Container Security

The Kubelist Podcast Ep. #33, Tailscale with Avery Pennarun - Heavybit
Securing a Cluster - Kubernetes

How to Tail Kubernetes Logs: kubectl Command Explained - Sematext

Associating security metadata with multi-architecture container images - Jetstack Blog
Pod Security Policies are dead, long live Pod Security Admission! by Federico Carbonetti - FAUN Publication

What your scanner doesn’t know can hurt you

Kubernetes CRD validation with CEL and kubebuilder marker comments

I have written a blog post on developing validations for Kubernetes CRDs with CEL & kubebuilder marker comments. This feature is still in beta phase & got introduced a couple of weeks ago in Kubernetes 1.25. Please have a look & let me know your thoughts!
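
As an added example (not part of this page, and not code from the blog post linked above), here is what such a validation looks like at the CRD level once the kubebuilder markers have been compiled by controller-gen: the `x-kubernetes-validations` field carries CEL rules that the API server evaluates itself on every create and update, so no admission webhook is needed. The group, kind and field names (`example.com`, `Database`, `minReplicas`, `maxReplicas`, `storageClass`) are assumptions chosen for illustration. In a Go type, the same cross-field rule is expressed with the marker `// +kubebuilder:validation:XValidation:rule="self.minReplicas <= self.maxReplicas",message="minReplicas must not exceed maxReplicas"` placed above the struct it applies to (supported by recent controller-gen versions).

```yaml
# Added example (not the page's own): a CRD whose schema carries CEL rules.
# Group, kind and field names (example.com, Database, minReplicas,
# maxReplicas, storageClass) are assumptions for illustration.
# Needs the CustomResourceValidationExpressions feature gate, which is
# beta and enabled by default from Kubernetes 1.25.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: databases.example.com
spec:
  group: example.com
  names:
    kind: Database
    plural: databases
    singular: database
  scope: Namespaced
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              required: ["minReplicas", "maxReplicas", "storageClass"]
              # Cross-field rule: plain OpenAPI minimum/maximum keywords
              # cannot relate two fields to each other, CEL can.
              x-kubernetes-validations:
                - rule: "self.minReplicas <= self.maxReplicas"
                  message: "minReplicas must not exceed maxReplicas"
              properties:
                minReplicas:
                  type: integer
                  minimum: 1
                maxReplicas:
                  type: integer
                  maximum: 50
                storageClass:
                  type: string
                  # Transition rule: oldSelf is the value before the update,
                  # so this makes the field immutable after creation. On
                  # create there is no oldSelf and the rule is not evaluated.
                  x-kubernetes-validations:
                    - rule: "self == oldSelf"
                      message: "storageClass is immutable"
```

To check it, apply the CRD and then try to create a `Database` with `minReplicas: 5` and `maxReplicas: 3`: the API server rejects the object with the rule's message. Creating a valid object and then patching `storageClass` is rejected the same way, which is the property you want for fields a controller cannot safely migrate.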

Using Kyverno To Enforce AWS Load Balancer Annotations For Centralized Logging To S3 by SILVR.IO - Medium

Exploiting Distroless Images

Pod Security Standards - CloudSecDocs

sighupio/permission-manager: Permission Manager is a project that brings sanity to Kubernetes RBAC and Users management, Web UI FTW

Falco Threat Detection Extends to gVisor to Monitor Highly Sensitive Workloads – Sysdig

Announcing the Auto-refreshing Official Kubernetes CVE Feed - Kubernetes
Shifting (even further) Left on Kubernetes Resource Compliance by Thomas Desrosiers, Google Cloud - Community, Sep 2022 - Medium

Azure/eraser: 🧹 Cleaning up images from Kubernetes nodes

Attacking Firecracker: AWS’ microVM Monitor Written in Rust

fidelity/kconnect: Kubernetes Connection Manager CLI

Paving Golden Paths On Multi-Cluster Kubernetes: Part 1 (The Theory)

Falco Driverkit with Docker on Debian - Falco

Exploring Kubernetes Operator Pattern

A Kubernetes User’s Guide to HashiCorp Nomad Secret Management

Modern workload identity with SPIFFE & Trust Domains - Jetstack Blog

GitOps: A Simple Approach to using AWS Secrets Manager with Kubernetes

Hacking an AWS hosted Kubernetes backed product, and failing by Riyaz Walikar, Jun 2022 - Appsecco
Attesting Image Scans With Kyverno - Neon Mirrors
The Docker, Kubernetes, Terraform, and AWS crash course series by Yevgeniy Brikman, Jul 2022 - Gruntwork

User and workload identities in Kubernetes

2022 Argo external security audit: Lessons learned - Cloud Native Computing Foundation

Breaking down firewalls with BPFDoor (no e!) - How to detect it with Falco – Sysdig

Notes on running containers with bubblewrap

Network Service Mesh

Audit Kubernetes Clusters: Collection of tools useful when auditing a Kubernetes cluster and its RBAC policies.

Introducing GKE Autopilot - Google Cloud Blog

TODO: Check out this threat model for a serverless platform. Attackers execute stuff in our sandbox, but:

  • you get 10ms CPU
  • you’re in a v8 isolate sandbox
  • you have layer 7 restrictions
  • and if you smell salty, you get rescheduled to a confined VM
