wmenjoy / awesome-knowleges

A collection of useful knowledge

K8S security #87

Open wmenjoy opened 3 years ago

wmenjoy commented 3 years ago

Security principles and methodology

  1. Kubernetes Security | Operating Kubernetes Clusters and Applications Safely
  2. 1. Approaching Kubernetes Security - Kubernetes Security [Book]
wmenjoy commented 3 years ago

Related software

References

  1. A first look at the container security project Falco
  2. madhuakula/kubernetes-goat: Kubernetes Goat is "Vulnerable by Design" Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
wmenjoy commented 3 years ago

Security-adjacent topics

References

  1. Exploring Kubernetes network and firewall integration schemes
  2. Implementing container runtime security with eBPF
  3. https://github.com/zoidbergwill/awesome-ebpf
  4. solo-io/bumblebee: Get eBPF programs running from the cloud to the kernel in 1 line of bash
wmenjoy commented 3 years ago

Stability assurance

  1. Kubernetes Stability Assurance Handbook (minimal edition)
  2. https://jimmysong.io/kubernetes-hardening-guidance/
wmenjoy commented 3 years ago

Article collection

  1. Improving Kubernetes and container security with user namespaces | Kinvolk
  2. https://github.com/ksoclabs/awesome-kubernetes-security
wmenjoy commented 3 years ago

Ports and networking

References

  1. KubeSail Blog | Building a dedicated Kubernetes cluster on Hetzner
wmenjoy commented 3 years ago

Firewall

  1. How to configure firewalld rules in Linux | 2DayGeek
wmenjoy commented 3 years ago

Phishing

  1. GemGeorge/SniperPhish: SniperPhish - The Web-Email Spear Phishing Toolkit
wmenjoy commented 3 years ago

Chaos Mesh

  1. Open Source solutions for chaos engineering in Kubernetes – Flant blog
wmenjoy commented 3 years ago

Visualization

  1. team-soteria/rback: RBAC in Kubernetes visualizer

Authentication and authorization

LDAP

  1. Installing OpenLDAP on Kubernetes with Helm
  2. Using Keycloak for Kubernetes single sign-on and authorization (SSO, OIDC, RBAC) - Jianshu

SAML

  1. How to Set Up Kubernetes SSO with SAML | Teleport
  2. OpenUnison/openunison-k8s-saml2: Self service portal for Kubernetes. Automate provisioning and access of namespaces, authenticate users using your SAML2 Identity Provider.

OIDC

  1. jetstack/kube-oidc-proxy: Reverse proxy to authenticate to managed Kubernetes API servers via OIDC.

Other

  1. Kubernetes Single Sign On - A detailed guide
  2. Get kubectl access to your private cluster from anywhere
  3. Pipelines and Kubernetes Authentication
  4. appvia/krane: Kubernetes RBAC static Analysis & visualisation tool
  5. OT-CONTAINER-KIT/k8s-vault-webhook: A k8s vault webhook is a Kubernetes webhook that can inject secrets into Kubernetes resources by connecting to multiple secret managers
  6. cert-manager/policy-approver
wmenjoy commented 3 years ago

Sensitive information protection

  1. external-secrets/kubernetes-external-secrets: Integrate external secret management systems with Kubernetes
  2. Using a KMS provider for data encryption | Kubernetes
  3. OT-CONTAINER-KIT/k8s-vault-webhook: A k8s vault webhook is a Kubernetes webhook that can inject secrets into Kubernetes resources by connecting to multiple secret managers
wmenjoy commented 3 years ago

Failure monitoring

  1. edrevo/suspicious-pods: Prints a list of k8s pods that might not be working correctly
  2. iovisor/kubectl-trace: Schedule bpftrace programs on your kubernetes cluster using the kubectl
  3. replicatedhq/troubleshoot: Preflight Checks and Support Bundles Framework for Kubernetes Applications
  4. Multi-Cluster Monitoring with Thanos
wmenjoy commented 3 years ago

Policy

  1. jetstack/preflight: Automatically perform Kubernetes cluster configuration checks using Open Policy Agent (OPA)
  2. Kubernetes NetworkPolicy, Flannel and Calico - Jianshu
  3. Policy-based countermeasures for Kubernetes – Part 1 | Containers
  4. Generating Kubernetes Network Policies Automatically By Sniffing Network Traffic | by Murat Celep | ITNEXT
  5. Expose Open Policy Agent/Gatekeeper Constraint Violations for Kubernetes Applications with Prometheus and Grafana | by Murat Celep | Jun, 2021 | ITNEXT
  6. Lifecycle of Kubernetes Network Policies and Best Practices | by Murat Celep | May, 2021 | ITNEXT | ITNEXT
  7. Expose Open Policy Agent/Gatekeeper Constraint Violations for Kubernetes Applications with Prometheus and Grafana | by Murat Celep | ITNEXT
  8. Exploring Kyverno: Introduction | Neon Mirrors
  9. anderseknert/awesome-opa: A curated list of OPA related tools, frameworks and articles

wmenjoy commented 3 years ago

Security scanning

  1. aquasecurity/trivy: A Simple and Comprehensive Vulnerability Scanner for Container Images, Git Repositories and Filesystems. Suitable for CI
  2. SigNoz/signoz: SigNoz helps developers monitor their applications & troubleshoot problems, an open-source alternative to DataDog, NewRelic, etc. 🔥 🖥
  3. The need for slimmer containers

Net Policy

  1. Generating Kubernetes Network Policies Automatically By Sniffing Network Traffic | by Murat Celep | Apr, 2021 | ITNEXT
  2. NetworkPolicy Editor: Create, Visualize, and Share Kubernetes NetworkPolicies — Cilium
  3. loft-sh/jspolicy: jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript
  4. Controlling outbound traffic from Kubernetes

k8s deployment policy

  1. loft-sh/jspolicy: jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript

Security tools

  1. vchinnipilli/kubestriker: A Blazing fast Security Auditing tool for Kubernetes
  2. falcosecurity/falco: Cloud Native Runtime Security
  3. derailed/popeye: 👀 A Kubernetes cluster resource sanitizer
wmenjoy commented 3 years ago

Image security

  1. 10 Kubernetes Security Context settings you should understand | Snyk
  2. Reverse Engineering a Docker Image — The Art of Machinery
  3. Top 20 Dockerfile best practices for security | Sysdig
  4. https://access.redhat.com/documentation/en-us/red_hat_quay/3.5/html/manage_red_hat_quay/clair-intro2

Image signing

  1. sigstore/cosign: Container Signing
  2. Ensure Content Trust on Kubernetes using Notary and Open Policy Agent | by Maximilian Siegert | Medium
  3. bitnami/minideb: A small image based on Debian designed for use in containers
wmenjoy commented 3 years ago

Other

  1. KubeHelper/kubehelper: KubeHelper - simplifies many daily Kubernetes cluster tasks through a web interface. Search, analysis, run commands, cron jobs, reports, filters, git synchronization and many more.
  2. How to protect your ~/.kube/ configuration
wmenjoy commented 3 years ago

Secret management

  1. Customizing Kubernetes secret resources and application practice in financial institutions

k8s integration

  1. Running Vault and Consul on Kubernetes | TestDriven.io
  2. rewanthtammana/kubectl-whisper-secret: Kubectl extension to create secrets by taking input from the console
  3. doitintl/kube-secrets-init: Kubernetes mutating webhook for secrets-init injection
  4. Revealing the secrets of Kubernetes secrets | Cloud Native Computing Foundation

Other

  1. Use this chart to see how long it'll take hackers to crack your passwords
wmenjoy commented 3 years ago

Concepts

DaaS

  1. Kubernetes Enables DevOps-as-a-Service (DaaS) - Container Journal
wmenjoy commented 3 years ago

Ecosystem

  1. Top 20 OpenSSH Server Best Security Practices - nixCraft
  2. arminc/k8s-platform-lcm: A faster and easier way to manage the lifecycle of applications and tools, running and living around your Kubernetes platform
wmenjoy commented 3 years ago

Deployment

  1. Google Online Security Blog: Introducing SLSA, an End-to-End Framework for Supply Chain Integrity

wmenjoy commented 3 years ago

Notifications and messaging

  1. bitnami-labs/kubewatch: Watch k8s events and trigger Handlers

wmenjoy commented 3 years ago

Commercial security platforms

  1. Automated Cloud Security Codified for DevOps | Bridgecrew
wmenjoy commented 3 years ago

Security checklists

  1. Docker Security - OWASP Cheat Sheet Series
wmenjoy commented 3 years ago

Understanding k8s security

  1. 10 Kubernetes Security Context settings you should understand | Snyk
  2. laixintao/lobbyboy: A lobby boy will create a VPS server when you need one, and destroy it after using it.
  3. Network Policy Editor for Kubernetes
wmenjoy commented 3 years ago

Security vulnerabilities

  1. Mitigating CVE-2021-20291: DoS affecting CRI-O and Podman
wmenjoy commented 2 years ago

File permissions

  1. File Permissions: the painful side of Docker – Coding Thoughts

wmenjoy commented 2 years ago

Scanning

  1. Top 7 Subdomain Scanner tools to find subdomains
  2. Verify Container Signatures in Kubernetes using Notary or Cosign | SSE Blog (integrity verification)
  3. Use Kubescape to check if your Kubernetes clusters are exposed to the Symlink vulnerability CVE-2021-25741

Scanning approaches

  1. Detect Malicious Behaviour on Kubernetes API Server through gathering Audit Logs by using FluentBit - Part 2 | Falco
wmenjoy commented 2 years ago

  1. MITRE ATT&CK® mappings released for built-in Azure security controls | Microsoft Security Blog

wmenjoy commented 2 years ago

Security learning

  1. madhuakula/kubernetes-goat: Kubernetes Goat is "Vulnerable by Design" Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
wmenjoy commented 2 years ago

VPN

  1. Guide: Setting up a Tailscale VPN on Kubernetes
wmenjoy commented 2 years ago

Virtual environments

  1. madhuakula/kubernetes-goat: Kubernetes Goat 🐐 is a "Vulnerable by Design" Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security 🔐
wmenjoy commented 2 years ago

Request validation

Schema and validation tools

  1. instrumenta/kubernetes-json-schema: Schemas for every version of every object in every version of Kubernetes
  2. brendanjryan/yamlvalidate: A command line tool for validating (Kubernetes) YAML files against a JSON Schema

Formatting

  1. mjeri/kubefmt: kubefmt is a tool inspired by go fmt that formats your kubernetes yaml files by a predictable schema
wmenjoy commented 2 years ago

Attack simulation

  1. Advanced Persistent Threat Techniques Used in Container Attacks
wmenjoy commented 2 years ago

Security hardening

  1. How to secure your Kubernetes control plane and node components | Cloud Native Computing Foundation