awesome-kubernetes/v2-docs/kubernetes-security.md

Kubernetes Security

!!! info "Architectural Context"
    Detailed reference for Kubernetes Security in the context of Hardened Infrastructure.

Standard Reference

Cloud Architecture

Cloud Native Infrastructure

Ingress and API Gateways

  • (2025) docs.traefik.io 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — The official documentation for Traefik Proxy, showcasing a clean, production-grade implementation of MkDocs. It illustrates how complex microservice routing, TLS termination, and middleware configurations can be elegantly structured. Double-Evidence: While initially seen as a standard documentation site, live grounding shows it serves as a golden reference for structural information layout and API reference nesting in cloud-native ingress architectures.

Cloud Infrastructure

Container Runtimes

Security

Kubernetes

Education

  • Offers curated study material on cluster setup and cluster hardening.
  • Provides blueprints for microservice security, system hardening, and run-time threat detection.
  • Kubernetes Goat 🌟 [ENTERPRISE-STABLE] — The premier interactive, intentionally vulnerable Kubernetes environment designed for learning cloud-native security. It features various real-world scenarios covering container escapes, SSRF, and credential harvesting, making it invaluable for security training.

Networking

  • cilium.io [ADVANCED LEVEL] [DE FACTO STANDARD] — An eBPF-powered open-source project that provides high-performance, secure, and observable networking, load balancing, and network security for Kubernetes workloads. Cilium is widely adopted by enterprise platforms due to its scale capabilities and granular L3-L7 policy controls.
  • itnext.io: How-To: Kubernetes Cluster Network Security 🌟 [ADVANCED LEVEL] [ENTERPRISE-STABLE] — A detailed technical guide explaining network security configurations within Kubernetes clusters. It demonstrates how to write and apply zero-trust Network Policies to restrict pod-to-pod and egress traffic effectively.

Observability

  • Details rule construction and audit filtering.
  • Provides blueprint event matching for runtime anomalies and suspicious API server activities.
  • Analyze Kubernetes Audit logs using Falco 🌟 [COMMUNITY-TOOL] — A hands-on open-source demonstration project for analyzing Kubernetes audit logs on lightweight K3s clusters using Falco. Ideal for dev environments and homelabs to understand security monitoring patterns.

Policy-as-Code

  • Kyverno 🌟 [DE FACTO STANDARD] — A CNCF graduated Kubernetes-native policy engine.
  • Allows policy definition as standard Kubernetes resources (YAML).
  • Eliminates the need for complex DSLs like Rego.
  • Simplifies admission control, generation, mutation, and validation of workloads.
  • kyverno.io: 56 sample policies 🌟 [DOCUMENTATION] [ENTERPRISE-STABLE] — A rich library of ready-to-use Kyverno policy definitions. These templates address common cloud security standards (Pod Security Standards, multi-tenancy constraints, best practices, and resource optimization parameters) for instant cluster hardening.

Security (1)

  • Explores typical configuration flaws in real-world clusters.
  • Analyzes overly permissive workloads and provides actionable remediation tactics for DevOps teams.
  • Details how network privilege escalation can occur via underlying CNI vulnerabilities.
  • Highlights critical hardening practices for the network layer.
  • Covers network policies and API server firewall configurations.
  • Provides essential port security rules and cluster isolation tactics.
  • Categorizes real-world threat vectors from initial access to execution.
  • Provides cloud security teams with an indispensable threat modeling guide for lateral movement and cluster compromise.
  • Emphasizes shift-left container scanning.
  • Focuses on Kubernetes API exposure minimization and runtime threat detection.
  • Details how the tool scans clusters for RBAC misconfigurations.
  • Pinpoints exposed endpoints and vulnerable images to provide rapid threat-vector modeling.

Cloud Native Security

Supply Chain Security

Security Tooling

Identity and Access Management

Cloud IAM

Microsoft Entra

  • Configure Microsoft Entra for Increased Security [DOCUMENTATION] [ENTERPRISE-STABLE] — Official documentation outlines hardening parameters for Microsoft Entra ID. Features prescriptive blueprints for setting up conditional access, continuous access evaluation, Multi-Factor Authentication (MFA), and role-based identity management.

Microservices

Application Lifecycle

Kubernetes Deployment

  • itnext.io: Journey Of A Microservice Application In The Kubernetes World 🌟 [EN CONTENT] [ENTERPRISE-STABLE] — Follows a microservice application from development to full-scale production deployment on Kubernetes, focusing on ingress, security, and scaling. Curator insight breaks down architectural steps, including secure service routing and config separation. Live grounding verifies that understanding the holistic life cycle helps teams avoid standard reliability bottlenecks and secure their continuous delivery setups.

Platform Security

Compliance and Auditing

Security Frameworks

  • armosec.io: Kubernetes Security Compliance Frameworks 🌟 [ADVANCED LEVEL] [GUIDE] [ENTERPRISE-STABLE] — Provides a thorough breakdown of standard security compliance frameworks applicable to Kubernetes environments, including CIS Benchmarks, NSA-CISA hardening guides, and MITRE ATT&CK. Details key validation metrics and remediation methods required to audit clusters against these controls.

Kubernetes Fundamentals

Security Concepts

  • (2026) ==kubernetes.io: Overview of Cloud Native Security== [DOCUMENTATION] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — The authoritative framework defining Kubernetes security architecture across the 'FourCs' Model: Cloud, Cluster, Container, and Code. Serves as the foundational blueprint for understanding attack vectors, defense-in-depth methodologies, and default-deny paradigms in orchestrating container workloads safely.

Security (2)

Access Control

Execution Control

  • box/kube-exec-controller 126 [EN CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Curator Insight: Controller to restrict and audit shell execution inside Kubernetes pods. Live Grounding: Inactive for over five years. Superseded by newer ephemeral container mechanics and modern service mesh execution boundaries.

Hardening

  • marcusnoble.co.uk: Restricting cluster-admin Permissions [EN CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Curator Insight: Practical methodology for limiting root-level administrative bindings in multi-tenant environments. Live Grounding: A crucial case study showing how to configure impersonation limits and prevent privilege escalation via cluster-admin bounds.

Multi-Cluster Access

  • paralus.io 🌟 [EN CONTENT] [ADVANCED LEVEL] [ENTERPRISE-STABLE] — Curator Insight: Open-source access management tool providing centralized RBAC controls for multi-cluster environments. Live Grounding: Integrates seamlessly with OIDC identity providers to enforce fine-grained access policies across diverse cloud providers.

RBAC Architecture

  • (2024) ==learnk8s.io: Limiting access to Kubernetes resources with RBAC 🌟🌟🌟== [EN CONTENT] [GUIDE] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — Curator Insight: A highly visual, structured breakdown of RBAC authorization bounds. Live Grounding: LearnK8s provides precise visual guides mapping Kubernetes cluster components to API requests, forming a gold standard for authorization training.
  • (2023) loft.sh: Kubernetes RBAC: Basics and Advanced Patterns [EN CONTENT] [GUIDE] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — Curator Insight: Deep-dive architecture guide covering basic principles and complex patterns. Live Grounding: Explains how to scale permissions securely in multi-tenant systems using namespaces and cluster roles, backed by Loft's enterprise virtualization experience.

RBAC Auditing Tools

  • Krane 🌟 740 [EN CONTENT] [LEGACY] — Curator Insight: An open-source Kubernetes RBAC static analysis tool designed to identify risky roles, cluster roles, and broad resource access configurations. Live Grounding: The repository is archived and inactive for over 4 years. While the structural rules engine remains historically valuable, it does not support modern Kubernetes RBAC security vectors.
  • raesene.github.io: Auditing RBAC - Redux [EN CONTENT] [ADVANCED LEVEL] [ENTERPRISE-STABLE] — Curator Insight: Expert auditing analysis highlighting stealthy pathways for privilege escalation. Live Grounding: Maintained by veteran security researcher Rory McCune; covers subtle escalation exploits using system roles and custom resources.

RBAC Basics

  • (2023) engineering.dynatrace.com: Kubernetes Security Best Practices - Part 1: Role Based Access Control (RBAC) [EN CONTENT] 🌟🌟🌟 [COMMUNITY-TOOL] — Curator Insight: Part 1 of Dynatrace's engineering series focusing on proper RBAC boundary creation. Live Grounding: Explains the exact telemetry impact of bad cluster role design and details methods to identify unused privileges.
  • anaisurl.com: RBAC Explained with Examples 🌟 [EN CONTENT] [GUIDE] [COMMUNITY-TOOL] — Curator Insight: Accessible guide explaining subjects, resources, verbs, and role bindings. Live Grounding: An ideal foundational reference with visual aids to fast-track understanding of fundamental security principles.
  • dev.to: Configure RBAC in Kubernetes Like a Boss [EN CONTENT] [GUIDE] [COMMUNITY-TOOL] — Curator Insight: Tactical guide detailing production-grade RBAC naming conventions and structure. Live Grounding: Features rapid-fire configurations that help bootstrap clean and audit-ready policies in dev clusters.
  • youtube: Kubernetes RBAC Explained | Anton Putra 🌟 [EN CONTENT] [ENTERPRISE-STABLE] — Curator Insight: Video-based architectural guide detailing RBAC implementation. Live Grounding: Demonstrates step-by-step role construction, user mocking, and binding validation on active local clusters.

RBAC Modeling

  • github.com/clvx/k8s-rbac-model: Kubernetes RBAC Model 26 [EN CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Curator Insight: A conceptual visualization framework for modeling Kubernetes RBAC policies. Live Grounding: The project has seen zero updates in over 5 years. Deprioritized under MVQ rules due to structural obsolescence against modern apiGroups.

RBAC Resources

  • rbac.dev 🌟🌟🌟 [EN CONTENT] [DOCUMENTATION] [DE FACTO STANDARD] — Curator Insight: A dedicated portal serving as a master index of guides, templates, and hardening vectors for Kubernetes RBAC. Live Grounding: Active and highly referenced by security engineers for baseline templating, simplifying the construction of least-privilege configurations.

Vulnerability Case Studies

Authentication Protocols

Client-Side Security

  • curity.io: Client Security [EN CONTENT] [ENTERPRISE-STABLE] — Analyzes security patterns and best practices for implementing secure clients within modern web architecture. Curator insight focuses on preventing token leakage on client platforms. Live grounding confirms that securing the client architecture is paramount to avoiding credential hijacking in distributed web environments.

OAuth 2.0

  • curity.io: OAuth 2.0 Overview [EN CONTENT] [DE FACTO STANDARD] — An authoritative reference detailing the core flows, mechanics, and actors within the OAuth 2.0 authorization framework. Curator insight describes integration opportunities for web, native, and API client types. Live grounding demonstrates that OAuth 2.0 tokens serve as the underlying standard for authenticating microservice operations.

OIDC

  • curity.io: OpenID Connect Overview [EN CONTENT] [DE FACTO STANDARD] — Provides a comprehensive introduction to OpenID Connect (OIDC), the identity layer built directly on top of OAuth 2.0. Curator insight highlights how OIDC standardizes token delivery to provide secure client identity resolution. Live grounding affirms that OIDC is the preferred mechanism for securing user access to corporate Kubernetes instances.

Certificates

Concepts

  • dev.to: Kubernetes TLS, Demystified 🌟 [COMMUNITY-TOOL] — Demystifies the operational concepts of TLS, explaining how Certificate Authorities (CAs) and mutual TLS (mTLS) protect application network pathways.

Policy Enforcement

  • (2025) github.com/cert-manager: Policy Approver 90 [ADVANCED LEVEL] 🌟🌟🌟 [COMMUNITY-TOOL] — An official cert-manager approver-policy extension that verifies certificate requests against user-defined security guidelines before signing actions take place.

TLS Automation

Cluster Hardening

Best Practices

  • (2024) ==Kubernetes Security 101: Risks and 29 Best Practices 🌟== [EN CONTENT] [GUIDE] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — Curator Insight: Fundamental 101 guide compiling standard security paradigms and vectors. Live Grounding: Maintained by Red Hat; compiles 29 production-validated rules including image scanning, API isolation, and run-time container metrics.
  • Amazon EKS Best Practices Guide for Security 🌟 [EN CONTENT] [ADVANCED LEVEL] [GUIDE] [DE FACTO STANDARD] — Curator Insight: The definitive handbook for securing AWS EKS environments, curated by AWS security engineers. Live Grounding: Serves as the primary operational baseline for hardening network, IAM, data, and compute resources in AWS.
  • thenewstack.io: 6 Kubernetes Security Best Practices 🌟 [EN CONTENT] [COMMUNITY-TOOL] — Curator Insight: Conceptual breakdown of the six pillars of native Kubernetes security. Live Grounding: Distills complicated architectures into six action items (e.g., container isolation, CIS benchmarks) for fast-growing engineering teams.
  • armosec.io: Kubernetes Security Best Practices: Definitive Guide [EN CONTENT] [GUIDE] [ENTERPRISE-STABLE] — Curator Insight: Comprehensive security handbook focused on practical remediation. Live Grounding: Authored by Armo (developers of Kubescape); highly detailed on network security, host configuration, and scanning orchestration.
  • spectrocloud.com: Kubernetes security best practices: 5 easy ways to cut risk [EN CONTENT] [COMMUNITY-TOOL] — Curator Insight: Architectural guide targeting five foundational risk-reduction vectors. Live Grounding: Emphasizes simple steps like node OS patching, configuration drift detection, and early pipeline policy enforcement.

Deployment Security

  • (2023) semaphoreci.com: Secure Your Kubernetes Deployments [EN CONTENT] [GUIDE] 🌟🌟🌟 [COMMUNITY-TOOL] — Curator Insight: Actionable patterns for securing standard Deployment manifests in CI/CD pipelines. Live Grounding: Explains key-value securityContext settings, network policy bounds, and resource allocations.

Operational Best Practices

  • blog.gitguardian.com: Hardening Your Kubernetes Cluster - Guidelines (Pt. 2) 🌟 [EN CONTENT] [ENTERPRISE-STABLE] — Part two of a comprehensive practical guide on hardening Kubernetes installations, covering advanced topics such as RBAC auditing, log aggregation, and secret encryption at rest. Curator insight addresses key steps for locking down communication channels between internal control plane services. Live grounding affirms that implementing these hardening steps drastically reduces the blast radius of compromised microservices.

Compliance Auditing

Automation

  • rancher/cis-operator 55 [COMMUNITY-TOOL] — An automated system tool to execute CIS security scans inside Rancher ecosystems. Generates custom reports mapping nodes and master components against hardened CIS standards.

Hardening (1)

Standards

  • kubernetes.io: Security Checklist 🌟🌟 [DOCUMENTATION] [DE FACTO STANDARD] — The official, continuously updated security checklist mapping out practices across the 4C cloud-native security model. Serves as a foundational reference for cluster hardening, namespace isolation, and API server protection.

Threat Modeling

  • owasp.org: OWASP Kubernetes Top Ten [DOCUMENTATION] [DE FACTO STANDARD] — The official OWASP Kubernetes Top 10 project cataloging critical security issues. Helps engineering teams understand threat models ranging from insecure pod configurations to compromised secrets storage.

Compliance and Auditing (1)

Audit Methodology

  • securitycafe.ro: A COMPLETE KUBERNETES CONFIG REVIEW METHODOLOGY [EN CONTENT] [ADVANCED LEVEL] [ENTERPRISE-STABLE] — Provides a highly detailed methodology for evaluating cluster configurations, auditing access permissions, and detecting risky configurations. Curator insight details steps for assessing RBAC mappings and node exposure. Live grounding shows that a structured configuration review is essential for passing rigorous enterprise external audits.

Compliance and Scanning

Policy Enforcement (1)

  • kubescape 11437 [ADVANCED LEVEL] [DE FACTO STANDARD] [ENTERPRISE-STABLE] — An open-source Kubernetes security platform and CNCF Sandbox project providing multi-framework compliance scanning, vulnerability assessment, and risk analysis. It automates checks against NSA-CISA, CIS benchmarks, and MITRE ATT&CK frameworks, generating detailed security posture reports. Features deep integration with CI/CD pipelines and admission controllers to enforce security-as-code.

DevSecOps

Automated Compliance

  • collabnix.com: Applying DevSecOps Practices to Kubernetes [EN CONTENT] [COMMUNITY-TOOL] — Explains how to integrate DevSecOps methodologies directly into the lifecycle of containerized infrastructure. Curator insight covers pipeline integration of vulnerability scanners, registry signing, and runtime audit tools. Live grounding indicates that continuous integration of security configurations drastically reduces production attack surfaces.

CICD Pipeline Security

  • (2021) infoworld.com: 10 steps to automating security in Kubernetes pipelines [EN CONTENT] 🌟🌟🌟 [COMMUNITY-TOOL] — Focuses on establishing highly automated security checkpoints across the continuous delivery pipeline. Curator insight lists key automation areas, including infrastructure-as-code linting and automated vulnerability patching. Live grounding proves that shifting security left into the pipeline minimizes runtime surprises and maintains continuous developer velocity.

SAST

  • GitHub Code Security Risk Assessment: Free Vulnerability Scanning [EN CONTENT] [COMMUNITY-TOOL] — An introduction to GitHub's native, free vulnerability scanning tools designed to locate security regressions, secrets, and supply chain threats directly within the code repository. It highlights automated security alerts and quick enablement configurations.

Static Code Analysis

  • itnext.io: Performing Security Checks for Deployed Kubernetes Manifests [EN CONTENT] [ENTERPRISE-STABLE] — Outlines methods and tools used to inspect existing, live-running, or static Kubernetes resource manifests for structural defects. Curator insight showcases policy enforcement tools such as Checkov and Kube-score. Live grounding demonstrates that shift-left auditing of manifests in CI guarantees that only vetted resources enter production.

Endpoint and Client Security

Kubeconfig Hardening

  • gist.github.com: How to protect your ~/.kube/ configuration [EN CONTENT] [COMMUNITY-TOOL] — This Gist provides practical configuration steps to protect the local ~/.kube/config file from unauthorized access. Curator insight highlights standard file permissions (chmod 600), while live grounding demonstrates how local credential storage remains a high-value target for workstation compromise. The guide outlines methods to secure context credentials, including token helpers and shell env configurations.

Foundational Concepts

Cluster Hardening (1)

  • thenewstack.io: How to Secure Kubernetes, the OS of the Cloud [EN CONTENT] [COMMUNITY-TOOL] — Compares the security architecture of Kubernetes to traditional operating systems, identifying the key layers requiring abstraction-level security. Curator insight advocates for a shift in perspective, treating API access as the primary security perimeter. Live grounding supports that defense-in-depth must encompass the host, container, and API boundary to form a resilient cloud-native posture.
  • cast.ai: Kubernetes Security: 10 Best Practices from the Industry and Community 🌟 [EN CONTENT] [ENTERPRISE-STABLE] — Synthesizes expert advice and industry-proven practices for comprehensive cluster defense. Curator insight focuses on the absolute necessity of etcd encryption, regular posture checks, and network policies. Live grounding highlights that combining these strategies creates a multi-layered shield that significantly increases attackers' efforts.
  • itnext.io: Introduction to Kubernetes Security for Security Professionals [EN CONTENT] [ENTERPRISE-STABLE] — Bridges the gap between traditional security methodologies and cloud-native container structures for cybersecurity practitioners. Curator insight maps standard risk controls to container security contexts, networking policies, and etcd encryption. Live grounding reveals that security professionals must master APIs and declarative states to implement automated assurance.

Future of Security

  • thenewstack.io: Basic Principles Key to Securing Kubernetes Future [EN CONTENT] [COMMUNITY-TOOL] — Discusses evolutionary principles designed to ensure the long-term robustness of cloud-native systems. Curator insight stresses the necessity of secure-by-default configurations and standardized API control planes. Live grounding supports that reducing cognitive load for operators through self-healing security layers represents the future of secure operations.

Introductory Security

  • dev.to/mattiasfjellstrom: Kubernetes-101: Security concepts [EN CONTENT] [COMMUNITY-TOOL] — Explains introductory security concepts in Kubernetes, targeting beginner operators and developers. Curator insight highlights the core mechanisms of namespace separation, RBAC roles, and container isolation. Live grounding confirms that a strong grasp of these fundamental concepts is required before implementing advanced security meshes.

The 4Cs model

  • dev.to/thenjdevopsguy: The 4 Cs Of Kubernetes Security [EN CONTENT] [COMMUNITY-TOOL] — An educational guide summarizing the security dimensions defined by the CNCF '4C' model: Cloud, Cluster, Container, and Code. Curator insight outlines actionable steps to secure each layer. Live grounding confirms that systemic failure at any single layer exposes the entire cluster architecture to risk.

Threat Landscape

  • thenewstack.io: Securing Kubernetes in a Cloud Native World [EN CONTENT] [LEGACY] — Surveys the shifting landscape of threat profiles in modern distributed cloud environments. Curator insight explores how legacy perimeter security controls fail inside highly dynamic container environments. Live grounding reinforces the importance of using identity-driven workload authorization and fine-grained access limits.

Identity Management

Authentication Protocols (1)

  • (2024) Implementing a custom Kubernetes authentication method [EN CONTENT] [ADVANCED LEVEL] [GUIDE] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — Curator Insight: Highly technical tutorial on implementing custom authentication handlers. Live Grounding: Covers custom webhooks, custom token caching, and request inspection patterns for unique security infrastructures.
  • goteleport.com: A Simple Overview of Authentication Methods for Kubernetes Clusters [EN CONTENT] [COMMUNITY-TOOL] — Curator Insight: Broad examination of OIDC, X.509 client certs, and webhook authenticators. Live Grounding: A high-density conceptual summary simplifying the choices for enterprise identity providers.
  • kubernetes.io: Authenticating [EN CONTENT] [DOCUMENTATION] [DE FACTO STANDARD] — Curator Insight: Official Kubernetes reference documentation for cluster-wide authentication mechanisms. Live Grounding: Absolute source of truth covering token methods, client certificates, and webhook protocols for API traffic control.
  • kubernetes login [EN CONTENT] [GUIDE] [ENTERPRISE-STABLE] — Curator Insight: Practical deep dive by Christian Posta detailing kubectl token flow and login mechanisms. Live Grounding: Explains underlying client certificate and token caching, helping developers debug authorization blockages.
  • OpenID Connect [EN CONTENT] [ADVANCED LEVEL] [DOCUMENTATION] [DE FACTO STANDARD] — Curator Insight: Home of the OpenID Connect federation standard, which acts as the foundation for Kubernetes authentication. Live Grounding: Critical global standard underpinning identity validation in modern cloud architecture.

Cloud Integration

Enterprise Authentication

  • (2023) gravitational.com: How to Set Up Kubernetes SSO with SAML [EN CONTENT] [ADVANCED LEVEL] [GUIDE] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] [LEGACY] — Curator Insight: Tutorial showing how to secure the Kubernetes API utilizing SAML Single Sign-On. Live Grounding: Details proxy setup and Dex configuration, bridging legacy authentication methods with modern web authorization engines.
  • (2023) loft.sh: Kubernetes and LDAP: Enterprise Authentication for Kubernetes [EN CONTENT] [GUIDE] 🌟🌟🌟 [COMMUNITY-TOOL] — Curator Insight: Deep dive into linking LDAP catalogs with Kubernetes authorization planes. Live Grounding: Focuses on authentication bridging patterns, helping enterprise operators synchronize Active Directory mappings safely.

Microservice Identities

  • (2024) ==learnk8s.io: Authentication between microservices using Kubernetes identities 🌟== [EN CONTENT] [ADVANCED LEVEL] [GUIDE] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — Curator Insight: Deep guide on binding Pod identities to external identity systems for service-to-service validation. Live Grounding: Critical reference detailing token volume projection and secure microservices cross-boundary authentication workflows.

Identity and Access

API Security

Access Control (1)

Cloud Integrations

Hardening (2)

Workload Identity

Identity and Access Management (1)

API Server Hardening

  • goteleport.com: Kubernetes API Access Security Hardening [EN CONTENT] [ADVANCED LEVEL] [ENTERPRISE-STABLE] — High-fidelity instructions on securing access to the Kubernetes API server, emphasizing the dangers of exposed endpoints. Curator insight focuses on eliminating permanent credentials in favor of short-lived, role-based certificates. Live grounding demonstrates that protecting the API gateway via proxy solutions and strict IP whitelisting prevents critical control plane compromises.

Access Control (2)

  • thenewstack.io: Cloud Native Identity and Access Management in Kubernetes [EN CONTENT] [ADVANCED LEVEL] [ENTERPRISE-STABLE] — Examines identity federation, user access management, and internal service-to-service authentication models. Curator insight details mapping cluster roles directly to organizational single sign-on identities. Live grounding indicates that decentralized identity and modern authentication are critical to maintaining least privilege in high-scale infrastructure.

Single Sign-On

  • (2021) talkingquickly.co.uk: Kubernetes Single Sign On - A detailed guide 🌟 [EN CONTENT] [ADVANCED LEVEL] 🌟🌟🌟 [COMMUNITY-TOOL] — Outlines the end-to-end integration of external identity providers (IdPs) with the Kubernetes API server using OpenID Connect (OIDC). Curator insight guides through configuring API server flags and utilizing helper tools like Gangway or dex. Live grounding establishes that integrating external OIDC is a critical security step for mapping enterprise roles to Kubernetes RBAC.
  • dev.to/gabrielbiasi: Automatic SSO in Kubernetes workloads using a sidecar container [EN CONTENT] [ENTERPRISE-STABLE] — Explains how to offload authentication requirements from applications by wrapping workloads with a sidecar proxy. Curator insight details setting up proxies like OAuth2 Proxy or Keycloak Gatekeeper. Live grounding confirms that sidecar patterns enable centralized single sign-on without changing application code.

Industry Reports

Threat Landscape (1)

  • redhat.com: The State of Kubernetes Security [EN CONTENT] [COMMUNITY-TOOL] — This Red Hat analysis outlines prevalent vulnerabilities, configuration errors, and runtime threats observed in enterprise container environments. Curator insight focuses on the dominance of misconfigurations as the primary cause of security incidents. Live grounding demonstrates that software supply chain issues and runtime security are increasingly challenging for modern enterprises.
  • redhat.com: State of Kubernetes Security Report - Spring 2021 (PDF) 🌟 [EN CONTENT] [COMMUNITY-TOOL] — An extensive ebook documenting industry security adoption rates, primary concerns, and threat behaviors in Spring 2021. Curator insight highlights that container configuration defects remain the highest source of corporate security anxiety. Live grounding confirms the trends predicted in this report have materialized in modern zero-trust control planes.

Infrastructure Security

API Gateway Access

  • kubernetes.io: Access Clusters Using the Kubernetes API [EN CONTENT] [DOCUMENTATION] [DE FACTO STANDARD] — Curator Insight: Official upstream tasks covering direct API server communication pathways. Live Grounding: Teaches developers and automated CI systems how to authenticate and safely dispatch requests directly to API server endpoints.

Cluster Control Plane

  • kubernetes.io: Accessing Clusters [EN CONTENT] [DOCUMENTATION] [DE FACTO STANDARD] — Curator Insight: Official documentation on general cluster gateway entry points. Live Grounding: Primary map for developers, operators, and tools to locate endpoints and pass initial authentication handshakes.

Network Protection

  • (2025) Calico in EKS [EN CONTENT] [DOCUMENTATION] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — Curator Insight: Official AWS guide to configuring Calico as a network policy engine within EKS clusters. Live Grounding: Standard pattern for implementing namespace segregation and network isolation for microservices.
  • Building a DDoS Response Plan with Azure DDoS Protection [EN CONTENT] [COMMUNITY-TOOL] — Curator Insight: Architecture plan to withstand high-volume distributed denial-of-service attempts. Live Grounding: Focuses heavily on cloud-native patterns like rate-limiting, load-balancer protection, and Edge integration on Azure platforms.
  • Security Group Rules EKS [EN CONTENT] [DOCUMENTATION] [ENTERPRISE-STABLE] — Curator Insight: Official AWS guidelines on minimal security group parameters for EKS control planes and workers. Live Grounding: Vital infrastructure design reference preventing accidental exposure of internal cluster controllers.
  • EC2 ENI and IP Limit [EN CONTENT] [DOCUMENTATION] [ENTERPRISE-STABLE] — Curator Insight: Technical documentation specifying ENI limits and IP exhaustion thresholds in EC2. Live Grounding: Critical reference for EKS network planning to avoid pod startup errors due to IP scarcity.

Vulnerability Intelligence

  • kubernetes.io: Official CVE Feed 🌟 [EN CONTENT] [DOCUMENTATION] [DE FACTO STANDARD] — Curator Insight: Upstream Kubernetes project tracking CVE announcements and security advisories. Live Grounding: The authoritative source of vulnerability data necessary for building compliance scans and security guardrails.

Zero Trust

Network Security

Network Policies

  • tigera.io: Kubernetes security policy design: 10 critical best practices 🌟 [EN CONTENT] [ENTERPRISE-STABLE] — A structured set of recommendations for designing resilient network and security policies. Curator insight advises transitioning from flat networks to zero-trust micro-segmentation. Live grounding reveals that enforcing default-deny ingress and egress rules at the CNI layer is paramount for restricting lateral movement during an active compromise.

Network Segmentation

  • blog.gitguardian.com: Kubernetes Hardening Tutorial Part 2: Network [EN CONTENT] [COMMUNITY-TOOL] — Delves into network-level security configurations, detailing how to implement namespace isolation and default-deny policies. Curator insight highlights key methods for controlling egress traffic to prevent external exfiltration. Live grounding demonstrates that CNI-enforced policies are fundamental for limiting the spread of attacks within multi-tenant clusters.

Public Exposure

  • raesene.github.io: Let's talk about Kubernetes on the Internet [COMMUNITY-TOOL] — Analyzes the operational and security implications of exposing Kubernetes API servers directly to the public internet. Discusses real-world scanning threats and mitigation options like firewalling, OIDC, and endpoint protection.

Threat Intelligence

  • (2022) blog.cyble.com: Exposed Kubernetes Clusters 🌟🌟 [COMMUNITY-TOOL] — A threat analysis of insecure Kubernetes endpoints exposed on the public web. Details common scanning methods and real-world exploitation frameworks targeting raw, unauthenticated APIs.

Zero Trust Architecture

  • (2022) copado.com: Applying a Zero Trust Infrastructure in Kubernetes [EN CONTENT] [ADVANCED LEVEL] 🌟🌟🌟 [COMMUNITY-TOOL] — Outlines architectural models for establishing zero-trust policies inside dynamic container structures. Curator insight points to identity-driven micro-segmentation and continuous token validation at each boundary. Live grounding shows that using service meshes (like Istio or Linkerd) simplifies enforcing mutual TLS and granular authorization policies.

Policy Enforcement (2)

Admission Control

  • itnext.io: Kubernetes OWASP Top 10: Centralised Policy Enforcement [ADVANCED LEVEL] [COMMUNITY-TOOL] — Discusses integrating centralized admission control policies (like OPA/Gatekeeper or Kyverno) to mitigate OWASP Kubernetes Top 10 vulnerabilities. Explains how structural constraints on manifests prevent downstream security bypasses.
  • trstringer.com: Create a Basic Kubernetes Validating Webhook [EN CONTENT] [ADVANCED LEVEL] [GUIDE] [ENTERPRISE-STABLE] — Curator Insight: Developer guide demonstrating how to build, deploy, and register a custom validating webhook in Go. Live Grounding: Essential practical reference for building guardrails directly on top of the Kubernetes API server admission phase.
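An added example of the webhook shape the guide above describes (this is not the guide's own code): a Go handler that decodes an `admission.k8s.io/v1` AdmissionReview, inspects the Pod for the classic node-escape routes (host PID/network namespaces, hostPath volumes, privileged containers) and answers with an AdmissionReview whose response echoes the request UID. The AdmissionReview and Pod types are hand-written minimal subsets so the program needs nothing outside the standard library; the `/validate` path, port 8443 and the TLS file paths are assumptions. A ValidatingWebhookConfiguration pointing at the service, with `failurePolicy: Fail`, is still needed to wire it into the API server.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

// Minimal hand-written subset of the admission.k8s.io/v1 AdmissionReview types.
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the Pod being admitted
}

type AdmissionResponse struct {
	UID     string  `json:"uid"` // must echo the request UID
	Allowed bool    `json:"allowed"`
	Status  *Status `json:"status,omitempty"`
}

type Status struct {
	Message string `json:"message"`
}

// Only the Pod fields this policy inspects.
type Pod struct {
	Spec struct {
		HostPID     bool `json:"hostPID"`
		HostNetwork bool `json:"hostNetwork"`
		Volumes     []struct {
			Name     string          `json:"name"`
			HostPath json.RawMessage `json:"hostPath"`
		} `json:"volumes"`
		Containers []struct {
			Name            string `json:"name"`
			SecurityContext *struct {
				Privileged *bool `json:"privileged"`
			} `json:"securityContext"`
		} `json:"containers"`
	} `json:"spec"`
}

// Violations lists every reason the Pod must be rejected; each of these
// settings hands the workload a route from the container to the node.
func Violations(p *Pod) []string {
	var v []string
	if p.Spec.HostPID {
		v = append(v, "hostPID is not allowed")
	}
	if p.Spec.HostNetwork {
		v = append(v, "hostNetwork is not allowed")
	}
	for _, vol := range p.Spec.Volumes {
		if len(vol.HostPath) > 0 && string(vol.HostPath) != "null" {
			v = append(v, fmt.Sprintf("volume %q mounts a hostPath", vol.Name))
		}
	}
	for _, c := range p.Spec.Containers {
		if sc := c.SecurityContext; sc != nil && sc.Privileged != nil && *sc.Privileged {
			v = append(v, fmt.Sprintf("container %q is privileged", c.Name))
		}
	}
	return v
}

// Review turns the request AdmissionReview into the response the API server
// expects. Anything that cannot be decoded is denied: fail closed, not open.
func Review(body []byte) (*AdmissionReview, error) {
	var in AdmissionReview
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, fmt.Errorf("decode AdmissionReview: %w", err)
	}
	if in.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	out := &AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview",
		Response: &AdmissionResponse{UID: in.Request.UID}}
	var pod Pod
	if err := json.Unmarshal(in.Request.Object, &pod); err != nil {
		out.Response.Status = &Status{Message: "cannot decode Pod: " + err.Error()}
		return out, nil
	}
	if v := Violations(&pod); len(v) > 0 {
		out.Response.Status = &Status{Message: strings.Join(v, "; ")}
		return out, nil
	}
	out.Response.Allowed = true
	return out, nil
}

func handleValidate(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20)) // cap request size
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	out, err := Review(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(out)
}

func main() {
	http.HandleFunc("/validate", handleValidate)
	// The API server only calls webhooks over TLS; the cert paths are assumptions.
	log.Fatal(http.ListenAndServeTLS(":8443", "/tls/tls.crt", "/tls/tls.key", nil))
}
```

A deny response with a non-matching or empty UID is discarded by the API server, which is why `Review` copies it through unconditionally. The same check should also be applied to `initContainers` and `ephemeralContainers` in a production policy; they are omitted here to keep the Pod type short.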

Manifest Auditing

  • blog.frankel.ch: Learning by auditing Kubernetes manifests [EN CONTENT] [GUIDE] [ENTERPRISE-STABLE] — Curator Insight: Unique learning methodology based on static code analysis of raw Kubernetes manifests. Live Grounding: Teaches engineers how to spot structural vulnerabilities (e.g., hostPath mounts, root privileges) before applying resources.

Policy Engines

  • Neon Mirrors: Kubernetes Policy Comparison: OPA/Gatekeeper vs Kyverno [EN CONTENT] [ADVANCED LEVEL] [ENTERPRISE-STABLE] — Curator Insight: Detailed evaluation comparing the design paradigms, language limits, and performance of OPA/Gatekeeper versus Kyverno. Live Grounding: Provides objective architectural data comparing Rego-based policies to native YAML definitions.

Runtime Security

  • (2021) Pod Security Policy (SCC in OpenShift) 🌟 [EN CONTENT] [DOCUMENTATION] [LEGACY] — Curator Insight: Deprecated native Kubernetes resource that defined security profiles for pod execution (OpenShift's SecurityContextConstraints are that platform's own analogue). Live Grounding: Removed entirely in Kubernetes v1.25. Superseded by the built-in Pod Security Admission controller, which enforces the Pod Security Standards (PSS), and by third-party policy engines.
  • (2021) rancher.com: Enhancing Kubernetes Security with Pod Security Policies, Part 1 [EN CONTENT] [GUIDE] 🌟 [LEGACY] — Curator Insight: Part 1 of SUSE Rancher's historical guide to restricting root access through PSPs. Live Grounding: Useful exclusively for managing legacy clusters (v1.24 and earlier). Unusable on modern Kubernetes releases.
  • developer.squareup.com: Kubernetes Pod Security Policies (PSP) [EN CONTENT] [ADVANCED LEVEL] [GUIDE] [COMMUNITY-TOOL] — Curator Insight: Historical engineering post detailing Square's journey implementing early-generation PSP controls. Live Grounding: Excellent case study for understanding the design challenges of pod-level policy, but the mechanism itself is obsolete.
  • itnext.io: Implementing a Secure-First Pod Security Policy Architecture [EN CONTENT] [GUIDE] [COMMUNITY-TOOL] — Curator Insight: Practical implementation guide for designing restricted PSP parameters. Live Grounding: Highly detailed for its time, but not applicable to modern clusters, where Pod Security Admission (PSS) or an engine such as Kyverno takes this role.
  • kubernetes-sigs/security-profiles-operator 846 [EN CONTENT] [ADVANCED LEVEL] [ENTERPRISE-STABLE] — Curator Insight: Kubernetes SIG operator for managing AppArmor, Seccomp, and SELinux profiles natively within clusters. Live Grounding: Fully active and widely used in secure sectors to harden container execution boundaries.
  • kubernetes.io: What's new in Security Profiles Operator v0.4.0 [EN CONTENT] [ENTERPRISE-STABLE] — Curator Insight: Upstream release notes detailing critical profiles expansion inside the Security Profiles Operator. Live Grounding: Explains runtime metrics tracking and automated profile recording functions.

Runtime Observability

eBPF Threat Detection

  • isovalent.com: Detecting a Container Escape with Cilium and eBPF [EN CONTENT] [ADVANCED LEVEL] [DE FACTO STANDARD] — A deep-dive exploration of container escape methodologies and how they can be detected at the kernel layer using Cilium and eBPF. Curator insight focuses on monitoring system calls directly to bypass container-internal obfuscation. Live grounding confirms that eBPF observability provides the low-overhead, high-fidelity metrics needed to identify escape payloads before damage occurs.
  • developers.redhat.com: Secure your Kubernetes deployments with eBPF [EN CONTENT] [ADVANCED LEVEL] [ENTERPRISE-STABLE] — Technical article explaining the operational advantages of using eBPF for cloud-native workload defense. Curator insight explains how eBPF operates safely within the Linux kernel to record and control system behavior without sidecars. Live grounding confirms that eBPF technology has transitioned from a monitoring utility to a standard tool for runtime security.

Runtime Security (1)

Threat Detection

  • (2022) infoworld.com: The race to secure Kubernetes at run time [EN CONTENT] 🌟🌟🌟 [COMMUNITY-TOOL] — Explores the rapid evolution of security technologies focusing on runtime detection and container-level process isolation. Curator insight details the industry transition away from simple static analysis toward active behavioral profiling. Live grounding confirms that eBPF-driven insights and real-time enforcement have become critical standards for identifying novel zero-day threats.

Secret Management

Certificate Management

  • blog.alexellis.io: What if your Pods need to trust self-signed certificates? [EN CONTENT] [ENTERPRISE-STABLE] — Evaluates options for mounting and trusting custom or self-signed Root Certificate Authorities (CAs) inside container environments. Curator insight shows practical configurations for injecting custom root stores through init containers or volume mounts. Live grounding confirms that managing private PKIs is crucial for microservices in secure enterprise intranets.
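One of the configurations the article above evaluates, written out as an added example (not the article's own manifests): the private root CA is shipped as a ConfigMap, mounted into the pod, and handed to the TLS library through `SSL_CERT_FILE`, which OpenSSL-based clients and Go's crypto/x509 honour. The namespace, the ConfigMap name, the image and the PEM placeholder are assumptions; the real PEM of the internal root goes in `ca.crt`.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: corp-root-ca            # assumed name
  namespace: payments           # assumed namespace
data:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    (PEM body of the internal root CA goes here; placeholder, not a real cert)
    -----END CERTIFICATE-----
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  containers:
    - name: api
      image: registry.example.com/payments/api:1.4.2   # assumed image
      env:
        # Point OpenSSL/Go at the private root. Setting SSL_CERT_FILE replaces
        # the default bundle, so public CAs are no longer trusted by this
        # process unless they are appended to the same file.
        - name: SSL_CERT_FILE
          value: /etc/corp-ca/ca.crt
      volumeMounts:
        - name: corp-ca
          mountPath: /etc/corp-ca
          readOnly: true
  volumes:
    - name: corp-ca
      configMap:
        name: corp-root-ca
        items:
          - key: ca.crt
            path: ca.crt
```

Two caveats a practitioner will hit: a ConfigMap is the right home for a root certificate (it is public material; only the CA's private key is a secret), and `SSL_CERT_FILE` is not universal. JVM applications read the `cacerts` keystore and Python's `requests` uses certifi's bundle (`REQUESTS_CA_BUNDLE`), so those images need the CA added by an init container or at build time instead. Mounting the file over `/etc/ssl/certs/ca-certificates.crt` with `subPath` is the distribution-agnostic fallback, at the cost of dropping every public CA from that bundle.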
  • thenewstack.io: Jetstack Secure Promises to Ease Kubernetes TLS Security [EN CONTENT] [ADVANCED LEVEL] [ENTERPRISE-STABLE] — Analyzes Jetstack Secure, an enterprise platform wrapping the open-source cert-manager tool to orchestrate certificates. Curator insight details how this service helps operationalize automated certificate renewal across multi-cluster environments. Live grounding confirms that automated PKI management reduces manual oversight and cuts down on unexpected service outages.

HashiCorp Vault

  • (2023) ==learn.hashicorp.com: Integrate a Kubernetes Cluster with an External Vault 🌟== [EN CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] [GUIDE] — Step-by-step tutorial on integrating Kubernetes secrets management with an external HashiCorp Vault instance. Curator insight shows how to securely inject secrets using the Vault Agent injector sidecar. Live grounding confirms that externalized secret managers are an industry standard for multi-tenant, enterprise-grade clusters in order to avoid native etcd secrets exposure.
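The injector pattern the tutorial above walks through, as an added example rather than the tutorial's own manifests: pod annotations tell the Vault Agent injector (installed by the Vault Helm chart) to add an init/sidecar agent that authenticates with the pod's ServiceAccount token via Vault's Kubernetes auth method and renders the secret to `/vault/secrets/<name>`, so the application reads a file and never holds a Vault token. The Vault role `payments-api`, the secret path `database/creds/payments-api`, the ServiceAccount, namespace and image are assumptions and must exist on the Vault side (a Kubernetes auth role bound to exactly that ServiceAccount and namespace).

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: payments                     # assumed namespace
spec:
  replicas: 2
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # Kubernetes auth role in Vault; it is bound to the ServiceAccount below,
        # so a pod running under any other identity cannot assume it.
        vault.hashicorp.com/role: "payments-api"
        # Render the dynamic DB credential to /vault/secrets/db-creds ...
        vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/payments-api"
        # ... in the exact shape the app wants, so no parsing happens in-app.
        vault.hashicorp.com/agent-inject-template-db-creds: |
          {{- with secret "database/creds/payments-api" -}}
          postgresql://{{ .Data.username }}:{{ .Data.password }}@db.payments.svc:5432/payments
          {{- end }}
        # Keep the sidecar running so leases are renewed and the file rotates.
        vault.hashicorp.com/agent-pre-populate-only: "false"
    spec:
      serviceAccountName: payments-api    # assumed; this is the identity Vault checks
      automountServiceAccountToken: true  # the agent needs the SA token to log in
      containers:
        - name: api
          image: registry.example.com/payments/api:1.4.2   # assumed image
          env:
            - name: DATABASE_URL_FILE
              value: /vault/secrets/db-creds
```

Because the rendered file is rewritten when the lease rotates, the application has to re-read it (or be restarted) rather than cache the string at startup. Nothing here lands in a Kubernetes Secret object, which is the point of the approach: etcd never holds the credential and RBAC on Secrets is no longer the control that protects it.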

Secrets Management

Automation (1)

Cloud Integrations (1)

Compliance Auditing (1)

  • itnext.io: Kubernetes OWASP Top 10: Secrets Management [COMMUNITY-TOOL] — Deals with risks concerning exposed credentials and hardcoded parameters within Kubernetes workflows. Walks through mitigation setups in compliance with OWASP guidelines to prevent secrets leakage.

Concepts (1)

Data Protection

  • kubernetes.io: Encrypting Secret Data at Rest 🌟 [ADVANCED LEVEL] [DOCUMENTATION] [ENTERPRISE-STABLE] — The official documentation guiding cluster administrators through encrypting Secret data (and other resource types) at rest in etcd. Covers the local key providers (aescbc, aesgcm, secretbox), external KMS plugin configuration, and the rewrite step that re-encrypts Secrets already stored in plaintext.
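An EncryptionConfiguration of the kind the documentation above describes, as an added example (not copied from the docs): a KMS v2 plugin is the write provider, a local `aescbc` key is kept so data written under it can still be read, and `identity` stays last so pre-existing plaintext entries remain readable until they are rewritten. The file path, the plugin socket, the provider name and the placeholder key are assumptions.

```yaml
# Placed on every control-plane node, e.g. /etc/kubernetes/enc/encryption.yaml,
# and passed to the API server as:
#   --encryption-provider-config=/etc/kubernetes/enc/encryption.yaml
# The first provider in the list encrypts new writes; every listed provider
# is tried, in order, when reading.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps            # ConfigMaps often carry credentials too
    providers:
      # Preferred: envelope encryption via an external KMS plugin (KMS v2 API).
      # The data-encryption keys never sit on the node in plaintext config.
      - kms:
          apiVersion: v2
          name: cloud-kms                                   # assumed
          endpoint: unix:///var/run/kmsplugin/socket.sock   # assumed
          timeout: 3s
      # Fallback for reading anything written before the KMS provider existed.
      # Generate the secret with: head -c 32 /dev/urandom | base64
      - aescbc:
          keys:
            - name: key1
              secret: <base64 of 32 random bytes>           # placeholder
      # Reads plaintext written before encryption was enabled. Remove it once
      # all resources have been rewritten (see note below).
      - identity: {}
```

Enabling the file encrypts only future writes; existing objects stay in plaintext until they are rewritten, e.g. `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. Confirm with `etcdctl get /registry/secrets/<ns>/<name>` that the stored value begins with `k8s:enc:kms:v2:` rather than readable JSON before removing `identity`. The `aescbc` key material lives in this file on the control-plane node, which is why it is a fallback here and not the write provider: anyone who can read the node's filesystem can read the key.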

Discussion

GitOps

Integration Tools

  • external-secrets.io 🌟 [EN CONTENT] [DE FACTO STANDARD] — Curator Insight: Industry-standard controller designed to inject secrets securely into clusters from external providers. Live Grounding: Highly active; supports AWS, GCP, Azure, and HashiCorp Vault. This avoids storing raw sensitive keys in Git repositories.
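An added example of the pattern external-secrets implements (not the project's own sample manifests): a namespaced SecretStore that reaches AWS Secrets Manager with the projected ServiceAccount token of an IRSA-annotated ServiceAccount, and an ExternalSecret that materialises one key of a remote secret as a Kubernetes Secret and keeps it refreshed. The region, the remote secret name `prod/payments/db`, the ServiceAccount and namespace are assumptions; what is committed to Git is only the reference, never the value.

```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager
  namespace: payments                      # assumed namespace
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1                    # assumed
      auth:
        jwt:
          # ServiceAccount annotated with eks.amazonaws.com/role-arn (IRSA);
          # the IAM role should allow GetSecretValue on prod/payments/* only.
          serviceAccountRef:
            name: external-secrets-payments
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-creds
  namespace: payments
spec:
  refreshInterval: 1h                      # re-pull so rotations propagate
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore                      # namespaced; ClusterSecretStore is the cluster-wide form
  target:
    name: db-creds                         # the Kubernetes Secret that gets created
    creationPolicy: Owner                  # delete the ExternalSecret, delete the Secret
  data:
    - secretKey: password                  # key inside the Kubernetes Secret
      remoteRef:
        key: prod/payments/db              # assumed Secrets Manager secret name
        property: password                 # JSON field inside that secret
```

Check `kubectl get externalsecret db-creds -n payments` for a `Ready` status with reason `SecretSynced`; a `SecretSyncedError` with an AccessDenied message usually means the IRSA role binding, not the manifest, is wrong. Using a namespaced SecretStore rather than a ClusterSecretStore keeps each tenant's cloud identity separate, so a compromise of one namespace does not let it read another team's remote secrets.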

KMS Integration

  • github.com/ondat/trousseau 180 [EN CONTENT] [ADVANCED LEVEL] [LEGACY] — Curator Insight: KMS integration designed to encrypt secrets inside etcd using external key management systems. Live Grounding: This repository is unmaintained and archived following Ondat's acquisition. Deprioritized under MVQ rules.

Software Supply Chain

Admission Controllers

  • (2022) infoworld.com: Securing the Kubernetes software supply chain with Microsoft's Ratify [EN CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — Introduces Ratify, an open-source verification engine designed to validate container image signatures and bills of materials (SBOMs) prior to deployment. Curator insight highlights how Ratify integrates as an admission controller with Gatekeeper to block unsigned or non-compliant artifacts. Live grounding confirms that cryptographic signature verification is a cornerstone of modern secure supply chain initiatives.

Threat Landscape (2)

Incident Response

  • thenewstack.io: Kubernetes: An Examination of Major Attacks 🌟 [EN CONTENT] [ENTERPRISE-STABLE] — Examines real-world attack vectors and high-profile security incidents targeted at Kubernetes infrastructure, including cryptojacking and dashboard exposure. Curator insight breaks down the progression of an attack from initial access to privilege escalation. Live grounding confirms that threat actors consistently exploit exposed management interfaces and unauthenticated endpoints.

Metrics Security

  • (2022) sysdig.com: How attackers use exposed Prometheus server to exploit Kubernetes clusters | Miguel Hernández [EN CONTENT] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — Dissects a threat scenario presented at KubeCon demonstrating how attackers leverage exposed Prometheus targets to leak cluster topology. Curator insight shows that unauthenticated metrics endpoints frequently leak critical environmental data used to plan secondary exploits. Live grounding warns that proper ingress configurations and token-based authentication are mandatory to secure monitoring setups.

Offensive Security

Threat Modeling (1)

Attacking Patterns

Compliance Auditing (2)

  • (2022) sysdig.com: OWASP Kubernetes Top 10 🌟🌟🌟🌟 [COMMUNITY-TOOL] — Breaks down the OWASP Kubernetes Top 10 architecture from a practical sysadmin viewpoint. Evaluates security boundaries, configurations, and runtime behaviors to mitigate known exploitation routes.

Hardening (3)

Tooling

Open Source Security

  • mattermost.com: The Top 7 Open Source Tools for Securing Your Kubernetes Cluster [EN CONTENT] [COMMUNITY-TOOL] — Evaluates seven essential open-source tools for enhancing cluster protection, targeting vulnerability scanning, posture assessment, and threat logs. Curator insight lists classic security aids like Trivy, Falco, and Terrascan. Live grounding shows that combining dynamic runtime checkers with static config linters provides comprehensive coverage across the delivery pipeline.

Vulnerabilities

CVE Case Studies

Vulnerability Management

CVE Feeds

  • kubernetes.io: Announcing the Auto-refreshing Official Kubernetes CVE Feed [COMMUNITY-TOOL] — Official Kubernetes announcement of an auto-refreshing, JSON-based CVE feed designed for programmatic security automation. The feed lets scanning engines, SIEMs, and cloud-native vulnerability scanners ingest vulnerability data as it is published, with authoritative definitions straight from the Kubernetes security team.
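An added example of consuming the feed programmatically (this is not the Kubernetes project's tooling): the feed is a JSON Feed document, so the code decodes the standard JSON Feed fields, discards any entry whose `id` is not a well-formed CVE identifier before it can reach a SIEM or ticketing system, sorts newest first, and reports everything published after the watermark a poller saved on its last run. Which JSON Feed fields the official feed populates is an assumption; the embedded sample feed is constructed for the offline demo and its CVE ids and summaries are placeholders, not real advisories.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"regexp"
	"sort"
	"time"
)

// Subset of the JSON Feed 1.1 shape published at
// https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json
// (field names are those of JSON Feed; which ones the feed fills is an assumption).
type Feed struct {
	Version string `json:"version"`
	Title   string `json:"title"`
	Items   []Item `json:"items"`
}

type Item struct {
	ID            string    `json:"id"`           // CVE identifier
	Summary       string    `json:"summary"`      // one-line title
	ContentText   string    `json:"content_text"` // description
	URL           string    `json:"url"`          // upstream tracking issue
	ExternalURL   string    `json:"external_url"` // CVE record
	DatePublished time.Time `json:"date_published"`
}

var cveID = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)

// ParseFeed decodes the feed, drops entries without a well-formed CVE id and
// returns the rest newest first.
func ParseFeed(data []byte) ([]Item, error) {
	var f Feed
	if err := json.Unmarshal(data, &f); err != nil {
		return nil, fmt.Errorf("decode CVE feed: %w", err)
	}
	items := make([]Item, 0, len(f.Items))
	for _, it := range f.Items {
		if cveID.MatchString(it.ID) {
			items = append(items, it)
		}
	}
	sort.Slice(items, func(i, j int) bool {
		return items[i].DatePublished.After(items[j].DatePublished)
	})
	return items, nil
}

// NewSince returns the ids published after the watermark of the previous poll.
func NewSince(items []Item, since time.Time) []string {
	var ids []string
	for _, it := range items {
		if it.DatePublished.After(since) {
			ids = append(ids, it.ID)
		}
	}
	return ids
}

// FetchFeed downloads and parses the live feed; not exercised offline.
func FetchFeed(ctx context.Context, url string) ([]Item, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("feed returned %s", resp.Status)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 8<<20)) // bound the download
	if err != nil {
		return nil, err
	}
	return ParseFeed(body)
}

// sampleFeed is a constructed stand-in for the real feed: ids and summaries
// are placeholders, and the third entry is deliberately malformed.
const sampleFeed = `{
  "version": "https://jsonfeed.org/version/1.1",
  "title": "constructed sample feed",
  "items": [
    {"id": "CVE-2023-1001", "summary": "constructed entry A", "date_published": "2023-05-10T10:00:00Z"},
    {"id": "CVE-2023-1002", "summary": "constructed entry B", "date_published": "2023-07-01T10:00:00Z"},
    {"id": "not-a-cve",     "summary": "malformed entry, dropped", "date_published": "2023-08-01T10:00:00Z"},
    {"id": "CVE-2024-1003", "summary": "constructed entry C", "date_published": "2024-01-15T10:00:00Z"}
  ]
}`

func main() {
	items, err := ParseFeed([]byte(sampleFeed))
	if err != nil {
		panic(err)
	}
	since := time.Date(2023, 6, 1, 0, 0, 0, 0, time.UTC) // last poll's watermark
	fmt.Println(NewSince(items, since))
}
```

Persist `items[0].DatePublished` after each successful run as the next `since`; comparing on publication time rather than on "have I seen this id" also catches an entry that is republished with new content.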

Vulnerability Scanning

Compliance Auditing (3)

Interviews

Manifest Auditing (1)

  • github.com/Shopify/kubeaudit 🌟🌟 1936 [ENTERPRISE-STABLE] — An open-source auditor that checks active Kubernetes configurations and YAML manifests against real-world security profiles. Prevents misconfigurations such as running containers as root or with excessive privileges.

Workload Security

AWS EKS Hardening

  • dev.to/aws-builders: Best Practices for Securing Kubernetes Deployments 🌟 [EN CONTENT] [ENTERPRISE-STABLE] — Focuses on deployment hardening guidelines tailored for AWS Elastic Kubernetes Service (EKS) and native clusters. Curator insight outlines using IAM Roles for Service Accounts (IRSA) to give each workload its own scoped AWS credentials instead of the node's instance role. Live grounding confirms that configuring infrastructure-level least-privilege policies prevents a compromised pod from turning into a lateral cloud infrastructure compromise.

Common Misconfigurations

  • fairwinds.com: Discover the Top 5 Kubernetes Security Mistakes You're (Probably) Making [EN CONTENT] [COMMUNITY-TOOL] — Explores the most common security oversights in Kubernetes cluster deployments, such as running containers as root and missing resource limits. Curator insight matches automated auditing observations, emphasizing the gap between default settings and production requirements. Live grounding highlights that automated policy engines (like Polaris or Kyverno) are essential to systematically mitigate these risks.

Debugging Security

  • xenitab.github.io: Kubernetes Ephemeral Container Security 🌟 [EN CONTENT] [ADVANCED LEVEL] [ENTERPRISE-STABLE] — Explains security considerations around the use of ephemeral containers for live cluster troubleshooting. Curator insight warns against exposing node-level namespaces during ad-hoc diagnostics sessions. Live grounding indicates that while ephemeral containers are critical for debugging distroless images, they require strict RBAC policies to prevent escalation.

Deployment Hardening

  • armosec.io: How to Secure Deployments in Kubernetes? 🌟 [EN CONTENT] [ENTERPRISE-STABLE] — A practical guide addressing how to configure secure deployments using declarative configurations. Curator insight details defensive parameters such as secrets handling, least-privilege service accounts, and resource controls. Live grounding indicates that automated compliance checks during Deployment creation are vital to prevent misconfigurations from reaching live states.

Developer Best Practices

  • dev.to/pavanbelagatti: Kubernetes Security Best Practices For Developers [EN CONTENT] [COMMUNITY-TOOL] — Tailored specifically for application developers to guide secure manifest construction and safe build configurations. Curator insight details practical tips like avoiding hardcoded secrets and keeping image footprints minimal. Live grounding confirms that developer training combined with automated IDE feedback is essential for maintaining secure codebases.

Pod Hardening

  • blog.gitguardian.com: Kubernetes Hardening Tutorial Part 1: Pods [EN CONTENT] [COMMUNITY-TOOL] — A granular tutorial guiding developers on how to design and build secure Pod configurations. Curator insight instructs on eliminating default privileges and configuring security contexts. Live grounding shows that implementing Pod Security Standards (PSS) provides a straightforward, out-of-the-box framework to systematically restrict critical container permissions.
  • dev.to/thenjdevopsguy: Securing Kubernetes Pods For Production Workloads [EN CONTENT] [ENTERPRISE-STABLE] — A specialized checklist for locking down Pod setups in highly regulated production networks. Curator insight addresses how to enforce non-root execution, limit Capabilities, and bind resource consumption quotas. Live grounding shows that consistent enforcement of these checklists eliminates common container breakout opportunities.

Pod Security Context

  • snyk.io: 10 Kubernetes Security Context settings you should understand [EN CONTENT] [ENTERPRISE-STABLE] — A comprehensive guide on utilizing the Kubernetes securityContext API to enforce Pod and container-level boundaries. Curator insight details foundational settings like runAsNonRoot, readOnlyRootFilesystem, and allowPrivilegeEscalation. Live grounding confirms these configurations remain the primary defense-in-depth mechanisms for preventing container breakouts in 2026 production environments.
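The settings the securityContext guide above lists, the Pod Security Standards mentioned under Pod Hardening, and the Pod Security Admission controller that replaced PodSecurityPolicy (see Runtime Security) all meet in one place, shown here as an added example (not taken from any of the linked articles): a Namespace labelled to enforce the `restricted` profile, and a Pod that passes it. The namespace name, image and UID are assumptions.

```yaml
# Pod Security Admission is the in-tree replacement for PodSecurityPolicy:
# one label per mode on the namespace, no extra controller to install.
apiVersion: v1
kind: Namespace
metadata:
  name: payments                                   # assumed namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted   # reject violating pods
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted      # warn kubectl users too
    pod-security.kubernetes.io/audit: restricted     # and write audit annotations
---
# A Pod that satisfies the restricted profile. Every field below is one the
# profile checks; drop any of them and admission rejects the Pod with the
# field named in the error.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  automountServiceAccountToken: false   # not required by PSS; removes an idle API credential
  securityContext:
    runAsNonRoot: true                  # required: the kubelet refuses a UID-0 image
    runAsUser: 10001                    # assumed non-root UID baked into the image
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault              # required: RuntimeDefault or Localhost
  containers:
    - name: api
      image: registry.example.com/payments/api:1.4.2   # assumed image
      securityContext:
        allowPrivilegeEscalation: false # required: blocks setuid/setcap gains
        readOnlyRootFilesystem: true    # not required by PSS, but closes in-place tampering
        capabilities:
          drop: ["ALL"]                 # required; only NET_BIND_SERVICE may be added back
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          cpu: 500m
          memory: 256Mi
      volumeMounts:
        - name: tmp
          mountPath: /tmp               # scratch space since / is read-only
  volumes:
    - name: tmp
      emptyDir: {}                      # hostPath is forbidden by the baseline profile
```

Test the labels before enforcing them: apply `warn` and `audit` first, run `kubectl label --dry-run=server --overwrite ns payments pod-security.kubernetes.io/enforce=restricted` and read the warnings that list every existing workload that would be rejected. `readOnlyRootFilesystem` and `automountServiceAccountToken: false` go beyond the profile and are where a policy engine such as Kyverno earns its place, since PSA cannot be extended with custom rules.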

💡 Explore Related: Devsecops | Kustomize | Crossplane