K8S安全

[wmenjoy]

安全原理，方法论

1. Kubernetes Security | Operating Kubernetes Clusters and Applications Safely
2. 1. Approaching Kubernetes Security - Kubernetes Security [Book]

[wmenjoy]

相关软件

参考

1. 初识容器安全项目 Falco
2. madhuakula/kubernetes-goat: Kubernetes Goat is "Vulnerable by Design" Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.

[wmenjoy]

安全周边

参考

1. Kubernetes网络与防火墙联动方案探索
2. 基于 eBPF 实现容器运行时安全
3. https://github.com/zoidbergwill/awesome-ebpf
4. solo-io/bumblebee: Get eBPF programs running from the cloud to the kernel in 1 line of bash

[wmenjoy]

稳定性保障

1. Kubernetes 稳定性保障手册（极简版）
2. https://jimmysong.io/kubernetes-hardening-guidance/

[wmenjoy]

文章集锦

1. Improving Kubernetes and container security with user namespaces | Kinvolk
2. https://github.com/ksoclabs/awesome-kubernetes-security

[wmenjoy]

端口与网络

参考

1. KubeSail Blog | Building a dedicated Kubernetes cluster on Hetzner

[wmenjoy]

防火墙

1. How to configure firewalld rules in Linux | 2DayGeek

[wmenjoy]

钓鱼

1. GemGeorge/SniperPhish: SniperPhish - The Web-Email Spear Phishing Toolkit

[wmenjoy]

Chaos Mesh

1. Open Source solutions for chaos engineering in Kubernetes – Flant blog

[wmenjoy]

可视化

1. team-soteria/rback: RBAC in Kubernetes visualizer

认证和授权

1. LDAP

1. Installing OpenLDAP on Kubernetes with Helm
2. 利用Keycloak实现Kubernetes单点登录与权限验证（SSO,OIDC,RBAC） - 简书

   SAML

3. How to Set Up Kubernetes SSO with SAML | Teleport
4. OpenUnison/openunison-k8s-saml2: Self service portal for Kubernetes. Automate provisioning and access of namespaces, authenticate users using your SAML2 Identity Provider.

5. oidc

6. jetstack/kube-oidc-proxy: Reverse proxy to authenticate to managed Kubernetes API servers via OIDC.
7. 利用Keycloak实现Kubernetes单点登录与权限验证（SSO,OIDC,RBAC） - 简书

   其他

8. Kubernetes Single Sign On - A detailed guide
9. Get kubectl access to your private cluster from anywhere
10. Pipelines and Kubernetes Authentication
11. appvia/krane: Kubernetes RBAC static Analysis & visualisation tool
12. OT-CONTAINER-KIT/k8s-vault-webhook: A k8s vault webhook is a Kubernetes webhook that can inject secrets into Kubernetes resources by connecting to multiple secret managers
13. cert-manager/policy-approver

[wmenjoy]

敏感信息保护

1. external-secrets/kubernetes-external-secrets: Integrate external secret management systems with Kubernetes
2. Using a KMS provider for data encryption | Kubernetes
3. OT-CONTAINER-KIT/k8s-vault-webhook: A k8s vault webhook is a Kubernetes webhook that can inject secrets into Kubernetes resources by connecting to multiple secret managers

[wmenjoy]

失败监控

1. edrevo/suspicious-pods: Prints a list of k8s pods that might not be working correctly
2. iovisor/kubectl-trace: Schedule bpftrace programs on your kubernetes cluster using the kubectl
3. replicatedhq/troubleshoot: Preflight Checks and Support Bundles Framework for Kubernetes Applications
4. Multi-Cluster Monitoring with Thanos

[wmenjoy]

策略

1. jetstack/preflight: Automatically perform Kubernetes cluster configuration checks using Open Policy Agent (OPA)
2. Kubernetes之NetworkPolicy，Flannel和Calico - 简书
3. Policy-based countermeasures for Kubernetes – Part 1 | Containers
4. Generating Kubernetes Network Policies Automatically By Sniffing Network Traffic | by Murat Celep | ITNEXT
5. Expose Open Policy Agent/Gatekeeper Constraint Violations for Kubernetes Applications with Prometheus and Grafana | by Murat Celep | Jun, 2021 | ITNEXT
6. Lifecycle of Kubernetes Network Policies and Best Practices | by Murat Celep | May, 2021 | ITNEXT | ITNEXT
7. Expose Open Policy Agent/Gatekeeper Constraint Violations for Kubernetes Applications with Prometheus and Grafana | by Murat Celep | ITNEXT

   Exploring Kyverno: Introduction | Neon Mirrors anderseknert/awesome-opa: A curated list of OPA related tools, frameworks and articles

[wmenjoy]

安全扫描

1. aquasecurity/trivy: A Simple and Comprehensive Vulnerability Scanner for Container Images, Git Repositories and Filesystems. Suitable for CI
2. SigNoz/signoz: SigNoz helps developers monitor their applications & troubleshoot problems, an open-source alternative to DataDog, NewRelic, etc. 🔥 🖥
3. The need for slimmer containers

Net Policy

1. Generating Kubernetes Network Policies Automatically By Sniffing Network Traffic | by Murat Celep | Apr, 2021 | ITNEXT
2. NetworkPolicy Editor: Create, Visualize, and Share Kubernetes NetworkPolicies — Cilium
3. loft-sh/jspolicy: jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript
4. Controlling outbound traffic from Kubernetes

k8s 部署策略

1. loft-sh/jspolicy: jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript

安全工具

1. vchinnipilli/kubestriker: A Blazing fast Security Auditing tool for Kubernetes
2. falcosecurity/falco: Cloud Native Runtime Security
3. derailed/popeye: 👀 A Kubernetes cluster resource sanitizer

[wmenjoy]

镜像安全

1. 10 Kubernetes Security Context settings you should understand | Snyk
2. Reverse Engineering a Docker Image — The Art of Machinery
3. Top 20 Dockerfile best practices for security | Sysdig
4. https://access.redhat.com/documentation/en-us/red_hat_quay/3.5/html/manage_red_hat_quay/clair-intro2

镜像签名

1. sigstore/cosign: Container Signing
2. Ensure Content Trust on Kubernetes using Notary and Open Policy Agent | by Maximilian Siegert | Medium
3. bitnami/minideb: A small image based on Debian designed for use in containers

[wmenjoy]

其他

1. KubeHelper/kubehelper: KubeHelper - simplifies many daily Kubernetes cluster tasks through a web interface. Search, analysis, run commands, cron jobs, reports, filters, git synchronization and many more.
2. How to protect your ~/.kube/ configuration

[wmenjoy]

密码管理

1. 定制Kubernetes密码资源及金融机构应用实践

k8s集成

2. Running Vault and Consul on Kubernetes | TestDriven.io
3. rewanthtammana/kubectl-whisper-secret: Kubectl extension to create secrets by taking input from the console
4. doitintl/kube-secrets-init: Kubernetes mutating webhook for secrets-init injection
5. Revealing the secrets of Kubernetes secrets | Cloud Native Computing Foundation

其他

1. Use this chart to see how long it'll take hackers to crack your passwords

[wmenjoy]

理念

daas

1. Kubernetes Enables DevOps-as-a-Service (DaaS) - Container Journal

[wmenjoy]

周边

1. Top 20 OpenSSH Server Best Security Practices - nixCraft
2. arminc/k8s-platform-lcm: A faster and easier way to manage the lifecycle of applications and tools, running and living around your Kubernetes platform

[wmenjoy]

部署

1. Google Online Security Blog: Introducing SLSA, an End-to-End Framework for Supply Chain Integrity

[wmenjoy]

通知与消息

bitnami-labs/kubewatch: Watch k8s events and trigger Handlers

[wmenjoy]

商业安全平台

1. Automated Cloud Security Codified for DevOps | Bridgecrew

[wmenjoy]

安全列表

1. Docker Security - OWASP Cheat Sheet Series

[wmenjoy]

理解k8s的安全

1. 10 Kubernetes Security Context settings you should understand | Snyk
2. laixintao/lobbyboy: A lobby boy will create a VPS server when you need one, and destroy it after using it.
3. Network Policy Editor for Kubernetes

[wmenjoy]

安全漏洞

1. Mitigating CVE-2021-20291: DoS affecting CRI-O and Podman

[wmenjoy]

文件权限

1.File Permissions: the painful side of Docker – Coding Thoughts

[wmenjoy]

扫描

1. Top 7 Subdomain Scanner tools to find subdomains
2. Verify Container Signatures in Kubernetes using Notary or Cosign | SSE Blog 完整性校验
3. Use Kubescape to check if your Kubernetes clusters are exposed to the Symlink vulnerability CVE-2021-25741

扫描方案

1. Detect Malicious Behaviour on Kubernetes API Server through gathering Audit Logs by using FluentBit - Part 2 | Falco

[wmenjoy]

MITRE ATT&CK® mappings released for built-in Azure security controls | Microsoft Security Blog

[wmenjoy]

安全学习

1. madhuakula/kubernetes-goat: Kubernetes Goat is "Vulnerable by Design" Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.

[wmenjoy]

VPN

1. Guide: Setting up a Tailscale VPN on Kubernetes

[wmenjoy]

虚拟环境

1. madhuakula/kubernetes-goat: Kubernetes Goat 🐐 is a "Vulnerable by Design" Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security 🔐

[wmenjoy]

请求校验

shcema和校验工具

1. instrumenta/kubernetes-json-schema: Schemas for every version of every object in every version of Kubernetes
2. brendanjryan/yamlvalidate: A command line tool for validating (Kubernetes) YAML files against a JSON Schema

   format

3. mjeri/kubefmt: kubefmt is a tool inspired by go fmt that formats your kubernetes yaml files by a predictable schema

[wmenjoy]

攻击模拟

1. Advanced Persistent Threat Techniques Used in Container Attacks

[wmenjoy]

安全加固

1. How to secure your Kubernetes control plane and node components | Cloud Native Computing Foundation