workload identities in Kubernetes

[2022 Argo external security audit: Lessons learned Cloud Native Computing Foundation](https://www.cncf.io/blog/2022/07/19/2022-argo-external-security-audit-lessons-learned/)

Breaking down firewalls with BPFDoor (no e!) - How to detect it with Falco – Sysdig

Notes on running containers with bubblewrap

Network Service Mesh

Audit Kubernetes Clusters: Collection of tools useful when auditing a Kubernetes cluster and its RBAC policies.

[Introducing GKE Autopilot Google Cloud Blog](https://cloud.google.com/blog/products/containers-kubernetes/introducing-gke-autopilot)

https://twitter.com/zoph/status/1369319064405950465 TODO

https://twitter.com/antitree/status/1362118115157364736 Check out this threat model for a serverless platform. Attackers execute stuff in our sandbox, but:

  • you get 10ms CPU
  • you’re in a v8 isolate sandbox
  • you have layer 7 restrictions
  • and if you smell salty, you get rescheduled to a confined VM


https://developers.cloudflare.com/workers/learning/security-model