Files

6196 lines
276 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Enterprise-grade curated portal for the modern Cloud Native ecosystem. High-density, AI-driven selection of top-tier resources.">
<meta name="author" content="Nubenetes">
<link rel="canonical" href="https://nubenetes.com/kubernetes-security/">
<link rel="prev" href="../iac/">
<link rel="next" href="../kustomize/">
<link rel="icon" href="../images/favicon-ultra.png">
<meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.7.6">
<title>Kubernetes Security - Nubenetes V2 | The AI's Cut</title>
<link rel="stylesheet" href="../assets/stylesheets/main.484c7ddc.min.css">
<link rel="stylesheet" href="../assets/stylesheets/palette.ab4e12ef.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;700&display=swap">
<link rel="stylesheet" href="../static/extra.css">
<link rel="stylesheet" href="../static/v2_elite.css?v=2.3.44">
<script>__md_scope=new URL("..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="slate" data-md-color-primary="custom" data-md-color-accent="custom">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#kubernetes-security" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<div data-md-color-scheme="default" data-md-component="outdated" hidden>
</div>
<header class="md-header md-header--shadow md-header--lifted" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href=".." title="Nubenetes V2 | The AI&#39;s Cut" class="md-header__button md-logo" aria-label="Nubenetes V2 | The AI's Cut" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Nubenetes V2 | The AI's Cut
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Kubernetes Security
</span>
</div>
</div>
</div>
<form class="md-header__option" data-md-component="palette">
<input class="md-option" data-md-color-media="" data-md-color-scheme="slate" data-md-color-primary="custom" data-md-color-accent="custom" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_0">
<label class="md-header__button md-icon" title="Switch to light mode" for="__palette_1" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 1 3 5v6c0 5.55 3.84 10.74 9 12 5.16-1.26 9-6.45 9-12V5z"/></svg>
</label>
<input class="md-option" data-md-color-media="" data-md-color-scheme="default" data-md-color-primary="custom" data-md-color-accent="custom" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_1">
<label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_0" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 11c0 5.55-3.84 10.74-9 12-5.16-1.26-9-6.45-9-12V5l9-4 9 4zm-9 10c3.75-1 7-5.46 7-9.78V6.3l-7-3.12L5 6.3v4.92C5 15.54 8.25 20 12 21m-3-6.67c1.76 2.17 5.13 2.24 6.97.07.23-.27.08-.68-.26-.74a4.5 4.5 0 0 1-3.18-2.2 4.5 4.5 0 0 1-.32-3.86.453.453 0 0 0-.51-.6c-3.34.62-4.89 4.61-2.7 7.33"/></svg>
</label>
</form>
<script>var palette=__md_get("__palette");if(palette&&palette.color){if("(prefers-color-scheme)"===palette.color.media){var media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent")}for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<a href="javascript:void(0)" class="md-search__icon md-icon" title="Share" aria-label="Share" data-clipboard data-clipboard-text="" data-md-component="search-share" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M18 16.08c-.76 0-1.44.3-1.96.77L8.91 12.7c.05-.23.09-.46.09-.7s-.04-.47-.09-.7l7.05-4.11c.54.5 1.25.81 2.04.81a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3c0 .24.04.47.09.7L8.04 9.81C7.5 9.31 6.79 9 6 9a3 3 0 0 0-3 3 3 3 0 0 0 3 3c.79 0 1.5-.31 2.04-.81l7.12 4.15c-.05.21-.08.43-.08.66 0 1.61 1.31 2.91 2.92 2.91s2.92-1.3 2.92-2.91A2.92 2.92 0 0 0 18 16.08"/></svg>
</a>
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg>
</button>
</nav>
<div class="md-search__suggest" data-md-component="search-suggest"></div>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" tabindex="0" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/nubenetes/awesome-kubernetes" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 7.1.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2025 Fonticons, Inc.--><path d="M439.6 236.1 244 40.5c-5.4-5.5-12.8-8.5-20.4-8.5s-15 3-20.4 8.4L162.5 81l51.5 51.5c27.1-9.1 52.7 16.8 43.4 43.7l49.7 49.7c34.2-11.8 61.2 31 35.5 56.7-26.5 26.5-70.2-2.9-56-37.3L240.3 199v121.9c25.3 12.5 22.3 41.8 9.1 55-6.4 6.4-15.2 10.1-24.3 10.1s-17.8-3.6-24.3-10.1c-17.6-17.6-11.1-46.9 11.2-56v-123c-20.8-8.5-24.6-30.7-18.6-45L142.6 101 8.5 235.1C3 240.6 0 247.9 0 255.5s3 15 8.5 20.4l195.6 195.7c5.4 5.4 12.7 8.4 20.4 8.4s15-3 20.4-8.4l194.7-194.7c5.4-5.4 8.4-12.8 8.4-20.4s-3-15-8.4-20.4"/></svg>
</div>
<div class="md-source__repository">
nubenetes/awesome-kubernetes
</div>
</a>
</div>
</nav>
<nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
<div class="md-grid">
<ul class="md-tabs__list">
<li class="md-tabs__item">
<a href="https://nubenetes.com/v1/" class="md-tabs__link">
🔙 Back to V1 (Exhaustive)
</a>
</li>
<li class="md-tabs__item">
<a href=".." class="md-tabs__link">
The 2026 Vision
</a>
</li>
<li class="md-tabs__item">
<a href="../tags/" class="md-tabs__link">
Technical Tags
</a>
</li>
<li class="md-tabs__item">
<a href="../videos/" class="md-tabs__link">
Agentic Video Hub
</a>
</li>
<li class="md-tabs__item">
<a href="../ai-agents-mcp/" class="md-tabs__link">
AI
</a>
</li>
<li class="md-tabs__item">
<a href="../about/" class="md-tabs__link">
Architectural Foundations
</a>
</li>
<li class="md-tabs__item">
<a href="../chaos-engineering/" class="md-tabs__link">
Platform & Site Reliability
</a>
</li>
<li class="md-tabs__item md-tabs__item--active">
<a href="../ansible/" class="md-tabs__link">
Hardened Infrastructure
</a>
</li>
<li class="md-tabs__item">
<a href="../GoogleCloudPlatform/" class="md-tabs__link">
Cloud Providers (Hyperscalers)
</a>
</li>
<li class="md-tabs__item">
<a href="../caching/" class="md-tabs__link">
Networking & Service Mesh
</a>
</li>
<li class="md-tabs__item">
<a href="../container-managers/" class="md-tabs__link">
The Container Stack
</a>
</li>
<li class="md-tabs__item">
<a href="../crunchydata/" class="md-tabs__link">
Data & Advanced Analytics
</a>
</li>
<li class="md-tabs__item">
<a href="../argo/" class="md-tabs__link">
Engineering Pipeline
</a>
</li>
<li class="md-tabs__item">
<a href="../ChromeDevTools/" class="md-tabs__link">
Developer Ecosystem
</a>
</li>
<li class="md-tabs__item">
<a href="../appointment-scheduling/" class="md-tabs__link">
Career & Industry
</a>
</li>
</ul>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary md-nav--lifted md-nav--integrated" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="Nubenetes V2 | The AI&#39;s Cut" class="md-nav__button md-logo" aria-label="Nubenetes V2 | The AI's Cut" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
Nubenetes V2 | The AI's Cut
</label>
<div class="md-nav__source">
<a href="https://github.com/nubenetes/awesome-kubernetes" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 7.1.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2025 Fonticons, Inc.--><path d="M439.6 236.1 244 40.5c-5.4-5.5-12.8-8.5-20.4-8.5s-15 3-20.4 8.4L162.5 81l51.5 51.5c27.1-9.1 52.7 16.8 43.4 43.7l49.7 49.7c34.2-11.8 61.2 31 35.5 56.7-26.5 26.5-70.2-2.9-56-37.3L240.3 199v121.9c25.3 12.5 22.3 41.8 9.1 55-6.4 6.4-15.2 10.1-24.3 10.1s-17.8-3.6-24.3-10.1c-17.6-17.6-11.1-46.9 11.2-56v-123c-20.8-8.5-24.6-30.7-18.6-45L142.6 101 8.5 235.1C3 240.6 0 247.9 0 255.5s3 15 8.5 20.4l195.6 195.7c5.4 5.4 12.7 8.4 20.4 8.4s15-3 20.4-8.4l194.7-194.7c5.4-5.4 8.4-12.8 8.4-20.4s-3-15-8.4-20.4"/></svg>
</div>
<div class="md-source__repository">
nubenetes/awesome-kubernetes
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="https://nubenetes.com/v1/" class="md-nav__link">
<span class="md-ellipsis">
🔙 Back to V1 (Exhaustive)
</span>
</a>
</li>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
<span class="md-ellipsis">
The 2026 Vision
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../tags/" class="md-nav__link">
<span class="md-ellipsis">
Technical Tags
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--pruned md-nav__item--nested">
<a href="../videos/" class="md-nav__link">
<span class="md-ellipsis">
Agentic Video Hub
</span>
<span class="md-nav__icon md-icon"></span>
</a>
</li>
<li class="md-nav__item md-nav__item--pruned md-nav__item--nested">
<a href="../ai-agents-mcp/" class="md-nav__link">
<span class="md-ellipsis">
AI
</span>
<span class="md-nav__icon md-icon"></span>
</a>
</li>
<li class="md-nav__item md-nav__item--pruned md-nav__item--nested">
<a href="../about/" class="md-nav__link">
<span class="md-ellipsis">
Architectural Foundations
</span>
<span class="md-nav__icon md-icon"></span>
</a>
</li>
<li class="md-nav__item md-nav__item--pruned md-nav__item--nested">
<a href="../chaos-engineering/" class="md-nav__link">
<span class="md-ellipsis">
Platform & Site Reliability
</span>
<span class="md-nav__icon md-icon"></span>
</a>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8" checked>
<label class="md-nav__link" for="__nav_8" id="__nav_8_label" tabindex="">
<span class="md-ellipsis">
Hardened Infrastructure
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_8_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_8">
<span class="md-nav__icon md-icon"></span>
Hardened Infrastructure
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../ansible/" class="md-nav__link">
<span class="md-ellipsis">
Ansible
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../chef/" class="md-nav__link">
<span class="md-ellipsis">
Chef
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../crossplane/" class="md-nav__link">
<span class="md-ellipsis">
Crossplane
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../devsecops/" class="md-nav__link">
<span class="md-ellipsis">
Devsecops
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../iac/" class="md-nav__link">
<span class="md-ellipsis">
IaC
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
Kubernetes Security
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
Kubernetes Security
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#table-of-contents" class="md-nav__link">
<span class="md-ellipsis">
Table of Contents
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#api-access-protection" class="md-nav__link">
<span class="md-ellipsis">
API Access Protection
</span>
</a>
<nav class="md-nav" aria-label="API Access Protection">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#teleport-access-control" class="md-nav__link">
<span class="md-ellipsis">
Teleport Access Control
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#architectural-foundations" class="md-nav__link">
<span class="md-ellipsis">
Architectural Foundations
</span>
</a>
<nav class="md-nav" aria-label="Architectural Foundations">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#kubernetes-tools" class="md-nav__link">
<span class="md-ellipsis">
Kubernetes Tools
</span>
</a>
<nav class="md-nav" aria-label="Kubernetes Tools">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#general-reference" class="md-nav__link">
<span class="md-ellipsis">
General Reference
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#architecture" class="md-nav__link">
<span class="md-ellipsis">
Architecture
</span>
</a>
<nav class="md-nav" aria-label="Architecture">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#microservices" class="md-nav__link">
<span class="md-ellipsis">
Microservices
</span>
</a>
<nav class="md-nav" aria-label="Microservices">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#application-lifecycle" class="md-nav__link">
<span class="md-ellipsis">
Application Lifecycle
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#cks-certification-study-guides" class="md-nav__link">
<span class="md-ellipsis">
CKS Certification Study Guides
</span>
</a>
<nav class="md-nav" aria-label="CKS Certification Study Guides">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#cluster-lifecycle-security" class="md-nav__link">
<span class="md-ellipsis">
Cluster Lifecycle Security
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#cni-network-vulnerabilities" class="md-nav__link">
<span class="md-ellipsis">
CNI Network Vulnerabilities
</span>
</a>
<nav class="md-nav" aria-label="CNI Network Vulnerabilities">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#network-penetration-testing" class="md-nav__link">
<span class="md-ellipsis">
Network Penetration Testing
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#cve-analysis" class="md-nav__link">
<span class="md-ellipsis">
CVE Analysis
</span>
</a>
<nav class="md-nav" aria-label="CVE Analysis">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#network-vulnerabilities" class="md-nav__link">
<span class="md-ellipsis">
Network Vulnerabilities
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#case-studies" class="md-nav__link">
<span class="md-ellipsis">
Case Studies
</span>
</a>
<nav class="md-nav" aria-label="Case Studies">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#historical-exploit-analysis" class="md-nav__link">
<span class="md-ellipsis">
Historical Exploit Analysis
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#cloud-native-networking" class="md-nav__link">
<span class="md-ellipsis">
Cloud Native Networking
</span>
</a>
<nav class="md-nav" aria-label="Cloud Native Networking">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#network-policies" class="md-nav__link">
<span class="md-ellipsis">
Network Policies
</span>
</a>
<nav class="md-nav" aria-label="Network Policies">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#calico-and-tigera-security" class="md-nav__link">
<span class="md-ellipsis">
Calico and Tigera Security
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#secure-cni-implementation" class="md-nav__link">
<span class="md-ellipsis">
Secure CNI Implementation
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#cloud-native-security" class="md-nav__link">
<span class="md-ellipsis">
Cloud Native Security
</span>
</a>
<nav class="md-nav" aria-label="Cloud Native Security">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#the-4cs-of-cloud-native-security" class="md-nav__link">
<span class="md-ellipsis">
The 4Cs of Cloud Native Security
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#cluster-hardening" class="md-nav__link">
<span class="md-ellipsis">
Cluster Hardening
</span>
</a>
<nav class="md-nav" aria-label="Cluster Hardening">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#infrastructural-protection" class="md-nav__link">
<span class="md-ellipsis">
Infrastructural Protection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#network-policies-1" class="md-nav__link">
<span class="md-ellipsis">
Network Policies (1)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#operational-security" class="md-nav__link">
<span class="md-ellipsis">
Operational Security
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#runtime-secrets-scanning" class="md-nav__link">
<span class="md-ellipsis">
Runtime Secrets Scanning
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#security-best-practices" class="md-nav__link">
<span class="md-ellipsis">
Security Best Practices
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#cluster-lifecycle-security-1" class="md-nav__link">
<span class="md-ellipsis">
Cluster Lifecycle Security (1)
</span>
</a>
<nav class="md-nav" aria-label="Cluster Lifecycle Security (1)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#operating-system-paradigm" class="md-nav__link">
<span class="md-ellipsis">
Operating System Paradigm
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#cluster-misconfigurations" class="md-nav__link">
<span class="md-ellipsis">
Cluster Misconfigurations
</span>
</a>
<nav class="md-nav" aria-label="Cluster Misconfigurations">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#common-mistakes" class="md-nav__link">
<span class="md-ellipsis">
Common Mistakes
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#defense-in-depth" class="md-nav__link">
<span class="md-ellipsis">
Defense in Depth
</span>
</a>
<nav class="md-nav" aria-label="Defense in Depth">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#cluster-hardening-1" class="md-nav__link">
<span class="md-ellipsis">
Cluster Hardening (1)
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#identity-and-access-management" class="md-nav__link">
<span class="md-ellipsis">
Identity and Access Management
</span>
</a>
<nav class="md-nav" aria-label="Identity and Access Management">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#sso-and-oidc-configuration" class="md-nav__link">
<span class="md-ellipsis">
SSO and OIDC Configuration
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#industry-reports" class="md-nav__link">
<span class="md-ellipsis">
Industry Reports
</span>
</a>
<nav class="md-nav" aria-label="Industry Reports">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#archived-market-trends" class="md-nav__link">
<span class="md-ellipsis">
Archived Market Trends
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#enterprise-security-trends" class="md-nav__link">
<span class="md-ellipsis">
Enterprise Security Trends
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#infrastructure" class="md-nav__link">
<span class="md-ellipsis">
Infrastructure
</span>
</a>
<nav class="md-nav" aria-label="Infrastructure">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#aws-integration" class="md-nav__link">
<span class="md-ellipsis">
AWS Integration
</span>
</a>
<nav class="md-nav" aria-label="AWS Integration">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#networking" class="md-nav__link">
<span class="md-ellipsis">
Networking
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#kubernetes-platform-engine" class="md-nav__link">
<span class="md-ellipsis">
Kubernetes Platform Engine
</span>
</a>
<nav class="md-nav" aria-label="Kubernetes Platform Engine">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#cluster-installation-and-hardening" class="md-nav__link">
<span class="md-ellipsis">
Cluster Installation and Hardening
</span>
</a>
<nav class="md-nav" aria-label="Cluster Installation and Hardening">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#infrastructure-provisioning" class="md-nav__link">
<span class="md-ellipsis">
Infrastructure Provisioning
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#container-runtimes" class="md-nav__link">
<span class="md-ellipsis">
Container Runtimes
</span>
</a>
<nav class="md-nav" aria-label="Container Runtimes">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#runtime-isolation" class="md-nav__link">
<span class="md-ellipsis">
Runtime Isolation
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#networking-and-security" class="md-nav__link">
<span class="md-ellipsis">
Networking and Security
</span>
</a>
<nav class="md-nav" aria-label="Networking and Security">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#security-compliance" class="md-nav__link">
<span class="md-ellipsis">
Security Compliance
</span>
</a>
<nav class="md-nav" aria-label="Security Compliance">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#cis-benchmarks" class="md-nav__link">
<span class="md-ellipsis">
CIS Benchmarks
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#observability-and-monitoring" class="md-nav__link">
<span class="md-ellipsis">
Observability and Monitoring
</span>
</a>
<nav class="md-nav" aria-label="Observability and Monitoring">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#runtime-security" class="md-nav__link">
<span class="md-ellipsis">
Runtime Security
</span>
</a>
<nav class="md-nav" aria-label="Runtime Security">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#falco-and-k3s-audit-logging" class="md-nav__link">
<span class="md-ellipsis">
Falco and K3s Audit Logging
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#security-industry-analysis" class="md-nav__link">
<span class="md-ellipsis">
Security Industry Analysis
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#sysdig-and-falco-audit-integration" class="md-nav__link">
<span class="md-ellipsis">
Sysdig and Falco Audit Integration
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#ebpf-runtime-enforcement" class="md-nav__link">
<span class="md-ellipsis">
eBPF Runtime Enforcement
</span>
</a>
<nav class="md-nav" aria-label="eBPF Runtime Enforcement">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#tetragon-platform" class="md-nav__link">
<span class="md-ellipsis">
Tetragon Platform
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#penetration-testing" class="md-nav__link">
<span class="md-ellipsis">
Penetration Testing
</span>
</a>
<nav class="md-nav" aria-label="Penetration Testing">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#security-operations" class="md-nav__link">
<span class="md-ellipsis">
Security Operations
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#pod-privilege-escalation" class="md-nav__link">
<span class="md-ellipsis">
Pod Privilege Escalation
</span>
</a>
<nav class="md-nav" aria-label="Pod Privilege Escalation">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#vulnerability-exploitation" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability Exploitation
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#policy-as-code" class="md-nav__link">
<span class="md-ellipsis">
Policy-as-Code
</span>
</a>
<nav class="md-nav" aria-label="Policy-as-Code">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#kyverno-administration" class="md-nav__link">
<span class="md-ellipsis">
Kyverno Administration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#kyverno-rules-and-policies" class="md-nav__link">
<span class="md-ellipsis">
Kyverno Rules and Policies
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#rbac-and-authorization" class="md-nav__link">
<span class="md-ellipsis">
RBAC and Authorization
</span>
</a>
<nav class="md-nav" aria-label="RBAC and Authorization">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#privilege-escalation" class="md-nav__link">
<span class="md-ellipsis">
Privilege Escalation
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#risk-analysis-and-auditing" class="md-nav__link">
<span class="md-ellipsis">
Risk Analysis and Auditing
</span>
</a>
<nav class="md-nav" aria-label="Risk Analysis and Auditing">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#threat-vector-modeling" class="md-nav__link">
<span class="md-ellipsis">
Threat Vector Modeling
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#secrets-management" class="md-nav__link">
<span class="md-ellipsis">
Secrets Management
</span>
</a>
<nav class="md-nav" aria-label="Secrets Management">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#hashicorp-vault-integration" class="md-nav__link">
<span class="md-ellipsis">
HashiCorp Vault Integration
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#security" class="md-nav__link">
<span class="md-ellipsis">
Security
</span>
</a>
<nav class="md-nav" aria-label="Security">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#access-control" class="md-nav__link">
<span class="md-ellipsis">
Access Control
</span>
</a>
<nav class="md-nav" aria-label="Access Control">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#api-access" class="md-nav__link">
<span class="md-ellipsis">
API Access
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#authentication" class="md-nav__link">
<span class="md-ellipsis">
Authentication
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#cluster-access" class="md-nav__link">
<span class="md-ellipsis">
Cluster Access
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#custom-authentication" class="md-nav__link">
<span class="md-ellipsis">
Custom Authentication
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#rbac" class="md-nav__link">
<span class="md-ellipsis">
RBAC
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#kubectl-authentication" class="md-nav__link">
<span class="md-ellipsis">
kubectl Authentication
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#application-security" class="md-nav__link">
<span class="md-ellipsis">
Application Security
</span>
</a>
<nav class="md-nav" aria-label="Application Security">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#client-security" class="md-nav__link">
<span class="md-ellipsis">
Client Security
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#architecture-1" class="md-nav__link">
<span class="md-ellipsis">
Architecture (1)
</span>
</a>
<nav class="md-nav" aria-label="Architecture (1)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#devsecops" class="md-nav__link">
<span class="md-ellipsis">
DevSecOps
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#future-trends" class="md-nav__link">
<span class="md-ellipsis">
Future Trends
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#audit" class="md-nav__link">
<span class="md-ellipsis">
Audit
</span>
</a>
<nav class="md-nav" aria-label="Audit">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#configuration-assessment" class="md-nav__link">
<span class="md-ellipsis">
Configuration Assessment
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#best-practices" class="md-nav__link">
<span class="md-ellipsis">
Best Practices
</span>
</a>
<nav class="md-nav" aria-label="Best Practices">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#general-hardening" class="md-nav__link">
<span class="md-ellipsis">
General Hardening
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#cloud-security" class="md-nav__link">
<span class="md-ellipsis">
Cloud Security
</span>
</a>
<nav class="md-nav" aria-label="Cloud Security">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#aws-eks-network" class="md-nav__link">
<span class="md-ellipsis">
AWS EKS Network
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#eks-hardening" class="md-nav__link">
<span class="md-ellipsis">
EKS Hardening
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#cluster-hardening-2" class="md-nav__link">
<span class="md-ellipsis">
Cluster Hardening (2)
</span>
</a>
<nav class="md-nav" aria-label="Cluster Hardening (2)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#audit-logs" class="md-nav__link">
<span class="md-ellipsis">
Audit Logs
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#best-practices-1" class="md-nav__link">
<span class="md-ellipsis">
Best Practices (1)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#deployment-security" class="md-nav__link">
<span class="md-ellipsis">
Deployment Security
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#pod-security" class="md-nav__link">
<span class="md-ellipsis">
Pod Security
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#standard-checklists" class="md-nav__link">
<span class="md-ellipsis">
Standard Checklists
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#compliance" class="md-nav__link">
<span class="md-ellipsis">
Compliance
</span>
</a>
<nav class="md-nav" aria-label="Compliance">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#cis-benchmarks-1" class="md-nav__link">
<span class="md-ellipsis">
CIS Benchmarks (1)
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#deployment-security-1" class="md-nav__link">
<span class="md-ellipsis">
Deployment Security (1)
</span>
</a>
<nav class="md-nav" aria-label="Deployment Security (1)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#hardening" class="md-nav__link">
<span class="md-ellipsis">
Hardening
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#devsecops-1" class="md-nav__link">
<span class="md-ellipsis">
DevSecOps (1)
</span>
</a>
<nav class="md-nav" aria-label="DevSecOps (1)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#cicd-pipeline-security" class="md-nav__link">
<span class="md-ellipsis">
CICD Pipeline Security
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#continuous-security" class="md-nav__link">
<span class="md-ellipsis">
Continuous Security
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#developer-guidance" class="md-nav__link">
<span class="md-ellipsis">
Developer Guidance
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#fundamentals" class="md-nav__link">
<span class="md-ellipsis">
Fundamentals
</span>
</a>
<nav class="md-nav" aria-label="Fundamentals">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#concepts" class="md-nav__link">
<span class="md-ellipsis">
Concepts
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#threat-modeling" class="md-nav__link">
<span class="md-ellipsis">
Threat Modeling
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#hardening-standards" class="md-nav__link">
<span class="md-ellipsis">
Hardening Standards
</span>
</a>
<nav class="md-nav" aria-label="Hardening Standards">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#government-guidelines" class="md-nav__link">
<span class="md-ellipsis">
Government Guidelines
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#iam" class="md-nav__link">
<span class="md-ellipsis">
IAM
</span>
</a>
<nav class="md-nav" aria-label="IAM">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#authentication-and-authorization" class="md-nav__link">
<span class="md-ellipsis">
Authentication and Authorization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#sso" class="md-nav__link">
<span class="md-ellipsis">
SSO
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#identity-and-access" class="md-nav__link">
<span class="md-ellipsis">
Identity and Access
</span>
</a>
<nav class="md-nav" aria-label="Identity and Access">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#aws-irsa" class="md-nav__link">
<span class="md-ellipsis">
AWS IRSA
</span>
</a>
<nav class="md-nav" aria-label="AWS IRSA">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#hybrid-cloud" class="md-nav__link">
<span class="md-ellipsis">
Hybrid Cloud
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#authentication-1" class="md-nav__link">
<span class="md-ellipsis">
Authentication (1)
</span>
</a>
<nav class="md-nav" aria-label="Authentication (1)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#legacy-tools" class="md-nav__link">
<span class="md-ellipsis">
Legacy Tools
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#cloud-integrations" class="md-nav__link">
<span class="md-ellipsis">
Cloud Integrations
</span>
</a>
<nav class="md-nav" aria-label="Cloud Integrations">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#aws-irsa-1" class="md-nav__link">
<span class="md-ellipsis">
AWS IRSA (1)
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#enterprise-authentication" class="md-nav__link">
<span class="md-ellipsis">
Enterprise Authentication
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#microservice-identities" class="md-nav__link">
<span class="md-ellipsis">
Microservice Identities
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#oidc" class="md-nav__link">
<span class="md-ellipsis">
OIDC
</span>
</a>
<nav class="md-nav" aria-label="OIDC">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#legacy-tools-1" class="md-nav__link">
<span class="md-ellipsis">
Legacy Tools (1)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#oauth2-proxy" class="md-nav__link">
<span class="md-ellipsis">
OAuth2 Proxy
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#rbac-1" class="md-nav__link">
<span class="md-ellipsis">
RBAC (1)
</span>
</a>
<nav class="md-nav" aria-label="RBAC (1)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#legacy-tools-2" class="md-nav__link">
<span class="md-ellipsis">
Legacy Tools (2)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#security-auditing" class="md-nav__link">
<span class="md-ellipsis">
Security Auditing
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#sso-and-saml" class="md-nav__link">
<span class="md-ellipsis">
SSO and SAML
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#workload-identity" class="md-nav__link">
<span class="md-ellipsis">
Workload Identity
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#zero-trust-access" class="md-nav__link">
<span class="md-ellipsis">
Zero Trust Access
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#identity-and-access-management-1" class="md-nav__link">
<span class="md-ellipsis">
Identity and Access Management (1)
</span>
</a>
<nav class="md-nav" aria-label="Identity and Access Management (1)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#access-control-1" class="md-nav__link">
<span class="md-ellipsis">
Access Control (1)
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#kubernetes-security-1" class="md-nav__link">
<span class="md-ellipsis">
Kubernetes Security (1)
</span>
</a>
<nav class="md-nav" aria-label="Kubernetes Security (1)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#hardening-1" class="md-nav__link">
<span class="md-ellipsis">
Hardening (1)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#secrets-management-1" class="md-nav__link">
<span class="md-ellipsis">
Secrets Management (1)
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#network-security" class="md-nav__link">
<span class="md-ellipsis">
Network Security
</span>
</a>
<nav class="md-nav" aria-label="Network Security">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#internet-exposure" class="md-nav__link">
<span class="md-ellipsis">
Internet Exposure
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#network-policies-2" class="md-nav__link">
<span class="md-ellipsis">
Network Policies (2)
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#offensive-security" class="md-nav__link">
<span class="md-ellipsis">
Offensive Security
</span>
</a>
<nav class="md-nav" aria-label="Offensive Security">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#penetration-testing-1" class="md-nav__link">
<span class="md-ellipsis">
Penetration Testing (1)
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#pki" class="md-nav__link">
<span class="md-ellipsis">
PKI
</span>
</a>
<nav class="md-nav" aria-label="PKI">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#certificate-management" class="md-nav__link">
<span class="md-ellipsis">
Certificate Management
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#pki-and-certificates" class="md-nav__link">
<span class="md-ellipsis">
PKI and Certificates
</span>
</a>
<nav class="md-nav" aria-label="PKI and Certificates">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#conceptual" class="md-nav__link">
<span class="md-ellipsis">
Conceptual
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#tls-ingress" class="md-nav__link">
<span class="md-ellipsis">
TLS Ingress
</span>
</a>
<nav class="md-nav" aria-label="TLS Ingress">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#lets-encrypt" class="md-nav__link">
<span class="md-ellipsis">
Lets Encrypt
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#cert-manager" class="md-nav__link">
<span class="md-ellipsis">
cert-manager
</span>
</a>
<nav class="md-nav" aria-label="cert-manager">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#access-control-2" class="md-nav__link">
<span class="md-ellipsis">
Access Control (2)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#operations" class="md-nav__link">
<span class="md-ellipsis">
Operations
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#platform-hardening" class="md-nav__link">
<span class="md-ellipsis">
Platform Hardening
</span>
</a>
<nav class="md-nav" aria-label="Platform Hardening">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#best-practices-2" class="md-nav__link">
<span class="md-ellipsis">
Best Practices (2)
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#pod-security-1" class="md-nav__link">
<span class="md-ellipsis">
Pod Security (1)
</span>
</a>
<nav class="md-nav" aria-label="Pod Security (1)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#pod-security-policies" class="md-nav__link">
<span class="md-ellipsis">
Pod Security Policies
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#policy-and-admission-control" class="md-nav__link">
<span class="md-ellipsis">
Policy and Admission Control
</span>
</a>
<nav class="md-nav" aria-label="Policy and Admission Control">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#runtime-security-1" class="md-nav__link">
<span class="md-ellipsis">
Runtime Security (1)
</span>
</a>
<nav class="md-nav" aria-label="Runtime Security (1)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#legacy-tools-3" class="md-nav__link">
<span class="md-ellipsis">
Legacy Tools (3)
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#validating-webhooks" class="md-nav__link">
<span class="md-ellipsis">
Validating Webhooks
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#policy-and-audit" class="md-nav__link">
<span class="md-ellipsis">
Policy and Audit
</span>
</a>
<nav class="md-nav" aria-label="Policy and Audit">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#manifest-auditing" class="md-nav__link">
<span class="md-ellipsis">
Manifest Auditing
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#policy-enforcement" class="md-nav__link">
<span class="md-ellipsis">
Policy Enforcement
</span>
</a>
<nav class="md-nav" aria-label="Policy Enforcement">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#admission-control" class="md-nav__link">
<span class="md-ellipsis">
Admission Control
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#runtime-security-2" class="md-nav__link">
<span class="md-ellipsis">
Runtime Security (2)
</span>
</a>
<nav class="md-nav" aria-label="Runtime Security (2)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#ephemeral-containers" class="md-nav__link">
<span class="md-ellipsis">
Ephemeral Containers
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#ebpf" class="md-nav__link">
<span class="md-ellipsis">
eBPF
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#ebpf-and-cilium" class="md-nav__link">
<span class="md-ellipsis">
eBPF and Cilium
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#secrets-management-2" class="md-nav__link">
<span class="md-ellipsis">
Secrets Management (2)
</span>
</a>
<nav class="md-nav" aria-label="Secrets Management (2)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#conceptual-1" class="md-nav__link">
<span class="md-ellipsis">
Conceptual (1)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#developer-practice" class="md-nav__link">
<span class="md-ellipsis">
Developer Practice
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#external-secrets" class="md-nav__link">
<span class="md-ellipsis">
External Secrets
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#gitops" class="md-nav__link">
<span class="md-ellipsis">
GitOps
</span>
</a>
<nav class="md-nav" aria-label="GitOps">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#external-secrets-operator" class="md-nav__link">
<span class="md-ellipsis">
External Secrets Operator
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#sealed-secrets" class="md-nav__link">
<span class="md-ellipsis">
Sealed Secrets
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#hashicorp-vault" class="md-nav__link">
<span class="md-ellipsis">
HashiCorp Vault
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#kms-integration" class="md-nav__link">
<span class="md-ellipsis">
KMS Integration
</span>
</a>
<nav class="md-nav" aria-label="KMS Integration">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#legacy-tools-4" class="md-nav__link">
<span class="md-ellipsis">
Legacy Tools (4)
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#owasp" class="md-nav__link">
<span class="md-ellipsis">
OWASP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#platform-hardening-1" class="md-nav__link">
<span class="md-ellipsis">
Platform Hardening (1)
</span>
</a>
<nav class="md-nav" aria-label="Platform Hardening (1)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#conceptual-2" class="md-nav__link">
<span class="md-ellipsis">
Conceptual (2)
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#stateful-apps" class="md-nav__link">
<span class="md-ellipsis">
Stateful Apps
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#static-analysis" class="md-nav__link">
<span class="md-ellipsis">
Static Analysis
</span>
</a>
<nav class="md-nav" aria-label="Static Analysis">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#manifest-auditing-1" class="md-nav__link">
<span class="md-ellipsis">
Manifest Auditing (1)
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#system-hardening" class="md-nav__link">
<span class="md-ellipsis">
System Hardening
</span>
</a>
<nav class="md-nav" aria-label="System Hardening">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#security-profiles-operator" class="md-nav__link">
<span class="md-ellipsis">
Security Profiles Operator
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#threat-modeling-1" class="md-nav__link">
<span class="md-ellipsis">
Threat Modeling (1)
</span>
</a>
<nav class="md-nav" aria-label="Threat Modeling (1)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#penetration-testing-2" class="md-nav__link">
<span class="md-ellipsis">
Penetration Testing (2)
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#threat-vector" class="md-nav__link">
<span class="md-ellipsis">
Threat Vector
</span>
</a>
<nav class="md-nav" aria-label="Threat Vector">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#internet-exposure-1" class="md-nav__link">
<span class="md-ellipsis">
Internet Exposure (1)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#observability-exposure" class="md-nav__link">
<span class="md-ellipsis">
Observability Exposure
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#tooling" class="md-nav__link">
<span class="md-ellipsis">
Tooling
</span>
</a>
<nav class="md-nav" aria-label="Tooling">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#security-auditing-1" class="md-nav__link">
<span class="md-ellipsis">
Security Auditing (1)
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#vulnerabilities" class="md-nav__link">
<span class="md-ellipsis">
Vulnerabilities
</span>
</a>
<nav class="md-nav" aria-label="Vulnerabilities">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#cve-tracking" class="md-nav__link">
<span class="md-ellipsis">
CVE Tracking
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#case-studies-1" class="md-nav__link">
<span class="md-ellipsis">
Case Studies (1)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#post-deployment-scanning" class="md-nav__link">
<span class="md-ellipsis">
Post-Deployment Scanning
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#vulnerability-assessment" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability Assessment
</span>
</a>
<nav class="md-nav" aria-label="Vulnerability Assessment">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#cis-benchmarks-2" class="md-nav__link">
<span class="md-ellipsis">
CIS Benchmarks (2)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#policy-enforcement-1" class="md-nav__link">
<span class="md-ellipsis">
Policy Enforcement (1)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#threat-modeling-2" class="md-nav__link">
<span class="md-ellipsis">
Threat Modeling (2)
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#zero-trust" class="md-nav__link">
<span class="md-ellipsis">
Zero Trust
</span>
</a>
<nav class="md-nav" aria-label="Zero Trust">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#service-mesh-and-networking" class="md-nav__link">
<span class="md-ellipsis">
Service Mesh and Networking
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#zero-trust-architecture" class="md-nav__link">
<span class="md-ellipsis">
Zero Trust Architecture
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#security-training-and-playgrounds" class="md-nav__link">
<span class="md-ellipsis">
Security Training and Playgrounds
</span>
</a>
<nav class="md-nav" aria-label="Security Training and Playgrounds">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#kubernetes-goat-lab" class="md-nav__link">
<span class="md-ellipsis">
Kubernetes Goat Lab
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#supply-chain-security" class="md-nav__link">
<span class="md-ellipsis">
Supply Chain Security
</span>
</a>
<nav class="md-nav" aria-label="Supply Chain Security">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#open-source-vulnerability-scanning" class="md-nav__link">
<span class="md-ellipsis">
Open Source Vulnerability Scanning
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#signature-verification-and-ratify" class="md-nav__link">
<span class="md-ellipsis">
Signature Verification and Ratify
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#threat-modeling-3" class="md-nav__link">
<span class="md-ellipsis">
Threat Modeling (3)
</span>
</a>
<nav class="md-nav" aria-label="Threat Modeling (3)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#mitre-attandck-adaptation" class="md-nav__link">
<span class="md-ellipsis">
MITRE ATTandCK Adaptation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mitre-attandck-framework" class="md-nav__link">
<span class="md-ellipsis">
MITRE ATTandCK Framework
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#vulnerability-assessment-tools" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability Assessment Tools
</span>
</a>
<nav class="md-nav" aria-label="Vulnerability Assessment Tools">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#kubestriker-scanner" class="md-nav__link">
<span class="md-ellipsis">
Kubestriker Scanner
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#workload-hardening" class="md-nav__link">
<span class="md-ellipsis">
Workload Hardening
</span>
</a>
<nav class="md-nav" aria-label="Workload Hardening">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#identity-and-access-management-2" class="md-nav__link">
<span class="md-ellipsis">
Identity and Access Management (2)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#pod-security-context" class="md-nav__link">
<span class="md-ellipsis">
Pod Security Context
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#pod-specifications" class="md-nav__link">
<span class="md-ellipsis">
Pod Specifications
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#workstation-client-security" class="md-nav__link">
<span class="md-ellipsis">
Workstation Client Security
</span>
</a>
<nav class="md-nav" aria-label="Workstation Client Security">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#kubeconfig-hardening" class="md-nav__link">
<span class="md-ellipsis">
Kubeconfig Hardening
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../kustomize/" class="md-nav__link">
<span class="md-ellipsis">
Kustomize
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../liquibase/" class="md-nav__link">
<span class="md-ellipsis">
Liquibase
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../oauth/" class="md-nav__link">
<span class="md-ellipsis">
Oauth
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../pulumi/" class="md-nav__link">
<span class="md-ellipsis">
Pulumi
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../securityascode/" class="md-nav__link">
<span class="md-ellipsis">
Securityascode
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../terraform/" class="md-nav__link">
<span class="md-ellipsis">
Terraform
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--pruned md-nav__item--nested">
<a href="../GoogleCloudPlatform/" class="md-nav__link">
<span class="md-ellipsis">
Cloud Providers (Hyperscalers)
</span>
<span class="md-nav__icon md-icon"></span>
</a>
</li>
<li class="md-nav__item md-nav__item--pruned md-nav__item--nested">
<a href="../caching/" class="md-nav__link">
<span class="md-ellipsis">
Networking & Service Mesh
</span>
<span class="md-nav__icon md-icon"></span>
</a>
</li>
<li class="md-nav__item md-nav__item--pruned md-nav__item--nested">
<a href="../container-managers/" class="md-nav__link">
<span class="md-ellipsis">
The Container Stack
</span>
<span class="md-nav__icon md-icon"></span>
</a>
</li>
<li class="md-nav__item md-nav__item--pruned md-nav__item--nested">
<a href="../crunchydata/" class="md-nav__link">
<span class="md-ellipsis">
Data & Advanced Analytics
</span>
<span class="md-nav__icon md-icon"></span>
</a>
</li>
<li class="md-nav__item md-nav__item--pruned md-nav__item--nested">
<a href="../argo/" class="md-nav__link">
<span class="md-ellipsis">
Engineering Pipeline
</span>
<span class="md-nav__icon md-icon"></span>
</a>
</li>
<li class="md-nav__item md-nav__item--pruned md-nav__item--nested">
<a href="../ChromeDevTools/" class="md-nav__link">
<span class="md-ellipsis">
Developer Ecosystem
</span>
<span class="md-nav__icon md-icon"></span>
</a>
</li>
<li class="md-nav__item md-nav__item--pruned md-nav__item--nested">
<a href="../appointment-scheduling/" class="md-nav__link">
<span class="md-ellipsis">
Career & Industry
</span>
<span class="md-nav__icon md-icon"></span>
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<a href="https://github.com/nubenetes/awesome-kubernetes/edit/master/v2-docs/kubernetes-security.md" title="Edit this page" class="md-content__button md-icon" rel="edit">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M10 20H6V4h7v5h5v3.1l2-2V8l-6-6H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h4zm10.2-7c.1 0 .3.1.4.2l1.3 1.3c.2.2.2.6 0 .8l-1 1-2.1-2.1 1-1c.1-.1.2-.2.4-.2m0 3.9L14.1 23H12v-2.1l6.1-6.1z"/></svg>
</a>
<a href="https://github.com/nubenetes/awesome-kubernetes/raw/master/v2-docs/kubernetes-security.md" title="View source of this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 18c.56 0 1 .44 1 1s-.44 1-1 1-1-.44-1-1 .44-1 1-1m0-3c-2.73 0-5.06 1.66-6 4 .94 2.34 3.27 4 6 4s5.06-1.66 6-4c-.94-2.34-3.27-4-6-4m0 6.5a2.5 2.5 0 0 1-2.5-2.5 2.5 2.5 0 0 1 2.5-2.5 2.5 2.5 0 0 1 2.5 2.5 2.5 2.5 0 0 1-2.5 2.5M9.27 20H6V4h7v5h5v4.07c.7.08 1.36.25 2 .49V8l-6-6H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h4.5a8.2 8.2 0 0 1-1.23-2"/></svg>
</a>
<h1 id="kubernetes-security">Kubernetes Security<a class="headerlink" href="#kubernetes-security" title="Permanent link">&para;</a></h1>
<div class="admonition tip">
<p class="admonition-title">Nubenetes V2 Elite Portal</p>
<p>You are browsing the AI-Curated V2 Elite Edition. Looking for the exhaustive list of references? Check out the <a href="/v1/kubernetes-security/"><strong>V1 Historical Archive</strong></a>.</p>
</div>
<div class="admonition info">
<p class="admonition-title">Architectural Context</p>
<p>Detailed reference for Kubernetes Security in the context of Hardened Infrastructure.</p>
</div>
<h2 id="table-of-contents">Table of Contents<a class="headerlink" href="#table-of-contents" title="Permanent link">&para;</a></h2>
<ol>
<li><a href="#api-access-protection">API Access Protection</a></li>
<li><a href="#teleport-access-control">Teleport Access Control</a></li>
<li><a href="#architectural-foundations">Architectural Foundations</a></li>
<li><a href="#kubernetes-tools">Kubernetes Tools</a><ul>
<li><a href="#general-reference">General Reference</a></li>
</ul>
</li>
<li><a href="#architecture">Architecture</a></li>
<li><a href="#microservices">Microservices</a><ul>
<li><a href="#application-lifecycle">Application Lifecycle</a></li>
</ul>
</li>
<li><a href="#cks-certification-study-guides">CKS Certification Study Guides</a></li>
<li><a href="#cluster-lifecycle-security">Cluster Lifecycle Security</a></li>
<li><a href="#cni-network-vulnerabilities">CNI Network Vulnerabilities</a></li>
<li><a href="#network-penetration-testing">Network Penetration Testing</a></li>
<li><a href="#cve-analysis">CVE Analysis</a></li>
<li><a href="#network-vulnerabilities">Network Vulnerabilities</a></li>
<li><a href="#case-studies">Case Studies</a></li>
<li><a href="#historical-exploit-analysis">Historical Exploit Analysis</a></li>
<li><a href="#cloud-native-networking">Cloud Native Networking</a></li>
<li><a href="#network-policies">Network Policies</a><ul>
<li><a href="#calico-and-tigera-security">Calico and Tigera Security</a></li>
<li><a href="#secure-cni-implementation">Secure CNI Implementation</a></li>
</ul>
</li>
<li><a href="#cloud-native-security">Cloud Native Security</a></li>
<li><a href="#the-4cs-of-cloud-native-security">The 4Cs of Cloud Native Security</a></li>
<li><a href="#cluster-hardening">Cluster Hardening</a></li>
<li><a href="#infrastructural-protection">Infrastructural Protection</a></li>
<li><a href="#network-policies-1">Network Policies</a></li>
<li><a href="#operational-security">Operational Security</a></li>
<li><a href="#runtime-secrets-scanning">Runtime Secrets Scanning</a></li>
<li><a href="#security-best-practices">Security Best Practices</a></li>
<li><a href="#cluster-lifecycle-security-1">Cluster Lifecycle Security</a></li>
<li><a href="#operating-system-paradigm">Operating System Paradigm</a></li>
<li><a href="#cluster-misconfigurations">Cluster Misconfigurations</a></li>
<li><a href="#common-mistakes">Common Mistakes</a></li>
<li><a href="#defense-in-depth">Defense in Depth</a></li>
<li><a href="#cluster-hardening-1">Cluster Hardening</a></li>
<li><a href="#identity-and-access-management">Identity and Access Management</a></li>
<li><a href="#sso-and-oidc-configuration">SSO and OIDC Configuration</a></li>
<li><a href="#industry-reports">Industry Reports</a></li>
<li><a href="#archived-market-trends">Archived Market Trends</a></li>
<li><a href="#enterprise-security-trends">Enterprise Security Trends</a></li>
<li><a href="#infrastructure">Infrastructure</a></li>
<li><a href="#aws-integration">AWS Integration</a><ul>
<li><a href="#networking">Networking</a></li>
</ul>
</li>
<li><a href="#kubernetes-platform-engine">Kubernetes Platform Engine</a></li>
<li><a href="#cluster-installation-and-hardening">Cluster Installation and Hardening</a><ul>
<li><a href="#infrastructure-provisioning">Infrastructure Provisioning</a></li>
</ul>
</li>
<li><a href="#container-runtimes">Container Runtimes</a><ul>
<li><a href="#runtime-isolation">Runtime Isolation</a></li>
</ul>
</li>
<li><a href="#networking-and-security">Networking and Security</a></li>
<li><a href="#security-compliance">Security Compliance</a><ul>
<li><a href="#cis-benchmarks">CIS Benchmarks</a></li>
</ul>
</li>
<li><a href="#observability-and-monitoring">Observability and Monitoring</a></li>
<li><a href="#runtime-security">Runtime Security</a><ul>
<li><a href="#falco-and-k3s-audit-logging">Falco and K3s Audit Logging</a></li>
<li><a href="#security-industry-analysis">Security Industry Analysis</a></li>
<li><a href="#sysdig-and-falco-audit-integration">Sysdig and Falco Audit Integration</a></li>
</ul>
</li>
<li><a href="#ebpf-runtime-enforcement">eBPF Runtime Enforcement</a><ul>
<li><a href="#tetragon-platform">Tetragon Platform</a></li>
</ul>
</li>
<li><a href="#penetration-testing">Penetration Testing</a></li>
<li><a href="#security-operations">Security Operations</a></li>
<li><a href="#pod-privilege-escalation">Pod Privilege Escalation</a></li>
<li><a href="#vulnerability-exploitation">Vulnerability Exploitation</a></li>
<li><a href="#policy-as-code">Policy-as-Code</a></li>
<li><a href="#kyverno-administration">Kyverno Administration</a></li>
<li><a href="#kyverno-rules-and-policies">Kyverno Rules and Policies</a></li>
<li><a href="#rbac-and-authorization">RBAC and Authorization</a></li>
<li><a href="#privilege-escalation">Privilege Escalation</a></li>
<li><a href="#risk-analysis-and-auditing">Risk Analysis and Auditing</a></li>
<li><a href="#threat-vector-modeling">Threat Vector Modeling</a></li>
<li><a href="#secrets-management">Secrets Management</a></li>
<li><a href="#hashicorp-vault-integration">HashiCorp Vault Integration</a></li>
<li><a href="#security">Security</a></li>
<li><a href="#access-control">Access Control</a><ul>
<li><a href="#api-access">API Access</a></li>
<li><a href="#authentication">Authentication</a></li>
<li><a href="#cluster-access">Cluster Access</a></li>
<li><a href="#custom-authentication">Custom Authentication</a></li>
<li><a href="#rbac">RBAC</a></li>
<li><a href="#kubectl-authentication">kubectl Authentication</a></li>
</ul>
</li>
<li><a href="#application-security">Application Security</a><ul>
<li><a href="#client-security">Client Security</a></li>
</ul>
</li>
<li><a href="#architecture-1">Architecture</a><ul>
<li><a href="#devsecops">DevSecOps</a></li>
<li><a href="#future-trends">Future Trends</a></li>
</ul>
</li>
<li><a href="#audit">Audit</a><ul>
<li><a href="#configuration-assessment">Configuration Assessment</a></li>
</ul>
</li>
<li><a href="#best-practices">Best Practices</a><ul>
<li><a href="#general-hardening">General Hardening</a></li>
</ul>
</li>
<li><a href="#cloud-security">Cloud Security</a><ul>
<li><a href="#aws-eks-network">AWS EKS Network</a></li>
<li><a href="#eks-hardening">EKS Hardening</a></li>
</ul>
</li>
<li><a href="#cluster-hardening-2">Cluster Hardening</a><ul>
<li><a href="#audit-logs">Audit Logs</a></li>
<li><a href="#best-practices-1">Best Practices</a></li>
<li><a href="#deployment-security">Deployment Security</a></li>
<li><a href="#pod-security">Pod Security</a></li>
<li><a href="#standard-checklists">Standard Checklists</a></li>
</ul>
</li>
<li><a href="#compliance">Compliance</a><ul>
<li><a href="#cis-benchmarks-1">CIS Benchmarks</a></li>
</ul>
</li>
<li><a href="#deployment-security-1">Deployment Security</a><ul>
<li><a href="#hardening">Hardening</a></li>
</ul>
</li>
<li><a href="#devsecops-1">DevSecOps</a><ul>
<li><a href="#cicd-pipeline-security">CICD Pipeline Security</a></li>
<li><a href="#continuous-security">Continuous Security</a></li>
<li><a href="#developer-guidance">Developer Guidance</a></li>
</ul>
</li>
<li><a href="#fundamentals">Fundamentals</a><ul>
<li><a href="#concepts">Concepts</a></li>
<li><a href="#threat-modeling">Threat Modeling</a></li>
</ul>
</li>
<li><a href="#hardening-standards">Hardening Standards</a><ul>
<li><a href="#government-guidelines">Government Guidelines</a></li>
</ul>
</li>
<li><a href="#iam">IAM</a><ul>
<li><a href="#authentication-and-authorization">Authentication and Authorization</a></li>
<li><a href="#sso">SSO</a></li>
</ul>
</li>
<li><a href="#identity-and-access">Identity and Access</a><ul>
<li><a href="#aws-irsa">AWS IRSA</a></li>
<li><a href="#hybrid-cloud">Hybrid Cloud</a></li>
<li><a href="#authentication-1">Authentication</a></li>
<li><a href="#legacy-tools">Legacy Tools</a></li>
<li><a href="#cloud-integrations">Cloud Integrations</a></li>
<li><a href="#aws-irsa-1">AWS IRSA</a></li>
<li><a href="#enterprise-authentication">Enterprise Authentication</a></li>
<li><a href="#microservice-identities">Microservice Identities</a></li>
<li><a href="#oidc">OIDC</a></li>
<li><a href="#legacy-tools-1">Legacy Tools</a></li>
<li><a href="#oauth2-proxy">OAuth2 Proxy</a></li>
<li><a href="#rbac-1">RBAC</a></li>
<li><a href="#legacy-tools-2">Legacy Tools</a></li>
<li><a href="#security-auditing">Security Auditing</a></li>
<li><a href="#sso-and-saml">SSO and SAML</a></li>
<li><a href="#workload-identity">Workload Identity</a></li>
<li><a href="#zero-trust-access">Zero Trust Access</a></li>
</ul>
</li>
<li><a href="#identity-and-access-management-1">Identity and Access Management</a><ul>
<li><a href="#access-control-1">Access Control</a></li>
</ul>
</li>
<li><a href="#kubernetes-security-1">Kubernetes Security</a><ul>
<li><a href="#hardening-1">Hardening</a></li>
<li><a href="#secrets-management-1">Secrets Management</a></li>
</ul>
</li>
<li><a href="#network-security">Network Security</a><ul>
<li><a href="#internet-exposure">Internet Exposure</a></li>
<li><a href="#network-policies-2">Network Policies</a></li>
</ul>
</li>
<li><a href="#offensive-security">Offensive Security</a><ul>
<li><a href="#penetration-testing-1">Penetration Testing</a></li>
</ul>
</li>
<li><a href="#pki">PKI</a><ul>
<li><a href="#certificate-management">Certificate Management</a></li>
</ul>
</li>
<li><a href="#pki-and-certificates">PKI and Certificates</a><ul>
<li><a href="#conceptual">Conceptual</a></li>
<li><a href="#tls-ingress">TLS Ingress</a></li>
<li><a href="#lets-encrypt">Lets Encrypt</a></li>
<li><a href="#cert-manager">cert-manager</a></li>
<li><a href="#access-control-2">Access Control</a></li>
<li><a href="#operations">Operations</a></li>
</ul>
</li>
<li><a href="#platform-hardening">Platform Hardening</a><ul>
<li><a href="#best-practices-2">Best Practices</a></li>
</ul>
</li>
<li><a href="#pod-security-1">Pod Security</a><ul>
<li><a href="#pod-security-policies">Pod Security Policies</a></li>
</ul>
</li>
<li><a href="#policy-and-admission-control">Policy and Admission Control</a><ul>
<li><a href="#runtime-security-1">Runtime Security</a></li>
<li><a href="#legacy-tools-3">Legacy Tools</a></li>
<li><a href="#validating-webhooks">Validating Webhooks</a></li>
</ul>
</li>
<li><a href="#policy-and-audit">Policy and Audit</a><ul>
<li><a href="#manifest-auditing">Manifest Auditing</a></li>
</ul>
</li>
<li><a href="#policy-enforcement">Policy Enforcement</a><ul>
<li><a href="#admission-control">Admission Control</a></li>
</ul>
</li>
<li><a href="#runtime-security-2">Runtime Security</a><ul>
<li><a href="#ephemeral-containers">Ephemeral Containers</a></li>
<li><a href="#ebpf">eBPF</a></li>
<li><a href="#ebpf-and-cilium">eBPF and Cilium</a></li>
</ul>
</li>
<li><a href="#secrets-management-2">Secrets Management</a><ul>
<li><a href="#conceptual-1">Conceptual</a></li>
<li><a href="#developer-practice">Developer Practice</a></li>
<li><a href="#external-secrets">External Secrets</a></li>
<li><a href="#gitops">GitOps</a></li>
<li><a href="#external-secrets-operator">External Secrets Operator</a></li>
<li><a href="#sealed-secrets">Sealed Secrets</a></li>
<li><a href="#hashicorp-vault">HashiCorp Vault</a></li>
<li><a href="#kms-integration">KMS Integration</a></li>
<li><a href="#legacy-tools-4">Legacy Tools</a></li>
<li><a href="#owasp">OWASP</a></li>
<li><a href="#platform-hardening-1">Platform Hardening</a></li>
<li><a href="#conceptual-2">Conceptual</a></li>
<li><a href="#stateful-apps">Stateful Apps</a></li>
</ul>
</li>
<li><a href="#static-analysis">Static Analysis</a><ul>
<li><a href="#manifest-auditing-1">Manifest Auditing</a></li>
</ul>
</li>
<li><a href="#system-hardening">System Hardening</a><ul>
<li><a href="#security-profiles-operator">Security Profiles Operator</a></li>
</ul>
</li>
<li><a href="#threat-modeling-1">Threat Modeling</a><ul>
<li><a href="#penetration-testing-2">Penetration Testing</a></li>
</ul>
</li>
<li><a href="#threat-vector">Threat Vector</a><ul>
<li><a href="#internet-exposure-1">Internet Exposure</a></li>
<li><a href="#observability-exposure">Observability Exposure</a></li>
</ul>
</li>
<li><a href="#tooling">Tooling</a><ul>
<li><a href="#security-auditing-1">Security Auditing</a></li>
</ul>
</li>
<li><a href="#vulnerabilities">Vulnerabilities</a><ul>
<li><a href="#cve-tracking">CVE Tracking</a></li>
<li><a href="#case-studies-1">Case Studies</a></li>
<li><a href="#post-deployment-scanning">Post-Deployment Scanning</a></li>
</ul>
</li>
<li><a href="#vulnerability-assessment">Vulnerability Assessment</a><ul>
<li><a href="#cis-benchmarks-2">CIS Benchmarks</a></li>
<li><a href="#policy-enforcement-1">Policy Enforcement</a></li>
<li><a href="#threat-modeling-2">Threat Modeling</a></li>
</ul>
</li>
<li><a href="#zero-trust">Zero Trust</a><ul>
<li><a href="#service-mesh-and-networking">Service Mesh and Networking</a></li>
</ul>
</li>
<li><a href="#zero-trust-architecture">Zero Trust Architecture</a></li>
<li><a href="#security-training-and-playgrounds">Security Training and Playgrounds</a></li>
<li><a href="#kubernetes-goat-lab">Kubernetes Goat Lab</a></li>
<li><a href="#supply-chain-security">Supply Chain Security</a></li>
<li><a href="#open-source-vulnerability-scanning">Open Source Vulnerability Scanning</a></li>
<li><a href="#signature-verification-and-ratify">Signature Verification and Ratify</a></li>
<li><a href="#threat-modeling-3">Threat Modeling</a></li>
<li><a href="#mitre-attandck-adaptation">MITRE ATTandCK Adaptation</a></li>
<li><a href="#mitre-attandck-framework">MITRE ATTandCK Framework</a></li>
<li><a href="#vulnerability-assessment-tools">Vulnerability Assessment Tools</a></li>
<li><a href="#kubestriker-scanner">Kubestriker Scanner</a></li>
<li><a href="#workload-hardening">Workload Hardening</a></li>
<li><a href="#identity-and-access-management-2">Identity and Access Management</a></li>
<li><a href="#pod-security-context">Pod Security Context</a></li>
<li><a href="#pod-specifications">Pod Specifications</a></li>
<li><a href="#workstation-client-security">Workstation Client Security</a></li>
<li><a href="#kubeconfig-hardening">Kubeconfig Hardening</a></li>
</ol>
<h2 id="api-access-protection">API Access Protection<a class="headerlink" href="#api-access-protection" title="Permanent link">&para;</a></h2>
<h3 id="teleport-access-control">Teleport Access Control<a class="headerlink" href="#teleport-access-control" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2021)</strong> <a href="https://goteleport.com/blog/kubernetes-api-access-security">goteleport.com: Kubernetes API Access Security Hardening</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Assesses security postures for Kube-API exposure, outlining standard secure practices including zero-trust access, bastions, detailed telemetry streams, and short-lived credentials.</li>
</ul>
<h2 id="architectural-foundations">Architectural Foundations<a class="headerlink" href="#architectural-foundations" title="Permanent link">&para;</a></h2>
<h3 id="kubernetes-tools">Kubernetes Tools<a class="headerlink" href="#kubernetes-tools" title="Permanent link">&para;</a></h3>
<h4 id="general-reference">General Reference<a class="headerlink" href="#general-reference" title="Permanent link">&para;</a></h4>
<ul>
<li><a href="https://www.cyberark.com/venafi-and-cyberark-machine-identity-security">jetstack.io: Securing Istio workloads with mTLS using cert-manager</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering www.cyberark.com in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@andriisumko/single-sign-on-in-kubernetes-1ad9528350ed">medium: Single Sign-On in Kubernetes</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium: Single Sign-On in Kubernetes in the Kubernetes Tools ecosystem.</li>
<li><a href="https://dzone.com/articles/oauth-20-beginners-guide">Dzone - OAuth 2.0</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering Dzone - OAuth 2.0 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/better-programming/how-to-harden-your-kubernetes-cluster-for-production-7e47990efc2a">medium: How to Harden Your Kubernetes Cluster for Production 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium: How to Harden Your Kubernetes Cluster for Production 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://www.cncf.io/blog/2021/03/22/kubernetes-security">cncf.io: Kubernetes Security 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering cncf.io: Kubernetes Security 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://redkubes.com/10-kubernetes-security-risks-best-practices">redkubes.com: 10 Kubernetes Security Risks &amp; Best Practices</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering redkubes.com: 10 Kubernetes Security Risks &amp; Best Practices in the Kubernetes Tools ecosystem.</li>
<li><a href="https://blog.kasten.io/ransomware-protection-kasten-k10-v4">blog.kasten.io: Kubernetes Ransomware Protection with Kasten K10 v4.0</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering blog.kasten.io: Kubernetes Ransomware Protection with Kasten K10 v4.0 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://levelup.gitconnected.com/enforce-audit-policy-in-kubernetes-k8s-34e504733300">levelup.gitconnected.com: Enforce Audit Policy in Kubernetes (k8s)</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering levelup.gitconnected.com: Enforce Audit Policy in Kubernetes (k8s) in the Kubernetes Tools ecosystem.</li>
<li><a href="https://www.magalix.com/blog/top-8-kubernetes-security-best-practices">magalix.com: Top 8 Kubernetes Security Best Practices 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering magalix.com: Top 8 Kubernetes Security Best Practices 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://www.cncf.io/blog/2021/08/20/how-to-secure-your-kubernetes-control-plane-and-node-components">cncf.io: How to secure your Kubernetes control plane and node components</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering <mark>cncf.io: How to secure your Kubernetes control plane and node components</mark> in the Kubernetes Tools ecosystem.</li>
<li><a href="https://akhilsharma.work/the-4cs-of-kubernetes-security">akhilsharma.work: The 4C's of Kubernetes Security</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering akhilsharma.work: The 4C's of Kubernetes Security in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@lessandro.ugulino/securing-the-kubernetes-cluster-c5ab43fe0dd0">medium: Securing the Kubernetes cluster | Lessandro Z. Ugulino</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium: Securing the Kubernetes cluster | Lessandro Z. Ugulino in the Kubernetes Tools ecosystem.</li>
<li><a href="https://amazicworld.com/top-5-security-threats-unique-to-a-kubernetes-and-cloud-native-stack">amazicworld.com: Top 5 security threats unique to a Kubernetes and Cloud' Native stack</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering amazicworld.com: Top 5 security threats unique to a Kubernetes and Cloud' Native stack in the Kubernetes Tools ecosystem.</li>
<li><a href="https://venturebeat.com/2021/12/27/kubernetes-security-will-have-a-breakout-year-in-2022">venturebeat.com: Kubernetes security will have a breakout year in 2022</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering venturebeat.com: Kubernetes security will have a breakout year in 2022 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@jonathan_37674/comparing-kubernetes-security-frameworks-and-guidance-f1c2821ea733">medium: Comparing Kubernetes Security Frameworks and Guidance 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering <mark>medium: Comparing Kubernetes Security Frameworks and Guidance</mark> 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://blog.devgenius.io/how-is-security-managed-in-kubernetes-clusters-addefffd2b0">blog.devgenius.io: How is security managed in Kubernetes clusters?</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering blog.devgenius.io: How is security managed in Kubernetes clusters? in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@jonathan_37674/kubernetes-security-best-practices-definitive-guide-bcb546e9f529">medium.com/@jonathan_37674: Kubernetes Security Best Practices: Definitive' Guide</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering <mark>medium.com/@jonathan_37674: Kubernetes Security Best Practices: Definitive' Guide</mark> in the Kubernetes Tools ecosystem.</li>
<li><a href="https://faun.pub/from-dev-to-admin-an-easy-kubernetes-privilege-escalation-you-should-be-aware-of-the-attack-950e6cf76cac">faun.pub: From dev to admin: an easy Kubernetes privilege escalation you' should be aware of — the attack</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering faun.pub: From dev to admin: an easy Kubernetes privilege escalation you' should be aware of — the attack in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@dotdc/is-your-kubernetes-api-server-exposed-learn-how-to-check-and-fix-609ab9638fae">medium.com/@dotdc: Is your Kubernetes API Server exposed? Learn how to' check and fix! 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering <mark>medium.com/@dotdc: Is your Kubernetes API Server exposed? Learn how to' check and fix!</mark> 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://levelup.gitconnected.com/the-core-of-kubernetes-security-clusters-5d9a69f1dba4">levelup.gitconnected.com: The Core of Kubernetes Security: Clusters</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering levelup.gitconnected.com: The Core of Kubernetes Security: Clusters in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@codingkarma/kubernetes-goat-part-1-8718b1345a42">medium.com/@codingkarma: Kubernetes Goat Part-1</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium.com/@codingkarma: Kubernetes Goat Part-1 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@badawekoo/limit-number-of-processes-running-in-a-kubernetes-pod-50ccf156ec18">medium.com/@badawekoo: Limit number of processes running in a Kubernetes' pod</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering <mark>medium.com/@badawekoo: Limit number of processes running in a Kubernetes' pod</mark> in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/cloudyrion/kubernetes-end-to-end-chain-exploit-c2be32688fd0">medium.com/cloudyrion: Kubernetes end-to-end chain exploit</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium.com/cloudyrion: Kubernetes end-to-end chain exploit in the Kubernetes Tools ecosystem.</li>
<li><a href="https://xgrid.medium.com/securing-a-kubernetes-cluster-using-tls-certificates-5e64a6bb26de">xgrid.medium.com: Securing a Kubernetes cluster using TLS certificates' 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering <mark>xgrid.medium.com: Securing a Kubernetes cluster using TLS certificates</mark>' 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://ahmedy.hashnode.dev/creating-tls-certificates-for-k8s-components-with-openssl">ahmedy.hashnode.dev: Creating TLS Certificates for K8s components with OpenSSL</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering ahmedy.hashnode.dev: Creating TLS Certificates for K8s components with OpenSSL in the Kubernetes Tools ecosystem.</li>
<li><a href="https://erkanzileli.medium.com/how-tls-certificates-work-422d95f1df5e">erkanzileli.medium.com: How TLS Certificates Work</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering <mark>erkanzileli.medium.com: How TLS Certificates Work</mark> in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@martin.hodges/using-a-wildcard-certificate-within-your-kubernetes-cluster-87c014e8dafe">medium.com/@martin.hodges: Using a wildcard certificate within your Kubernetes' cluster</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium.com/@martin.hodges: Using a wildcard certificate within your Kubernetes' cluster in the Kubernetes Tools ecosystem.</li>
<li><a href="https://blog.cloudsecque.com/how-to-improve-the-security-of-your-applications-with-kubernetes-security-scanners-cda97fd2f574">blog.cloudsecque.com: How to Improve the Security of Your Applications' with Kubernetes Security Scanners</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering <mark>blog.cloudsecque.com: How to Improve the Security of Your Applications' with Kubernetes Security Scanners</mark> in the Kubernetes Tools ecosystem.</li>
<li><a href="https://www.techmanyu.com/kubernetes-security-with-kube-bench-and-kube-hunter-6765bf44ebc6">techmanyu.com: Kubernetes Security with Kube-bench and Kube-hunter 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering techmanyu.com: Kubernetes Security with Kube-bench and Kube-hunter 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://aninditabasak.medium.com/a-lap-around-kubernetes-security-vulnerability-scanning-tools-checkov-kube-hunter-kube-bench-4ffda92c4cf1">aninditabasak.medium.com: A Lap around Kubernetes Security &amp; Vulnerability' scanning Tools — checkov, kube-hunter, kube-bench &amp; Starboard</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering <mark>aninditabasak.medium.com: A Lap around Kubernetes Security &amp; Vulnerability' scanning Tools — checkov, kube-hunter, kube-bench &amp; Starboard</mark> in the Kubernetes Tools ecosystem.</li>
<li><a href="https://towardsdev.com/12-scanners-to-find-security-vulnerabilities-and-misconfigurations-in-kubernetes-332a738d076d">towardsdev.com: 12 Scanners to Find Security Vulnerabilities and Misconfigurations' in Kubernetes</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering towardsdev.com: 12 Scanners to Find Security Vulnerabilities and Misconfigurations' in Kubernetes in the Kubernetes Tools ecosystem.</li>
<li><a href="https://faun.pub/gatekeeper-k8-hardening-backlog-956d1b6860b6">faun.pub: Gatekeeper | K8 hardening backlog</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering faun.pub: Gatekeeper | K8 hardening backlog in the Kubernetes Tools ecosystem.</li>
<li><a href="https://systemweakness.com/owasp-k8s-security-insecure-workload-configurations-c14c4028beb1">systemweakness.com: OWASP-K8S Security: Insecure Workload Configurations</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering systemweakness.com: OWASP-K8S Security: Insecure Workload Configurations in the Kubernetes Tools ecosystem.</li>
<li><a href="https://www.darkreading.com/dr-tech/top-10-kubernetes-security-risks-every-devsecops-needs-to-know">darkreading.com: Top 10 Kubernetes Security Risks Every DevSecOps Pro Should' Know</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering darkreading.com: Top 10 Kubernetes Security Risks Every DevSecOps Pro Should' Know in the Kubernetes Tools ecosystem.</li>
<li><a href="https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF">Kubernetes Hardening Guidance 🌟🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering Kubernetes Hardening Guidance 🌟🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://aymen-abdelwahed.medium.com/k8s-operators-cis-benchmarks-8d7915d5cb2d">aymen-abdelwahed.medium.com: K8s Operators — CIS Kubernetes Benchmarks</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering aymen-abdelwahed.medium.com: K8s Operators — CIS Kubernetes Benchmarks in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/the-programmer/working-with-service-account-in-kubernetes-df129cb4d1cc">medium: Working with Service Account In Kubernetes 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium: Working with Service Account In Kubernetes 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://sandeepbaldawa.medium.com/service-accounts-in-k8s-kubernetes-2779ee4fb331">sandeepbaldawa.medium.com: Service Accounts in K8s (Kubernetes)</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering sandeepbaldawa.medium.com: Service Accounts in K8s (Kubernetes) in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/pareture/kubernetes-bound-projected-service-account-token-volumes-might-surprise-you-434ff2cd1483">medium.com/pareture: Kubernetes Bound Projected Service Account Token Volumes' Might Surprise You</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium.com/pareture: Kubernetes Bound Projected Service Account Token Volumes' Might Surprise You in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/geekculture/k8s-serviceaccount-token-313d62aee119">medium.com/geekculture: K8s — ServiceAccount Token</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium.com/geekculture: K8s — ServiceAccount Token in the Kubernetes Tools ecosystem.</li>
<li><a href="https://motilayo.hashnode.dev/exploring-kubernetes-service-account-tokens-and-secure-workload-identity-federation">motilayo.hashnode.dev: Exploring Kubernetes Service Account Tokens and Secure' Workload Identity Federation</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering motilayo.hashnode.dev: Exploring Kubernetes Service Account Tokens and Secure' Workload Identity Federation in the Kubernetes Tools ecosystem.</li>
<li><a href="https://overcast.blog/kubernetes-service-accounts-a-practical-guide-f99c1ed65483">overcast.blog: Kubernetes Service Accounts: A Practical Guide</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering overcast.blog: Kubernetes Service Accounts: A Practical Guide in the Kubernetes Tools ecosystem.</li>
<li><a href="https://www.cncf.io/blog/2021/04/22/revealing-the-secrets-of-kubernetes-secrets">cncf.io: Revealing the secrets of Kubernetes secrets 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering cncf.io: Revealing the secrets of Kubernetes secrets 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://blog.doit-intl.com/kubernetes-and-secrets-management-in-cloud-858533c20dca">blog.doit-intl.com: Kubernetes and Secrets Management in the Cloud</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering blog.doit-intl.com: Kubernetes and Secrets Management in the Cloud in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/codex/kubernetes-secrets-explained-f45baf8cefa7">medium: Kubernetes Secrets Explained</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium: Kubernetes Secrets Explained in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@jerome_tarte/managing-your-sensitive-information-during-gitops-process-with-secret-sealed-27498c77e2b8">medium: Managing your sensitive information during GitOps process with Secret' Sealed</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium: Managing your sensitive information during GitOps process with Secret' Sealed in the Kubernetes Tools ecosystem.</li>
<li><a href="https://enlear.academy/sealed-secrets-with-kubernetes-a3f4d13dbc17">enlear.academy: Sealed Secrets with Kubernetes</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering <mark>enlear.academy: Sealed Secrets with Kubernetes</mark> in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/codex/sealed-secrets-for-kubernetes-722d643eb658">medium.com/codex: Sealed Secrets for Kubernetes</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium.com/codex: Sealed Secrets for Kubernetes in the Kubernetes Tools ecosystem.</li>
<li><a href="https://carlosalca.medium.com/how-to-manage-all-my-k8s-secrets-in-git-securely-with-bitnami-sealed-secrets-43580b8fa0c7">carlosalca.medium.com: How to manage all my K8s secrets in git securely' with Bitnami Sealed Secrets</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering carlosalca.medium.com: How to manage all my K8s secrets in git securely' with Bitnami Sealed Secrets in the Kubernetes Tools ecosystem.</li>
<li><a href="https://pjame-fb.medium.com/kubernetes-secrets-from-secrets-manager-using-external-secrets-operators-4819562c3b02">pjame-fb.medium.com: Kubernetes Secrets from Secrets Manager using External' Secrets Operators</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering pjame-fb.medium.com: Kubernetes Secrets from Secrets Manager using External' Secrets Operators in the Kubernetes Tools ecosystem.</li>
<li><a href="https://mixi-developers.mixi.co.jp/compare-eso-with-secret-csi-402bf37f20bc?gi=a7ce4398a8d7">mixi-developers.mixi.co.jp: Comparing External Secrets Operator with Secret' Storage CSI as Kubernetes External Secrets is Deprecated</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--critical'>[LEGACY]</span> — A curated technical resource and architectural guide covering mixi-developers.mixi.co.jp: Comparing External Secrets Operator with Secret' Storage CSI as Kubernetes External Secrets is Deprecated in the Kubernetes Tools ecosystem.</li>
<li><a href="https://faun.pub/secrets-kubernetes-298ea8dd9911">faun.pub: Secrets | Kubernetes</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering <mark>faun.pub: Secrets | Kubernetes</mark> in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@knoldus/using-sealed-secrets-in-kubernetes-7f7518d4c984">medium.com/@knoldus: Using sealed secrets in Kubernetes</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium.com/@knoldus: Using sealed secrets in Kubernetes in the Kubernetes Tools ecosystem.</li>
<li><a href="https://eminalemdar.medium.com/cloud-native-secret-management-with-external-secrets-operator-2912f41f9c49">eminalemdar.medium.com: Cloud Native Secret Management with External Secrets' Operator</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering eminalemdar.medium.com: Cloud Native Secret Management with External Secrets' Operator in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/google-cloud/handle-kubernetes-secrets-the-gitops-way-part-1-7079bd8221f3">medium.com/google-cloud: Handle Kubernetes Secrets the GitOps Way — Part' 1</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium.com/google-cloud: Handle Kubernetes Secrets the GitOps Way — Part' 1 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/flant-com/cert-manager-lets-encrypt-ssl-certs-for-kubernetes-7642e463bbce">Using SSL certificates from Lets Encrypt in your Kubernetes Ingress via cert-manager 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering Using SSL certificates from Lets Encrypt in your Kubernetes Ingress via cert-manager 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/avmconsulting-blog/encrypting-the-certificate-for-kubernetes-lets-encrypt-805d2bf88b2a">medium: Encrypting the certificate for Kubernetes (Lets Encrypt) 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium: Encrypting the certificate for Kubernetes (Lets Encrypt) 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://betterprogramming.pub/kubernetes-and-ssl-certificate-management-5f6a4b6f5ae9">betterprogramming.pub: Kubernetes and SSL Certificate Management 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering betterprogramming.pub: Kubernetes and SSL Certificate Management 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://faun.pub/automate-certificate-management-in-kubernetes-using-cert-manager-d0745e5c7757">faun.pub: Automate Certificate Management In Kubernetes Using Cert-Manager</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering faun.pub: Automate Certificate Management In Kubernetes Using Cert-Manager in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@knoldus/configure-ssl-certificate-with-cert-manager-on-kubernetes-e5ca8a804e16">medium.com/@knoldus: Configure SSL certificate with cert-manager on Kubernetes</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium.com/@knoldus: Configure SSL certificate with cert-manager on Kubernetes in the Kubernetes Tools ecosystem.</li>
<li><a href="https://blog.devgenius.io/automated-dns-tls-with-external-dns-letsencrypt-on-kubernetes-6f4f41827df9">blog.devgenius.io: Automated DNS/TLS with External DNS &amp; LetsEncrypt on' Kubernetes</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering blog.devgenius.io: Automated DNS/TLS with External DNS &amp; LetsEncrypt on' Kubernetes in the Kubernetes Tools ecosystem.</li>
<li><a href="https://faun.pub/lets-encrypt-and-certmanager-aa88775730b8">faun.pub: Lets encrypt and CertManager</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering <mark>faun.pub: Lets encrypt and CertManager</mark> in the Kubernetes Tools ecosystem.</li>
<li><a href="https://armin.su/ssl-certificates-from-lets-encrypt-for-kubernetes-private-ingress-via-terraform-c9f595ee65fa">armin.su: SSL certificates from Lets Encrypt for Kubernetes Private Ingress' via Terraform</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering armin.su: SSL certificates from Lets Encrypt for Kubernetes Private Ingress' via Terraform in the Kubernetes Tools ecosystem.</li>
<li><a href="https://betterprogramming.pub/kubernetes-authentication-sidecars-a-revelation-in-microservice-architecture-12c4608189ab">betterprogramming.pub: Kubernetes Authentication Sidecars: A Revelation' in Microservice Architecture</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering betterprogramming.pub: Kubernetes Authentication Sidecars: A Revelation' in Microservice Architecture in the Kubernetes Tools ecosystem.</li>
<li><a href="https://blog.devgenius.io/sso-authentication-for-applications-in-kubernetes-aedc3c189d89">blog.devgenius.io: SSO Authentication for Applications in Kubernetes</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering blog.devgenius.io: SSO Authentication for Applications in Kubernetes in the Kubernetes Tools ecosystem.</li>
<li><a href="https://imanishchaudhary.medium.com/secure-kubernetes-dashboards-with-sso-authentication-using-okta-oauth2-proxy-9e52189e9749">imanishchaudhary.medium.com: Securing Kubernetes Dashboards: SSO Authentication' and RBAC Implementation with Okta and OAuth2 Proxy</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering imanishchaudhary.medium.com: Securing Kubernetes Dashboards: SSO Authentication' and RBAC Implementation with Okta and OAuth2 Proxy in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/trendyol-tech/configure-rbac-in-kubernetes-like-a-boss-665e2a8665dd">Configure RBAC in Kubernetes Like a Boss 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering Configure RBAC in Kubernetes Like a Boss 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://toolbox.kali-linuxtr.net/kubernetes-rbac-permission-manager.tool">Kubernetes RBAC Permission Manager 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering Kubernetes RBAC Permission Manager 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/devops-mojo/kubernetes-role-based-access-control-rbac-overview-introduction-rbac-with-kubernetes-what-is-2004d13195df">medium.com/devops-mojo: Kubernetes — Role-Based Access Control (RBAC) Overview</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium.com/devops-mojo: Kubernetes — Role-Based Access Control (RBAC) Overview in the Kubernetes Tools ecosystem.</li>
<li><a href="https://loft-sh.medium.com/10-essentials-for-kubernetes-access-control-a67ae72977dd">loft-sh.medium.com: 10 Essentials for Kubernetes Access Control</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering loft-sh.medium.com: 10 Essentials for Kubernetes Access Control in the Kubernetes Tools ecosystem.</li>
<li><a href="https://sumanthkumarc.medium.com/kubernetes-rbac-update-default-clusterroles-without-editing-them-ef206254e0">sumanthkumarc.medium.com: Kubernetes RBAC — Update default ClusterRoles' without editing them</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering sumanthkumarc.medium.com: Kubernetes RBAC — Update default ClusterRoles' without editing them in the Kubernetes Tools ecosystem.</li>
<li><a href="https://faun.pub/assign-permissions-to-an-user-in-kubernetes-an-overview-of-rbac-based-authz-in-k8s-7d9e5e1099f1">faun.pub: Assign permissions to an user in Kubernetes. An overview of RBAC-based' AuthZ in k8s 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering faun.pub: Assign permissions to an user in Kubernetes. An overview of RBAC-based' AuthZ in k8s 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@badawekoo/using-rbac-in-kubernetes-for-authorization-complete-demo-part-1-83f0a1fb8f">medium.com/@badawekoo: Using RBAC in Kubernetes for authorization-Complete' Demo-Part 1</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium.com/@badawekoo: Using RBAC in Kubernetes for authorization-Complete' Demo-Part 1 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@15daniel10/yoyo-attack-on-a-k8s-cluster-102bc1d5ca3e">medium.com/@15daniel10: YOYO attack on a K8S cluster</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering <mark>medium.com/@15daniel10: YOYO attack on a K8S cluster</mark> in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@danielepolencic/how-does-rbac-work-in-kubernetes-d50dd34771ca">medium.com/@danielepolencic: How does RBAC work in kubernetes 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering <mark>medium.com/@danielepolencic: How does RBAC work in kubernetes</mark> 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://dominik-tornow.medium.com/inside-kubernetes-rbac-9988b08a738a">dominik-tornow.medium.com: Inside Kubernetes RBAC</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering <mark>dominik-tornow.medium.com: Inside Kubernetes RBAC</mark> in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@jtdv01/kubernetes-authorization-and-role-based-access-controls-ca0b7acc17a4">medium.com/@jtdv01: Kubernetes Authorization and Role Based Access Controls' 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering <mark>medium.com/@jtdv01: Kubernetes Authorization and Role Based Access Controls</mark>' 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://faun.pub/give-users-and-groups-access-to-kubernetes-cluster-using-rbac-b614b6c0b383">faun.pub: Give Users and Groups Access to Kubernetes Cluster Using RBAC</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering <mark>faun.pub: Give Users and Groups Access to Kubernetes Cluster Using RBAC</mark> in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@danielepolencic/binding-aws-iam-roles-to-kubernetes-service-account-for-on-prem-clusters-b8bac41f269d">medium.com/@danielepolencic: AWS IAM Roles for service accounts for on-prem' clusters</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium.com/@danielepolencic: AWS IAM Roles for service accounts for on-prem' clusters in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/andcloudio/creating-authentication-and-authorization-in-kubernetes-c6c5f0f1d2ad">medium.com/andcloudio: Setting up Authentication and RBAC Authorization' in Kubernetes</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium.com/andcloudio: Setting up Authentication and RBAC Authorization' in Kubernetes in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@mehmetodabashi/authentication-and-authorization-in-kubernetes-client-certificates-and-role-based-access-control-d4e98a3c1098">medium.com/@mehmetodabashi: Authentication and Authorization in Kubernetes:' Client Certificates and Role Based Access Control (RBAC)</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium.com/@mehmetodabashi: Authentication and Authorization in Kubernetes:' Client Certificates and Role Based Access Control (RBAC) in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@brunoolimpio/kubernetes-deepdive-parte-2-a65ffdce596d">medium.com/@brunoolimpio: Kubernetes DeepDive — Parte 2 - Kubernetes RBAC' and more... | Bruno Olimpio</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium.com/@brunoolimpio: Kubernetes DeepDive — Parte 2 - Kubernetes RBAC' and more... | Bruno Olimpio in the Kubernetes Tools ecosystem.</li>
<li><a href="https://blog.styra.com/blog/why-rbac-is-not-enough-for-kubernetes-api-security">blog.styra.com: Why RBAC is not enough for kubernetes security 🌟🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering blog.styra.com: Why RBAC is not enough for kubernetes security 🌟🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/dynatrace-engineering/kubernetes-security-best-practices-part-2-network-policies-405b36ed9d94">medium.com/dynatrace-engineering: Kubernetes Security Best Practices Part' 2: Network Policies</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium.com/dynatrace-engineering: Kubernetes Security Best Practices Part' 2: Network Policies in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@cloud_tips/kubernetes-security-best-practices-ea1e3913c001">medium.com/@cloud_tips: Kubernetes Security Best Practices</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium.com/@cloud_tips: Kubernetes Security Best Practices in the Kubernetes Tools ecosystem.</li>
<li><a href="https://www.magalix.com/blog/kubernetes-authentication">magalix.com: kubernetes authentication 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering magalix.com: kubernetes authentication 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://www.magalix.com/blog/kubernetes-authorization">magalix.com: kubernetes authorization 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering magalix.com: kubernetes authorization 🌟 in the Kubernetes Tools ecosystem.</li>
<li><a href="https://lisowski0925.medium.com/using-kubernetes-csrs-and-rbac-for-cluster-user-authentication-and-authorization-9df5498655cd">lisowski0925.medium.com: Using Kubernetes Certificate Signing Requests and' RBAC for User Authentication and Authorization</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering lisowski0925.medium.com: Using Kubernetes Certificate Signing Requests and' RBAC for User Authentication and Authorization in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/@sureshpalemoni/kubernetes-authentication-and-authorization-with-x509-client-certificates-edbc3517c10">Kubernetes Authentication and Authorization with X509 client certificates</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering Kubernetes Authentication and Authorization with X509 client certificates in the Kubernetes Tools ecosystem.</li>
<li><a href="https://stackoverflow.com/questions/56214715/accessing-the-kubernetes-rest-end-points-using-bearer-token">stackoverflow: Accessing the Kubernetes REST end points using bearer token</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering stackoverflow: Accessing the Kubernetes REST end points using bearer token in the Kubernetes Tools ecosystem.</li>
<li><a href="https://ibrahims.medium.com/security-context-kubernetes-9672ae2380f9">ibrahims.medium.com: Security Context — Kubernetes</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering ibrahims.medium.com: Security Context — Kubernetes in the Kubernetes Tools ecosystem.</li>
<li><a href="https://medium.com/dev-genius/securing-kubernetes-dashboard-on-eks-with-pomerium-e98c47610e2f">medium.com: Securing Kubernetes Dashboard on EKS with Pomerium</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering medium.com: Securing Kubernetes Dashboard on EKS with Pomerium in the Kubernetes Tools ecosystem.</li>
<li><a href="https://mahira-technology.medium.com/kubernetes-secrets-management-level-up-with-external-secrets-operator-ed7d32df2189">mahira-technology.medium.com: Kubernetes Secrets Management: Level Up with' External Secrets Operator</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering mahira-technology.medium.com: Kubernetes Secrets Management: Level Up with' External Secrets Operator in the Kubernetes Tools ecosystem.</li>
<li><a href="https://faun.pub/external-secret-operator-on-aks-with-terraform-for-azure-key-vault-integration-with-workload-1d0c31082373">faun.pub: External Secret Operator on AKS (with Terraform) for Azure Key' Vault Integration (with Workload Identity)</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering faun.pub: External Secret Operator on AKS (with Terraform) for Azure Key' Vault Integration (with Workload Identity) in the Kubernetes Tools ecosystem.</li>
<li><a href="https://blog.lightspin.io/nginx-custom-snippets-cve-2021-25742">blog.lightspin.io: NGINX Custom Snippets CVE-2021-25742</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated technical resource and architectural guide covering blog.lightspin.io: NGINX Custom Snippets CVE-2021-25742 in the Kubernetes Tools ecosystem.</li>
</ul>
<h2 id="architecture">Architecture<a class="headerlink" href="#architecture" title="Permanent link">&para;</a></h2>
<h3 id="microservices">Microservices<a class="headerlink" href="#microservices" title="Permanent link">&para;</a></h3>
<h4 id="application-lifecycle">Application Lifecycle<a class="headerlink" href="#application-lifecycle" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://itnext.io/journey-of-a-microservice-application-in-the-kubernetes-world-6abd625c60fe">itnext.io: Journey Of A Microservice Application In The Kubernetes World 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Traces the structural lifecycle of a containerized microservice traversing deployment pipelines, service routing, and load balancing configurations. Provides practical insights into configuring readiness/liveness probes, autoscaling parameters, and ingress rules. Essential reference for microservice platform standardization.</li>
</ul>
<h2 id="cks-certification-study-guides">CKS Certification Study Guides<a class="headerlink" href="#cks-certification-study-guides" title="Permanent link">&para;</a></h2>
<h3 id="cluster-lifecycle-security">Cluster Lifecycle Security<a class="headerlink" href="#cluster-lifecycle-security" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://github.com/stackrox/Kubernetes_Security_Specialist_Study_Guide"><mark>github.com/stackrox: Certified Kubernetes Security Specialist Study Guide' 🌟</mark></a> <span class='md-tag md-tag--info'>⭐ 429</span> <svg class="v2-sparkline" width="50" height="15" viewBox="0 0 50 15" style="vertical-align: middle; display: inline-block; margin-left: 6px;" title="Activity Trend"><defs><linearGradient id="spark-grad-53687d8e" x1="0" y1="0" x2="1" y2="0"><stop offset="0%" stop-color="rgba(34, 211, 238, 0.2)" /><stop offset="100%" stop-color="var(--md-accent-fg-color)" /></linearGradient></defs><path class="v2-sparkline-path" d="M 0 13 L 10 12 L 20 7 L 30 11 L 40 3 L 50 2" fill="none" stroke="url(#spark-grad-53687d8e)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" /><circle cx="50" cy="2" r="2" fill="var(--md-accent-fg-color)" /></svg> <span class='md-tag md-tag--warning'>[MARKDOWN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — A comprehensive community study handbook for the Linux Foundation CKS exam, detailing system hardening, threat mitigation, microservice security policies, and runtime compliance enforcement.</li>
</ul>
<h2 id="cni-network-vulnerabilities">CNI Network Vulnerabilities<a class="headerlink" href="#cni-network-vulnerabilities" title="Permanent link">&para;</a></h2>
<h3 id="network-penetration-testing">Network Penetration Testing<a class="headerlink" href="#network-penetration-testing" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-1">cyberark.com: Attacking Kubernetes Clusters Through Your Network Plumbing: Part 1</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Delves into how container network interfaces (CNIs) and underlying network configurations can be targets for spoofing, route injection, and MITM attacks within shared Kubernetes clusters.</li>
</ul>
<h2 id="cve-analysis">CVE Analysis<a class="headerlink" href="#cve-analysis" title="Permanent link">&para;</a></h2>
<h3 id="network-vulnerabilities">Network Vulnerabilities<a class="headerlink" href="#network-vulnerabilities" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://empresas.blogthinkbig.com/descubierta-vulnerabilidad-kubernetes-permite-acceso-redes-restringidas-cve-2020-8562">empresas.blogthinkbig.com: Descubierta una vulnerabilidad en Kubernetes que permite acceso a redes restringidas (CVE-2020-8562)</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Analyzes CVE-2020-8562, a vulnerability allowing path-traversal/access bypass to internal restricted subnets through the Kubernetes API server, discussing standard mitigation strategies.</li>
</ul>
<h2 id="case-studies">Case Studies<a class="headerlink" href="#case-studies" title="Permanent link">&para;</a></h2>
<h3 id="historical-exploit-analysis">Historical Exploit Analysis<a class="headerlink" href="#historical-exploit-analysis" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2021)</strong> <a href="https://thenewstack.io/kubernetes-an-examination-of-major-attacks">thenewstack.io: Kubernetes: An Examination of Major Attacks 🌟</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Conducts retrospective post-mortems on major real-world Kubernetes security incidents, tracing malicious lateral movements, coin-miner deployments, and critical data breaches back to root posture issues.</li>
</ul>
<h2 id="cloud-native-networking">Cloud Native Networking<a class="headerlink" href="#cloud-native-networking" title="Permanent link">&para;</a></h2>
<h3 id="network-policies">Network Policies<a class="headerlink" href="#network-policies" title="Permanent link">&para;</a></h3>
<h4 id="calico-and-tigera-security">Calico and Tigera Security<a class="headerlink" href="#calico-and-tigera-security" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2020)</strong> <a href="https://www.tigera.io/blog/kubernetes-security-policy-10-critical-best-practices">tigera.io: Kubernetes security policy design: 10 critical best practices 🌟</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A strategic framework for designing cluster-wide network policies, using tiered structures, explicit default-deny states, and labeling schemas to scale security dynamically.</li>
</ul>
<h4 id="secure-cni-implementation">Secure CNI Implementation<a class="headerlink" href="#secure-cni-implementation" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2021)</strong> <a href="https://itnext.io/how-to-kubernetes-cluster-network-security-f19bc99161f5">itnext.io: How-To: Kubernetes Cluster Network Security 🌟</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A practical tutorial covering secure network policy design. Guides readers through limiting pod egress/ingress, utilizing global network policies, and implementing namespaces as security perimeters.</li>
</ul>
<h2 id="cloud-native-security">Cloud Native Security<a class="headerlink" href="#cloud-native-security" title="Permanent link">&para;</a></h2>
<h3 id="the-4cs-of-cloud-native-security">The 4Cs of Cloud Native Security<a class="headerlink" href="#the-4cs-of-cloud-native-security" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://kubernetes.io/blog/2020/11/18/cloud-native-security-for-your-clusters">kubernetes.io: Cloud native security for your clusters</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An authoritative review of the '4C's of Cloud Native Security' (Cloud, Cluster, Container, Code). Explains how defense-in-depth principles apply across all layers of the cloud-native application stack.</li>
</ul>
<h2 id="cluster-hardening">Cluster Hardening<a class="headerlink" href="#cluster-hardening" title="Permanent link">&para;</a></h2>
<h3 id="infrastructural-protection">Infrastructural Protection<a class="headerlink" href="#infrastructural-protection" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://cloudnativenow.com/topics/cloudnativesecurity/how-to-secure-your-kubernetes-cluster">containerjournal.com: How to Secure Your Kubernetes Cluster 🌟</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--critical'>[LEGACY]</span> — Evaluates cluster configurations across storage, networking, and deployment lifecycles. Discusses the replacement of deprecated Pod Security Policies with built-in Pod Security Standards and third-party policy engines.</li>
</ul>
<h3 id="network-policies-1">Network Policies (1)<a class="headerlink" href="#network-policies-1" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2019)</strong> <a href="https://github.com/freach/kubernetes-security-best-practice/blob/master/README.md"><mark>Kubernetes Security Best Practices 🌟</mark></a> <span class='md-tag md-tag--info'>⭐ 2712</span> <svg class="v2-sparkline" width="50" height="15" viewBox="0 0 50 15" style="vertical-align: middle; display: inline-block; margin-left: 6px;" title="Activity Trend"><defs><linearGradient id="spark-grad-57be194f" x1="0" y1="0" x2="1" y2="0"><stop offset="0%" stop-color="rgba(34, 211, 238, 0.2)" /><stop offset="100%" stop-color="var(--md-accent-fg-color)" /></linearGradient></defs><path class="v2-sparkline-path" d="M 0 7 L 10 4 L 20 5 L 30 4 L 40 12 L 50 5" fill="none" stroke="url(#spark-grad-57be194f)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" /><circle cx="50" cy="5" r="2" fill="var(--md-accent-fg-color)" /></svg> <span class='md-tag md-tag--warning'>[MARKDOWN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — A curated GitHub repository delineating hardened configurations for Kubernetes API servers, Kubelets, and network boundaries. It details port-level access rules, ingress/egress filtering, and cluster isolation tactics to defend against pivot attacks.</li>
</ul>
<h3 id="operational-security">Operational Security<a class="headerlink" href="#operational-security" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://codeburst.io/7-kubernetes-security-best-practices-you-must-follow-ae32f1ed6444">codeburst.io: 7 Kubernetes Security Best Practices You Must Follow</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Outlines fundamental security practices for Kubernetes workloads, focusing on enabling RBAC, using namespaces for boundary control, managing secrets securely, and upgrading Kubernetes control planes to address known CVEs.</li>
</ul>
<h3 id="runtime-secrets-scanning">Runtime Secrets Scanning<a class="headerlink" href="#runtime-secrets-scanning" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2021)</strong> <a href="https://blog.gitguardian.com/hardening-your-k8s-pt-2">blog.gitguardian.com: Hardening Your Kubernetes Cluster - Guidelines (Pt. 2) 🌟</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — The second part of a structural security guide detailing advanced settings such as RBAC limitations, audit logging targets, container engine isolation, and secrets scanning policies.</li>
</ul>
<h3 id="security-best-practices">Security Best Practices<a class="headerlink" href="#security-best-practices" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://horovits.wordpress.com/2020/07/15/kubernetes-security-best-practices">horovits.wordpress.com: Kubernetes Security Best Practices</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Explains foundational steps for securing Kubernetes API access, configuring container execution privileges, and auditing container images within CI/CD pipelines.</li>
</ul>
<h2 id="cluster-lifecycle-security-1">Cluster Lifecycle Security (1)<a class="headerlink" href="#cluster-lifecycle-security-1" title="Permanent link">&para;</a></h2>
<h3 id="operating-system-paradigm">Operating System Paradigm<a class="headerlink" href="#operating-system-paradigm" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://thenewstack.io/how-to-secure-kubernetes-the-os-of-the-cloud">thenewstack.io: How to Secure Kubernetes, the OS of the Cloud</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Examines the concept of Kubernetes operating as a cloud-native OS, presenting strategies for securing core services, container communication, and control plane boundaries.</li>
</ul>
<h2 id="cluster-misconfigurations">Cluster Misconfigurations<a class="headerlink" href="#cluster-misconfigurations" title="Permanent link">&para;</a></h2>
<h3 id="common-mistakes">Common Mistakes<a class="headerlink" href="#common-mistakes" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2021)</strong> <a href="https://www.fairwinds.com/blog/top-5-kubernetes-security-mistakes">fairwinds.com: Discover the Top 5 Kubernetes Security Mistakes You're (Probably) Making</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Identifies common configuration mistakes like neglected CPU/memory limits, running containers as root, and using unvalidated base images, offering immediate structural remedies.</li>
</ul>
<h2 id="defense-in-depth">Defense in Depth<a class="headerlink" href="#defense-in-depth" title="Permanent link">&para;</a></h2>
<h3 id="cluster-hardening-1">Cluster Hardening (1)<a class="headerlink" href="#cluster-hardening-1" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://thenewstack.io/defend-the-core-kubernetes-security-at-every-layer">thenewstack.io: Defend the Core: Kubernetes Security at Every Layer</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Provides an architectural approach to layered container defense. Examines the integration of secure hardware baselines, API rate limiting, network-level firewalls, and runtime analysis agents.</li>
</ul>
<h2 id="identity-and-access-management">Identity and Access Management<a class="headerlink" href="#identity-and-access-management" title="Permanent link">&para;</a></h2>
<h3 id="sso-and-oidc-configuration">SSO and OIDC Configuration<a class="headerlink" href="#sso-and-oidc-configuration" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://www.talkingquickly.co.uk/kubernetes-sso-a-detailed-guide">talkingquickly.co.uk: Kubernetes Single Sign On - A detailed guide 🌟</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Explains how to integrate Kubernetes API access with external identity providers (OIDC) to enable secure Single Sign-On (SSO) and unify role assignments across developers.</li>
</ul>
<h2 id="industry-reports">Industry Reports<a class="headerlink" href="#industry-reports" title="Permanent link">&para;</a></h2>
<h3 id="archived-market-trends">Archived Market Trends<a class="headerlink" href="#archived-market-trends" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2021)</strong> <a href="https://www.redhat.com/rhdc/managed-files/cl-state-kubernetes-security-report-ebook-f29117-202106-en.pdf">redhat.com: State of Kubernetes Security Report - Spring 2021 (PDF) 🌟</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A comprehensive market study from Spring 2021 highlighting systemic security incidents and detailing key threat factors, infrastructure risks, and tooling choices among enterprise development teams.</li>
</ul>
<h3 id="enterprise-security-trends">Enterprise Security Trends<a class="headerlink" href="#enterprise-security-trends" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2021)</strong> <a href="https://www.redhat.com/en/blog/state-kubernetes-security">redhat.com: The State of Kubernetes Security</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Red Hat's analysis of container security threats, identifying key issues such as misconfigurations, unpatched vulnerabilities, and integration friction in cloud-native operational environments.</li>
</ul>
<h2 id="infrastructure">Infrastructure<a class="headerlink" href="#infrastructure" title="Permanent link">&para;</a></h2>
<h3 id="aws-integration">AWS Integration<a class="headerlink" href="#aws-integration" title="Permanent link">&para;</a></h3>
<h4 id="networking">Networking<a class="headerlink" href="#networking" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2024)</strong> <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html">EC2 ENI and IP Limit</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Critical hardware reference outlining IP address and Elastic Network Interface (ENI) allocation limits per EC2 instance type. This heavily dictates pod density capabilities when utilizing the VPC CNI plug-in. Platform architects use this data to calculate scaling limits and avoid network exhaustion.</li>
</ul>
<h2 id="kubernetes-platform-engine">Kubernetes Platform Engine<a class="headerlink" href="#kubernetes-platform-engine" title="Permanent link">&para;</a></h2>
<h3 id="cluster-installation-and-hardening">Cluster Installation and Hardening<a class="headerlink" href="#cluster-installation-and-hardening" title="Permanent link">&para;</a></h3>
<h4 id="infrastructure-provisioning">Infrastructure Provisioning<a class="headerlink" href="#infrastructure-provisioning" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2020)</strong> <a href="https://thenewstack.io/best-practices-for-securely-setting-up-a-kubernetes-cluster">thenewstack.io: Best Practices for Securely Setting up a Kubernetes Cluster</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Breaks down secure cluster bootstrapping steps, including encrypting secrets at rest in etcd, enabling control plane mutual TLS (mTLS), and minimizing public API endpoint exposure.</li>
</ul>
<h3 id="container-runtimes">Container Runtimes<a class="headerlink" href="#container-runtimes" title="Permanent link">&para;</a></h3>
<h4 id="runtime-isolation">Runtime Isolation<a class="headerlink" href="#runtime-isolation" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2020)</strong> <a href="https://thenewstack.io/a-security-comparison-of-docker-cri-o-and-containerd">thenewstack.io: A Security Comparison of Docker, CRI-O and Containerd 🌟</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Compares the security architecture and attack surfaces of primary container runtimes: Docker, CRI-O, and Containerd. Discusses rootless execution, sandboxed runtimes (Kata, gVisor), and syscall filtering.</li>
</ul>
<h2 id="networking-and-security">Networking and Security<a class="headerlink" href="#networking-and-security" title="Permanent link">&para;</a></h2>
<h3 id="security-compliance">Security Compliance<a class="headerlink" href="#security-compliance" title="Permanent link">&para;</a></h3>
<h4 id="cis-benchmarks">CIS Benchmarks<a class="headerlink" href="#cis-benchmarks" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2026)</strong> <a href="https://github.com/aquasecurity/kube-bench"><mark>kube-bench 🌟</mark></a> <span class='md-tag md-tag--info'>⭐ 8078</span> <svg class="v2-sparkline" width="50" height="15" viewBox="0 0 50 15" style="vertical-align: middle; display: inline-block; margin-left: 6px;" title="Activity Trend"><defs><linearGradient id="spark-grad-534a8e3f" x1="0" y1="0" x2="1" y2="0"><stop offset="0%" stop-color="rgba(34, 211, 238, 0.2)" /><stop offset="100%" stop-color="var(--md-accent-fg-color)" /></linearGradient></defs><path class="v2-sparkline-path" d="M 0 7 L 10 4 L 20 13 L 30 9 L 40 12 L 50 5" fill="none" stroke="url(#spark-grad-534a8e3f)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" /><circle cx="50" cy="5" r="2" fill="var(--md-accent-fg-color)" /></svg> <span class='md-tag md-tag--warning'>[GO CONTENT]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — The industry standard tool to check whether Kubernetes clusters are deployed securely according to the Center for Internet Security (CIS) benchmarks. Can be run inside container workloads or directly on node hosts, outputting detailed reports identifying API, TLS, and permissions vulnerabilities.</li>
</ul>
<h2 id="observability-and-monitoring">Observability and Monitoring<a class="headerlink" href="#observability-and-monitoring" title="Permanent link">&para;</a></h2>
<h3 id="runtime-security">Runtime Security<a class="headerlink" href="#runtime-security" title="Permanent link">&para;</a></h3>
<h4 id="falco-and-k3s-audit-logging">Falco and K3s Audit Logging<a class="headerlink" href="#falco-and-k3s-audit-logging" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2021)</strong> <a href="https://github.com/developer-guy/falco-analyze-audit-log-from-k3s-cluster">Analyze Kubernetes Audit logs using Falco 🌟</a> <span class='md-tag md-tag--warning'>[GO CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Demonstrates how to pipe Lightweight Kubernetes (K3s) API server audit logs directly into CNCF Falco. Perfect for resource-constrained edges and automated home lab deployments.</li>
</ul>
<h4 id="security-industry-analysis">Security Industry Analysis<a class="headerlink" href="#security-industry-analysis" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2021)</strong> <a href="https://www.infoworld.com/article/2270825/the-race-to-secure-kubernetes-at-runtime.html">infoworld.com: The race to secure Kubernetes at run time</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Documents the evolution of runtime threat defense in cloud-native platforms, discussing the industry shift toward kernel-level security telemetry leveraging eBPF technology.</li>
</ul>
<h4 id="sysdig-and-falco-audit-integration">Sysdig and Falco Audit Integration<a class="headerlink" href="#sysdig-and-falco-audit-integration" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2020)</strong> <a href="https://www.sysdig.com/blog/kubernetes-audit-log-falco">sysdig.com: Getting started with Kubernetes audit logs and Falco 🌟</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Explains how to integrate Kubernetes API audit logs with CNCF Falco to capture real-time control plane actions and alert on malicious requests, credential abuse, or abnormal operational API traffic.</li>
</ul>
<h3 id="ebpf-runtime-enforcement">eBPF Runtime Enforcement<a class="headerlink" href="#ebpf-runtime-enforcement" title="Permanent link">&para;</a></h3>
<h4 id="tetragon-platform">Tetragon Platform<a class="headerlink" href="#tetragon-platform" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://github.com/cilium/tetragon"><mark>Tetragon (Cilium)</mark></a> <span class='md-tag md-tag--info'>⭐ 4749</span> <svg class="v2-sparkline" width="50" height="15" viewBox="0 0 50 15" style="vertical-align: middle; display: inline-block; margin-left: 6px;" title="Activity Trend"><defs><linearGradient id="spark-grad-5d9825fc" x1="0" y1="0" x2="1" y2="0"><stop offset="0%" stop-color="rgba(34, 211, 238, 0.2)" /><stop offset="100%" stop-color="var(--md-accent-fg-color)" /></linearGradient></defs><path class="v2-sparkline-path" d="M 0 4 L 10 3 L 20 11 L 30 3 L 40 5 L 50 2" fill="none" stroke="url(#spark-grad-5d9825fc)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" /><circle cx="50" cy="2" r="2" fill="var(--md-accent-fg-color)" /></svg> <span class='md-tag md-tag--warning'>[GO CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — An eBPF-powered security observability and runtime enforcement platform. It monitors and blocks system events at the kernel level, providing granular process execution, network activity, and file system audit streams with zero container overhead.</li>
</ul>
<h2 id="penetration-testing">Penetration Testing<a class="headerlink" href="#penetration-testing" title="Permanent link">&para;</a></h2>
<h3 id="security-operations">Security Operations<a class="headerlink" href="#security-operations" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://www.youtube.com/watch?v=OOHmg1J_8ck&amp;ab_channel=RedTeamVillage">youtube: Kubernetes Security: Attacking and Defending K8s Clusters - by Magno Logan</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A practical, demonstration-heavy guide outlining attack-and-defend methodologies for production clusters. Demonstrates common configuration exploits and dynamic remediation.</li>
</ul>
<h2 id="pod-privilege-escalation">Pod Privilege Escalation<a class="headerlink" href="#pod-privilege-escalation" title="Permanent link">&para;</a></h2>
<h3 id="vulnerability-exploitation">Vulnerability Exploitation<a class="headerlink" href="#vulnerability-exploitation" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://bishopfox.com/blog/kubernetes-pod-privilege-escalation">labs.bishopfox.com: Bad Pods: Kubernetes Pod Privilege Escalation 🌟</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A highly cited technical analysis demonstrating how misconfigured container host namespaces, capabilities, and volume mounts can be exploited to escape container boundaries and gain full host-level access.</li>
</ul>
<h2 id="policy-as-code">Policy-as-Code<a class="headerlink" href="#policy-as-code" title="Permanent link">&para;</a></h2>
<h3 id="kyverno-administration">Kyverno Administration<a class="headerlink" href="#kyverno-administration" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://kyverno.io">kyverno.io 🌟</a> <span class='md-tag md-tag--warning'>[GO CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Kyverno is a declarative Kubernetes-native policy engine. Designed specifically for Kubernetes, it simplifies policy management by allowing administrators to validate, mutate, and generate resources without writing complex Rego code.</li>
</ul>
<h3 id="kyverno-rules-and-policies">Kyverno Rules and Policies<a class="headerlink" href="#kyverno-rules-and-policies" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://kyverno.io/policies">kyverno.io/policies 🌟</a> <span class='md-tag md-tag--warning'>[YAML CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — The official catalog of Kyverno policies, providing ready-to-deploy manifests for Pod Security standards, multi-tenant workspace isolation, label validation, and compliance auto-generation.</li>
</ul>
<h2 id="rbac-and-authorization">RBAC and Authorization<a class="headerlink" href="#rbac-and-authorization" title="Permanent link">&para;</a></h2>
<h3 id="privilege-escalation">Privilege Escalation<a class="headerlink" href="#privilege-escalation" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://www.jeffgeerling.com/blog/2020/everyone-might-be-cluster-admin-your-kubernetes-cluster">jeffgeerling.com: Everyone might be a cluster-admin in your Kubernetes cluster</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Investigates RBAC misconfigurations and overly permissive default service accounts that elevate microservice workloads to cluster-admin privileges. It provides actionable remediation strategies for locking down namespace-bound credentials.</li>
</ul>
<h2 id="risk-analysis-and-auditing">Risk Analysis and Auditing<a class="headerlink" href="#risk-analysis-and-auditing" title="Permanent link">&para;</a></h2>
<h3 id="threat-vector-modeling">Threat Vector Modeling<a class="headerlink" href="#threat-vector-modeling" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://tldrsec.com/?404=%2Fguides%2Fkubernetes">tldrsec.com: Risk8s Business: Risk Analysis of Kubernetes Clusters 🌟</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A comprehensive vulnerability catalog and risk analysis guide highlighting exploitation pathways in typical cluster deployments. Highlights the security impacts of insecure volume mounts and metadata service access.</li>
</ul>
<h2 id="secrets-management">Secrets Management<a class="headerlink" href="#secrets-management" title="Permanent link">&para;</a></h2>
<h3 id="hashicorp-vault-integration">HashiCorp Vault Integration<a class="headerlink" href="#hashicorp-vault-integration" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://developer.hashicorp.com/vault/tutorials/kubernetes-introduction/kubernetes-external-vault">learn.hashicorp.com: Integrate a Kubernetes Cluster with an External Vault 🌟</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — A practical implementation guide showcasing how to leverage the HashiCorp Vault Agent Injector sidecar to dynamically inject secrets directly into application pods via in-memory tmpfs mounts.</li>
</ul>
<h2 id="security">Security<a class="headerlink" href="#security" title="Permanent link">&para;</a></h2>
<h3 id="access-control">Access Control<a class="headerlink" href="#access-control" title="Permanent link">&para;</a></h3>
<h4 id="api-access">API Access<a class="headerlink" href="#api-access" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2024)</strong> <a href="https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api">kubernetes.io: Access Clusters Using the Kubernetes API</a> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An official task-oriented guide illustrating the safe initialization of connections directly to the Kubernetes API server. It highlights proxying patterns, kubectl integration, and direct API calls via transport-layer security (TLS). Essential for developers automating low-level operations within controlled environments.</li>
</ul>
<h4 id="authentication">Authentication<a class="headerlink" href="#authentication" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2024)</strong> <a href="https://kubernetes.io/docs/reference/access-authn-authz/authentication">kubernetes.io: Authenticating</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — The core official reference for understanding user and service account authentication mechanisms in Kubernetes. It reviews client certificates, bearer tokens, and OIDC federation protocols. This architectural baseline explains how kube-apiserver validates identity requests securely.</li>
</ul>
<h4 id="cluster-access">Cluster Access<a class="headerlink" href="#cluster-access" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2024)</strong> <a href="https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster">kubernetes.io: Accesing Clusters</a> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Explains how developers and administrators access remote clusters using credential files (kubeconfigs). This documentation reviews contextual switching, multi-cluster management, and local proxy patterns. It serves as a foundational step for secure local engineering workflows.</li>
</ul>
<h4 id="custom-authentication">Custom Authentication<a class="headerlink" href="#custom-authentication" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2023)</strong> <a href="https://learnkube.com/kubernetes-custom-authentication">Implementing a custom Kubernetes authentication method</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--critical'>[LEGACY]</span> — Provides a technical blueprint for implementing bespoke authentication strategies using webhook token authentication. It explains the integration of custom identity backends with the kube-apiserver lifecycle. Recommended for highly specialized security architectures with legacy SSO restrictions.</li>
</ul>
<h4 id="rbac">RBAC<a class="headerlink" href="#rbac" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://www.dynatrace.com/news/engineering">engineering.dynatrace.com: Kubernetes Security Best Practices -Part 1: Role Based Access Control (RBAC)</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A deep dive into Kubernetes Role-Based Access Control (RBAC) mechanisms and configuration patterns. The guide stresses the architectural importance of the Principle of Least Privilege, outlining best practices for defining Roles and ClusterRoles. Practical mitigation strategies focus on auditing wildcard permissions to avoid escalation risks.</li>
</ul>
<h4 id="kubectl-authentication">kubectl Authentication<a class="headerlink" href="#kubectl-authentication" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2020)</strong> <a href="https://blog.christianposta.com/kubernetes/logging-into-a-kubernetes-cluster-with-kubectl">kubernetes login</a> <span class='md-tag md-tag--critical'>[LEGACY]</span> — A legacy-focused technical exploration explaining the login process flow through kubectl. This article breaks down the historical and contemporary mechanics of authentication helpers and tokens. Ideal for engineers seeking to demystify credential caching behaviors.</li>
</ul>
<h3 id="application-security">Application Security<a class="headerlink" href="#application-security" title="Permanent link">&para;</a></h3>
<h4 id="client-security">Client Security<a class="headerlink" href="#client-security" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://curity.io/resources/client-security">curity.io: Client Security</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Focuses on security patterns when structuring application clients that interface with identity ecosystems. Covers patterns like Token Handlers and Backend-for-Frontend (BFF) to safely abstract tokens away from client browsers or apps. Reduces target exposures to common cross-site scripting risks.</li>
</ul>
<h3 id="architecture-1">Architecture (1)<a class="headerlink" href="#architecture-1" title="Permanent link">&para;</a></h3>
<h4 id="devsecops">DevSecOps<a class="headerlink" href="#devsecops" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://thenewstack.io/securing-kubernetes-in-a-cloud-native-world">thenewstack.io: Securing Kubernetes in a Cloud Native World</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — This technical analysis explores how security shifts within high-velocity cloud-native deployments. Outlines strategies for managing immutable infrastructure, dynamic policy updates, and zero-trust routing. Strongly advocates for shifting security controls left and using automated gating engines.</li>
</ul>
<h4 id="future-trends">Future Trends<a class="headerlink" href="#future-trends" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://thenewstack.io/key-basic-principles-to-secure-kubernetes-future">thenewstack.io: Basic Principles Key to Securing Kubernetes Future</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Examines long-term trends in cloud-native security, arguing for declarative and immutable configurations as the main vector of defense. Synthesizes principles of software supply chain verification (such as Sigstore/Cosign integration) and automated drift detection. Vital for architects planning 3-to-5 year container strategies.</li>
</ul>
<h3 id="audit">Audit<a class="headerlink" href="#audit" title="Permanent link">&para;</a></h3>
<h4 id="configuration-assessment">Configuration Assessment<a class="headerlink" href="#configuration-assessment" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2023)</strong> <a href="https://securitycafe.ro/2023/02/27/a-complete-kubernetes-config-review-methodology">securitycafe.ro: A COMPLETE KUBERNETES CONFIG REVIEW METHODOLOGY</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An exhaustive, step-by-step methodology for auditing the entire configuration footprint of Kubernetes environments. Provides structural steps for scanning RBAC bindings, assessing cluster configuration parameters, and scanning host node vulnerabilities. Essential checklist for compliance officers and security auditors.</li>
</ul>
<h3 id="best-practices">Best Practices<a class="headerlink" href="#best-practices" title="Permanent link">&para;</a></h3>
<h4 id="general-hardening">General Hardening<a class="headerlink" href="#general-hardening" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2024)</strong> <a href="https://www.armosec.io/blog/kubernetes-security-best-practices">armosec.io: Kubernetes Security Best Practices: Definitive Guide</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An exhaustive technical blueprint emphasizing end-to-end cloud-native system security. It details critical hardening strategies including image scanning, continuous compliance auditing, and secure runtime boundaries. Modern operators leverage these concepts to build proactive defensive postures across hybrid clusters.</li>
<li><strong>(2023)</strong> <a href="https://thenewstack.io/6-kubernetes-security-best-practices">thenewstack.io: 6 Kubernetes Security Best Practices 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A baseline architectural guide covering foundational security principles in Kubernetes. It focuses on isolating workloads, enabling network policies, and minimizing container privileges. Real-world implementation highlights the mitigation of broad blast radii by enforcing namespace segregation.</li>
<li><strong>(2023)</strong> <a href="https://www.spectrocloud.com/blog/kubernetes-security-best-practices-5-easy-ways-to-cut-risk">spectrocloud.com: Kubernetes security best practices: 5 easy ways to cut risk</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Outlines five high-impact security wins to drastically lower cluster risk vectors. Key practices include restrictive network boundary controls, cluster-wide image pinning, and utilizing immutable root filesystems. These pragmatically reduce immediate exposure surfaces for standard multi-tenant setups.</li>
</ul>
<h3 id="cloud-security">Cloud Security<a class="headerlink" href="#cloud-security" title="Permanent link">&para;</a></h3>
<h4 id="aws-eks-network">AWS EKS Network<a class="headerlink" href="#aws-eks-network" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2024)</strong> <a href="https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html">Security Group Rules EKS</a> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Official AWS configuration documentation detailing the network security boundaries for Amazon EKS clusters. It defines minimal requirements for control-plane-to-node communication over secure ports. This ensures highly restrictive ingress/egress patterns in security groups.</li>
</ul>
<h4 id="eks-hardening">EKS Hardening<a class="headerlink" href="#eks-hardening" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2024)</strong> <a href="https://aws.github.io/aws-eks-best-practices">Amazon EKS Best Practices Guide for Security 🌟</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — The definitive enterprise guide for hardening EKS clusters against cloud-native threats. It covers network segregation, IAM roles for service accounts (IRSA), secrets encryption, and runtime defense. This is a foundational checklist for any platform engineering team running on AWS.</li>
</ul>
<h3 id="cluster-hardening-2">Cluster Hardening (2)<a class="headerlink" href="#cluster-hardening-2" title="Permanent link">&para;</a></h3>
<h4 id="audit-logs">Audit Logs<a class="headerlink" href="#audit-logs" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://dev.to/gitguardian/kubernetes-hardening-tutorial-part-3-authn-authz-logging-auditing-3fec">blog.gitguardian.com: Kubernetes Hardening Tutorial Part 3: Authn, Authz, Logging &amp; Auditing</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Part three of the GitGuardian series, focusing on authentication, authorization, logging, and audit tracking. Demonstrates how to design granular RBAC policies and enable cluster audit logs to detect security anomalies. Essential for establishing reliable forensic trails.</li>
</ul>
<h4 id="best-practices-1">Best Practices (1)<a class="headerlink" href="#best-practices-1" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://cast.ai/blog/kubernetes-security-10-best-practices">cast.ai: Kubernetes Security: 10 Best Practices from the Industry and Community 🌟</a> <span class='md-tag md-tag--critical'>[LEGACY]</span> — Consolidates ten core security practices derived from cloud-native community patterns and expert input. Discusses API server hardening, encryption of secrets at rest in etcd, and continuous vulnerability verification. Provides a clear roadmap for migrating legacy infrastructure securely into Kubernetes.</li>
<li><strong>(2022)</strong> <a href="https://dev.to/aws-builders/best-practices-for-securing-kubernetes-deployments-1jg6">dev.to/aws-builders: Best Practices for Securing Kubernetes Deployments 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Presents an action-oriented best practice matrix covering cluster configuration and pod safety profiles. Details etcd encryption setups, secure secrets distribution patterns, and implementing standard Pod Security Admission policies. Highly recommended for establishing cluster baselines.</li>
</ul>
<h4 id="deployment-security">Deployment Security<a class="headerlink" href="#deployment-security" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://www.armosec.io/blog/secure-kubernetes-deployment">armosec.io: How to Secure Deployments in Kubernetes? 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An operational guide on implementing Pod Security Standards (PSS) within modern clusters. Provides precise configurations for configuring read-only root filesystems, restricting Linux capability escalation, and rejecting root execution. Helps secure standard application manifests against common run-time threat models.</li>
</ul>
<h4 id="pod-security">Pod Security<a class="headerlink" href="#pod-security" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://dev.to/thenjdevopsguy/securing-kubernetes-pods-for-production-workloads-51oh">dev.to/thenjdevopsguy: Securing Kubernetes Pods For Production Workloads</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Focuses on runtime container hardening for critical production clusters. Provides examples of setting up restricted securityContext parameters, dropping raw Linux capabilities, and activating seccomp profiles. Ensures configurations restrict exploitation should container escape vulnerabilities emerge.</li>
</ul>
<h4 id="standard-checklists">Standard Checklists<a class="headerlink" href="#standard-checklists" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2023)</strong> <a href="https://kubernetes.io/docs/concepts/security/security-checklist">kubernetes.io: Security Checklist 🌟🌟</a> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — The official security checklist published by upstream Kubernetes maintainers. It serves as an authoritative map for hardening cluster networks, applying role access structures, and validating runtimes. Essential baseline documentation for cloud infrastructure engineers.</li>
</ul>
<h3 id="compliance">Compliance<a class="headerlink" href="#compliance" title="Permanent link">&para;</a></h3>
<h4 id="cis-benchmarks-1">CIS Benchmarks (1)<a class="headerlink" href="#cis-benchmarks-1" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2024)</strong> <a href="https://www.ibm.com/topics">ibm.com: CIS Benchmarks</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — The Center for Internet Security (CIS) Benchmarks provide globally recognized consensus-based best practices for securing IT systems, clouds, and Kubernetes environments. Organizations use these structured guidelines to validate and harden infrastructure configurations, ensuring compliance with strict security mandates through automated configuration auditors.</li>
</ul>
<h3 id="deployment-security-1">Deployment Security (1)<a class="headerlink" href="#deployment-security-1" title="Permanent link">&para;</a></h3>
<h4 id="hardening">Hardening<a class="headerlink" href="#hardening" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2023)</strong> <a href="https://semaphore.io/blog/kubernetes-deployments">semaphoreci.com: Secure Your Kubernetes Deployments</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Focuses on incorporating shift-left security strategies directly into the CI/CD deployment pipeline. It details how to leverage static manifest analysis, configuration linters, and runtime context constraints. This is essential for preventing misconfigured workloads from reaching production environments.</li>
</ul>
<h3 id="devsecops-1">DevSecOps (1)<a class="headerlink" href="#devsecops-1" title="Permanent link">&para;</a></h3>
<h4 id="cicd-pipeline-security">CICD Pipeline Security<a class="headerlink" href="#cicd-pipeline-security" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://www.infoworld.com/article/2258136/10-steps-to-automating-security-in-kubernetes-pipelines.html">infoworld.com: 10 steps to automating security in Kubernetes pipelines</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A ten-step technical blueprint focused on integrating security scanners directly into automated CI/CD deployment pipelines. Covers static application security testing (SAST), secrets detection, and manifest scanning before changes reach staging or production clusters. Outlines shift-left strategies to mitigate misconfiguration deployment risks.</li>
</ul>
<h4 id="continuous-security">Continuous Security<a class="headerlink" href="#continuous-security" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://collabnix.com/applying-devsecops-practices-to-kubernetes">collabnix.com: Applying DevSecOps Practices to Kubernetes</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Explores the technical implementation of DevSecOps pipelines targeting Kubernetes applications. Discusses how to configure automated feedback loops between static manifest linters, container register vulnerability databases, and runtime audit monitors. Crucial for scaling secure delivery pipelines.</li>
</ul>
<h4 id="developer-guidance">Developer Guidance<a class="headerlink" href="#developer-guidance" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://dev.to/pavanbelagatti/kubernetes-security-best-practices-for-developers-2b92">dev.to/pavanbelagatti: Kubernetes Security Best Practices For Developers</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Translates complex cluster security profiles into digestible concepts tailored directly for application developers. Focuses on safe manifest construction, secret handling, and using non-root base images. Encourages safe development workflows to eliminate security issues before code merges.</li>
</ul>
<h3 id="fundamentals">Fundamentals<a class="headerlink" href="#fundamentals" title="Permanent link">&para;</a></h3>
<h4 id="concepts">Concepts<a class="headerlink" href="#concepts" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://itnext.io/introduction-to-kubernetes-security-for-security-professionals-a61b424f7a2a">itnext.io: Introduction to Kubernetes Security for Security Professionals</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An entry point resource for security practitioners pivoting from virtual machines or bare-metal servers into Kubernetes environments. Explains standard architectural paradigms like Pods, Namespaces, Service Accounts, and Admission Controllers. Focuses on building a coherent threat modeling mental map.</li>
<li><strong>(2022)</strong> <a href="https://dev.to/mattiasfjellstrom/kubernetes-101-security-concepts-2f4f">dev.to/mattiasfjellstrom: Kubernetes-101: Security concepts</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An introductory security conceptual guide reviewing isolation techniques like Linux namespaces, cgroups, and capabilities. Correlates these kernel-level tools to upstream abstraction parameters in standard Pod specs. Provides a concise, high-density primer on basic defense constructs.</li>
</ul>
<h4 id="threat-modeling">Threat Modeling<a class="headerlink" href="#threat-modeling" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://blog.gitguardian.com/hardening-your-k8-pt-1">blog.gitguardian.com: Hardening Your Kubernetes Cluster - Threat Model (Pt. 1) 🌟🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Part one of a tutorial series focusing on threat modeling within Kubernetes systems. Outlines typical attack surface definitions across components like API endpoints, etcd systems, and workers. Aids engineering teams in establishing defense boundaries.</li>
</ul>
<h3 id="hardening-standards">Hardening Standards<a class="headerlink" href="#hardening-standards" title="Permanent link">&para;</a></h3>
<h4 id="government-guidelines">Government Guidelines<a class="headerlink" href="#government-guidelines" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://www.armosec.io/blog/nsa-cisa-kubernetes-hardening-guide">armosec.io: NSA &amp; CISA Kubernetes Hardening Guide what is new with version 1.1</a> <span class='md-tag md-tag--critical'>[LEGACY]</span> — Details updates in version 1.1 of the NSA-CISA Kubernetes Hardening Guide. Highlights transition criteria from deprecated PodSecurityPolicies to Pod Security Standards, alongside advice on checking third-party integrations. Helps teams stay aligned with current guidance.</li>
<li><strong>(2021)</strong> <a href="https://thenewstack.io/the-nsa-can-help-you-secure-your-kubernetes-clusters">thenewstack.io: The NSA Can Help Secure Your Kubernetes Clusters</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Evaluates the joint security guidance on Kubernetes hardening issued by the NSA and CISA. Translates government recommendations into actionable steps for enterprise IT administrators. Focuses on separation of credentials and configuring audit pathways.</li>
<li><strong>(2021)</strong> <a href="https://therecord.media/nsa-cisa-publish-kubernetes-hardening-guide">therecord.media: NSA, CISA publish Kubernetes hardening guide 🌟🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Detailed breakdown of the NSA/CISA Kubernetes Hardening Guide. Emphasizes container sandboxing, running applications with minimal privilege bounds, and dividing networks to limit damage. A vital reference point for regulatory compliance projects.</li>
<li><strong>(2021)</strong> <a href="https://www.infoq.com/news/2021/09/kubernetes-hardening-guidance">infoq.com</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Explores key recommendations from CISA and the NSA regarding cluster infrastructure protection. Demystifies technical methods for managing root filesystems, authenticating platform API requests, and using logging setups to trace lateral movement.</li>
<li><strong>(2021)</strong> <a href="https://thenewstack.io/nsa-on-how-to-harden-kubernetes">thenewstack.io: NSA on How to Harden Kubernetes</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A practical review focusing on the security configurations defined within the NSA hardening guides. Covers container escape avoidance, using read-only structures, and setting up logging patterns. Beneficial for system engineers translating recommendations to production setups.</li>
</ul>
<h3 id="iam">IAM<a class="headerlink" href="#iam" title="Permanent link">&para;</a></h3>
<h4 id="authentication-and-authorization">Authentication and Authorization<a class="headerlink" href="#authentication-and-authorization" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://dev.to/thenjdevopsguy/the-4-cs-of-kubernetes-security-3i9e">dev.to/thenjdevopsguy: The 4 Cs Of Kubernetes Security</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Evaluates enterprise patterns for integrating Kubernetes Role-Based Access Control (RBAC) with corporate directory systems (OIDC, Active Directory). Examines tools like Dex to implement single sign-on (SSO) strategies across multi-cluster environments. Essential reading for cluster operations scaling across departments.</li>
</ul>
<h4 id="sso">SSO<a class="headerlink" href="#sso" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://dev.to/gabrielbiasi/automatic-sso-in-kubernetes-workloads-using-a-sidecar-container-3752">dev.to/gabrielbiasi: Automatic SSO in Kubernetes workloads using a sidecar container</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Outlines an automated SSO sidecar integration pattern inside Kubernetes pods, abstracting authentication logic away from application-level containers. Details OAuth token management and redirect intercept strategies executed transparently at the pod level. Simplifies identity integration across multiple microservices.</li>
</ul>
<h3 id="identity-and-access">Identity and Access<a class="headerlink" href="#identity-and-access" title="Permanent link">&para;</a></h3>
<h4 id="aws-irsa">AWS IRSA<a class="headerlink" href="#aws-irsa" title="Permanent link">&para;</a></h4>
<h5 id="hybrid-cloud">Hybrid Cloud<a class="headerlink" href="#hybrid-cloud" title="Permanent link">&para;</a></h5>
<ul>
<li><strong>(2022)</strong> <a href="https://dev.to/danielepolencic/binding-aws-iam-roles-to-kubernetes-service-account-for-on-prem-clusters-1icc">dev.to: Binding AWS IAM roles to Kubernetes Service Account for on-prem clusters | Daniele Polencic 🌟</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Highlights solutions for extending AWS IAM Roles for Service Accounts (IRSA) configurations into on-premises Kubernetes clusters. Solves the hybrid identity challenge by utilizing OIDC federated discovery documents on local nodes.</li>
</ul>
<h4 id="authentication-1">Authentication (1)<a class="headerlink" href="#authentication-1" title="Permanent link">&para;</a></h4>
<h5 id="legacy-tools">Legacy Tools<a class="headerlink" href="#legacy-tools" title="Permanent link">&para;</a></h5>
<ul>
<li><strong>(2020)</strong> <a href="https://github.com/dvob/k8s-s2s-auth">github.com/dvob/k8s-s2s-auth: Kubernetes Service Accounts 🌟</a> <span class='md-tag md-tag--warning'>[GO CONTENT]</span> <span class='md-tag md-tag--critical'>[LEGACY]</span> — Curator Insight: Demonstrates internal service-to-service auth patterns utilizing raw Service Account tokens. Live Grounding: The repository has seen no recent development and is considered legacy. It is superseded by modern ephemeral TokenRequest APIs and service mesh mTLS integrations.</li>
<li><strong>(2023)</strong> <a href="https://learnkube.com/authentication-kubernetes">learnk8s.io/authentication-kubernetes: User and workload identities in Kubernetes 🌟🌟🌟</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — A deep analysis of the conceptual differences between human and workload identities within Kubernetes. Details how API server authentication modules resolve internal workloads using Service Accounts, contrasting them with external OIDC providers.</li>
<li><strong>(2022)</strong> <a href="https://goteleport.com/blog/kube-authn-methods">goteleport.com: A Simple Overview of Authentication Methods for Kubernetes Clusters</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Synthesizes multiple Kubernetes authentication methods—including bootstrap tokens, client certificates, webhook tokens, and OIDC federation. Provides an architect-level comparison of trade-offs regarding credential life and operational complexity.</li>
</ul>
<h4 id="cloud-integrations">Cloud Integrations<a class="headerlink" href="#cloud-integrations" title="Permanent link">&para;</a></h4>
<h5 id="aws-irsa-1">AWS IRSA (1)<a class="headerlink" href="#aws-irsa-1" title="Permanent link">&para;</a></h5>
<ul>
<li><strong>(2021)</strong> <a href="https://mjarosie.github.io/dev/2021/09/15/iam-roles-for-kubernetes-service-accounts-deep-dive.html">mjarosie.github.io: IAM roles for Kubernetes service accounts - deep dive</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A thorough exploration of AWS IAM Roles for Service Accounts (IRSA). Demystifies how AWS OpenID Connect (OIDC) federation interacts with mutating admission webhooks to inject dynamic, temporary AWS STS credentials into Kubernetes pods.</li>
</ul>
<h4 id="enterprise-authentication">Enterprise Authentication<a class="headerlink" href="#enterprise-authentication" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://www.vcluster.com/blog/kubernetes-and-ldap-enterprise-authentication-for-kubernetes">loft.sh: Kubernetes and LDAP: Enterprise Authentication for Kubernetes</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--critical'>[LEGACY]</span> — Outlines pattern-driven integrations for bridging classic corporate LDAP servers with modern Kubernetes clusters. Focuses on identity broker abstractions like Dex to map legacy LDAP groups to Kubernetes RBAC definitions.</li>
</ul>
<h4 id="microservice-identities">Microservice Identities<a class="headerlink" href="#microservice-identities" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2023)</strong> <a href="https://learnkube.com/microservices-authentication-kubernetes">learnk8s.io: Authentication between microservices using Kubernetes identities 🌟</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A specialized guide analyzing how service-to-service communication can be secured natively. It demonstrates using Kubernetes ServiceAccount tokens as cryptographic identities to authenticate microservices without external overhead. This pattern reduces dependencies on heavy service meshes for simpler deployments.</li>
</ul>
<h4 id="oidc">OIDC<a class="headerlink" href="#oidc" title="Permanent link">&para;</a></h4>
<h5 id="legacy-tools-1">Legacy Tools (1)<a class="headerlink" href="#legacy-tools-1" title="Permanent link">&para;</a></h5>
<ul>
<li><strong>(2020)</strong> <a href="https://github.com/gini/dexter"><mark>gini/dexter</mark></a> <span class='md-tag md-tag--info'>⭐ 168</span> <svg class="v2-sparkline" width="50" height="15" viewBox="0 0 50 15" style="vertical-align: middle; display: inline-block; margin-left: 6px;" title="Activity Trend"><defs><linearGradient id="spark-grad-f44207cc" x1="0" y1="0" x2="1" y2="0"><stop offset="0%" stop-color="rgba(34, 211, 238, 0.2)" /><stop offset="100%" stop-color="var(--md-accent-fg-color)" /></linearGradient></defs><path class="v2-sparkline-path" d="M 0 10 L 10 6 L 20 9 L 30 9 L 40 11 L 50 9" fill="none" stroke="url(#spark-grad-f44207cc)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" /><circle cx="50" cy="9" r="2" fill="var(--md-accent-fg-color)" /></svg> <span class='md-tag md-tag--warning'>[GO CONTENT]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> <span class='md-tag md-tag--critical'>[LEGACY]</span> — Curator Insight: An OIDC-helper CLI tool for generating kubectl credential configurations. Live Grounding: Inactive for over 4 years; considered legacy under Nubenetes MVQ rules. It has been superseded by tools like kubelogin.</li>
</ul>
<h5 id="oauth2-proxy">OAuth2 Proxy<a class="headerlink" href="#oauth2-proxy" title="Permanent link">&para;</a></h5>
<ul>
<li><strong>(2021)</strong> <a href="https://geek-cookbook.funkypenguin.co.nz/recipes/kubernetes/oauth2-proxy">geek-cookbook.funkypenguin.co.nz: Using OAuth2 proxy for Kubernetes Dashboard</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — A configuration guide describing how to wrap the Kubernetes Dashboard and sensitive internal APIs with oauth2-proxy, enabling secure OIDC integrations and SSO workflows.</li>
<li><strong>(2024)</strong> <a href="https://openid.net">OpenID Connect</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — The official specifications for OpenID Connect, the dominant federation protocol for Kubernetes authentication. Implementing OIDC enables modern clusters to offload authentication to external identity providers like Okta, Keycloak, or Microsoft Entra ID. This standardizes identity tokens globally across decentralized services.</li>
</ul>
<h4 id="rbac-1">RBAC (1)<a class="headerlink" href="#rbac-1" title="Permanent link">&para;</a></h4>
<h5 id="legacy-tools-2">Legacy Tools (2)<a class="headerlink" href="#legacy-tools-2" title="Permanent link">&para;</a></h5>
<ul>
<li><strong>(2020)</strong> <a href="https://github.com/appvia/krane"><mark>Krane 🌟</mark></a> <span class='md-tag md-tag--info'>⭐ 740</span> <svg class="v2-sparkline" width="50" height="15" viewBox="0 0 50 15" style="vertical-align: middle; display: inline-block; margin-left: 6px;" title="Activity Trend"><defs><linearGradient id="spark-grad-40940fd4" x1="0" y1="0" x2="1" y2="0"><stop offset="0%" stop-color="rgba(34, 211, 238, 0.2)" /><stop offset="100%" stop-color="var(--md-accent-fg-color)" /></linearGradient></defs><path class="v2-sparkline-path" d="M 0 3 L 10 10 L 20 3 L 30 9 L 40 5 L 50 2" fill="none" stroke="url(#spark-grad-40940fd4)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" /><circle cx="50" cy="2" r="2" fill="var(--md-accent-fg-color)" /></svg> <span class='md-tag md-tag--warning'>[RUBY CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> <span class='md-tag md-tag--critical'>[LEGACY]</span> — Curator Insight: An open-source Kubernetes RBAC static analysis tool designed to identify risky roles, cluster roles, and broad resource access configurations. Live Grounding: The repository is archived and inactive for over 4 years. While the structural rules engine remains historically valuable, it does not support modern Kubernetes RBAC security vectors.</li>
<li><strong>(2019)</strong> <a href="https://github.com/clvx/k8s-rbac-model"><mark>github.com/clvx/k8s-rbac-model: Kubernetes RBAC Model</mark></a> <span class='md-tag md-tag--info'>⭐ 26</span> <svg class="v2-sparkline" width="50" height="15" viewBox="0 0 50 15" style="vertical-align: middle; display: inline-block; margin-left: 6px;" title="Activity Trend"><defs><linearGradient id="spark-grad-de8a6018" x1="0" y1="0" x2="1" y2="0"><stop offset="0%" stop-color="rgba(34, 211, 238, 0.2)" /><stop offset="100%" stop-color="var(--md-accent-fg-color)" /></linearGradient></defs><path class="v2-sparkline-path" d="M 0 9 L 10 4 L 20 7 L 30 4 L 40 8 L 50 13" fill="none" stroke="url(#spark-grad-de8a6018)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" /><circle cx="50" cy="13" r="2" fill="var(--md-accent-fg-color)" /></svg> <span class='md-tag md-tag--warning'>[JAVASCRIPT CONTENT]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — Curator Insight: A conceptual visualization framework for modeling Kubernetes RBAC policies. Live Grounding: The project has seen zero updates in over 5 years. Deprioritized under MVQ rules due to structural obsolescence against modern apiGroups.</li>
</ul>
<h5 id="security-auditing">Security Auditing<a class="headerlink" href="#security-auditing" title="Permanent link">&para;</a></h5>
<ul>
<li><strong>(2022)</strong> <a href="https://raesene.github.io/blog/2022/08/14/auditing-rbac-redux">raesene.github.io: Auditing RBAC - Redux</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Highly detailed assessment of tools and manual approaches used to audit RBAC permissions. Looks at the attack surface exposed by privileged service accounts and API server access loopholes, providing concrete defensive guidance.</li>
<li><strong>(2026)</strong> <a href="https://rbac.dev">rbac.dev 🌟🌟🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A dedicated directory of tools, templates, and best practices for Kubernetes RBAC configurations. Serves as an essential reference for engineers establishing zero-trust access boundaries.</li>
<li><strong>(2023)</strong> <a href="https://devopscube.com/kubernetes-api-access-service-account">devopscube.com: How To Create Kubernetes Service Account For API Access</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — A practical tutorial focused on provisioning Kubernetes Service Accounts for targeted API server access. Walks through credential auto-generation constraints, manifesting corresponding API access boundaries, and constructing secure automated CI/CD pipelines.</li>
<li><strong>(2023)</strong> <a href="https://learnkube.com/rbac-kubernetes">learnk8s.io: Limiting access to Kubernetes resources with RBAC 🌟🌟🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — A rigorous deep-dive into resource constraints using RBAC. Demonstrates how to write custom policies to isolate network endpoints, restrict API-driven actions, and test permissions safely using <code>kubectl auth can-i</code>.</li>
<li><strong>(2022)</strong> <a href="https://www.vcluster.com/blog/kubernetes-rbac-basics-and-advanced-patterns">loft.sh: Kubernetes RBAC: Basics and Advanced Patterns</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Deconstructs advanced RBAC patterns, focusing on namespace isolation, virtual cluster (vcluster) control planes, and resolving performance regressions associated with large-scale policy databases.</li>
<li><strong>(2022)</strong> <a href="https://marcusnoble.co.uk/2022-01-20-restricting-cluster-admin-permissions">marcusnoble.co.uk: Restricting cluster-admin Permissions</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Examines security risks associated with widespread <code>cluster-admin</code> usage. Proposes strategies to design specialized roles with precise apiGroup restrictions to establish guardrails around the control plane.</li>
<li><strong>(2022)</strong> <a href="https://anaisurl.com/kubernetes-rbac">anaisurl.com: RBAC Explained with Examples 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — A visual, beginner-friendly guide dissecting RBAC mechanics in Kubernetes. Offers concrete examples of setting up specific read/write permissions for standard development teams.</li>
<li><strong>(2022)</strong> <a href="https://dev.to/mstryoda/configure-rbac-in-kubernetes-like-a-boss-h67">dev.to: Configure RBAC in Kubernetes Like a Boss</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — An operational checklist and set of best practices for establishing robust, leak-proof RBAC models. Helps administrators avoid common authorization anti-patterns such as wildcards in role rules.</li>
<li><strong>(2022)</strong> <a href="https://www.youtube.com/watch?v=iE9Qb8dHqWI">youtube: Kubernetes RBAC Explained | Anton Putra 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Detailed instructional video mapping user groups and service accounts to Kubernetes resources using RBAC. Explains role-binding syntax and access validations in an intuitive, visual style.</li>
<li><strong>(2021)</strong> <a href="https://www.infracloud.io/blogs/role-based-access-kubernetes">infracloud.io: How to setup Role based access (RBAC) to Kubernetes Cluster 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Detailed technical analysis of native Kubernetes Role-Based Access Control (RBAC). Explains authorization objects (Roles, ClusterRoles, and Bindings) alongside API groups to help design least-privilege structures.</li>
</ul>
<h4 id="sso-and-saml">SSO and SAML<a class="headerlink" href="#sso-and-saml" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://goteleport.com/blog/kubernetes-sso-saml">gravitational.com: How to Set Up Kubernetes SSO with SAML</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Deconstructs the mechanics of configuring Single Sign-On (SSO) for cluster environments utilizing SAML. The guide explains authentication federation patterns, mapping identity provider attributes to Kubernetes RBAC roles. This setup ensures seamless, centralized access management for enterprise platform infrastructure.</li>
</ul>
<h4 id="workload-identity">Workload Identity<a class="headerlink" href="#workload-identity" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2021)</strong> <a href="https://linkerd.io/2021/12/28/using-kubernetess-new-bound-service-account-tokens-for-secure-workload-identity/index.html">linkerd.io: Using Kubernetes's new Bound Service Account Tokens for secure workload identity</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Examines Linkerd's transition to Kubernetes Bound Service Account Tokens (TokenRequest API). Explains the security benefits of using tokens containing specific audiences, node bindings, and short lifetimes to mitigate credential leakage risks.</li>
</ul>
<h4 id="zero-trust-access">Zero Trust Access<a class="headerlink" href="#zero-trust-access" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2024)</strong> <a href="https://www.paralus.io">paralus.io 🌟</a> <span class='md-tag md-tag--warning'>[GO CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Paralus is an open-source tool for managing access to multi-cluster Kubernetes environments. Offers a centralized portal for configuring Just-In-Time (JIT) access, OIDC integration, auditing, and RBAC synchronization across cloud providers.</li>
</ul>
<h3 id="identity-and-access-management-1">Identity and Access Management (1)<a class="headerlink" href="#identity-and-access-management-1" title="Permanent link">&para;</a></h3>
<h4 id="access-control-1">Access Control (1)<a class="headerlink" href="#access-control-1" title="Permanent link">&para;</a></h4>
<ul>
<li><a href="https://thenewstack.io/cloud-native-identity-and-access-management-in-kubernetes">thenewstack.io: Cloud Native Identity and Access Management in Kubernetes</a> <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--success'>[ENTERPRISE-STABLE]</span> — Examines identity federation, user access management, and internal service-to-service authentication models. Curator insight details mapping cluster roles directly to organizational single sign-on identities. Live grounding indicates that decentralized identity and modern authentication are critical to maintaining least privilege in high-scale infrastructure.</li>
</ul>
<h3 id="kubernetes-security-1">Kubernetes Security (1)<a class="headerlink" href="#kubernetes-security-1" title="Permanent link">&para;</a></h3>
<h4 id="hardening-1">Hardening (1)<a class="headerlink" href="#hardening-1" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2023)</strong> <a href="https://www.sysdig.com/blog/kubernetes-security-guide">sysdig.com: Kubernetes Security Guide 🌟</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Sysdig's comprehensive guide to securing Kubernetes platforms details a multi-layered defense strategy covering container image scanning, runtime protection, network policies, and role-based access control (RBAC). It highlights compliance mappings (such as CIS benchmarks) and operational best practices for detecting abnormal kernel system calls using eBPF-based agents.</li>
</ul>
<h4 id="secrets-management-1">Secrets Management (1)<a class="headerlink" href="#secrets-management-1" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2021)</strong> <a href="https://www.theodo.com/en-uk/blog">Hands on your first Kubernetes secrets 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — This hands-on tutorial guides developers through creating, decoding, and mounting native Kubernetes Secret resources within applications. It highlights base64 encoding limitations and advises on key architectural alternatives, such as HashiCorp Vault integration, Sealed Secrets, or CSI secret store drivers for production environments.</li>
</ul>
<h3 id="network-security">Network Security<a class="headerlink" href="#network-security" title="Permanent link">&para;</a></h3>
<h4 id="internet-exposure">Internet Exposure<a class="headerlink" href="#internet-exposure" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://raesene.github.io/blog/2022/07/03/lets-talk-about-kubernetes-on-the-internet">raesene.github.io: Let's talk about Kubernetes on the Internet</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An urgent analytical overview assessing why many Kubernetes API control planes remain directly visible on the public internet. Discusses host-level firewall configurations, securing the Kubelet interface, and utilizing private API cluster features in major cloud providers. Emphasizes basic perimeter hygiene.</li>
</ul>
<h4 id="network-policies-2">Network Policies (2)<a class="headerlink" href="#network-policies-2" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2024)</strong> <a href="https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html">Calico in EKS</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Guides integration of Calico as a high-performance network policy engine alongside EKS. While AWS VPC CNI handles native IP routing, Calico enforces declarative security policies. This hybrid configuration provides robust, fine-grained L3/L4 segregation across namespace borders.</li>
<li><strong>(2022)</strong> <a href="https://blog.gitguardian.com/kubernetes-tutorial-part-2-network">blog.gitguardian.com: Kubernetes Hardening Tutorial Part 2: Network</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — This technical tutorial demonstrates the configuration of Kubernetes NetworkPolicies to enforce granular traffic isolation. It contrasts default-allow networking models with secure default-deny postures, providing production-ready ingress and egress manifests. Engineers will learn how to reduce lateral threat movement by restricting pod-to-pod communications.</li>
</ul>
<h3 id="offensive-security">Offensive Security<a class="headerlink" href="#offensive-security" title="Permanent link">&para;</a></h3>
<h4 id="penetration-testing-1">Penetration Testing (1)<a class="headerlink" href="#penetration-testing-1" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://tutorialboy24.blogspot.com/2022/09/a-detailed-talk-about-k8s-cluster.html">tutorialboy24.blogspot.com: A Detailed Talk about K8S Cluster Security from the Perspective of Attackers (Part 2) 🌟</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — This deep technical analysis adopts an offensive security posture to highlight subtle vulnerabilities in cluster configurations. Demystifies container escape routes, RBAC over-privileging paths, and target exploration from within compromised pods. Highly valuable for red team operators and defensive engineers building detection rules.</li>
</ul>
<h3 id="pki">PKI<a class="headerlink" href="#pki" title="Permanent link">&para;</a></h3>
<h4 id="certificate-management">Certificate Management<a class="headerlink" href="#certificate-management" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://blog.alexellis.io/what-if-your-pods-need-to-trust-self-signed-certificates">blog.alexellis.io: What if your Pods need to trust self-signed certificates?</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Focuses on patterns for trusting self-signed or internal enterprise Root CA certificates inside dynamic pod runtimes. Demonstrates using initContainers and shared volumes to inject trust anchors clean of custom application builds. Prevents hardcoding issues across dynamic corporate multi-tenant infrastructures.</li>
<li><strong>(2021)</strong> <a href="https://thenewstack.io/jetstack-secure-promises-to-ease-kubernetes-tls-security">thenewstack.io: Jetstack Secure Promises to Ease Kubernetes TLS Security</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Analyzes the release and architecture of Jetstack Secure, which simplifies and automates TLS lifecycle tracking via cert-manager. Explains the centralization of public key infrastructures (PKIs) across multi-cluster hybrid clouds. Prevents application downtime caused by unpredicted certificate expirations.</li>
</ul>
<h3 id="pki-and-certificates">PKI and Certificates<a class="headerlink" href="#pki-and-certificates" title="Permanent link">&para;</a></h3>
<h4 id="conceptual">Conceptual<a class="headerlink" href="#conceptual" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://dev.to/otomato_io/possible-paths-2hfc">dev.to: Kubernetes TLS, Demystified 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Demystifies Kubernetes TLS configurations by explaining public/private key pairs, certificate authorities, client-cert server validations, and common Ingress security setups.</li>
</ul>
<h4 id="tls-ingress">TLS Ingress<a class="headerlink" href="#tls-ingress" title="Permanent link">&para;</a></h4>
<h5 id="lets-encrypt">Lets Encrypt<a class="headerlink" href="#lets-encrypt" title="Permanent link">&para;</a></h5>
<ul>
<li><strong>(2021)</strong> <a href="https://rejupillai.com/index.php/2021/03/06/configure-tls-on-gke-ingress-for-free-with-lets-encrypt">rejupillai.com: Lets Encrypt the Web (for free)</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — A practical walk-through detailing TLS integration on a GKE Ingress controller. Guides the configuration of HTTP-01 and DNS-01 ACME validations using cert-manager, resulting in automated, free public certificates.</li>
</ul>
<h4 id="cert-manager">cert-manager<a class="headerlink" href="#cert-manager" title="Permanent link">&para;</a></h4>
<h5 id="access-control-2">Access Control (2)<a class="headerlink" href="#access-control-2" title="Permanent link">&para;</a></h5>
<ul>
<li><strong>(2024)</strong> <a href="https://github.com/cert-manager/approver-policy"><mark>github.com/cert-manager: Policy Approver</mark></a> <span class='md-tag md-tag--info'>⭐ 90</span> <svg class="v2-sparkline" width="50" height="15" viewBox="0 0 50 15" style="vertical-align: middle; display: inline-block; margin-left: 6px;" title="Activity Trend"><defs><linearGradient id="spark-grad-cc1fad06" x1="0" y1="0" x2="1" y2="0"><stop offset="0%" stop-color="rgba(34, 211, 238, 0.2)" /><stop offset="100%" stop-color="var(--md-accent-fg-color)" /></linearGradient></defs><path class="v2-sparkline-path" d="M 0 2 L 10 10 L 20 13 L 30 10 L 40 4 L 50 2" fill="none" stroke="url(#spark-grad-cc1fad06)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" /><circle cx="50" cy="2" r="2" fill="var(--md-accent-fg-color)" /></svg> <span class='md-tag md-tag--warning'>[GO CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — The cert-manager approver-policy extension code repository. Intercepts CertificateRequest resources before submission, evaluating requested commonNames, SANs, and key constraints against user-defined security guidelines.</li>
</ul>
<h5 id="operations">Operations<a class="headerlink" href="#operations" title="Permanent link">&para;</a></h5>
<ul>
<li><strong>(2021)</strong> <a href="https://itnext.io/upgrade-cert-manager-for-your-production-deployment-without-downtime-ee5d32fabec8">itnext.io: Upgrade Cert-Manager for Your Production Deployment Without Downtime</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A highly technical guide focusing on upgrading production cert-manager instances without cluster downtime. Addresses API version deprecations, webhook migrations, and handling CRD migrations smoothly.</li>
<li><strong>(2026)</strong> <a href="https://github.com/cert-manager/cert-manager"><mark>cert-manager/cert-manager</mark></a> <span class='md-tag md-tag--info'>⭐ 13859</span> <svg class="v2-sparkline" width="50" height="15" viewBox="0 0 50 15" style="vertical-align: middle; display: inline-block; margin-left: 6px;" title="Activity Trend"><defs><linearGradient id="spark-grad-c62f35f1" x1="0" y1="0" x2="1" y2="0"><stop offset="0%" stop-color="rgba(34, 211, 238, 0.2)" /><stop offset="100%" stop-color="var(--md-accent-fg-color)" /></linearGradient></defs><path class="v2-sparkline-path" d="M 0 10 L 10 6 L 20 3 L 30 8 L 40 12 L 50 3" fill="none" stroke="url(#spark-grad-c62f35f1)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" /><circle cx="50" cy="3" r="2" fill="var(--md-accent-fg-color)" /></svg> <span class='md-tag md-tag--warning'>[GO CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — Consolidated record of the cert-manager repository, automating certificate lifecycles to guarantee encrypted transport paths between internal microservice runtimes.</li>
<li><strong>(2026)</strong> <a href="https://cert-manager.io/docs">cert-manager.io 🌟</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Official documentation portal for cert-manager, the standard tool for cloud-native PKI. Explains configuring Issuers and Certificate manifests, detailing dynamic ACME solver pipelines, Let's Encrypt integration, and automated internal trust routing.</li>
</ul>
<h3 id="platform-hardening">Platform Hardening<a class="headerlink" href="#platform-hardening" title="Permanent link">&para;</a></h3>
<h4 id="best-practices-2">Best Practices (2)<a class="headerlink" href="#best-practices-2" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2024)</strong> <a href="https://www.redhat.com/en/topics/containers/kubernetes-security">Kubernetes Security 101: Risks and 29 Best Practices 🌟</a> <span class='md-tag md-tag--secondary'>[CASE STUDY]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Essential Red Hat Security resource detailing 29 structural recommendations across the entire build, deploy, and run lifecycle. Covers vulnerability scanning, image signing, secure context configurations, and network isolation protocols.</li>
</ul>
<h3 id="pod-security-1">Pod Security (1)<a class="headerlink" href="#pod-security-1" title="Permanent link">&para;</a></h3>
<h4 id="pod-security-policies">Pod Security Policies<a class="headerlink" href="#pod-security-policies" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://kubernetes.io/docs/concepts/security/pod-security-policy">Pod Security Policy (SCC in OpenShift) 🌟</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> <span class='md-tag md-tag--critical'>[LEGACY]</span> — Architectural comparison contrasting OpenShift Security Context Constraints (SCC) with the deprecated Kubernetes Pod Security Policy (PSP). Live Grounding confirms PSP was completely removed in Kubernetes v1.25. This reference highlights how SCC remains enterprise-stable and active for securing namespaces in Red Hat OpenShift clusters.</li>
<li><strong>(2021)</strong> <a href="https://www.suse.com/c/rancher_blog/enhancing-kubernetes-security-with-pod-security-policies-part-1">rancher.com: Enhancing Kubernetes Security with Pod Security Policies, Part 1</a> <span class='md-tag md-tag--critical'>[LEGACY]</span> — A historical look at securing container runtimes using Pod Security Policies. As PSP is now deprecated and fully removed in modern Kubernetes, this guide serves as a legacy reference for older Rancher setups. It clarifies critical container capabilities, privilege escalation preventions, and namespace defaults.</li>
<li><strong>(2021)</strong> <a href="https://developer.squareup.com/blog/kubernetes-pod-security-policies">developer.squareup.com: Kubernetes Pod Security Policies (PSP)</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--critical'>[LEGACY]</span> — Legacy deep-dive exploring Square's real-world PSP architecture and rollout procedures. Note that modern engineering standards require migrating these exact controls to Pod Security Standards (PSS) or external engines like Kyverno. Essential reading to understand historical host namespaces and filesystem restrictions.</li>
<li><strong>(2021)</strong> <a href="https://itnext.io/implementing-a-restricted-first-pod-security-policyarchitecture-af4e906593b0">itnext.io: Implementing a Secure-First Pod Security Policy Architecture</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Provides a secure-first PSP implementation strategy. In modern systems, this restricted-first paradigm must be executed via the native Pod Security Admission (PSA) controller. It guides readers on blocking privileged root escalation paths in older clusters.</li>
</ul>
<h3 id="policy-and-admission-control">Policy and Admission Control<a class="headerlink" href="#policy-and-admission-control" title="Permanent link">&para;</a></h3>
<h4 id="runtime-security-1">Runtime Security (1)<a class="headerlink" href="#runtime-security-1" title="Permanent link">&para;</a></h4>
<h5 id="legacy-tools-3">Legacy Tools (3)<a class="headerlink" href="#legacy-tools-3" title="Permanent link">&para;</a></h5>
<ul>
<li><strong>(2018)</strong> <a href="https://github.com/box/kube-exec-controller"><mark>box/kube-exec-controller</mark></a> <span class='md-tag md-tag--info'>⭐ 126</span> <svg class="v2-sparkline" width="50" height="15" viewBox="0 0 50 15" style="vertical-align: middle; display: inline-block; margin-left: 6px;" title="Activity Trend"><defs><linearGradient id="spark-grad-21605944" x1="0" y1="0" x2="1" y2="0"><stop offset="0%" stop-color="rgba(34, 211, 238, 0.2)" /><stop offset="100%" stop-color="var(--md-accent-fg-color)" /></linearGradient></defs><path class="v2-sparkline-path" d="M 0 5 L 10 6 L 20 9 L 30 6 L 40 6 L 50 2" fill="none" stroke="url(#spark-grad-21605944)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" /><circle cx="50" cy="2" r="2" fill="var(--md-accent-fg-color)" /></svg> <span class='md-tag md-tag--warning'>[GO CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — Curator Insight: Controller to restrict and audit shell execution inside Kubernetes pods. Live Grounding: Inactive for over five years. Superseded by newer ephemeral container mechanics, admission controllers (OPA/Kyverno), and modern service mesh execution boundaries.</li>
</ul>
<h4 id="validating-webhooks">Validating Webhooks<a class="headerlink" href="#validating-webhooks" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://trstringer.com/kubernetes-validating-webhook">trstringer.com: Create a Basic Kubernetes Validating Webhook</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Step-by-step technical guide for writing a custom validating admission controller webhook. Focuses on processing API requests, writing validation criteria in Go, and configuring TLS certificate pathways between the API server and the webhook pod.</li>
</ul>
<h3 id="policy-and-audit">Policy and Audit<a class="headerlink" href="#policy-and-audit" title="Permanent link">&para;</a></h3>
<h4 id="manifest-auditing">Manifest Auditing<a class="headerlink" href="#manifest-auditing" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2021)</strong> <a href="https://blog.frankel.ch/learning-auditing-kubernetes-manifests">blog.frankel.ch: Learning by auditing Kubernetes manifests</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An educational approach to understanding Kubernetes security postures through direct manifest auditing. The author walks through security context misconfigurations, detailing how over-privileged containers expose node architectures. This technique bridges the gap between passive development and active cluster security controls.</li>
</ul>
<h3 id="policy-enforcement">Policy Enforcement<a class="headerlink" href="#policy-enforcement" title="Permanent link">&para;</a></h3>
<h4 id="admission-control">Admission Control<a class="headerlink" href="#admission-control" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://kind-brown-cfb734.netlify.app/post/2021-02/kubernetes-policy-comparison-opa-gatekeeper-vs-kyverno">Neon Mirrors: Kubernetes Policy Comparison: OPA/Gatekeeper vs Kyverno</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An architectural face-off evaluating Rego-based OPA/Gatekeeper and YAML-native Kyverno. Kyverno offers exceptional ease of use for native K8s manifests, while OPA provides unparalleled expressive power for cross-system policies. It helps architects choose the correct declarative policy engine for high-compliance environments.</li>
</ul>
<h3 id="runtime-security-2">Runtime Security (2)<a class="headerlink" href="#runtime-security-2" title="Permanent link">&para;</a></h3>
<h4 id="ephemeral-containers">Ephemeral Containers<a class="headerlink" href="#ephemeral-containers" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://xenitab.github.io/blog/2022/04/12/ephemeral-container-security">xenitab.github.io: Kubernetes Ephemeral Container Security 🌟</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Explores security boundaries regarding ephemeral debugging containers, analyzing potential escalation threats through 'kubectl debug'. Highlights how improper RBAC permissions on debugging tools can expose the underlying host or container namespace. Outlines defensive constraints like restricting hostIPC and hostPID mappings.</li>
</ul>
<h4 id="ebpf">eBPF<a class="headerlink" href="#ebpf" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2021)</strong> <a href="https://developers.redhat.com/articles/2021/12/16/secure-your-kubernetes-deployments-ebpf">developers.redhat.com: Secure your Kubernetes deployments with eBPF</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Details how eBPF (Extended Berkeley Packet Filter) technology shifts the runtime security paradigm away from heavy, sidecar-based observability architectures. Demonstrates writing and attaching kernel sandboxed utilities to track execution and networking footprints with minimal CPU overhead. Crucial reading for high-scale, security-conscious platform teams.</li>
</ul>
<h4 id="ebpf-and-cilium">eBPF and Cilium<a class="headerlink" href="#ebpf-and-cilium" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2021)</strong> <a href="https://isovalent.com/blog/post/2021-11-container-escape">isovalent.com: Detecting a Container Escape with Cilium and eBPF</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An in-depth case study of container escape tactics and real-time detection utilizing eBPF and Cilium. It highlights limits of traditional syscall auditing, showcasing how kernel-level hooks identify privilege escalation without agent-induced overhead. Live Grounding points to eBPF-based security as the modern baseline for runtime security orchestration.</li>
</ul>
<h3 id="secrets-management-2">Secrets Management (2)<a class="headerlink" href="#secrets-management-2" title="Permanent link">&para;</a></h3>
<h4 id="conceptual-1">Conceptual (1)<a class="headerlink" href="#conceptual-1" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://www.macchaffee.com/blog/2022/k8s-secrets">macchaffee.com: Plain Kubernetes Secrets are fine 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An alternative architectural perspective defending native Kubernetes Secrets. Argues that when matched with strong RBAC controls, namespace boundaries, and cluster-level etcd KMS encryption, native solutions provide sufficient enterprise protection.</li>
<li><strong>(2019)</strong> <a href="https://enterprisersproject.com/article/2019/8/kubernetes-secrets-explained-plain-english">enterprisersproject.com: How to explain Kubernetes Secrets in plain English 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — An introductory conceptual explanation of Kubernetes Secrets. Translates low-level pod definitions and etcd mappings into non-technical language to align business stakeholders on cloud-native security postures.</li>
</ul>
<h4 id="developer-practice">Developer Practice<a class="headerlink" href="#developer-practice" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2021)</strong> <a href="https://millionvisit.blogspot.com/2021/07/kubernetes-for-developers-19-manage-app-credentials-using-Kubernetes-Secrets.html">millionvisit.blogspot.com: Kubernetes for Developers #19: Manage app credentials using Kubernetes Secrets 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Developer-centric guide to configuring application manifests for secret consumption. Compares the security profiles of importing secrets as environment variables against dynamic filesystem mounts, detailing runtime behavior and update propagation.</li>
</ul>
<h4 id="external-secrets">External Secrets<a class="headerlink" href="#external-secrets" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2025)</strong> <a href="https://external-secrets.io"><mark>external-secrets.io 🌟</mark></a> <span class='md-tag md-tag--warning'>[GO CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — The industry-standard operator for syncing external secrets management services (like AWS Secrets Manager, Vault, or GCP Secret Manager) into Kubernetes Secret objects. This eliminates storing sensitive configuration inside git repositories, supporting true GitOps workflows. Decoupled and secure, it is a critical security-centric component.</li>
</ul>
<h4 id="gitops">GitOps<a class="headerlink" href="#gitops" title="Permanent link">&para;</a></h4>
<h5 id="external-secrets-operator">External Secrets Operator<a class="headerlink" href="#external-secrets-operator" title="Permanent link">&para;</a></h5>
<ul>
<li><strong>(2023)</strong> <a href="https://www.youtube.com/watch?v=SyRZe5YVCVk">youtube: Manage Kubernetes Secrets With External Secrets Operator (ESO) 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — A technical demonstration detailing the installation and runtime management of the External Secrets Operator (ESO). Demonstrates synchronization pipelines that pull credentials from HashiCorp Vault and cloud providers into native secret schemas.</li>
</ul>
<h5 id="sealed-secrets">Sealed Secrets<a class="headerlink" href="#sealed-secrets" title="Permanent link">&para;</a></h5>
<ul>
<li><strong>(2022)</strong> <a href="https://dev.to/stack-labs/store-your-kubernetes-secrets-in-git-thanks-to-kubeseal-hello-sealedsecret-2i6h">dev.to: Store your Kubernetes Secrets in Git thanks to Kubeseal. Hello SealedSecret! 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — A step-by-step implementation guide for Bitnami's Sealed Secrets (kubeseal). Explains how asymmetric cryptography allows developers to safely commit encrypted secrets to public repositories, leaving cluster-side controllers to handle automated decryption.</li>
<li><strong>(2022)</strong> <a href="https://piotrminkowski.com/2022/12/14/sealed-secrets-on-kubernetes-with-argocd-and-terraform">piotrminkowski.com: Sealed Secrets on Kubernetes with ArgoCD and Terraform</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Demonstrates the end-to-end automation of Bitnami Sealed Secrets using Terraform and ArgoCD. Helps DevOps architects define declarative pipelines that provision the sealed secret operator and manage encrypted configurations in Git repositories.</li>
<li><strong>(2022)</strong> <a href="https://www.redhat.com/en/blog/a-guide-to-secrets-management-with-gitops-and-kubernetes">cloud.redhat.com: A Guide to Secrets Management with GitOps and Kubernetes 🌟</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--secondary'>[CASE STUDY]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Red Hat's whitepaper outlining standard solutions for GitOps secrets management. Contrasts the operational overhead and security profiles of Sealed Secrets, vault-sidecars, and external integration engines in CD environments.</li>
</ul>
<h4 id="hashicorp-vault">HashiCorp Vault<a class="headerlink" href="#hashicorp-vault" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2021)</strong> <a href="https://itnext.io/effective-secrets-with-vault-and-kubernetes-9af5f5c04d06">itnext.io: Effective Secrets with Vault and Kubernetes</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Architectural overview on configuring HashiCorp Vault inside Kubernetes clusters. Covers the Vault Agent Sidecar Injector pattern, dynamic database credential generation, and leveraging Kubernetes service accounts for seamless Vault token exchange.</li>
<li><strong>(2021)</strong> <a href="https://itnext.io/vault-cluster-with-auto-unseal-on-kubernetes-8e469f9cdcfd">itnext.io: Vault cluster with auto unseal on Kubernetes</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Detailed structural guide for configuring an enterprise-grade, highly available HashiCorp Vault cluster in Kubernetes. Features automated unsealing integrations using cloud KMS systems (AWS KMS/GCP KMS) to remove manual keys dependencies.</li>
</ul>
<h4 id="kms-integration">KMS Integration<a class="headerlink" href="#kms-integration" title="Permanent link">&para;</a></h4>
<h5 id="legacy-tools-4">Legacy Tools (4)<a class="headerlink" href="#legacy-tools-4" title="Permanent link">&para;</a></h5>
<ul>
<li><strong>(2023)</strong> <a href="https://github.com/ondat/trousseau"><mark>github.com/ondat/trousseau</mark></a> <span class='md-tag md-tag--info'>⭐ 181</span> <svg class="v2-sparkline" width="50" height="15" viewBox="0 0 50 15" style="vertical-align: middle; display: inline-block; margin-left: 6px;" title="Activity Trend"><defs><linearGradient id="spark-grad-9359322e" x1="0" y1="0" x2="1" y2="0"><stop offset="0%" stop-color="rgba(34, 211, 238, 0.2)" /><stop offset="100%" stop-color="var(--md-accent-fg-color)" /></linearGradient></defs><path class="v2-sparkline-path" d="M 0 5 L 10 9 L 20 5 L 30 9 L 40 5 L 50 10" fill="none" stroke="url(#spark-grad-9359322e)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" /><circle cx="50" cy="10" r="2" fill="var(--md-accent-fg-color)" /></svg> <span class='md-tag md-tag--warning'>[GO CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> <span class='md-tag md-tag--critical'>[LEGACY]</span> — Curator Insight: KMS integration designed to encrypt secrets inside etcd using external key management systems. Live Grounding: This repository is unmaintained and archived following Ondat's acquisition. Deprioritized under MVQ rules in favor of native Kubernetes KMS v2 features.</li>
</ul>
<h4 id="owasp">OWASP<a class="headerlink" href="#owasp" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://itnext.io/kubernetes-owasp-top-10-secrets-management-c996faa87b47">itnext.io: Kubernetes OWASP Top 10: Secrets Management</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Addresses Secrets Management under the OWASP Kubernetes threat framework. Details vulnerabilities of default etcd storage parameters and details using External Secrets Operator or HashiCorp Vault. Prevents secrets exposure via repository check-ins or pod environment parameters.</li>
</ul>
<h4 id="platform-hardening-1">Platform Hardening (1)<a class="headerlink" href="#platform-hardening-1" title="Permanent link">&para;</a></h4>
<h5 id="conceptual-2">Conceptual (2)<a class="headerlink" href="#conceptual-2" title="Permanent link">&para;</a></h5>
<ul>
<li><strong>(2022)</strong> <a href="https://x.com/originalavalamp">"Kubernetes base64 encodes secrets because that makes arbitrary data play nice with JSON. It had nothing to do with the security model (or lack thereof). It did not occur to us at the time that people could mistake base64 for some form of encryption"</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A curated synthesis of engineering consensus regarding Kubernetes native base64 secrets. Emphasizes that encoding is not encryption and acts strictly as a data-serialization layer. Highly recommends implementing RBAC, audit logging, and envelope KMS encryption.</li>
<li><strong>(2026)</strong> <a href="https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data">kubernetes.io: Encrypting Secret Data at Rest 🌟</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Official reference guide to implementing etcd database encryption at rest. Walks through configuring structural 'EncryptionConfiguration' resources, comparing local providers (AES-GCM, secretbox) against enterprise Cloud KMS plugins.</li>
</ul>
<h4 id="stateful-apps">Stateful Apps<a class="headerlink" href="#stateful-apps" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2021)</strong> <a href="https://www.kubermatic.com/blog/keeping-the-state-of-apps-part-2-introduction-to-secrets">kubermatic.com: Keeping the State of Apps Part 2: Introduction to Secrets</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An overview of state management strategies within modern Kubernetes runtimes. Highlights basic secrets integration patterns, emphasizing security isolation layers required to protect persistent state in complex application architectures.</li>
</ul>
<h3 id="static-analysis">Static Analysis<a class="headerlink" href="#static-analysis" title="Permanent link">&para;</a></h3>
<h4 id="manifest-auditing-1">Manifest Auditing (1)<a class="headerlink" href="#manifest-auditing-1" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://itnext.io/performing-security-checks-for-deployed-kubernetes-manifests-fa9d442b7951">itnext.io: Performing Security Checks for Deployed Kubernetes Manifests</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Reviews technical methods to assess security profiles of Kubernetes configurations prior to cluster deployment. Explains standard static evaluation tools and custom policy syntax like Open Policy Agent (OPA) or Kyverno. Focuses on integrating these guardrails directly within pull request pipelines.</li>
</ul>
<h3 id="system-hardening">System Hardening<a class="headerlink" href="#system-hardening" title="Permanent link">&para;</a></h3>
<h4 id="security-profiles-operator">Security Profiles Operator<a class="headerlink" href="#security-profiles-operator" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2025)</strong> <a href="https://github.com/kubernetes-sigs/security-profiles-operator"><strong>kubernetes-sigs/security-profiles-operator</strong></a> <span class='md-tag md-tag--info'>⭐ 848</span> <svg class="v2-sparkline" width="50" height="15" viewBox="0 0 50 15" style="vertical-align: middle; display: inline-block; margin-left: 6px;" title="Activity Trend"><defs><linearGradient id="spark-grad-ff8a23e7" x1="0" y1="0" x2="1" y2="0"><stop offset="0%" stop-color="rgba(34, 211, 238, 0.2)" /><stop offset="100%" stop-color="var(--md-accent-fg-color)" /></linearGradient></defs><path class="v2-sparkline-path" d="M 0 6 L 10 5 L 20 7 L 30 13 L 40 8 L 50 2" fill="none" stroke="url(#spark-grad-ff8a23e7)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" /><circle cx="50" cy="2" r="2" fill="var(--md-accent-fg-color)" /></svg> <span class='md-tag md-tag--warning'>[GO CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[ENTERPRISE-STABLE]</span> — The official Kubernetes SIG operator for managing Seccomp, AppArmor, and SELinux profiles natively. Live Grounding confirms its active role in highly regulated sectors for hardening container execution spaces. It replaces manual node profiling with declarative, cluster-wide configurations.</li>
<li><strong>(2021)</strong> <a href="https://kubernetes.io/blog/2021/12/17/security-profiles-operator">kubernetes.io: What's new in Security Profiles Operator v0.4.0</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An official release announcement detailing the evolution of SPO. It highlights improved profile recording capabilities, integration with kubectl, and initial support for SELinux. Crucial for understanding the transition from manual profiles to automation.</li>
</ul>
<h3 id="threat-modeling-1">Threat Modeling (1)<a class="headerlink" href="#threat-modeling-1" title="Permanent link">&para;</a></h3>
<h4 id="penetration-testing-2">Penetration Testing (2)<a class="headerlink" href="#penetration-testing-2" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2021)</strong> <a href="https://dev.to/tutorialboy/a-detailed-talk-about-k8s-cluster-security-from-the-perspective-of-attackers-part-1-3mm5">dev.to: A Detailed Talk about K8S Cluster Security from the Perspective of Attackers (Part 1)</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Provides an attacker's perspective on Kubernetes deployment flaws. Explores breakout methodologies, privilege escalation via over-permissioned service accounts, and API Server compromise scenarios, illustrating defensive configurations required to counter threats.</li>
</ul>
<h3 id="threat-vector">Threat Vector<a class="headerlink" href="#threat-vector" title="Permanent link">&para;</a></h3>
<h4 id="internet-exposure-1">Internet Exposure (1)<a class="headerlink" href="#internet-exposure-1" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2023)</strong> <a href="https://cyble.com/blog/exposed-kubernetes-clusters">blog.cyble.com: Exposed Kubernetes Clusters</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Threat intelligence research showing search profiles of exposed clusters active across the globe. Highlights typical compromise pathways starting from default configurations or misconfigured control plane boundaries. Recommends strict perimeter restrictions.</li>
</ul>
<h4 id="observability-exposure">Observability Exposure<a class="headerlink" href="#observability-exposure" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://www.sysdig.com/blog/exposed-prometheus-exploit-kubernetes-kubeconeu">sysdig.com: How attackers use exposed Prometheus server to exploit Kubernetes clusters | Miguel Hernández</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An analytical threat report detailing how exposed Prometheus endpoints can facilitate cluster compromise. Explains how attackers scan for unauthenticated metrics interfaces to harvest metadata, endpoints, and environment configurations. Demonstrates step-by-step mitigation paths, including mandatory mTLS and RBAC verification.</li>
</ul>
<h3 id="tooling">Tooling<a class="headerlink" href="#tooling" title="Permanent link">&para;</a></h3>
<h4 id="security-auditing-1">Security Auditing (1)<a class="headerlink" href="#security-auditing-1" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://mattermost.com/blog/the-top-7-open-source-tools-for-securing-your-kubernetes-cluster">mattermost.com: The Top 7 Open Source Tools for Securing Your Kubernetes Cluster</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — This resource provides a comparative overview of seven premier open-source tools designed for Kubernetes security hardening. It introduces utilities like Trivy, Falco, and Kube-hunter, aligning each with specific pipeline gates or runtime defenses. Serves as a useful high-level map for architects selecting security tooling.</li>
</ul>
<h3 id="vulnerabilities">Vulnerabilities<a class="headerlink" href="#vulnerabilities" title="Permanent link">&para;</a></h3>
<h4 id="cve-tracking">CVE Tracking<a class="headerlink" href="#cve-tracking" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2025)</strong> <a href="https://kubernetes.io/docs/reference/issues-security/official-cve-feed">kubernetes.io: Official CVE Feed 🌟</a> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — The official database of active and resolved CVEs for the Kubernetes ecosystem. It tracks core component bugs, container execution vulnerabilities, and control plane bypass vectors. Maintaining a regular review of this feed is an essential component of modern enterprise risk mitigation.</li>
<li><strong>(2022)</strong> <a href="https://kubernetes.io/blog/2022/09/12/k8s-cve-feed-alpha">kubernetes.io: Announcing the Auto-refreshing Official Kubernetes CVE Feed</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Details the launch of the programmatically accessible, auto-refreshing CVE feed in JSON/YAML. This allows security automation tooling to dynamically scan and trigger alerts on freshly discovered platform vulnerabilities, greatly speeding up remediation and patching schedules.</li>
</ul>
<h4 id="case-studies-1">Case Studies (1)<a class="headerlink" href="#case-studies-1" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2021)</strong> <a href="https://hackerone.com/reports/1249583">hackerone.com: Authenticated kubernetes principal with restricted permissions can retrieve ingress-nginx serviceaccount token and secrets across all namespaces</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A detailed post-mortem report demonstrating how restricted cluster principals could extract ingress-nginx service account tokens. This real-world vulnerability highlights the architectural danger of over-privileged system namespaces. It emphasizes the need to isolate and continuously audit ingress controller configurations.</li>
</ul>
<h4 id="post-deployment-scanning">Post-Deployment Scanning<a class="headerlink" href="#post-deployment-scanning" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2025)</strong> <a href="https://github.com/kubescape/kubescape"><mark>kubescape</mark></a> <span class='md-tag md-tag--info'>⭐ 11480</span> <svg class="v2-sparkline" width="50" height="15" viewBox="0 0 50 15" style="vertical-align: middle; display: inline-block; margin-left: 6px;" title="Activity Trend"><defs><linearGradient id="spark-grad-405075a0" x1="0" y1="0" x2="1" y2="0"><stop offset="0%" stop-color="rgba(34, 211, 238, 0.2)" /><stop offset="100%" stop-color="var(--md-accent-fg-color)" /></linearGradient></defs><path class="v2-sparkline-path" d="M 0 10 L 10 5 L 20 5 L 30 10 L 40 13 L 50 5" fill="none" stroke="url(#spark-grad-405075a0)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" /><circle cx="50" cy="5" r="2" fill="var(--md-accent-fg-color)" /></svg> <span class='md-tag md-tag--warning'>[GO CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — An active CNCF Sandbox tool providing multi-framework configuration scanning, risk analysis, and vulnerability management. It integrates into CI/CD pipelines to ensure continuous verification of compliance frameworks (like CIS and NSA-CISA). Essential for enterprise teams seeking unified security visibility.</li>
</ul>
<h3 id="vulnerability-assessment">Vulnerability Assessment<a class="headerlink" href="#vulnerability-assessment" title="Permanent link">&para;</a></h3>
<h4 id="cis-benchmarks-2">CIS Benchmarks (2)<a class="headerlink" href="#cis-benchmarks-2" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://github.com/rancher/cis-operator">rancher/cis-operator</a> <span class='md-tag md-tag--info'>⭐ 55</span> <svg class="v2-sparkline" width="50" height="15" viewBox="0 0 50 15" style="vertical-align: middle; display: inline-block; margin-left: 6px;" title="Activity Trend"><defs><linearGradient id="spark-grad-551ff0f6" x1="0" y1="0" x2="1" y2="0"><stop offset="0%" stop-color="rgba(34, 211, 238, 0.2)" /><stop offset="100%" stop-color="var(--md-accent-fg-color)" /></linearGradient></defs><path class="v2-sparkline-path" d="M 0 5 L 10 2 L 20 13 L 30 6 L 40 4 L 50 2" fill="none" stroke="url(#spark-grad-551ff0f6)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" /><circle cx="50" cy="2" r="2" fill="var(--md-accent-fg-color)" /></svg> <span class='md-tag md-tag--warning'>[GO CONTENT]</span> 🌟🌟 <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Rancher's cis-operator is an automated tool running CIS security scans natively within Rancher ecosystems. It generates compliance reports validating control plane and worker components against standard security baselines. A key utility for multi-cluster environments managed via Rancher.</li>
<li><strong>(2022)</strong> <a href="https://palark.com/blog/kubernetes-security-with-kube-bench-and-kube-hunter">blog.flant.com: Kubernetes cluster security assessment with kube-bench and kube-hunter</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Evaluates how to deploy and configure Aqua Security's kube-bench alongside kube-hunter. Shows how to automate node validation against CIS benchmarks, and actively scan cluster endpoints for network exposure vectors. Offers a potent open-source combination for regular pentesting operations.</li>
</ul>
<h4 id="policy-enforcement-1">Policy Enforcement (1)<a class="headerlink" href="#policy-enforcement-1" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2023)</strong> <a href="https://github.com/Shopify/kubeaudit"><strong>github.com/Shopify/kubeaudit 🌟🌟</strong></a> <span class='md-tag md-tag--info'>⭐ 1937</span> <svg class="v2-sparkline" width="50" height="15" viewBox="0 0 50 15" style="vertical-align: middle; display: inline-block; margin-left: 6px;" title="Activity Trend"><defs><linearGradient id="spark-grad-29183622" x1="0" y1="0" x2="1" y2="0"><stop offset="0%" stop-color="rgba(34, 211, 238, 0.2)" /><stop offset="100%" stop-color="var(--md-accent-fg-color)" /></linearGradient></defs><path class="v2-sparkline-path" d="M 0 10 L 10 10 L 20 2 L 30 8 L 40 2 L 50 5" fill="none" stroke="url(#spark-grad-29183622)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" /><circle cx="50" cy="5" r="2" fill="var(--md-accent-fg-color)" /></svg> <span class='md-tag md-tag--warning'>[GO CONTENT]</span> 🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[ENTERPRISE-STABLE]</span> <span class='md-tag md-tag--critical'>[LEGACY]</span> — Shopify's kubeaudit is a popular open-source tool targeting configuration analysis. Curators note its ability to audit running clusters or local manifests for root execution or privilege escalations. <em>Live Grounding (2026)</em>: The repository is archived/read-only, but its audit logic remains highly influential for policy structures.</li>
<li><strong>(2022)</strong> <a href="https://itnext.io/kubernetes-owasp-top-10-centralised-policy-enforcement-9adc53438e22">itnext.io: Kubernetes OWASP Top 10: Centralised Policy Enforcement</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Investigates mitigating risks from the OWASP Kubernetes Top 10 using centralized Policy-as-Code platforms like OPA Gatekeeper or Kyverno. Focuses on setting up mutating and validating admission webhooks to prevent non-compliant configs from deploying. Establishes programmatic posture control.</li>
<li><strong>(2021)</strong> <a href="https://www.infoq.com/news/2021/09/kubescape">infoq.com: Armo Releases Kubescape K8s Security Testing Tool: Q&amp;A with VP Jonathan Kaftzan</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An interview exploring the architecture, technical goals, and philosophy behind Kubescape. Focuses on simplifying multi-framework compliance analysis for platform engineers. Details how the tool analyzes YAML formats and active runtimes to find security posture anomalies.</li>
</ul>
<h4 id="threat-modeling-2">Threat Modeling (2)<a class="headerlink" href="#threat-modeling-2" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://owasp.org/www-project-kubernetes-top-ten">owasp.org: OWASP Kubernetes Top Ten</a> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — The official OWASP Kubernetes Top Ten project document. Outlines the ten most dangerous vulnerabilities facing modern orchestrator deployments, including API vulnerabilities, insecure defaults, and supply-chain bugs. The core benchmark for establishing cluster defense strategies.</li>
<li><strong>(2022)</strong> <a href="https://www.sysdig.com/blog/top-owasp-kubernetes">sysdig.com: OWASP Kubernetes Top 10 🌟</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A deep analysis of the OWASP Kubernetes Top 10, exploring actual deployment misconfigurations that map to these risks. Details supply chain threats, poor credentials storage, and audit log gaps. Offers recommendations to strengthen system setups.</li>
</ul>
<h3 id="zero-trust">Zero Trust<a class="headerlink" href="#zero-trust" title="Permanent link">&para;</a></h3>
<h4 id="service-mesh-and-networking">Service Mesh and Networking<a class="headerlink" href="#service-mesh-and-networking" title="Permanent link">&para;</a></h4>
<ul>
<li><strong>(2022)</strong> <a href="https://www.copado.com/resources/blog/applying-a-zero-trust-infrastructure-in-kubernetes">copado.com: Applying a Zero Trust Infrastructure in Kubernetes</a> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An architecture guide on applying Zero Trust principles to Kubernetes infrastructure environments. It covers building cryptographically verifiable workload identities via SPIFFE/SPIRE, and micro-segmenting service interactions with mTLS. Transitions teams away from perimeter-only defenses to continuous validation.</li>
</ul>
<h3 id="zero-trust-architecture">Zero Trust Architecture<a class="headerlink" href="#zero-trust-architecture" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2022)</strong> <a href="https://thenewstack.io/securing-access-to-kubernetes-environments-with-zero-trust">thenewstack.io: Securing Access to Kubernetes Environments with Zero Trust</a> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Discusses securing cloud-native setups using Zero Trust strategies. Covers real-time threat assessments, deep access auditing, and replacing static certificates with automated network micro-segmentation.</li>
</ul>
<h2 id="security-training-and-playgrounds">Security Training and Playgrounds<a class="headerlink" href="#security-training-and-playgrounds" title="Permanent link">&para;</a></h2>
<h3 id="kubernetes-goat-lab">Kubernetes Goat Lab<a class="headerlink" href="#kubernetes-goat-lab" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://madhuakula.com/kubernetes-goat">Kubernetes Goat 🌟</a> <span class='md-tag md-tag--warning'>[GO CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An intentionally vulnerable cluster environment designed for hands-on cybersecurity training. Includes self-contained scenarios exploring SSRF, container escape, secrets leakage, and misconfigured RBAC roles.</li>
</ul>
<h2 id="supply-chain-security">Supply Chain Security<a class="headerlink" href="#supply-chain-security" title="Permanent link">&para;</a></h2>
<h3 id="open-source-vulnerability-scanning">Open Source Vulnerability Scanning<a class="headerlink" href="#open-source-vulnerability-scanning" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://resources.whitesourcesoftware.com/blog-whitesource/kubernetes-security">resources.whitesourcesoftware.com: Kubernetes Security Best Practices 🌟</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Details patterns for implementing automated security controls, concentrating on software composition analysis (SCA), secrets lifecycle management, and validating supply-chain container provenance.</li>
</ul>
<h3 id="signature-verification-and-ratify">Signature Verification and Ratify<a class="headerlink" href="#signature-verification-and-ratify" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2021)</strong> <a href="https://www.infoworld.com/article/2271333/securing-the-kubernetes-software-supply-chain.html">infoworld.com: Securing the Kubernetes software supply chain with Microsoft's Ratify</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Focuses on utilizing Ratify as an admission controller to verify container metadata, secure supply-chain signatures (via Cosign/Notation), and enforce strict provenance validation before execution.</li>
</ul>
<h2 id="threat-modeling-3">Threat Modeling (3)<a class="headerlink" href="#threat-modeling-3" title="Permanent link">&para;</a></h2>
<h3 id="mitre-attandck-adaptation">MITRE ATTandCK Adaptation<a class="headerlink" href="#mitre-attandck-adaptation" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2021)</strong> <a href="https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes">microsoft.com: Secure containerized environments with updated threat matrix for Kubernetes</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Discusses updates to Microsoft's threat matrix for Kubernetes, refining mapped attack vectors based on modern production compromise telemetry. Covers control plane compromises and cloud identity integrations.</li>
</ul>
<h3 id="mitre-attandck-framework">MITRE ATTandCK Framework<a class="headerlink" href="#mitre-attandck-framework" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes">Microsoft.com: Attack matrix for Kubernetes 🌟</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Microsoft's systematic adaptation of the MITRE ATT&amp;CK framework mapping out K8s attack vectors from initial access to execution, persistence, privilege escalation, and impact. Helps security operators assess risks in orchestration configurations.</li>
</ul>
<h2 id="vulnerability-assessment-tools">Vulnerability Assessment Tools<a class="headerlink" href="#vulnerability-assessment-tools" title="Permanent link">&para;</a></h2>
<h3 id="kubestriker-scanner">Kubestriker Scanner<a class="headerlink" href="#kubestriker-scanner" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2021)</strong> <a href="https://www.helpnetsecurity.com/2021/05/04/security-kubernetes">helpnetsecurity.com: Kubestriker: A security auditing tool for Kubernetes clusters 🌟</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Reviews Kubestriker, a lightweight, agentless open-source security scanner that audits Kubernetes control plane configurations, insecure ports, and IAM roles for vulnerabilities.</li>
</ul>
<h2 id="workload-hardening">Workload Hardening<a class="headerlink" href="#workload-hardening" title="Permanent link">&para;</a></h2>
<h3 id="identity-and-access-management-2">Identity and Access Management (2)<a class="headerlink" href="#identity-and-access-management-2" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://thenewstack.io/laying-the-groundwork-for-kubernetes-security-across-workloads-pods-and-users">thenewstack.io: Laying the Groundwork for Kubernetes Security, Across Workloads, Pods and Users</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Analyzes the multi-dimensional security layers required for modern Kubernetes deployments, addressing workload isolation, Pod Security Standards (PSS), and secure developer workflow patterns.</li>
</ul>
<h3 id="pod-security-context">Pod Security Context<a class="headerlink" href="#pod-security-context" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://snyk.io/blog/10-kubernetes-security-context-settings-you-should-understand">snyk.io: 10 Kubernetes Security Context settings you should understand</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Detailed documentation of essential Security Context settings (e.g., <code>allowPrivilegeEscalation</code>, <code>readOnlyRootFilesystem</code>, and <code>runAsNonRoot</code>) used to harden workload runtimes.</li>
</ul>
<h3 id="pod-specifications">Pod Specifications<a class="headerlink" href="#pod-specifications" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2021)</strong> <a href="https://blog.gitguardian.com/kubernetes-tutorial-part-1-pods">blog.gitguardian.com: Kubernetes Hardening Tutorial Part 1: Pods</a> <span class='md-tag md-tag--warning'>[N/A CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Part one of GitGuardian's workload security tutorial, targeting critical pod configurations such as root user restrictions, secure namespaces, and minimizing host-level network sharing.</li>
</ul>
<h2 id="workstation-client-security">Workstation Client Security<a class="headerlink" href="#workstation-client-security" title="Permanent link">&para;</a></h2>
<h3 id="kubeconfig-hardening">Kubeconfig Hardening<a class="headerlink" href="#kubeconfig-hardening" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>(2020)</strong> <a href="https://gist.github.com/PatrLind/e651d3cbc3bf68e4bd9fcc9568cbd3fb">gist.github.com: How to protect your ~/.kube/ configuration</a> <span class='md-tag md-tag--warning'>[SHELL CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Provides hardening steps for securing developer workstation <code>~/.kube/config</code> files. Details POSIX permissions adjustments, the usage of credential helpers, and avoiding static administrative token storage.</li>
</ul>
<hr />
<p>💡 <strong>Explore Related:</strong> <a href="../iac/">IaC</a> | <a href="../terraform/">Terraform</a> | <a href="../chef/">Chef</a></p>
</article>
</div>
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
</div>
<button type="button" class="md-top md-icon" data-md-component="top" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8z"/></svg>
Back to top
</button>
</main>
<footer class="md-footer">
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
<div class="md-copyright__highlight">
Copyright &copy; 2026 Nubenetes Agentic Intelligence
</div>
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
<div class="md-social">
<a href="https://github.com/nubenetes/awesome-kubernetes" target="_blank" rel="noopener" title="github.com" class="md-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><!--! Font Awesome Free 7.1.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2025 Fonticons, Inc.--><path d="M173.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M252.8 8C114.1 8 8 113.3 8 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C436.2 457.8 504 362.9 504 252 504 113.3 391.5 8 252.8 8M105.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</a>
<a href="https://twitter.com/nubenetes" target="_blank" rel="noopener" title="twitter.com" class="md-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><!--! Font Awesome Free 7.1.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2025 Fonticons, Inc.--><path d="M459.4 151.7c.3 4.5.3 9.1.3 13.6 0 138.7-105.6 298.6-298.6 298.6-59.5 0-114.7-17.2-161.1-47.1 8.4 1 16.6 1.3 25.3 1.3 49.1 0 94.2-16.6 130.3-44.8-46.1-1-84.8-31.2-98.1-72.8 6.5 1 13 1.6 19.8 1.6 9.4 0 18.8-1.3 27.6-3.6-48.1-9.7-84.1-52-84.1-103v-1.3c14 7.8 30.2 12.7 47.4 13.3-28.3-18.8-46.8-51-46.8-87.4 0-19.5 5.2-37.4 14.3-53C87.4 130.8 165 172.4 252.1 176.9c-1.6-7.8-2.6-15.9-2.6-24C249.5 95.1 296.3 48 354.4 48c30.2 0 57.5 12.7 76.7 33.1 23.7-4.5 46.5-13.3 66.6-25.3-7.8 24.4-24.4 44.8-46.1 57.8 21.1-2.3 41.6-8.1 60.4-16.2-14.3 20.8-32.2 39.3-52.6 54.3"/></svg>
</a>
<a href="https://www.linkedin.com/groups/1937212/" target="_blank" rel="noopener" title="www.linkedin.com" class="md-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 7.1.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2025 Fonticons, Inc.--><path d="M416 32H31.9C14.3 32 0 46.5 0 64.3v383.4C0 465.5 14.3 480 31.9 480H416c17.6 0 32-14.5 32-32.3V64.3c0-17.8-14.4-32.3-32-32.3M135.4 416H69V202.2h66.5V416zM102.2 96a38.5 38.5 0 1 1 0 77 38.5 38.5 0 1 1 0-77m282.1 320h-66.4V312c0-24.8-.5-56.7-34.5-56.7-34.6 0-39.9 27-39.9 54.9V416h-66.4V202.2h63.7v29.2h.9c8.9-16.8 30.6-34.5 62.9-34.5 67.2 0 79.7 44.3 79.7 101.9z"/></svg>
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"annotate": null, "base": "..", "features": ["navigation.tabs", "navigation.tabs.sticky", "navigation.top", "navigation.tracking", "navigation.sections", "navigation.expand", "navigation.indexes", "search.suggest", "search.highlight", "search.share", "content.code.copy", "content.action.view", "content.action.edit", "content.tooltips", "navigation.prune", "toc.integrate"], "search": "../assets/javascripts/workers/search.2c215733.min.js", "tags": null, "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"provider": "mike"}}</script>
<script src="../assets/javascripts/bundle.79ae519e.min.js"></script>
<script src="../static/v2_filter.js"></script>
</body>
</html>