mirror of
https://github.com/nubenetes/awesome-kubernetes.git
synced 2026-07-13 18:30:44 +00:00
95 KiB
95 KiB
description
| description |
|---|
| Top Kubernetes Security resources for 2026, AI-ranked: kube-bench, kubescape and more — curated Cloud Native tools, guides and references. |
Kubernetes Security
!!! tip "Nubenetes V2 Elite Portal" You are browsing the AI-Curated V2 Elite Edition. Looking for the exhaustive list of references? Check out the V1 Historical Archive.
!!! info "Architectural Context" Detailed reference for Kubernetes Security in the context of Hardened Infrastructure.
API Access Protection
Teleport Access Control
- (2021) goteleport.com: Kubernetes API Access Security Hardening [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Assesses security postures for Kube-API exposure, outlining standard secure practices including zero-trust access, bastions, detailed telemetry streams, and short-lived credentials.
Architectural Foundations
Kubernetes Tools
General Reference
- Dzone - OAuth 2.0 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering Dzone - OAuth 2.0 in the Kubernetes Tools ecosystem.
- cncf.io: Kubernetes Security 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering cncf.io: Kubernetes Security 🌟 in the Kubernetes Tools ecosystem.
- cncf.io: How to secure your Kubernetes control plane and node components [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ==cncf.io: How to secure your Kubernetes control plane and node components== in the Kubernetes Tools ecosystem.
- Kubernetes Hardening Guidance 🌟🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering Kubernetes Hardening Guidance 🌟🌟 in the Kubernetes Tools ecosystem.
- cncf.io: Revealing the secrets of Kubernetes secrets 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering cncf.io: Revealing the secrets of Kubernetes secrets 🌟 in the Kubernetes Tools ecosystem.
- stackoverflow: Accessing the Kubernetes REST end points using bearer token [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering stackoverflow: Accessing the Kubernetes REST end points using bearer token in the Kubernetes Tools ecosystem.
CKS Certification Study Guides
Cluster Lifecycle Security
- (2020) ==github.com/stackrox: Certified Kubernetes Security Specialist Study Guide' 🌟== ⭐ 429 [MARKDOWN CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — A comprehensive community study handbook for the Linux Foundation CKS exam, detailing system hardening, threat mitigation, microservice security policies, and runtime compliance enforcement.
CNI Network Vulnerabilities
Network Penetration Testing
- (2020) cyberark.com: Attacking Kubernetes Clusters Through Your Network Plumbing: Part 1 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Delves into how container network interfaces (CNIs) and underlying network configurations can be targets for spoofing, route injection, and MITM attacks within shared Kubernetes clusters.
CVE Analysis
Network Vulnerabilities
- (2020) empresas.blogthinkbig.com: Descubierta una vulnerabilidad en Kubernetes que permite acceso a redes restringidas (CVE-2020-8562) [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Analyzes CVE-2020-8562, a vulnerability allowing path-traversal/access bypass to internal restricted subnets through the Kubernetes API server, discussing standard mitigation strategies.
Case Studies
Historical Exploit Analysis
- (2021) thenewstack.io: Kubernetes: An Examination of Major Attacks 🌟 [N/A CONTENT] [COMMUNITY-TOOL] — Conducts retrospective post-mortems on major real-world Kubernetes security incidents, tracing malicious lateral movements, coin-miner deployments, and critical data breaches back to root posture issues.
Cloud Native Networking
Network Policies
Calico and Tigera Security
- (2020) tigera.io: Kubernetes security policy design: 10 critical best practices 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — A strategic framework for designing cluster-wide network policies, using tiered structures, explicit default-deny states, and labeling schemas to scale security dynamically.
Cloud Native Security
The 4cs Of Cloud Native Security
- (2020) kubernetes.io: Cloud native security for your clusters [N/A CONTENT] [COMMUNITY-TOOL] — An authoritative review of the '4C's of Cloud Native Security' (Cloud, Cluster, Container, Code). Explains how defense-in-depth principles apply across all layers of the cloud-native application stack.
Cluster Hardening
Infrastructural Protection
- (2020) containerjournal.com: How to Secure Your Kubernetes Cluster 🌟 [N/A CONTENT] [LEGACY] — Evaluates cluster configurations across storage, networking, and deployment lifecycles. Discusses the replacement of deprecated Pod Security Policies with built-in Pod Security Standards and third-party policy engines.
Network Policies (1)
- (2019) ==Kubernetes Security Best Practices 🌟== ⭐ 2712 [MARKDOWN CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — A curated GitHub repository delineating hardened configurations for Kubernetes API servers, Kubelets, and network boundaries. It details port-level access rules, ingress/egress filtering, and cluster isolation tactics to defend against pivot attacks.
Runtime Secrets Scanning
- (2021) blog.gitguardian.com: Hardening Your Kubernetes Cluster - Guidelines (Pt. 2) 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — The second part of a structural security guide detailing advanced settings such as RBAC limitations, audit logging targets, container engine isolation, and secrets scanning policies.
Cluster Lifecycle Security (1)
Operating System Paradigm
- (2020) thenewstack.io: How to Secure Kubernetes, the OS of the Cloud [N/A CONTENT] [COMMUNITY-TOOL] — Examines the concept of Kubernetes operating as a cloud-native OS, presenting strategies for securing core services, container communication, and control plane boundaries.
Cluster Misconfigurations
Common Mistakes
- (2021) fairwinds.com: Discover the Top 5 Kubernetes Security Mistakes You're (Probably) Making [N/A CONTENT] [COMMUNITY-TOOL] — Identifies common configuration mistakes like neglected CPU/memory limits, running containers as root, and using unvalidated base images, offering immediate structural remedies.
Defense In Depth
Cluster Hardening (1)
- (2020) thenewstack.io: Defend the Core: Kubernetes Security at Every Layer [N/A CONTENT] [COMMUNITY-TOOL] — Provides an architectural approach to layered container defense. Examines the integration of secure hardware baselines, API rate limiting, network-level firewalls, and runtime analysis agents.
Identity and Access Management
SSO and OIDC Configuration
- (2020) talkingquickly.co.uk: Kubernetes Single Sign On - A detailed guide 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Explains how to integrate Kubernetes API access with external identity providers (OIDC) to enable secure Single Sign-On (SSO) and unify role assignments across developers.
Industry Reports
Archived Market Trends
- (2021) redhat.com: State of Kubernetes Security Report - Spring 2021 (PDF) 🌟 [N/A CONTENT] [COMMUNITY-TOOL] — A comprehensive market study from Spring 2021 highlighting systemic security incidents and detailing key threat factors, infrastructure risks, and tooling choices among enterprise development teams.
Enterprise Security Trends
- (2021) redhat.com: The State of Kubernetes Security [N/A CONTENT] [COMMUNITY-TOOL] — Red Hat's analysis of container security threats, identifying key issues such as misconfigurations, unpatched vulnerabilities, and integration friction in cloud-native operational environments.
Infrastructure
AWS Integration
Networking
- (2024) EC2 ENI and IP Limit [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — Critical hardware reference outlining IP address and Elastic Network Interface (ENI) allocation limits per EC2 instance type. This heavily dictates pod density capabilities when utilizing the VPC CNI plug-in. Platform architects use this data to calculate scaling limits and avoid network exhaustion.
Kubernetes Platform Engine
Cluster Installation and Hardening
Infrastructure Provisioning
- (2020) thenewstack.io: Best Practices for Securely Setting up a Kubernetes Cluster [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Breaks down secure cluster bootstrapping steps, including encrypting secrets at rest in etcd, enabling control plane mutual TLS (mTLS), and minimizing public API endpoint exposure.
Container Runtimes
Runtime Isolation
- (2020) thenewstack.io: A Security Comparison of Docker, CRI-O and Containerd 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Compares the security architecture and attack surfaces of primary container runtimes: Docker, CRI-O, and Containerd. Discusses rootless execution, sandboxed runtimes (Kata, gVisor), and syscall filtering.
Networking (1)
CNI
Cilium
- (2026) cilium.io 🌟 [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — The main website for Cilium, the industry-standard networking, security, and observability engine powered by eBPF. Eliminates routing performance penalties and delivers deep API metrics.
Networking and Security
Security Compliance
CIS Benchmarks
- (2026) ==kube-bench 🌟== ⭐ 8078 [GO CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — The industry standard tool to check whether Kubernetes clusters are deployed securely according to the Center for Internet Security (CIS) benchmarks. Can be run inside container workloads or directly on node hosts, outputting detailed reports identifying API, TLS, and permissions vulnerabilities.
Observability and Monitoring
Ebpf Runtime Enforcement
Tetragon Platform
- (2022) ==Tetragon (Cilium)== ⭐ 4749 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — An eBPF-powered security observability and runtime enforcement platform. It monitors and blocks system events at the kernel level, providing granular process execution, network activity, and file system audit streams with zero container overhead.
Runtime Security
Falco and K3s Audit Logging
- (2021) Analyze Kubernetes Audit logs using Falco 🌟 [GO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — Demonstrates how to pipe Lightweight Kubernetes (K3s) API server audit logs directly into CNCF Falco. Perfect for resource-constrained edges and automated home lab deployments.
Security Industry Analysis
- (2021) infoworld.com: The race to secure Kubernetes at run time [N/A CONTENT] [COMMUNITY-TOOL] — Documents the evolution of runtime threat defense in cloud-native platforms, discussing the industry shift toward kernel-level security telemetry leveraging eBPF technology.
Sysdig and Falco Audit Integration
- (2020) sysdig.com: Getting started with Kubernetes audit logs and Falco 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Explains how to integrate Kubernetes API audit logs with CNCF Falco to capture real-time control plane actions and alert on malicious requests, credential abuse, or abnormal operational API traffic.
Penetration Testing
Security Operations
- (2020) youtube: Kubernetes Security: Attacking and Defending K8s Clusters - by Magno Logan [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — A practical, demonstration-heavy guide outlining attack-and-defend methodologies for production clusters. Demonstrates common configuration exploits and dynamic remediation.
Pod Privilege Escalation
Vulnerability Exploitation
- (2020) labs.bishopfox.com: Bad Pods: Kubernetes Pod Privilege Escalation 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — A highly cited technical analysis demonstrating how misconfigured container host namespaces, capabilities, and volume mounts can be exploited to escape container boundaries and gain full host-level access.
Policy-as-code
Kyverno Administration
- (2020) kyverno.io 🌟 [GO CONTENT] [COMMUNITY-TOOL] — Kyverno is a declarative Kubernetes-native policy engine. Designed specifically for Kubernetes, it simplifies policy management by allowing administrators to validate, mutate, and generate resources without writing complex Rego code.
Kyverno Rules and Policies
- (2020) kyverno.io/policies 🌟 [YAML CONTENT] [COMMUNITY-TOOL] — The official catalog of Kyverno policies, providing ready-to-deploy manifests for Pod Security standards, multi-tenant workspace isolation, label validation, and compliance auto-generation.
RBAC and Authorization
Privilege Escalation
- (2020) jeffgeerling.com: Everyone might be a cluster-admin in your Kubernetes cluster [N/A CONTENT] [COMMUNITY-TOOL] — Investigates RBAC misconfigurations and overly permissive default service accounts that elevate microservice workloads to cluster-admin privileges. It provides actionable remediation strategies for locking down namespace-bound credentials.
Risk Analysis and Auditing
Threat Vector Modeling
- (2020) tldrsec.com: Risk8s Business: Risk Analysis of Kubernetes Clusters 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — A comprehensive vulnerability catalog and risk analysis guide highlighting exploitation pathways in typical cluster deployments. Highlights the security impacts of insecure volume mounts and metadata service access.
Secrets Management
Hashicorp Vault Integration
- (2020) learn.hashicorp.com: Integrate a Kubernetes Cluster with an External Vault 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — A practical implementation guide showcasing how to leverage the HashiCorp Vault Agent Injector sidecar to dynamically inject secrets directly into application pods via in-memory tmpfs mounts.
Security
Access Control
API Access
- (2024) kubernetes.io: Access Clusters Using the Kubernetes API [DOCUMENTATION] [COMMUNITY-TOOL] — An official task-oriented guide illustrating the safe initialization of connections directly to the Kubernetes API server. It highlights proxying patterns, kubectl integration, and direct API calls via transport-layer security (TLS). Essential for developers automating low-level operations within controlled environments.
Authentication
- (2024) kubernetes.io: Authenticating [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — The core official reference for understanding user and service account authentication mechanisms in Kubernetes. It reviews client certificates, bearer tokens, and OIDC federation protocols. This architectural baseline explains how kube-apiserver validates identity requests securely.
Cluster Access
- (2024) kubernetes.io: Accesing Clusters [DOCUMENTATION] [COMMUNITY-TOOL] — Explains how developers and administrators access remote clusters using credential files (kubeconfigs). This documentation reviews contextual switching, multi-cluster management, and local proxy patterns. It serves as a foundational step for secure local engineering workflows.
Custom Authentication
- (2023) Implementing a custom Kubernetes authentication method [ADVANCED LEVEL] [LEGACY] — Provides a technical blueprint for implementing bespoke authentication strategies using webhook token authentication. It explains the integration of custom identity backends with the kube-apiserver lifecycle. Recommended for highly specialized security architectures with legacy SSO restrictions.
Kubectl Authentication
- (2020) kubernetes login [LEGACY] — A legacy-focused technical exploration explaining the login process flow through kubectl. This article breaks down the historical and contemporary mechanics of authentication helpers and tokens. Ideal for engineers seeking to demystify credential caching behaviors.
RBAC
- (2022) engineering.dynatrace.com: Kubernetes Security Best Practices -Part 1: Role Based Access Control (RBAC) [ADVANCED LEVEL] [COMMUNITY-TOOL] — A deep dive into Kubernetes Role-Based Access Control (RBAC) mechanisms and configuration patterns. The guide stresses the architectural importance of the Principle of Least Privilege, outlining best practices for defining Roles and ClusterRoles. Practical mitigation strategies focus on auditing wildcard permissions to avoid escalation risks.
Application Security
Client Security
- (2022) curity.io: Client Security [COMMUNITY-TOOL] — Focuses on security patterns when structuring application clients that interface with identity ecosystems. Covers patterns like Token Handlers and Backend-for-Frontend (BFF) to safely abstract tokens away from client browsers or apps. Reduces target exposures to common cross-site scripting risks.
Architecture
Devsecops
- (2022) thenewstack.io: Securing Kubernetes in a Cloud Native World [COMMUNITY-TOOL] — This technical analysis explores how security shifts within high-velocity cloud-native deployments. Outlines strategies for managing immutable infrastructure, dynamic policy updates, and zero-trust routing. Strongly advocates for shifting security controls left and using automated gating engines.
Future Trends
- (2022) thenewstack.io: Basic Principles Key to Securing Kubernetes’ Future [COMMUNITY-TOOL] — Examines long-term trends in cloud-native security, arguing for declarative and immutable configurations as the main vector of defense. Synthesizes principles of software supply chain verification (such as Sigstore/Cosign integration) and automated drift detection. Vital for architects planning 3-to-5 year container strategies.
Audit
Configuration Assessment
- (2023) securitycafe.ro: A COMPLETE KUBERNETES CONFIG REVIEW METHODOLOGY [ADVANCED LEVEL] [COMMUNITY-TOOL] — An exhaustive, step-by-step methodology for auditing the entire configuration footprint of Kubernetes environments. Provides structural steps for scanning RBAC bindings, assessing cluster configuration parameters, and scanning host node vulnerabilities. Essential checklist for compliance officers and security auditors.
Best Practices
General Hardening
- (2024) armosec.io: Kubernetes Security Best Practices: Definitive Guide [ADVANCED LEVEL] [COMMUNITY-TOOL] — An exhaustive technical blueprint emphasizing end-to-end cloud-native system security. It details critical hardening strategies including image scanning, continuous compliance auditing, and secure runtime boundaries. Modern operators leverage these concepts to build proactive defensive postures across hybrid clusters.
- (2023) thenewstack.io: 6 Kubernetes Security Best Practices 🌟 [COMMUNITY-TOOL] — A baseline architectural guide covering foundational security principles in Kubernetes. It focuses on isolating workloads, enabling network policies, and minimizing container privileges. Real-world implementation highlights the mitigation of broad blast radii by enforcing namespace segregation.
- (2023) spectrocloud.com: Kubernetes security best practices: 5 easy ways to cut risk [COMMUNITY-TOOL] — Outlines five high-impact security wins to drastically lower cluster risk vectors. Key practices include restrictive network boundary controls, cluster-wide image pinning, and utilizing immutable root filesystems. These pragmatically reduce immediate exposure surfaces for standard multi-tenant setups.
Cloud Security
AWS EKS Network
- (2024) Security Group Rules EKS [DOCUMENTATION] [COMMUNITY-TOOL] — Official AWS configuration documentation detailing the network security boundaries for Amazon EKS clusters. It defines minimal requirements for control-plane-to-node communication over secure ports. This ensures highly restrictive ingress/egress patterns in security groups.
Cluster Hardening (2)
Audit Logs
- (2022) blog.gitguardian.com: Kubernetes Hardening Tutorial Part 3: Authn, Authz, Logging & Auditing [COMMUNITY-TOOL] — Part three of the GitGuardian series, focusing on authentication, authorization, logging, and audit tracking. Demonstrates how to design granular RBAC policies and enable cluster audit logs to detect security anomalies. Essential for establishing reliable forensic trails.
Best Practices (1)
- (2022) cast.ai: Kubernetes Security: 10 Best Practices from the Industry and Community 🌟 [LEGACY] — Consolidates ten core security practices derived from cloud-native community patterns and expert input. Discusses API server hardening, encryption of secrets at rest in etcd, and continuous vulnerability verification. Provides a clear roadmap for migrating legacy infrastructure securely into Kubernetes.
- (2022) dev.to/aws-builders: Best Practices for Securing Kubernetes Deployments 🌟 [COMMUNITY-TOOL] — Presents an action-oriented best practice matrix covering cluster configuration and pod safety profiles. Details etcd encryption setups, secure secrets distribution patterns, and implementing standard Pod Security Admission policies. Highly recommended for establishing cluster baselines.
Deployment Security
- (2022) armosec.io: How to Secure Deployments in Kubernetes? 🌟 [COMMUNITY-TOOL] — An operational guide on implementing Pod Security Standards (PSS) within modern clusters. Provides precise configurations for configuring read-only root filesystems, restricting Linux capability escalation, and rejecting root execution. Helps secure standard application manifests against common run-time threat models.
Pod Security
- (2022) dev.to/thenjdevopsguy: Securing Kubernetes Pods For Production Workloads [COMMUNITY-TOOL] — Focuses on runtime container hardening for critical production clusters. Provides examples of setting up restricted securityContext parameters, dropping raw Linux capabilities, and activating seccomp profiles. Ensures configurations restrict exploitation should container escape vulnerabilities emerge.
Standard Checklists
- (2023) kubernetes.io: Security Checklist 🌟🌟 [DOCUMENTATION] [COMMUNITY-TOOL] — The official security checklist published by upstream Kubernetes maintainers. It serves as an authoritative map for hardening cluster networks, applying role access structures, and validating runtimes. Essential baseline documentation for cloud infrastructure engineers.
Devsecops (1)
CICD
- (2022) infoworld.com: 10 steps to automating security in Kubernetes pipelines [COMMUNITY-TOOL] — A ten-step technical blueprint focused on integrating security scanners directly into automated CI/CD deployment pipelines. Covers static application security testing (SAST), secrets detection, and manifest scanning before changes reach staging or production clusters. Outlines shift-left strategies to mitigate misconfiguration deployment risks.
Continuous Security
- (2022) collabnix.com: Applying DevSecOps Practices to Kubernetes [COMMUNITY-TOOL] — Explores the technical implementation of DevSecOps pipelines targeting Kubernetes applications. Discusses how to configure automated feedback loops between static manifest linters, container register vulnerability databases, and runtime audit monitors. Crucial for scaling secure delivery pipelines.
Developer Guidance
- (2022) dev.to/pavanbelagatti: Kubernetes Security Best Practices For Developers [COMMUNITY-TOOL] — Translates complex cluster security profiles into digestible concepts tailored directly for application developers. Focuses on safe manifest construction, secret handling, and using non-root base images. Encourages safe development workflows to eliminate security issues before code merges.
Fundamentals
Concepts
- (2022) dev.to/mattiasfjellstrom: Kubernetes-101: Security concepts [COMMUNITY-TOOL] — An introductory security conceptual guide reviewing isolation techniques like Linux namespaces, cgroups, and capabilities. Correlates these kernel-level tools to upstream abstraction parameters in standard Pod specs. Provides a concise, high-density primer on basic defense constructs.
Threat Modeling
- (2022) blog.gitguardian.com: Hardening Your Kubernetes Cluster - Threat Model (Pt. 1) 🌟🌟 [COMMUNITY-TOOL] — Part one of a tutorial series focusing on threat modeling within Kubernetes systems. Outlines typical attack surface definitions across components like API endpoints, etcd systems, and workers. Aids engineering teams in establishing defense boundaries.
Hardening Standards
Government Guidelines
- (2022) armosec.io: NSA & CISA Kubernetes Hardening Guide – what is new with version 1.1 [LEGACY] — Details updates in version 1.1 of the NSA-CISA Kubernetes Hardening Guide. Highlights transition criteria from deprecated PodSecurityPolicies to Pod Security Standards, alongside advice on checking third-party integrations. Helps teams stay aligned with current guidance.
- (2021) thenewstack.io: The NSA Can Help Secure Your Kubernetes Clusters [COMMUNITY-TOOL] — Evaluates the joint security guidance on Kubernetes hardening issued by the NSA and CISA. Translates government recommendations into actionable steps for enterprise IT administrators. Focuses on separation of credentials and configuring audit pathways.
- (2021) therecord.media: NSA, CISA publish Kubernetes hardening guide 🌟🌟 [COMMUNITY-TOOL] — Detailed breakdown of the NSA/CISA Kubernetes Hardening Guide. Emphasizes container sandboxing, running applications with minimal privilege bounds, and dividing networks to limit damage. A vital reference point for regulatory compliance projects.
- (2021) infoq.com [COMMUNITY-TOOL] — Explores key recommendations from CISA and the NSA regarding cluster infrastructure protection. Demystifies technical methods for managing root filesystems, authenticating platform API requests, and using logging setups to trace lateral movement.
- (2021) thenewstack.io: NSA on How to Harden Kubernetes [COMMUNITY-TOOL] — A practical review focusing on the security configurations defined within the NSA hardening guides. Covers container escape avoidance, using read-only structures, and setting up logging patterns. Beneficial for system engineers translating recommendations to production setups.
IAM
Authentication and Authorization
- (2022) dev.to/thenjdevopsguy: The 4 C’s Of Kubernetes Security [ADVANCED LEVEL] [COMMUNITY-TOOL] — Evaluates enterprise patterns for integrating Kubernetes Role-Based Access Control (RBAC) with corporate directory systems (OIDC, Active Directory). Examines tools like Dex to implement single sign-on (SSO) strategies across multi-cluster environments. Essential reading for cluster operations scaling across departments.
SSO
- (2022) dev.to/gabrielbiasi: Automatic SSO in Kubernetes workloads using a sidecar container [COMMUNITY-TOOL] — Outlines an automated SSO sidecar integration pattern inside Kubernetes pods, abstracting authentication logic away from application-level containers. Details OAuth token management and redirect intercept strategies executed transparently at the pod level. Simplifies identity integration across multiple microservices.
Identity and Access
AWS IRSA
Hybrid Cloud
- (2022) dev.to: Binding AWS IAM roles to Kubernetes Service Account for on-prem clusters | Daniele Polencic 🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — Highlights solutions for extending AWS IAM Roles for Service Accounts (IRSA) configurations into on-premises Kubernetes clusters. Solves the hybrid identity challenge by utilizing OIDC federated discovery documents on local nodes.
Authentication (1)
Legacy Tools
- (2020) github.com/dvob/k8s-s2s-auth: Kubernetes Service Accounts 🌟 [GO CONTENT] [LEGACY] — Curator Insight: Demonstrates internal service-to-service auth patterns utilizing raw Service Account tokens. Live Grounding: The repository has seen no recent development and is considered legacy. It is superseded by modern ephemeral TokenRequest APIs and service mesh mTLS integrations.
- (2023) learnk8s.io/authentication-kubernetes: User and workload identities in Kubernetes 🌟🌟🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — A deep analysis of the conceptual differences between human and workload identities within Kubernetes. Details how API server authentication modules resolve internal workloads using Service Accounts, contrasting them with external OIDC providers.
- (2022) goteleport.com: A Simple Overview of Authentication Methods for Kubernetes Clusters [COMMUNITY-TOOL] — Synthesizes multiple Kubernetes authentication methods—including bootstrap tokens, client certificates, webhook tokens, and OIDC federation. Provides an architect-level comparison of trade-offs regarding credential life and operational complexity.
Cloud Integrations
AWS IRSA (1)
- (2021) mjarosie.github.io: IAM roles for Kubernetes service accounts - deep dive [ADVANCED LEVEL] [COMMUNITY-TOOL] — A thorough exploration of AWS IAM Roles for Service Accounts (IRSA). Demystifies how AWS OpenID Connect (OIDC) federation interacts with mutating admission webhooks to inject dynamic, temporary AWS STS credentials into Kubernetes pods.
Enterprise Authentication
- (2022) loft.sh: Kubernetes and LDAP: Enterprise Authentication for Kubernetes [ADVANCED LEVEL] [LEGACY] — Outlines pattern-driven integrations for bridging classic corporate LDAP servers with modern Kubernetes clusters. Focuses on identity broker abstractions like Dex to map legacy LDAP groups to Kubernetes RBAC definitions.
Microservice Identities
- (2023) learnk8s.io: Authentication between microservices using Kubernetes identities 🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] — A specialized guide analyzing how service-to-service communication can be secured natively. It demonstrates using Kubernetes ServiceAccount tokens as cryptographic identities to authenticate microservices without external overhead. This pattern reduces dependencies on heavy service meshes for simpler deployments.
OIDC
Legacy Tools (1)
- (2020) ==gini/dexter== ⭐ 168 [GO CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] [LEGACY] — Curator Insight: An OIDC-helper CLI tool for generating kubectl credential configurations. Live Grounding: Inactive for over 4 years; considered legacy under Nubenetes MVQ rules. It has been superseded by tools like kubelogin.
Oauth2 Proxy
- (2021) geek-cookbook.funkypenguin.co.nz: Using OAuth2 proxy for Kubernetes Dashboard [COMMUNITY-TOOL] [GUIDE] — A configuration guide describing how to wrap the Kubernetes Dashboard and sensitive internal APIs with oauth2-proxy, enabling secure OIDC integrations and SSO workflows.
- (2024) OpenID Connect [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — The official specifications for OpenID Connect, the dominant federation protocol for Kubernetes authentication. Implementing OIDC enables modern clusters to offload authentication to external identity providers like Okta, Keycloak, or Microsoft Entra ID. This standardizes identity tokens globally across decentralized services.
RBAC (1)
Legacy Tools (2)
- (2020) ==Krane 🌟== ⭐ 740 [RUBY CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] [LEGACY] — Curator Insight: An open-source Kubernetes RBAC static analysis tool designed to identify risky roles, cluster roles, and broad resource access configurations. Live Grounding: The repository is archived and inactive for over 4 years. While the structural rules engine remains historically valuable, it does not support modern Kubernetes RBAC security vectors.
- (2019) ==github.com/clvx/k8s-rbac-model: Kubernetes RBAC Model== ⭐ 26 [JAVASCRIPT CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — Curator Insight: A conceptual visualization framework for modeling Kubernetes RBAC policies. Live Grounding: The project has seen zero updates in over 5 years. Deprioritized under MVQ rules due to structural obsolescence against modern apiGroups.
Security Auditing
- (2022) raesene.github.io: Auditing RBAC - Redux [ADVANCED LEVEL] [COMMUNITY-TOOL] — Highly detailed assessment of tools and manual approaches used to audit RBAC permissions. Looks at the attack surface exposed by privileged service accounts and API server access loopholes, providing concrete defensive guidance.
- (2026) rbac.dev 🌟🌟🌟 [COMMUNITY-TOOL] — A dedicated directory of tools, templates, and best practices for Kubernetes RBAC configurations. Serves as an essential reference for engineers establishing zero-trust access boundaries.
- (2023) devopscube.com: How To Create Kubernetes Service Account For API Access [COMMUNITY-TOOL] [GUIDE] — A practical tutorial focused on provisioning Kubernetes Service Accounts for targeted API server access. Walks through credential auto-generation constraints, manifesting corresponding API access boundaries, and constructing secure automated CI/CD pipelines.
- (2023) learnk8s.io: Limiting access to Kubernetes resources with RBAC 🌟🌟🌟 [COMMUNITY-TOOL] [GUIDE] — A rigorous deep-dive into resource constraints using RBAC. Demonstrates how to write custom policies to isolate network endpoints, restrict API-driven actions, and test permissions safely using
kubectl auth can-i. - (2022) loft.sh: Kubernetes RBAC: Basics and Advanced Patterns [ADVANCED LEVEL] [COMMUNITY-TOOL] — Deconstructs advanced RBAC patterns, focusing on namespace isolation, virtual cluster (vcluster) control planes, and resolving performance regressions associated with large-scale policy databases.
- (2022) marcusnoble.co.uk: Restricting cluster-admin Permissions [ADVANCED LEVEL] [COMMUNITY-TOOL] — Examines security risks associated with widespread
cluster-adminusage. Proposes strategies to design specialized roles with precise apiGroup restrictions to establish guardrails around the control plane. - (2022) anaisurl.com: RBAC Explained with Examples 🌟 [COMMUNITY-TOOL] [GUIDE] — A visual, beginner-friendly guide dissecting RBAC mechanics in Kubernetes. Offers concrete examples of setting up specific read/write permissions for standard development teams.
- (2022) dev.to: Configure RBAC in Kubernetes Like a Boss [COMMUNITY-TOOL] [GUIDE] — An operational checklist and set of best practices for establishing robust, leak-proof RBAC models. Helps administrators avoid common authorization anti-patterns such as wildcards in role rules.
- (2022) youtube: Kubernetes RBAC Explained | Anton Putra 🌟 [COMMUNITY-TOOL] [GUIDE] — Detailed instructional video mapping user groups and service accounts to Kubernetes resources using RBAC. Explains role-binding syntax and access validations in an intuitive, visual style.
- (2021) infracloud.io: How to setup Role based access (RBAC) to Kubernetes Cluster 🌟 [COMMUNITY-TOOL] — Detailed technical analysis of native Kubernetes Role-Based Access Control (RBAC). Explains authorization objects (Roles, ClusterRoles, and Bindings) alongside API groups to help design least-privilege structures.
SSO and SAML
- (2022) gravitational.com: How to Set Up Kubernetes SSO with SAML [ADVANCED LEVEL] [COMMUNITY-TOOL] — Deconstructs the mechanics of configuring Single Sign-On (SSO) for cluster environments utilizing SAML. The guide explains authentication federation patterns, mapping identity provider attributes to Kubernetes RBAC roles. This setup ensures seamless, centralized access management for enterprise platform infrastructure.
Workload Identity
- (2021) linkerd.io: Using Kubernetes's new Bound Service Account Tokens for secure workload identity [ADVANCED LEVEL] [COMMUNITY-TOOL] — Examines Linkerd's transition to Kubernetes Bound Service Account Tokens (TokenRequest API). Explains the security benefits of using tokens containing specific audiences, node bindings, and short lifetimes to mitigate credential leakage risks.
Zero Trust Access
- (2024) paralus.io 🌟 [GO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Paralus is an open-source tool for managing access to multi-cluster Kubernetes environments. Offers a centralized portal for configuring Just-In-Time (JIT) access, OIDC integration, auditing, and RBAC synchronization across cloud providers.
Identity And Access Management
Access Control (1)
- thenewstack.io: Cloud Native Identity and Access Management in Kubernetes [EN CONTENT] [ADVANCED LEVEL] [ENTERPRISE-STABLE] — Examines identity federation, user access management, and internal service-to-service authentication models. Curator insight details mapping cluster roles directly to organizational single sign-on identities. Live grounding indicates that decentralized identity and modern authentication are critical to maintaining least privilege in high-scale infrastructure.
Kubernetes Security (1)
Hardening
- (2023) sysdig.com: Kubernetes Security Guide 🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — Sysdig's comprehensive guide to securing Kubernetes platforms details a multi-layered defense strategy covering container image scanning, runtime protection, network policies, and role-based access control (RBAC). It highlights compliance mappings (such as CIS benchmarks) and operational best practices for detecting abnormal kernel system calls using eBPF-based agents.
Secrets Management (1)
- (2021) Hands on your first Kubernetes secrets 🌟 [COMMUNITY-TOOL] [GUIDE] — This hands-on tutorial guides developers through creating, decoding, and mounting native Kubernetes Secret resources within applications. It highlights base64 encoding limitations and advises on key architectural alternatives, such as HashiCorp Vault integration, Sealed Secrets, or CSI secret store drivers for production environments.
Network Security
Internet Exposure
- (2022) raesene.github.io: Let's talk about Kubernetes on the Internet [ADVANCED LEVEL] [COMMUNITY-TOOL] — An urgent analytical overview assessing why many Kubernetes API control planes remain directly visible on the public internet. Discusses host-level firewall configurations, securing the Kubelet interface, and utilizing private API cluster features in major cloud providers. Emphasizes basic perimeter hygiene.
Network Policies (2)
- (2024) Calico in EKS [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — Guides integration of Calico as a high-performance network policy engine alongside EKS. While AWS VPC CNI handles native IP routing, Calico enforces declarative security policies. This hybrid configuration provides robust, fine-grained L3/L4 segregation across namespace borders.
PKI
Certificate Management
- (2022) blog.alexellis.io: What if your Pods need to trust self-signed certificates? [COMMUNITY-TOOL] — Focuses on patterns for trusting self-signed or internal enterprise Root CA certificates inside dynamic pod runtimes. Demonstrates using initContainers and shared volumes to inject trust anchors clean of custom application builds. Prevents hardcoding issues across dynamic corporate multi-tenant infrastructures.
- (2021) thenewstack.io: Jetstack Secure Promises to Ease Kubernetes TLS Security [COMMUNITY-TOOL] — Analyzes the release and architecture of Jetstack Secure, which simplifies and automates TLS lifecycle tracking via cert-manager. Explains the centralization of public key infrastructures (PKIs) across multi-cluster hybrid clouds. Prevents application downtime caused by unpredicted certificate expirations.
PKI and Certificates
Cert-manager
Access Control (2)
- (2024) ==github.com/cert-manager: Policy Approver== ⭐ 90 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — The cert-manager approver-policy extension code repository. Intercepts CertificateRequest resources before submission, evaluating requested commonNames, SANs, and key constraints against user-defined security guidelines.
- (2026) ==cert-manager/cert-manager== ⭐ 13859 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — Consolidated record of the cert-manager repository, automating certificate lifecycles to guarantee encrypted transport paths between internal microservice runtimes.
- (2026) cert-manager.io 🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] — Official documentation portal for cert-manager, the standard tool for cloud-native PKI. Explains configuring Issuers and Certificate manifests, detailing dynamic ACME solver pipelines, Let's Encrypt integration, and automated internal trust routing.
Conceptual
- (2022) dev.to: Kubernetes TLS, Demystified 🌟 [COMMUNITY-TOOL] [GUIDE] — Demystifies Kubernetes TLS configurations by explaining public/private key pairs, certificate authorities, client-cert server validations, and common Ingress security setups.
TLS Ingress
Lets Encrypt
- (2021) rejupillai.com: Let’s Encrypt the Web (for free) [COMMUNITY-TOOL] [GUIDE] — A practical walk-through detailing TLS integration on a GKE Ingress controller. Guides the configuration of HTTP-01 and DNS-01 ACME validations using cert-manager, resulting in automated, free public certificates.
Platform Hardening
Best Practices (2)
- (2024) Kubernetes Security 101: Risks and 29 Best Practices 🌟 [CASE STUDY] [COMMUNITY-TOOL] — Essential Red Hat Security resource detailing 29 structural recommendations across the entire build, deploy, and run lifecycle. Covers vulnerability scanning, image signing, secure context configurations, and network isolation protocols.
Pod Security (1)
Pod Security Policies
- (2022) Pod Security Policy (SCC in OpenShift) 🌟 [ADVANCED LEVEL] [DOCUMENTATION] [LEGACY] — Architectural comparison contrasting OpenShift Security Context Constraints (SCC) with the deprecated Kubernetes Pod Security Policy (PSP). Live Grounding confirms PSP was completely removed in Kubernetes v1.25. This reference highlights how SCC remains enterprise-stable and active for securing namespaces in Red Hat OpenShift clusters.
- (2021) rancher.com: Enhancing Kubernetes Security with Pod Security Policies, Part 1 [LEGACY] — A historical look at securing container runtimes using Pod Security Policies. As PSP is now deprecated and fully removed in modern Kubernetes, this guide serves as a legacy reference for older Rancher setups. It clarifies critical container capabilities, privilege escalation preventions, and namespace defaults.
- (2021) developer.squareup.com: Kubernetes Pod Security Policies (PSP) [ADVANCED LEVEL] [LEGACY] — Legacy deep-dive exploring Square's real-world PSP architecture and rollout procedures. Note that modern engineering standards require migrating these exact controls to Pod Security Standards (PSS) or external engines like Kyverno. Essential reading to understand historical host namespaces and filesystem restrictions.
Policy and Admission Control
Runtime Security (1)
Legacy Tools (3)
- (2018) ==box/kube-exec-controller== ⭐ 126 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — Curator Insight: Controller to restrict and audit shell execution inside Kubernetes pods. Live Grounding: Inactive for over five years. Superseded by newer ephemeral container mechanics, admission controllers (OPA/Kyverno), and modern service mesh execution boundaries.
Validating Webhooks
- (2022) trstringer.com: Create a Basic Kubernetes Validating Webhook [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — Step-by-step technical guide for writing a custom validating admission controller webhook. Focuses on processing API requests, writing validation criteria in Go, and configuring TLS certificate pathways between the API server and the webhook pod.
Policy and Audit
Manifest Auditing
- (2021) blog.frankel.ch: Learning by auditing Kubernetes manifests [COMMUNITY-TOOL] — An educational approach to understanding Kubernetes security postures through direct manifest auditing. The author walks through security context misconfigurations, detailing how over-privileged containers expose node architectures. This technique bridges the gap between passive development and active cluster security controls.
Policy Enforcement
Admission Control
- (2022) Neon Mirrors: Kubernetes Policy Comparison: OPA/Gatekeeper vs Kyverno [ADVANCED LEVEL] [COMMUNITY-TOOL] — An architectural face-off evaluating Rego-based OPA/Gatekeeper and YAML-native Kyverno. Kyverno offers exceptional ease of use for native K8s manifests, while OPA provides unparalleled expressive power for cross-system policies. It helps architects choose the correct declarative policy engine for high-compliance environments.
Runtime Security (2)
Ebpf
- (2021) developers.redhat.com: Secure your Kubernetes deployments with eBPF [ADVANCED LEVEL] [COMMUNITY-TOOL] — Details how eBPF (Extended Berkeley Packet Filter) technology shifts the runtime security paradigm away from heavy, sidecar-based observability architectures. Demonstrates writing and attaching kernel sandboxed utilities to track execution and networking footprints with minimal CPU overhead. Crucial reading for high-scale, security-conscious platform teams.
Ebpf and Cilium
- (2021) isovalent.com: Detecting a Container Escape with Cilium and eBPF [ADVANCED LEVEL] [COMMUNITY-TOOL] — An in-depth case study of container escape tactics and real-time detection utilizing eBPF and Cilium. It highlights limits of traditional syscall auditing, showcasing how kernel-level hooks identify privilege escalation without agent-induced overhead. Live Grounding points to eBPF-based security as the modern baseline for runtime security orchestration.
Ephemeral Containers
- (2022) xenitab.github.io: Kubernetes Ephemeral Container Security 🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] — Explores security boundaries regarding ephemeral debugging containers, analyzing potential escalation threats through 'kubectl debug'. Highlights how improper RBAC permissions on debugging tools can expose the underlying host or container namespace. Outlines defensive constraints like restricting hostIPC and hostPID mappings.
Secrets Management (2)
Conceptual (1)
- (2022) macchaffee.com: Plain Kubernetes Secrets are fine 🌟 [COMMUNITY-TOOL] — An alternative architectural perspective defending native Kubernetes Secrets. Argues that when matched with strong RBAC controls, namespace boundaries, and cluster-level etcd KMS encryption, native solutions provide sufficient enterprise protection.
Developer Practice
- (2021) millionvisit.blogspot.com: Kubernetes for Developers #19: Manage app credentials using Kubernetes Secrets 🌟 [COMMUNITY-TOOL] [GUIDE] — Developer-centric guide to configuring application manifests for secret consumption. Compares the security profiles of importing secrets as environment variables against dynamic filesystem mounts, detailing runtime behavior and update propagation.
External Secrets
- (2025) ==external-secrets.io 🌟== [GO CONTENT] [ADVANCED LEVEL] [DOCUMENTATION] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — The industry-standard operator for syncing external secrets management services (like AWS Secrets Manager, Vault, or GCP Secret Manager) into Kubernetes Secret objects. This eliminates storing sensitive configuration inside git repositories, supporting true GitOps workflows. Decoupled and secure, it is a critical security-centric component.
Gitops
External Secrets Operator
- (2023) youtube: Manage Kubernetes Secrets With External Secrets Operator (ESO) 🌟 [COMMUNITY-TOOL] [GUIDE] — A technical demonstration detailing the installation and runtime management of the External Secrets Operator (ESO). Demonstrates synchronization pipelines that pull credentials from HashiCorp Vault and cloud providers into native secret schemas.
Sealed Secrets
- (2022) dev.to: Store your Kubernetes Secrets in Git thanks to Kubeseal. Hello SealedSecret! 🌟 [COMMUNITY-TOOL] [GUIDE] — A step-by-step implementation guide for Bitnami's Sealed Secrets (kubeseal). Explains how asymmetric cryptography allows developers to safely commit encrypted secrets to public repositories, leaving cluster-side controllers to handle automated decryption.
- (2022) piotrminkowski.com: Sealed Secrets on Kubernetes with ArgoCD and Terraform [ADVANCED LEVEL] [COMMUNITY-TOOL] — Demonstrates the end-to-end automation of Bitnami Sealed Secrets using Terraform and ArgoCD. Helps DevOps architects define declarative pipelines that provision the sealed secret operator and manage encrypted configurations in Git repositories.
- (2022) cloud.redhat.com: A Guide to Secrets Management with GitOps and Kubernetes 🌟 [ADVANCED LEVEL] [CASE STUDY] [COMMUNITY-TOOL] — Red Hat's whitepaper outlining standard solutions for GitOps secrets management. Contrasts the operational overhead and security profiles of Sealed Secrets, vault-sidecars, and external integration engines in CD environments.
KMS Integration
Legacy Tools (4)
- (2023) ==github.com/ondat/trousseau== ⭐ 181 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] [LEGACY] — Curator Insight: KMS integration designed to encrypt secrets inside etcd using external key management systems. Live Grounding: This repository is unmaintained and archived following Ondat's acquisition. Deprioritized under MVQ rules in favor of native Kubernetes KMS v2 features.
Platform Hardening (1)
Conceptual (2)
- (2022) "Kubernetes base64 encodes secrets because that makes arbitrary data play nice with JSON. It had nothing to do with the security model (or lack thereof). It did not occur to us at the time that people could mistake base64 for some form of encryption" [COMMUNITY-TOOL] — A curated synthesis of engineering consensus regarding Kubernetes native base64 secrets. Emphasizes that encoding is not encryption and acts strictly as a data-serialization layer. Highly recommends implementing RBAC, audit logging, and envelope KMS encryption.
- (2026) kubernetes.io: Encrypting Secret Data at Rest 🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] — Official reference guide to implementing etcd database encryption at rest. Walks through configuring structural 'EncryptionConfiguration' resources, comparing local providers (AES-GCM, secretbox) against enterprise Cloud KMS plugins.
System Hardening
Security Profiles Operator
- (2025) kubernetes-sigs/security-profiles-operator ⭐ 848 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — The official Kubernetes SIG operator for managing Seccomp, AppArmor, and SELinux profiles natively. Live Grounding confirms its active role in highly regulated sectors for hardening container execution spaces. It replaces manual node profiling with declarative, cluster-wide configurations.
- (2021) kubernetes.io: What's new in Security Profiles Operator v0.4.0 [COMMUNITY-TOOL] — An official release announcement detailing the evolution of SPO. It highlights improved profile recording capabilities, integration with kubectl, and initial support for SELinux. Crucial for understanding the transition from manual profiles to automation.
Threat Modeling (1)
Penetration Testing (1)
- (2021) dev.to: A Detailed Talk about K8S Cluster Security from the Perspective of Attackers (Part 1) [ADVANCED LEVEL] [COMMUNITY-TOOL] — Provides an attacker's perspective on Kubernetes deployment flaws. Explores breakout methodologies, privilege escalation via over-permissioned service accounts, and API Server compromise scenarios, illustrating defensive configurations required to counter threats.
Threat Vector
Internet Exposure (1)
- (2023) blog.cyble.com: Exposed Kubernetes Clusters [ADVANCED LEVEL] [COMMUNITY-TOOL] — Threat intelligence research showing search profiles of exposed clusters active across the globe. Highlights typical compromise pathways starting from default configurations or misconfigured control plane boundaries. Recommends strict perimeter restrictions.
Observability Exposure
- (2022) sysdig.com: How attackers use exposed Prometheus server to exploit Kubernetes clusters | Miguel Hernández [ADVANCED LEVEL] [COMMUNITY-TOOL] — An analytical threat report detailing how exposed Prometheus endpoints can facilitate cluster compromise. Explains how attackers scan for unauthenticated metrics interfaces to harvest metadata, endpoints, and environment configurations. Demonstrates step-by-step mitigation paths, including mandatory mTLS and RBAC verification.
Tooling
Security Auditing (1)
- (2022) mattermost.com: The Top 7 Open Source Tools for Securing Your Kubernetes Cluster [COMMUNITY-TOOL] — This resource provides a comparative overview of seven premier open-source tools designed for Kubernetes security hardening. It introduces utilities like Trivy, Falco, and Kube-hunter, aligning each with specific pipeline gates or runtime defenses. Serves as a useful high-level map for architects selecting security tooling.
Vulnerabilities
CVE Tracking
- (2025) kubernetes.io: Official CVE Feed 🌟 [DOCUMENTATION] [COMMUNITY-TOOL] — The official database of active and resolved CVEs for the Kubernetes ecosystem. It tracks core component bugs, container execution vulnerabilities, and control plane bypass vectors. Maintaining a regular review of this feed is an essential component of modern enterprise risk mitigation.
- (2022) kubernetes.io: Announcing the Auto-refreshing Official Kubernetes CVE Feed [COMMUNITY-TOOL] — Details the launch of the programmatically accessible, auto-refreshing CVE feed in JSON/YAML. This allows security automation tooling to dynamically scan and trigger alerts on freshly discovered platform vulnerabilities, greatly speeding up remediation and patching schedules.
Case Studies (1)
- (2021) hackerone.com: Authenticated kubernetes principal with restricted permissions can retrieve ingress-nginx serviceaccount token and secrets across all namespaces [ADVANCED LEVEL] [COMMUNITY-TOOL] — A detailed post-mortem report demonstrating how restricted cluster principals could extract ingress-nginx service account tokens. This real-world vulnerability highlights the architectural danger of over-privileged system namespaces. It emphasizes the need to isolate and continuously audit ingress controller configurations.
Post-deployment Scanning
- (2025) ==kubescape== ⭐ 11480 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — An active CNCF Sandbox tool providing multi-framework configuration scanning, risk analysis, and vulnerability management. It integrates into CI/CD pipelines to ensure continuous verification of compliance frameworks (like CIS and NSA-CISA). Essential for enterprise teams seeking unified security visibility.
Vulnerability Assessment
CIS Benchmarks (1)
- (2022) rancher/cis-operator ⭐ 55 [GO CONTENT] 🌟🌟 [COMMUNITY-TOOL] — Rancher's cis-operator is an automated tool running CIS security scans natively within Rancher ecosystems. It generates compliance reports validating control plane and worker components against standard security baselines. A key utility for multi-cluster environments managed via Rancher.
- (2022) blog.flant.com: Kubernetes cluster security assessment with kube-bench and kube-hunter [COMMUNITY-TOOL] — Evaluates how to deploy and configure Aqua Security's kube-bench alongside kube-hunter. Shows how to automate node validation against CIS benchmarks, and actively scan cluster endpoints for network exposure vectors. Offers a potent open-source combination for regular pentesting operations.
Policy Enforcement (1)
- (2023) github.com/Shopify/kubeaudit 🌟🌟 ⭐ 1937 [GO CONTENT] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] [LEGACY] — Shopify's kubeaudit is a popular open-source tool targeting configuration analysis. Curators note its ability to audit running clusters or local manifests for root execution or privilege escalations. Live Grounding (2026): The repository is archived/read-only, but its audit logic remains highly influential for policy structures.
- (2021) infoq.com: Armo Releases Kubescape K8s Security Testing Tool: Q&A with VP Jonathan Kaftzan [COMMUNITY-TOOL] — An interview exploring the architecture, technical goals, and philosophy behind Kubescape. Focuses on simplifying multi-framework compliance analysis for platform engineers. Details how the tool analyzes YAML formats and active runtimes to find security posture anomalies.
Threat Modeling (2)
- (2022) owasp.org: OWASP Kubernetes Top Ten [DOCUMENTATION] [COMMUNITY-TOOL] — The official OWASP Kubernetes Top Ten project document. Outlines the ten most dangerous vulnerabilities facing modern orchestrator deployments, including API vulnerabilities, insecure defaults, and supply-chain bugs. The core benchmark for establishing cluster defense strategies.
Zero Trust
Service Mesh and Networking
- (2022) copado.com: Applying a Zero Trust Infrastructure in Kubernetes [ADVANCED LEVEL] [COMMUNITY-TOOL] — An architecture guide on applying Zero Trust principles to Kubernetes infrastructure environments. It covers building cryptographically verifiable workload identities via SPIFFE/SPIRE, and micro-segmenting service interactions with mTLS. Transitions teams away from perimeter-only defenses to continuous validation.
Zero Trust Architecture
- (2022) thenewstack.io: Securing Access to Kubernetes Environments with Zero Trust [COMMUNITY-TOOL] — Discusses securing cloud-native setups using Zero Trust strategies. Covers real-time threat assessments, deep access auditing, and replacing static certificates with automated network micro-segmentation.
Security Training and Playgrounds
Kubernetes Goat Lab
- (2020) Kubernetes Goat 🌟 [GO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — An intentionally vulnerable cluster environment designed for hands-on cybersecurity training. Includes self-contained scenarios exploring SSRF, container escape, secrets leakage, and misconfigured RBAC roles.
Supply Chain Security
Signature Verification and Ratify
- (2021) infoworld.com: Securing the Kubernetes software supply chain with Microsoft's Ratify [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Focuses on utilizing Ratify as an admission controller to verify container metadata, secure supply-chain signatures (via Cosign/Notation), and enforce strict provenance validation before execution.
Threat Modeling (3)
MITRE ATTandCK Adaptation
- (2021) microsoft.com: Secure containerized environments with updated threat matrix for Kubernetes [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Discusses updates to Microsoft's threat matrix for Kubernetes, refining mapped attack vectors based on modern production compromise telemetry. Covers control plane compromises and cloud identity integrations.
MITRE ATTandCK Framework
- (2020) Microsoft.com: Attack matrix for Kubernetes 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Microsoft's systematic adaptation of the MITRE ATT&CK framework mapping out K8s attack vectors from initial access to execution, persistence, privilege escalation, and impact. Helps security operators assess risks in orchestration configurations.
Vulnerability Assessment Tools
Kubestriker Scanner
- (2021) helpnetsecurity.com: Kubestriker: A security auditing tool for Kubernetes clusters 🌟 [N/A CONTENT] [COMMUNITY-TOOL] — Reviews Kubestriker, a lightweight, agentless open-source security scanner that audits Kubernetes control plane configurations, insecure ports, and IAM roles for vulnerabilities.
Workload Hardening
Identity and Access Management (1)
- (2020) thenewstack.io: Laying the Groundwork for Kubernetes Security, Across Workloads, Pods and Users [N/A CONTENT] [COMMUNITY-TOOL] — Analyzes the multi-dimensional security layers required for modern Kubernetes deployments, addressing workload isolation, Pod Security Standards (PSS), and secure developer workflow patterns.
Pod Security Context
- (2020) snyk.io: 10 Kubernetes Security Context settings you should understand [N/A CONTENT] [COMMUNITY-TOOL] — Detailed documentation of essential Security Context settings (e.g.,
allowPrivilegeEscalation,readOnlyRootFilesystem, andrunAsNonRoot) used to harden workload runtimes.
Pod Specifications
- (2021) blog.gitguardian.com: Kubernetes Hardening Tutorial Part 1: Pods [N/A CONTENT] [COMMUNITY-TOOL] — Part one of GitGuardian's workload security tutorial, targeting critical pod configurations such as root user restrictions, secure namespaces, and minimizing host-level network sharing.
Workstation Client Security
Kubeconfig Hardening
- (2020) gist.github.com: How to protect your ~/.kube/ configuration [SHELL CONTENT] [COMMUNITY-TOOL] [GUIDE] — Provides hardening steps for securing developer workstation
~/.kube/configfiles. Details POSIX permissions adjustments, the usage of credential helpers, and avoiding static administrative token storage.
💡 Explore Related: Securityascode | Ansible | Crossplane