awesome-kubernetes/v2-docs/kubernetes-security.md

# Kubernetes Security

!!! info "Architectural Context"
    Detailed reference for Kubernetes Security in the context of Hardened Infrastructure.

## Standard Reference

  - [jetstack.io: Securing Istio workloads with mTLS using cert-manager](https://www.cyberark.com/venafi-and-cyberark-machine-identity-security)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [kube-bench 🌟](https://github.com/aquasecurity/kube-bench) <span class='md-tag md-tag--info'>⭐ 8049</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span>
  - [medium: Single Sign-On in Kubernetes](https://medium.com/@andriisumko/single-sign-on-in-kubernetes-1ad9528350ed)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [Dzone - OAuth 2.0](https://dzone.com/articles/oauth-20-beginners-guide)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium: How to Harden Your Kubernetes Cluster for Production 🌟](https://medium.com/better-programming/how-to-harden-your-kubernetes-cluster-for-production-7e47990efc2a)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [cncf.io: Kubernetes Security 🌟](https://www.cncf.io/blog/2021/03/22/kubernetes-security)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [redkubes.com: 10 Kubernetes Security Risks & Best Practices](https://redkubes.com/10-kubernetes-security-risks-best-practices)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [blog.kasten.io: Kubernetes Ransomware Protection with Kasten K10 v4.0](https://blog.kasten.io/ransomware-protection-kasten-k10-v4)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [levelup.gitconnected.com: Enforce Audit Policy in Kubernetes (k8s)](https://levelup.gitconnected.com/enforce-audit-policy-in-kubernetes-k8s-34e504733300)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [magalix.com: Top 8 Kubernetes Security Best Practices 🌟](https://www.magalix.com/blog/top-8-kubernetes-security-best-practices)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [cncf.io: How to secure your Kubernetes control plane and node components](https://www.cncf.io/blog/2021/08/20/how-to-secure-your-kubernetes-control-plane-and-node-components)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [akhilsharma.work: The 4C's of Kubernetes Security](https://akhilsharma.work/the-4cs-of-kubernetes-security)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium: Securing the Kubernetes cluster | Lessandro Z. Ugulino](https://medium.com/@lessandro.ugulino/securing-the-kubernetes-cluster-c5ab43fe0dd0)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [amazicworld.com: Top 5 security threats unique to a Kubernetes and Cloud' Native stack](https://amazicworld.com/top-5-security-threats-unique-to-a-kubernetes-and-cloud-native-stack)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [venturebeat.com: Kubernetes security will have a breakout year in 2022](https://venturebeat.com/2021/12/27/kubernetes-security-will-have-a-breakout-year-in-2022)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium: Comparing Kubernetes Security Frameworks and Guidance 🌟](https://medium.com/@jonathan_37674/comparing-kubernetes-security-frameworks-and-guidance-f1c2821ea733)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [blog.devgenius.io: How is security managed in Kubernetes clusters?](https://blog.devgenius.io/how-is-security-managed-in-kubernetes-clusters-addefffd2b0)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/@jonathan_37674: Kubernetes Security Best Practices: Definitive' Guide](https://medium.com/@jonathan_37674/kubernetes-security-best-practices-definitive-guide-bcb546e9f529)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [faun.pub: From dev to admin: an easy Kubernetes privilege escalation you' should be aware of — the attack](https://faun.pub/from-dev-to-admin-an-easy-kubernetes-privilege-escalation-you-should-be-aware-of-the-attack-950e6cf76cac)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/@dotdc: Is your Kubernetes API Server exposed? Learn how to' check and fix! 🌟](https://medium.com/@dotdc/is-your-kubernetes-api-server-exposed-learn-how-to-check-and-fix-609ab9638fae)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [levelup.gitconnected.com: The Core of Kubernetes Security: Clusters](https://levelup.gitconnected.com/the-core-of-kubernetes-security-clusters-5d9a69f1dba4)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/@codingkarma: Kubernetes Goat Part-1](https://medium.com/@codingkarma/kubernetes-goat-part-1-8718b1345a42)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/@badawekoo: Limit number of processes running in a Kubernetes' pod](https://medium.com/@badawekoo/limit-number-of-processes-running-in-a-kubernetes-pod-50ccf156ec18)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/cloudyrion: Kubernetes end-to-end chain exploit](https://medium.com/cloudyrion/kubernetes-end-to-end-chain-exploit-c2be32688fd0)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [xgrid.medium.com: Securing a Kubernetes cluster using TLS certificates' 🌟](https://xgrid.medium.com/securing-a-kubernetes-cluster-using-tls-certificates-5e64a6bb26de)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [ahmedy.hashnode.dev: Creating TLS Certificates for K8s components with OpenSSL](https://ahmedy.hashnode.dev/creating-tls-certificates-for-k8s-components-with-openssl)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [erkanzileli.medium.com: How TLS Certificates Work](https://erkanzileli.medium.com/how-tls-certificates-work-422d95f1df5e)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/@martin.hodges: Using a wildcard certificate within your Kubernetes' cluster](https://medium.com/@martin.hodges/using-a-wildcard-certificate-within-your-kubernetes-cluster-87c014e8dafe)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [blog.cloudsecque.com: How to Improve the Security of Your Applications' with Kubernetes Security Scanners](https://blog.cloudsecque.com/how-to-improve-the-security-of-your-applications-with-kubernetes-security-scanners-cda97fd2f574)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [techmanyu.com: Kubernetes Security with Kube-bench and Kube-hunter 🌟](https://www.techmanyu.com/kubernetes-security-with-kube-bench-and-kube-hunter-6765bf44ebc6)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [aninditabasak.medium.com: A Lap around Kubernetes Security & Vulnerability' scanning Tools — checkov, kube-hunter, kube-bench & Starboard](https://aninditabasak.medium.com/a-lap-around-kubernetes-security-vulnerability-scanning-tools-checkov-kube-hunter-kube-bench-4ffda92c4cf1)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [towardsdev.com: 12 Scanners to Find Security Vulnerabilities and Misconfigurations' in Kubernetes](https://towardsdev.com/12-scanners-to-find-security-vulnerabilities-and-misconfigurations-in-kubernetes-332a738d076d)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [faun.pub: Gatekeeper | K8 hardening backlog](https://faun.pub/gatekeeper-k8-hardening-backlog-956d1b6860b6)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [systemweakness.com: OWASP-K8S Security: Insecure Workload Configurations](https://systemweakness.com/owasp-k8s-security-insecure-workload-configurations-c14c4028beb1)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [darkreading.com: Top 10 Kubernetes Security Risks Every DevSecOps Pro Should' Know](https://www.darkreading.com/dr-tech/top-10-kubernetes-security-risks-every-devsecops-needs-to-know)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [Kubernetes Hardening Guidance 🌟🌟](https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [aymen-abdelwahed.medium.com: K8s Operators — CIS Kubernetes Benchmarks](https://aymen-abdelwahed.medium.com/k8s-operators-cis-benchmarks-8d7915d5cb2d)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium: Working with Service Account In Kubernetes 🌟](https://medium.com/the-programmer/working-with-service-account-in-kubernetes-df129cb4d1cc)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [sandeepbaldawa.medium.com: Service Accounts in K8s (Kubernetes)](https://sandeepbaldawa.medium.com/service-accounts-in-k8s-kubernetes-2779ee4fb331)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/pareture: Kubernetes Bound Projected Service Account Token Volumes' Might Surprise You](https://medium.com/pareture/kubernetes-bound-projected-service-account-token-volumes-might-surprise-you-434ff2cd1483)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/geekculture: K8s — ServiceAccount Token](https://medium.com/geekculture/k8s-serviceaccount-token-313d62aee119)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [motilayo.hashnode.dev: Exploring Kubernetes Service Account Tokens and Secure' Workload Identity Federation](https://motilayo.hashnode.dev/exploring-kubernetes-service-account-tokens-and-secure-workload-identity-federation)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [overcast.blog: Kubernetes Service Accounts: A Practical Guide](https://overcast.blog/kubernetes-service-accounts-a-practical-guide-f99c1ed65483)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [cncf.io: Revealing the secrets of Kubernetes secrets 🌟](https://www.cncf.io/blog/2021/04/22/revealing-the-secrets-of-kubernetes-secrets)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [blog.doit-intl.com: Kubernetes and Secrets Management in the Cloud](https://blog.doit-intl.com/kubernetes-and-secrets-management-in-cloud-858533c20dca)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium: Kubernetes Secrets Explained](https://medium.com/codex/kubernetes-secrets-explained-f45baf8cefa7)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium: Managing your sensitive information during GitOps process with Secret' Sealed](https://medium.com/@jerome_tarte/managing-your-sensitive-information-during-gitops-process-with-secret-sealed-27498c77e2b8)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [enlear.academy: Sealed Secrets with Kubernetes](https://enlear.academy/sealed-secrets-with-kubernetes-a3f4d13dbc17)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/codex: Sealed Secrets for Kubernetes](https://medium.com/codex/sealed-secrets-for-kubernetes-722d643eb658)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [carlosalca.medium.com: How to manage all my K8s secrets in git securely' with Bitnami Sealed Secrets](https://carlosalca.medium.com/how-to-manage-all-my-k8s-secrets-in-git-securely-with-bitnami-sealed-secrets-43580b8fa0c7)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [pjame-fb.medium.com: Kubernetes Secrets from Secrets Manager using External' Secrets Operators](https://pjame-fb.medium.com/kubernetes-secrets-from-secrets-manager-using-external-secrets-operators-4819562c3b02)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [mixi-developers.mixi.co.jp: Comparing External Secrets Operator with Secret' Storage CSI as Kubernetes External Secrets is Deprecated](https://mixi-developers.mixi.co.jp/compare-eso-with-secret-csi-402bf37f20bc?gi=a7ce4398a8d7)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [faun.pub: Secrets | Kubernetes](https://faun.pub/secrets-kubernetes-298ea8dd9911)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/@knoldus: Using sealed secrets in Kubernetes](https://medium.com/@knoldus/using-sealed-secrets-in-kubernetes-7f7518d4c984)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [eminalemdar.medium.com: Cloud Native Secret Management with External Secrets' Operator](https://eminalemdar.medium.com/cloud-native-secret-management-with-external-secrets-operator-2912f41f9c49)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/google-cloud: Handle Kubernetes Secrets the GitOps Way — Part' 1](https://medium.com/google-cloud/handle-kubernetes-secrets-the-gitops-way-part-1-7079bd8221f3)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [Using SSL certificates from Let’s Encrypt in your Kubernetes Ingress via cert-manager 🌟](https://medium.com/flant-com/cert-manager-lets-encrypt-ssl-certs-for-kubernetes-7642e463bbce)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium: Encrypting the certificate for Kubernetes (Let’s Encrypt) 🌟](https://medium.com/avmconsulting-blog/encrypting-the-certificate-for-kubernetes-lets-encrypt-805d2bf88b2a)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [betterprogramming.pub: Kubernetes and SSL Certificate Management 🌟](https://betterprogramming.pub/kubernetes-and-ssl-certificate-management-5f6a4b6f5ae9)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [faun.pub: Automate Certificate Management In Kubernetes Using Cert-Manager](https://faun.pub/automate-certificate-management-in-kubernetes-using-cert-manager-d0745e5c7757)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/@knoldus: Configure SSL certificate with cert-manager on Kubernetes](https://medium.com/@knoldus/configure-ssl-certificate-with-cert-manager-on-kubernetes-e5ca8a804e16)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [blog.devgenius.io: Automated DNS/TLS with External DNS & LetsEncrypt on' Kubernetes](https://blog.devgenius.io/automated-dns-tls-with-external-dns-letsencrypt-on-kubernetes-6f4f41827df9)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [faun.pub: Let’s encrypt and CertManager](https://faun.pub/lets-encrypt-and-certmanager-aa88775730b8)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [armin.su: SSL certificates from Let’s Encrypt for Kubernetes Private Ingress' via Terraform](https://armin.su/ssl-certificates-from-lets-encrypt-for-kubernetes-private-ingress-via-terraform-c9f595ee65fa)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [betterprogramming.pub: Kubernetes Authentication Sidecars: A Revelation' in Microservice Architecture](https://betterprogramming.pub/kubernetes-authentication-sidecars-a-revelation-in-microservice-architecture-12c4608189ab)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [blog.devgenius.io: SSO Authentication for Applications in Kubernetes](https://blog.devgenius.io/sso-authentication-for-applications-in-kubernetes-aedc3c189d89)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [imanishchaudhary.medium.com: Securing Kubernetes Dashboards: SSO Authentication' and RBAC Implementation with Okta and OAuth2 Proxy](https://imanishchaudhary.medium.com/secure-kubernetes-dashboards-with-sso-authentication-using-okta-oauth2-proxy-9e52189e9749)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [Configure RBAC in Kubernetes Like a Boss 🌟](https://medium.com/trendyol-tech/configure-rbac-in-kubernetes-like-a-boss-665e2a8665dd)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [Kubernetes RBAC Permission Manager 🌟](https://toolbox.kali-linuxtr.net/kubernetes-rbac-permission-manager.tool)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/devops-mojo: Kubernetes — Role-Based Access Control (RBAC) Overview](https://medium.com/devops-mojo/kubernetes-role-based-access-control-rbac-overview-introduction-rbac-with-kubernetes-what-is-2004d13195df)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [loft-sh.medium.com: 10 Essentials for Kubernetes Access Control](https://loft-sh.medium.com/10-essentials-for-kubernetes-access-control-a67ae72977dd)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [sumanthkumarc.medium.com: Kubernetes RBAC — Update default ClusterRoles' without editing them](https://sumanthkumarc.medium.com/kubernetes-rbac-update-default-clusterroles-without-editing-them-ef206254e0)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [faun.pub: Assign permissions to an user in Kubernetes. An overview of RBAC-based' AuthZ in k8s 🌟](https://faun.pub/assign-permissions-to-an-user-in-kubernetes-an-overview-of-rbac-based-authz-in-k8s-7d9e5e1099f1)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/@badawekoo: Using RBAC in Kubernetes for authorization-Complete' Demo-Part 1](https://medium.com/@badawekoo/using-rbac-in-kubernetes-for-authorization-complete-demo-part-1-83f0a1fb8f)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/@15daniel10: YOYO attack on a K8S cluster](https://medium.com/@15daniel10/yoyo-attack-on-a-k8s-cluster-102bc1d5ca3e)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/@danielepolencic: How does RBAC work in kubernetes 🌟](https://medium.com/@danielepolencic/how-does-rbac-work-in-kubernetes-d50dd34771ca)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [dominik-tornow.medium.com: Inside Kubernetes RBAC](https://dominik-tornow.medium.com/inside-kubernetes-rbac-9988b08a738a)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/@jtdv01: Kubernetes Authorization and Role Based Access Controls' 🌟](https://medium.com/@jtdv01/kubernetes-authorization-and-role-based-access-controls-ca0b7acc17a4)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [faun.pub: Give Users and Groups Access to Kubernetes Cluster Using RBAC](https://faun.pub/give-users-and-groups-access-to-kubernetes-cluster-using-rbac-b614b6c0b383)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/@danielepolencic: AWS IAM Roles for service accounts for on-prem' clusters](https://medium.com/@danielepolencic/binding-aws-iam-roles-to-kubernetes-service-account-for-on-prem-clusters-b8bac41f269d)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/andcloudio: Setting up Authentication and RBAC Authorization' in Kubernetes](https://medium.com/andcloudio/creating-authentication-and-authorization-in-kubernetes-c6c5f0f1d2ad)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/@mehmetodabashi: Authentication and Authorization in Kubernetes:' Client Certificates and Role Based Access Control (RBAC)](https://medium.com/@mehmetodabashi/authentication-and-authorization-in-kubernetes-client-certificates-and-role-based-access-control-d4e98a3c1098)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/@brunoolimpio: Kubernetes DeepDive — Parte 2 - Kubernetes RBAC' and more... | Bruno Olimpio](https://medium.com/@brunoolimpio/kubernetes-deepdive-parte-2-a65ffdce596d)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [blog.styra.com: Why RBAC is not enough for kubernetes security 🌟🌟](https://blog.styra.com/blog/why-rbac-is-not-enough-for-kubernetes-api-security)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/dynatrace-engineering: Kubernetes Security Best Practices Part' 2: Network Policies](https://medium.com/dynatrace-engineering/kubernetes-security-best-practices-part-2-network-policies-405b36ed9d94)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com/@cloud_tips: Kubernetes Security Best Practices](https://medium.com/@cloud_tips/kubernetes-security-best-practices-ea1e3913c001)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [magalix.com: kubernetes authentication 🌟](https://www.magalix.com/blog/kubernetes-authentication)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [magalix.com: kubernetes authorization 🌟](https://www.magalix.com/blog/kubernetes-authorization)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [lisowski0925.medium.com: Using Kubernetes Certificate Signing Requests and' RBAC for User Authentication and Authorization](https://lisowski0925.medium.com/using-kubernetes-csrs-and-rbac-for-cluster-user-authentication-and-authorization-9df5498655cd)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [Kubernetes Authentication and Authorization with X509 client certificates](https://medium.com/@sureshpalemoni/kubernetes-authentication-and-authorization-with-x509-client-certificates-edbc3517c10)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [stackoverflow: Accessing the Kubernetes REST end points using bearer token](https://stackoverflow.com/questions/56214715/accessing-the-kubernetes-rest-end-points-using-bearer-token)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [ibrahims.medium.com: Security Context — Kubernetes](https://ibrahims.medium.com/security-context-kubernetes-9672ae2380f9)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [medium.com: Securing Kubernetes Dashboard on EKS with Pomerium](https://medium.com/dev-genius/securing-kubernetes-dashboard-on-eks-with-pomerium-e98c47610e2f)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [mahira-technology.medium.com: Kubernetes Secrets Management: Level Up with' External Secrets Operator](https://mahira-technology.medium.com/kubernetes-secrets-management-level-up-with-external-secrets-operator-ed7d32df2189)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [faun.pub: External Secret Operator on AKS (with Terraform) for Azure Key' Vault Integration (with Workload Identity)](https://faun.pub/external-secret-operator-on-aks-with-terraform-for-azure-key-vault-integration-with-workload-1d0c31082373)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
  - [blog.lightspin.io: NGINX Custom Snippets CVE-2021-25742](https://blog.lightspin.io/nginx-custom-snippets-cve-2021-25742)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>

## Cloud Architecture

### Cloud Native Infrastructure

#### Ingress and API Gateways

  - **(2025)** [**docs.traefik.io**](https://doc.traefik.io/traefik) 🌟🌟🌟🌟 <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — The official documentation for Traefik Proxy, showcasing a clean, production-grade implementation of MkDocs. It illustrates how complex microservice routing, TLS termination, and middleware configurations can be elegantly structured. Double-Evidence: While initially seen as a standard documentation site, live grounding shows it serves as a golden reference for structural information layout and API reference nesting in cloud-native ingress architectures.
## Cloud Infrastructure

### Container Runtimes

#### Security

  - [thenewstack.io: A Security Comparison of Docker, CRI-O and Containerd 🌟](https://thenewstack.io/a-security-comparison-of-docker-cri-o-and-containerd) <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — A technical comparison of the security profiles of Docker, CRI-O, and Containerd. It analyzes attack surfaces, runtime privilege enforcement, and performance implications of container-runtime interfaces (CRI) within enterprise Kubernetes setups.
### Kubernetes

#### Education

  - [github.com/stackrox: Certified Kubernetes Security Specialist Study Guide' 🌟](https://github.com/stackrox/Kubernetes_Security_Specialist_Study_Guide) <span class='md-tag md-tag--info'>⭐ 429</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A comprehensive community-driven study guide for the Linux Foundation's CKS exam.

*   Offers curated study material on cluster setup and cluster hardening.
*   Provides blueprints for microservice security, system hardening, and run-time threat detection.
  - [Kubernetes Goat 🌟](https://madhuakula.com/kubernetes-goat)  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — The premier interactive, intentionally vulnerable Kubernetes environment designed for learning cloud-native security. It features various real-world scenarios covering container escapes, SSRF, and credential harvesting, making it invaluable for security training.
#### Networking

  - [cilium.io](https://cilium.io) <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — An eBPF-powered open-source project that provides high-performance, secure, and observable networking, load balancing, and network security for Kubernetes workloads. Cilium is widely adopted by enterprise platforms due to its scale capabilities and granular L3-L7 policy controls.
  - [itnext.io: How-To: Kubernetes Cluster Network Security 🌟](https://itnext.io/how-to-kubernetes-cluster-network-security-f19bc99161f5) <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — A detailed technical guide explaining network security configurations within Kubernetes clusters. It demonstrates how to write and apply zero-trust Network Policies to restrict pod-to-pod and egress traffic effectively.
#### Observability

  - **(2022)** [**sysdig.com: Getting started with Kubernetes audit logs and Falco 🌟**](https://www.sysdig.com/blog/kubernetes-audit-log-falco) <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟🌟 <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — An engineering guide from Sysdig illustrating how to pipeline Kubernetes audit logs into Falco for real-time threat detection.

*   Details rule construction and audit filtering.
*   Provides blueprint event matching for runtime anomalies and suspicious API server activities.
  - [Analyze Kubernetes Audit logs using Falco 🌟](https://github.com/developer-guy/falco-analyze-audit-log-from-k3s-cluster)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A hands-on open-source demonstration project for analyzing Kubernetes audit logs on lightweight K3s clusters using Falco. Ideal for dev environments and homelabs to understand security monitoring patterns.
#### Policy-as-Code

  - [Kyverno 🌟](https://kyverno.io)  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — A CNCF graduated Kubernetes-native policy engine.

*   Allows policy definition as standard Kubernetes resources (YAML).
*   Eliminates the need for complex DSLs like Rego.
*   Simplifies admission control, generation, mutation, and validation of workloads.
  - [kyverno.io: 56 sample policies 🌟](https://kyverno.io/policies) <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — A rich library of ready-to-use Kyverno policy definitions. These templates address common cloud security standards (Pod Security Standards, multi-tenancy constraints, best practices, and resource optimization parameters) for instant cluster hardening.
#### Security (1)

  - **(2021)** [**tldrsec.com: Risk8s Business: Risk Analysis of Kubernetes Clusters 🌟**](https://tldrsec.com/?404=%2Fguides%2Fkubernetes) 🌟🌟🌟🌟 <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — A security auditing guide outlining common vulnerabilities and risk assessment techniques for Kubernetes environments.

*   Explores typical configuration flaws in real-world clusters.
*   Analyzes overly permissive workloads and provides actionable remediation tactics for DevOps teams.
  - **(2021)** [**labs.bishopfox.com: Bad Pods: Kubernetes Pod Privilege Escalation 🌟**](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation) <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟🌟 <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — A highly regarded technical teardown of container privilege escalation paths within Kubernetes. It details how threat actors leverage misconfigured Pod Security Standards (e.g., hostPath, privileged flags, capAdd) to compromise node hosts, providing essential defense tactics.
  - **(2020)** [containerjournal.com: How to Secure Your Kubernetes Cluster 🌟](https://cloudnativenow.com/topics/cloudnativesecurity/how-to-secure-your-kubernetes-cluster) 🌟🌟🌟 <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A strategic guide to establishing cluster-wide security policies. It details the layers of security required from the underlying cloud provider network up to cluster API access, RBAC, and workload runtimes.
  - **(2020)** [cyberark.com: Attacking Kubernetes Clusters Through Your Network Plumbing: Part 1](https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-1?utm_sq=goa40uvlx1) <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A technical blog analyzing complex security vectors in Kubernetes CNI (Container Network Interface) plumbing.

*   Details how network privilege escalation can occur via underlying CNI vulnerabilities.
*   Highlights critical hardening practices for the network layer.
  - [Kubernetes Security Best Practices 🌟](https://github.com/freach/kubernetes-security-best-practice/blob/master/README.md#firewall-ports-fire) <span class='md-tag md-tag--info'>⭐ 2716</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A structured GitHub curation focusing on critical security hardening for Kubernetes clusters.

*   Covers network policies and API server firewall configurations.
*   Provides essential port security rules and cluster isolation tactics.
  - [jeffgeerling.com: Everyone might be a cluster-admin in your Kubernetes cluster](https://www.jeffgeerling.com/blog/2020/everyone-might-be-cluster-admin-your-kubernetes-cluster)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Jeff Geerling discusses the severe security implications of misconfigured RBAC (Role-Based Access Control) in Kubernetes. He highlights how default installations can inadvertently grant cluster-admin privileges to arbitrary service accounts, offering clear guidance on auditing and remediation.
  - [Microsoft.com: Attack matrix for Kubernetes 🌟](https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes) <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Microsoft's foundational threat matrix for Kubernetes, modeled on the MITRE ATT&CK framework.

*   Categorizes real-world threat vectors from initial access to execution.
*   Provides cloud security teams with an indispensable threat modeling guide for lateral movement and cluster compromise.
  - [codeburst.io: 7 Kubernetes Security Best Practices You Must Follow](https://codeburst.io/7-kubernetes-security-best-practices-you-must-follow-ae32f1ed6444)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A quick-reference article outlining seven fundamental security best practices for Kubernetes. It focuses on enabling RBAC, isolating network policies, using namespaces, securing the API server, and container image scanning basics.
  - [thenewstack.io: Laying the Groundwork for Kubernetes Security, Across Workloads,' Pods and Users](https://thenewstack.io/laying-the-groundwork-for-kubernetes-security-across-workloads-pods-and-users)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An analysis of foundational Kubernetes security layers targeting workloads, pods, and user environments. It covers container runtimes, namespace isolation boundaries, and policy engines necessary to secure multi-tenant microservices setups.
  - [horovits.wordpress.com: Kubernetes Security Best Practices](https://horovits.wordpress.com/2020/07/15/kubernetes-security-best-practices)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A holistic compilation of security practices spanning the lifecycle of a Kubernetes cluster.

*   Emphasizes shift-left container scanning.
*   Focuses on Kubernetes API exposure minimization and runtime threat detection.
  - [kubernetes.io: Cloud native security for your clusters](https://kubernetes.io/blog/2020/11/18/cloud-native-security-for-your-clusters)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Official Kubernetes blog overviewing the "4Cs of Cloud Native Security": Cloud, Clusters, Containers, and Code. It serves as an authoritative introduction to multi-layered cloud security hygiene and policy enforcement.
  - [resources.whitesourcesoftware.com: Kubernetes Security Best Practices 🌟](https://resources.whitesourcesoftware.com/blog-whitesource/kubernetes-security)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An industry blog focusing on secure software supply chain practices within Kubernetes. It covers automating the detection of outdated libraries, scanning Docker images for CVEs, and applying security controls in CI/CD before deployment.
  - [thenewstack.io: Best Practices for Securely Setting up a Kubernetes Cluster](https://thenewstack.io/best-practices-for-securely-setting-up-a-kubernetes-cluster)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A practical setup guide focusing on initial bootstrap security for self-managed Kubernetes. It emphasizes disabling default service accounts, enabling TLS for all communications, and using SSH bastions for control-plane access.
  - [youtube: Kubernetes Security: Attacking and Defending K8s Clusters - by' Magno Logan](https://www.youtube.com/watch?v=OOHmg1J_8ck&ab_channel=RedTeamVillage)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A live presentation recording demonstrating hands-on exploitation and defense tactics inside Kubernetes environments. It showcases tools like kube-hunter, kubectl abuse vectors, and configuration defense setups.
  - [microsoft.com: Secure containerized environments with updated threat matrix' for Kubernetes](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes) <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Microsoft's revised Kubernetes Threat Matrix update, detailing newly discovered tactics like credential access via cloud metadata service endpoints and API server exploitation pathways. Essential for modern security monitoring teams.
  - [Tetragon (Cilium)](https://github.com/cilium/tetragon) <span class='md-tag md-tag--info'>⭐ 4691</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — An eBPF-based real-time security observability and runtime enforcement tool. Built by the creators of Cilium, Tetragon enables granular process-level, network-level, and file-level security monitoring with low performance overhead, helping to block unauthorized system actions immediately.
  - [thenewstack.io: Defend the Core: Kubernetes Security at Every Layer](https://thenewstack.io/defend-the-core-kubernetes-security-at-every-layer)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A practical walkthrough of security layers within a standard Kubernetes deployment stack. It illustrates mapping defensive configurations from container code and pipelines down through the API server and network infrastructure.
  - [helpnetsecurity.com: Kubestriker: A security auditing tool for Kubernetes' clusters 🌟](https://www.helpnetsecurity.com/2021/05/04/security-kubernetes)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A security auditing platform review focusing on Kubestriker.

*   Details how the tool scans clusters for RBAC misconfigurations.
*   Pinpoints exposed endpoints and vulnerable images to provide rapid threat-vector modeling.
## Identity and Access Management

### Cloud IAM

#### Microsoft Entra

  - [Configure Microsoft Entra for Increased Security](https://learn.microsoft.com/en-us/entra/fundamentals/configure-security) <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Official documentation outlines hardening parameters for Microsoft Entra ID. Features prescriptive blueprints for setting up conditional access, continuous access evaluation, Multi-Factor Authentication (MFA), and role-based identity management.
## Microservices

### Application Lifecycle

#### Kubernetes Deployment

  - [itnext.io: Journey Of A Microservice Application In The Kubernetes World' 🌟](https://itnext.io/journey-of-a-microservice-application-in-the-kubernetes-world-6abd625c60fe) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Follows a microservice application from development to full-scale production deployment on Kubernetes, focusing on ingress, security, and scaling. Curator insight breaks down architectural steps, including secure service routing and config separation. Live grounding verifies that understanding the holistic life cycle helps teams avoid standard reliability bottlenecks and secure their continuous delivery setups.
## Platform Security

### Compliance and Auditing

#### Security Frameworks

  - [armosec.io: Kubernetes Security Compliance Frameworks 🌟](https://www.armosec.io/blog/kubernetes-security-frameworks-and-guidance) <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Provides a thorough breakdown of standard security compliance frameworks applicable to Kubernetes environments, including CIS Benchmarks, NSA-CISA hardening guides, and MITRE ATT&CK. Details key validation metrics and remediation methods required to audit clusters against these controls.
## Security (2)

### Access Control

#### Execution Control

  - [box/kube-exec-controller](https://github.com/box/kube-exec-controller) <span class='md-tag md-tag--info'>⭐ 126</span> <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Curator Insight: Controller to restrict and audit shell execution inside Kubernetes pods. Live Grounding: Inactive for over five years. Superseded by newer ephemeral container mechanics and modern service mesh execution boundaries.
#### Hardening

  - [marcusnoble.co.uk: Restricting cluster-admin Permissions](https://marcusnoble.co.uk/2022-01-20-restricting-cluster-admin-permissions) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Curator Insight: Practical methodology for limiting root-level administrative bindings in multi-tenant environments. Live Grounding: A crucial case study showing how to configure impersonation limits and prevent privilege escalation via cluster-admin bounds.
#### Multi-Cluster Access

  - [paralus.io 🌟](https://www.paralus.io) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Curator Insight: Open-source access management tool providing centralized RBAC controls for multi-cluster environments. Live Grounding: Integrates seamlessly with OIDC identity providers to enforce fine-grained access policies across diverse cloud providers.
#### RBAC Architecture

  - **(2024)** [==learnk8s.io: Limiting access to Kubernetes resources with RBAC 🌟🌟🌟==](https://learnkube.com/rbac-kubernetes) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Curator Insight: A highly visual, structured breakdown of RBAC authorization bounds. Live Grounding: LearnK8s provides precise visual guides mapping Kubernetes cluster components to API requests, forming a gold standard for authorization training.
  - **(2023)** [**loft.sh: Kubernetes RBAC: Basics and Advanced Patterns**](https://www.vcluster.com/blog/kubernetes-rbac-basics-and-advanced-patterns) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span> 🌟🌟🌟🌟 <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Curator Insight: Deep-dive architecture guide covering basic principles and complex patterns. Live Grounding: Explains how to scale permissions securely in multi-tenant systems using namespaces and cluster roles, backed by Loft's enterprise virtualization experience.
#### RBAC Auditing Tools

  - [Krane 🌟](https://github.com/appvia/krane) <span class='md-tag md-tag--info'>⭐ 740</span> <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[LEGACY]</span> — Curator Insight: An open-source Kubernetes RBAC static analysis tool designed to identify risky roles, cluster roles, and broad resource access configurations. Live Grounding: The repository is archived and inactive for over 4 years. While the structural rules engine remains historically valuable, it does not support modern Kubernetes RBAC security vectors.
  - [raesene.github.io: Auditing RBAC - Redux](https://raesene.github.io/blog/2022/08/14/auditing-rbac-redux) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Curator Insight: Expert auditing analysis highlighting stealthy pathways for privilege escalation. Live Grounding: Maintained by veteran security researcher Rory McCune; covers subtle escalation exploits using system roles and custom resources.
#### RBAC Basics

  - **(2023)** [engineering.dynatrace.com: Kubernetes Security Best Practices -Part 1: Role Based Access Control (RBAC)](https://www.dynatrace.com/news/engineering) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> 🌟🌟🌟 <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Curator Insight: Part 1 of Dynatrace's engineering series focusing on proper RBAC boundary creation. Live Grounding: Explains the exact telemetry impact of bad cluster role design and details methods to identify unused privileges.
  - [anaisurl.com: RBAC Explained with Examples 🌟](https://anaisurl.com/kubernetes-rbac) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Curator Insight: Accessible guide explaining subjects, resources, verbs, and role bindings. Live Grounding: An ideal foundational reference with visual aids to fast-track understanding of fundamental security principles.
  - [dev.to: Configure RBAC in Kubernetes Like a Boss](https://dev.to/mstryoda/configure-rbac-in-kubernetes-like-a-boss-h67) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Curator Insight: Tactical guide detailing production-grade RBAC naming conventions and structure. Live Grounding: Features rapid-fire configurations that help bootstrap clean and audit-ready policies in dev clusters.
  - [youtube: Kubernetes RBAC Explained | Anton Putra 🌟](https://www.youtube.com/watch?v=iE9Qb8dHqWI) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Curator Insight: Video-based architectural guide detailing RBAC implementation. Live Grounding: Demonstrates step-by-step role construction, user mocking, and binding validation on active local clusters.
#### RBAC Modeling

  - [github.com/clvx/k8s-rbac-model: Kubernetes RBAC Model](https://github.com/clvx/k8s-rbac-model) <span class='md-tag md-tag--info'>⭐ 26</span> <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Curator Insight: A conceptual visualization framework for modeling Kubernetes RBAC policies. Live Grounding: The project has seen zero updates in over 5 years. Deprioritized under MVQ rules due to structural obsolescence against modern apiGroups.
#### RBAC Resources

  - [rbac.dev 🌟🌟🌟](https://rbac.dev) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span>  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — Curator Insight: A dedicated portal serving as a master index of guides, templates, and hardening vectors for Kubernetes RBAC. Live Grounding: Active and highly referenced by security engineers for baseline templating, simplifying the construction of least-privilege configurations.
#### Vulnerability Case Studies

  - [hackerone.com: Authenticated kubernetes principal with restricted permissions' can retrieve ingress-nginx serviceaccount token and secrets across all namespaces](https://hackerone.com/reports/1249583) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Curator Insight: Security report detailing a cross-namespace privilege escalation vector in ingress-nginx. Live Grounding: Essential reading showing how service account token leaks can lead to full cluster compromise.
### Authentication Protocols

#### Client-Side Security

  - [curity.io: Client Security](https://curity.io/resources/client-security) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Analyzes security patterns and best practices for implementing secure clients within modern web architecture. Curator insight focuses on preventing token leakage on client platforms. Live grounding confirms that securing the client architecture is paramount to avoiding credential hijacking in distributed web environments.
#### OAuth 2.0

  - [curity.io: OAuth 2.0 Overview](https://curity.io/resources/learn/oauth-overview) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — An authoritative reference detailing the core flows, mechanics, and actors within the OAuth 2.0 authorization framework. Curator insight describes integration opportunities for web, native, and API client types. Live grounding demonstrates that OAuth 2.0 tokens serve as the underlying standard for authenticating microservice operations.
#### OIDC

  - [curity.io: OpenID Connect Overview](https://curity.io/resources/learn/openid-connect-overview) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — Provides a comprehensive introduction to OpenID Connect (OIDC), the identity layer built directly on top of OAuth 2.0. Curator insight highlights how OIDC standardizes token delivery to provide secure client identity resolution. Live grounding affirms that OIDC is the preferred mechanism for securing user access to corporate Kubernetes instances.
### Certificates

#### Concepts

  - [dev.to: Kubernetes TLS, Demystified 🌟](https://dev.to/otomato_io/possible-paths-2hfc)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Demystifies the operational concepts of TLS, explaining how Certificate Authorities (CAs) and mutual TLS (mTLS) protect application network pathways.
#### Policy Enforcement

  - **(2025)** [github.com/cert-manager: Policy Approver](https://github.com/cert-manager/approver-policy) <span class='md-tag md-tag--info'>⭐ 90</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟 <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An official cert-manager approver-policy extension that verifies certificate requests against user-defined security guidelines before signing actions take place.
#### TLS Automation

  - **(2021)** [rejupillai.com: Let’s Encrypt the Web (for free)](https://rejupillai.com/index.php/2021/03/06/configure-tls-on-gke-ingress-for-free-with-lets-encrypt) 🌟🌟 <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Teaches administrators how to configure automated TLS on Google Kubernetes Engine (GKE) endpoints using GKE Ingress controllers and free Let's Encrypt certificates.
  - [cert-manager.io 🌟](https://cert-manager.io/docs) <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span>  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — The main technical documentation page for cert-manager, the industry-standard PKI and TLS certificate operator for automating certificates generation and renewal.
  - [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) <span class='md-tag md-tag--info'>⭐ 13830</span>  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Consolidated record of the cert-manager project, automating dynamic certificate lifecycles to guarantee encrypted transport paths between internal microservice runtimes.
  - [itnext.io: Upgrade Cert-Manager for Your Production Deployment Without Downtime](https://itnext.io/upgrade-cert-manager-for-your-production-deployment-without-downtime-ee5d32fabec8) <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Discusses upgrading cert-manager inside highly available environments without causing downtime, explaining migration mappings of CRDs and webhook components.
### Cluster Hardening

#### Best Practices

  - **(2024)** [==Kubernetes Security 101: Risks and 29 Best Practices 🌟==](https://www.redhat.com/en/topics/containers/kubernetes-security) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Curator Insight: Fundamental 101 guide compiling standard security paradigms and vectors. Live Grounding: Maintained by Red Hat; compiles 29 production-validated rules including image scanning, API isolation, and run-time container metrics.
  - [thenewstack.io: 6 Kubernetes Security Best Practices 🌟](https://thenewstack.io/6-kubernetes-security-best-practices) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Curator Insight: Conceptual breakdown of the six pillars of native Kubernetes security. Live Grounding: Distills complicated architectures into six action items (e.g., container isolation, CIS benchmarks) for fast-growing engineering teams.
  - [armosec.io: Kubernetes Security Best Practices: Definitive Guide](https://www.armosec.io/blog/kubernetes-security-best-practices) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Curator Insight: Comprehensive security handbook focused on practical remediation. Live Grounding: Authored by Armo (developers of Kubescape); highly detailed on network security, host configuration, and scanning orchestration.
  - [spectrocloud.com: Kubernetes security best practices: 5 easy ways to cut' risk](https://www.spectrocloud.com/blog/kubernetes-security-best-practices-5-easy-ways-to-cut-risk) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Curator Insight: Architectural guide targeting five foundational risk-reduction vectors. Live Grounding: Emphasizes simple steps like node OS patching, configuration drift detection, and early pipeline policy enforcement.
  - [Amazon EKS Best Practices Guide for Security 🌟](https://aws.github.io/aws-eks-best-practices) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span>  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Curator Insight: The definitive handbook for securing AWS EKS environments, curated by AWS security engineers. Live Grounding: Serves as the primary operational baseline for hardening network, IAM, data, and compute resources in AWS.
#### Deployment Security

  - **(2023)** [semaphoreci.com: Secure Your Kubernetes Deployments](https://semaphore.io/blog/kubernetes-deployments) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span> 🌟🌟🌟 <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Curator Insight: Actionable patterns for securing standard Deployment manifests in CI/CD pipelines. Live Grounding: Explains key-value securityContext settings, network policy bounds, and resource allocations.
#### Operational Best Practices

  - [blog.gitguardian.com: Hardening Your Kubernetes Cluster - Guidelines (Pt.' 2) 🌟](https://blog.gitguardian.com/hardening-your-k8s-pt-2) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Part two of a comprehensive practical guide on hardening Kubernetes installations, covering advanced topics such as RBAC auditing, log aggregation, and secret encryption at rest. Curator insight addresses key steps for locking down communication channels between internal control plane services. Live grounding affirms that implementing these hardening steps drastically reduces the blast radius of compromised microservices.
### Compliance Auditing

#### Automation

  - [rancher/cis-operator](https://github.com/rancher/cis-operator) <span class='md-tag md-tag--info'>⭐ 55</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An automated system tool to execute CIS security scans inside Rancher ecosystems. Generates custom reports mapping nodes and master components against hardened CIS standards.
#### Hardening (1)

  - [thenewstack.io: The NSA Can Help Secure Your Kubernetes Clusters](https://thenewstack.io/the-nsa-can-help-you-secure-your-kubernetes-clusters)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Provides an introductory breakdown of the NSA/CISA collaborative guidelines on hardening Kubernetes, highlighting pod security contexts, network segmentation, and system logging requirements.
  - [therecord.media: NSA, CISA publish Kubernetes hardening guide 🌟🌟](https://therecord.media/nsa-cisa-publish-kubernetes-hardening-guide)  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Reports on the publication of the joint NSA and CISA Kubernetes hardening advisory. Highlights major system recommendations to mitigate vulnerabilities associated with lateral movement and remote takeovers.
  - [infoq.com](https://www.infoq.com/news/2021/09/kubernetes-hardening-guidance)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Summarizes key operational pillars of the NSA-CISA Kubernetes hardening guide. Explains the security implications of runtime credentials, etcd access controls, and control plane settings.
  - [thenewstack.io: NSA on How to Harden Kubernetes](https://thenewstack.io/nsa-on-how-to-harden-kubernetes)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Breaks down NSA recommendations on securing containerized apps. Discusses runtime privileges, host isolation, and securing the internal network to prevent privilege escalations.
  - [armosec.io: NSA & CISA Kubernetes Hardening Guide – what is new with version' 1.1](https://www.armosec.io/blog/nsa-cisa-kubernetes-hardening-guide)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Reviews the updates introduced in version 1.1 of the NSA-CISA guide. Explains key modifications to the guidelines regarding egress traffic protection and default pod restrictions.
#### Standards

  - [kubernetes.io: Security Checklist 🌟🌟](https://kubernetes.io/docs/concepts/security/security-checklist) <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span>  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — The official, continuously updated security checklist mapping out practices across the 4C cloud-native security model. Serves as a foundational reference for cluster hardening, namespace isolation, and API server protection.
#### Threat Modeling

  - [owasp.org: OWASP Kubernetes Top Ten](https://owasp.org/www-project-kubernetes-top-ten) <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span>  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — The official OWASP Kubernetes Top 10 project cataloging critical security issues. Helps engineering teams understand threat models ranging from insecure pod configurations to compromised secrets storage.
### Compliance and Auditing (1)

#### Audit Methodology

  - [securitycafe.ro: A COMPLETE KUBERNETES CONFIG REVIEW METHODOLOGY](https://securitycafe.ro/2023/02/27/a-complete-kubernetes-config-review-methodology) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Provides a highly detailed methodology for evaluating cluster configurations, auditing access permissions, and detecting risky configurations. Curator insight details steps for assessing RBAC mappings and node exposure. Live grounding shows that a structured configuration review is essential for passing rigorous enterprise external audits.
### Compliance and Scanning

#### Policy Enforcement (1)

  - [kubescape](https://github.com/kubescape/kubescape) <span class='md-tag md-tag--info'>⭐ 11437</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — An open-source Kubernetes security platform and CNCF Sandbox project providing multi-framework compliance scanning, vulnerability assessment, and risk analysis. It automates checks against NSA-CISA, CIS benchmarks, and MITRE ATT&CK frameworks, generating detailed security posture reports. Features deep integration with CI/CD pipelines and admission controllers to enforce security-as-code.
### DevSecOps

#### Automated Compliance

  - [collabnix.com: Applying DevSecOps Practices to Kubernetes](https://collabnix.com/applying-devsecops-practices-to-kubernetes) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Explains how to integrate DevSecOps methodologies directly into the lifecycle of containerized infrastructure. Curator insight covers pipeline integration of vulnerability scanners, registry signing, and runtime audit tools. Live grounding indicates that continuous integration of security configurations drastically reduces production attack surfaces.
#### CICD Pipeline Security

  - **(2021)** [infoworld.com: 10 steps to automating security in Kubernetes pipelines](https://www.infoworld.com/article/2258136/10-steps-to-automating-security-in-kubernetes-pipelines.html) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> 🌟🌟🌟 <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Focuses on establishing highly automated security checkpoints across the continuous delivery pipeline. Curator insight lists key automation areas, including infrastructure-as-code linting and automated vulnerability patching. Live grounding proves that shifting security left into the pipeline minimizes runtime surprises and maintains continuous developer velocity.
#### SAST

  - [GitHub Code Security Risk Assessment: Free Vulnerability Scanning](https://github.blog/security/application-security/how-exposed-is-your-code-find-out-in-minutes-for-free) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An introduction to GitHub's native, free vulnerability scanning tools designed to locate security regressions, secrets, and supply chain threats directly within the code repository. It highlights automated security alerts and quick enablement configurations.
#### Static Code Analysis

  - [itnext.io: Performing Security Checks for Deployed Kubernetes Manifests](https://itnext.io/performing-security-checks-for-deployed-kubernetes-manifests-fa9d442b7951) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Outlines methods and tools used to inspect existing, live-running, or static Kubernetes resource manifests for structural defects. Curator insight showcases policy enforcement tools such as Checkov and Kube-score. Live grounding demonstrates that shift-left auditing of manifests in CI guarantees that only vetted resources enter production.
### Endpoint and Client Security

#### Kubeconfig Hardening

  - [gist.github.com: How to protect your ~/.kube/ configuration](https://gist.github.com/PatrLind/e651d3cbc3bf68e4bd9fcc9568cbd3fb) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — This Gist provides practical configuration steps to protect the local `~/.kube/config` file from unauthorized access. Curator insight highlights standard file permissions (`chmod 600`), while live grounding demonstrates how local credential storage remains a high-value target for workstation compromise. The guide outlines methods to secure context credentials, including token helpers and shell env configurations.
### Foundational Concepts

#### Cluster Hardening (1)

  - [thenewstack.io: How to Secure Kubernetes, the OS of the Cloud](https://thenewstack.io/how-to-secure-kubernetes-the-os-of-the-cloud) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Compares the security architecture of Kubernetes to traditional operating systems, identifying the key layers requiring abstraction-level security. Curator insight advocates for a shift in perspective, treating API access as the primary security perimeter. Live grounding supports that defense-in-depth must encompass the host, container, and API boundary to form a resilient cloud-native posture.
  - [cast.ai: Kubernetes Security: 10 Best Practices from the Industry and' Community 🌟](https://cast.ai/blog/kubernetes-security-10-best-practices) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Synthesizes expert advice and industry-proven practices for comprehensive cluster defense. Curator insight focuses on the absolute necessity of etcd encryption, regular posture checks, and network policies. Live grounding highlights that combining these strategies creates a multi-layered shield that significantly increases attackers' efforts.
  - [itnext.io: Introduction to Kubernetes Security for Security Professionals](https://itnext.io/introduction-to-kubernetes-security-for-security-professionals-a61b424f7a2a) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Bridges the gap between traditional security methodologies and cloud-native container structures for cybersecurity practitioners. Curator insight maps standard risk controls to container security contexts, networking policies, and etcd encryption. Live grounding reveals that security professionals must master APIs and declarative states to implement automated assurance.
#### Future of Security

  - [thenewstack.io: Basic Principles Key to Securing Kubernetes’ Future](https://thenewstack.io/key-basic-principles-to-secure-kubernetes-future) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Discusses evolutionary principles designed to ensure the long-term robustness of cloud-native systems. Curator insight stresses the necessity of secure-by-default configurations and standardized API control planes. Live grounding supports that reducing cognitive load for operators through self-healing security layers represents the future of secure operations.
#### Introductory Security

  - [dev.to/mattiasfjellstrom: Kubernetes-101: Security concepts](https://dev.to/mattiasfjellstrom/kubernetes-101-security-concepts-2f4f) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Explains introductory security concepts in Kubernetes, targeting beginner operators and developers. Curator insight highlights the core mechanisms of namespace separation, RBAC roles, and container Isolation. Live grounding confirms that a strong grasp of these fundamental concepts is required before implementing advanced security meshes.
#### The 4Cs model

  - [dev.to/thenjdevopsguy: The 4 C’s Of Kubernetes Security](https://dev.to/thenjdevopsguy/the-4-cs-of-kubernetes-security-3i9e) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An educational guide summarizing the security dimensions defined by the CNCF '4C' model: Cloud, Cluster, Container, and Code. Curator insight outlines actionable steps to secure each layer. Live grounding confirms that systemic failure at any single layer exposes the entire cluster architecture to risk.
#### Threat Landscape

  - [thenewstack.io: Securing Kubernetes in a Cloud Native World](https://thenewstack.io/securing-kubernetes-in-a-cloud-native-world) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[LEGACY]</span> — Surveys the shifting landscape of threat profiles in modern distributed cloud environments. Curator insight explores how legacy perimeter security controls fail inside highly dynamic container environments. Live grounding reinforces the importance of using identity-driven workload authorization and fine-grained access limits.
### Identity Management

#### Authentication Protocols (1)

  - **(2024)** [**Implementing a custom Kubernetes authentication method**](https://learnkube.com/kubernetes-custom-authentication) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span> 🌟🌟🌟🌟 <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Curator Insight: Highly technical tutorial on implementing custom authentication handlers. Live Grounding: Covers custom webhooks, custom token caching, and request inspection patterns for unique security infrastructures.
  - [goteleport.com: A Simple Overview of Authentication Methods for Kubernetes' Clusters](https://goteleport.com/blog/kube-authn-methods) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Curator Insight: Broad examination of OIDC, X.509 client certs, and webhook authenticators. Live Grounding: A high-density conceptual summary simplifying the choices for enterprise identity providers.
  - [kubernetes.io: Authenticating](https://kubernetes.io/docs/reference/access-authn-authz/authentication) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span>  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — Curator Insight: Official Kubernetes reference documentation for cluster-wide authentication mechanisms. Live Grounding: Absolute source of truth covering token methods, client certificates, and webhook protocols for API traffic control.
  - [kubernetes login](https://blog.christianposta.com/kubernetes/logging-into-a-kubernetes-cluster-with-kubectl) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Curator Insight: Practical deep dive by Christian Posta detailing kubectl token flow and login mechanisms. Live Grounding: Explains underlying client certificate and token caching, helping developers debug authorization blockages.
  - [OpenID Connect](https://openid.net) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span>  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — Curator Insight: Home of the OpenID Connect federation standard, which acts as the foundation for Kubernetes authentication. Live Grounding: Critical global standard underpinning identity validation in modern cloud architecture.
#### Cloud Integration

  - [From Zero to Hero with Identity and Access Control in Azure Kubernetes Service](https://techcommunity.microsoft.com/blog/startupsatmicrosoftblog/from-zero-to-hero-with-identity-and-access-control-in-azure-kubernetes-service/4386350) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Curator Insight: Architect blueprint for managing Microsoft Entra ID integration in Azure Kubernetes Service. Live Grounding: Walks through configuring fine-grained identity federation and replacing Kubernetes cluster roles with enterprise Azure AD mappings.
  - [dev.to: Binding AWS IAM roles to Kubernetes Service Account for on-prem' clusters | Daniele Polencic 🌟](https://dev.to/danielepolencic/binding-aws-iam-roles-to-kubernetes-service-account-for-on-prem-clusters-1icc) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Curator Insight: Technical guide on binding AWS IAM roles directly to ServiceAccounts inside on-premises nodes. Live Grounding: Offers an architecturally sound pattern for managing hybrid cloud identity federations without static AWS keys.
#### Enterprise Authentication

  - **(2023)** [**gravitational.com: How to Set Up Kubernetes SSO with SAML**](https://goteleport.com/blog/kubernetes-sso-saml) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span> 🌟🌟🌟🌟 <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> <span class='md-tag md-tag--info'>[LEGACY]</span> — Curator Insight: Tutorial showing how to secure the Kubernetes API utilizing SAML Single Sign-On. Live Grounding: Details proxy setup and Dex configuration, bridging legacy authentication methods with modern web authorization engines.
  - **(2023)** [loft.sh: Kubernetes and LDAP: Enterprise Authentication for Kubernetes](https://www.vcluster.com/blog/kubernetes-and-ldap-enterprise-authentication-for-kubernetes) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span> 🌟🌟🌟 <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Curator Insight: Deep dive into linking LDAP catalogs with Kubernetes authorization planes. Live Grounding: Focuses on authentication bridging patterns, helping enterprise operators synchronize Active Directory mappings safely.
#### Microservice Identities

  - **(2024)** [==learnk8s.io: Authentication between microservices using Kubernetes identities 🌟==](https://learnkube.com/microservices-authentication-kubernetes) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Curator Insight: Deep guide on binding Pod identities to external identity systems for service-to-service validation. Live Grounding: Critical reference detailing token volume projection and secure microservices cross-boundary authentication workflows.
### Identity and Access

#### API Security

  - [devopscube.com: How To Create Kubernetes Service Account For API Access](https://devopscube.com/kubernetes-api-access-service-account)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Provides a direct guide on setting up Service Accounts, defining authorization rules using RoleBindings, and managing modern TokenRequest APIs for microservice access.
  - [github.com/dvob/k8s-s2s-auth: Kubernetes Service Accounts 🌟](https://github.com/dvob/k8s-s2s-auth)  <span class='md-tag md-tag--info'>[LEGACY]</span> — Demonstrates internal service-to-service auth patterns utilizing raw Service Account tokens. Note: The repository has seen no recent development and is considered legacy under MVQ rules.
  - [gini/dexter](https://github.com/gini/dexter) <span class='md-tag md-tag--info'>⭐ 168</span>  <span class='md-tag md-tag--info'>[LEGACY]</span> — An OIDC-helper CLI tool for generating kubectl credential configurations. Inactive for over 4 years; considered legacy under Nubenetes MVQ rules.
#### Access Control (1)

  - [geek-cookbook.funkypenguin.co.nz: Using OAuth2 proxy for Kubernetes Dashboard](https://geek-cookbook.funkypenguin.co.nz/recipes/kubernetes/oauth2-proxy)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Shows how to secure access to the default Kubernetes Dashboard using OAuth2-Proxy combined with modern enterprise Identity Providers.
  - [infracloud.io: How to setup Role based access (RBAC) to Kubernetes Cluster' 🌟](https://www.infracloud.io/blogs/role-based-access-kubernetes)  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — A deep dive tutorial explaining Role-Based Access Control (RBAC) configurations, highlighting how to design custom Roles, ClusterRoles, and user bindings.
#### Cloud Integrations

  - [mjarosie.github.io: IAM roles for Kubernetes service accounts - deep dive](https://mjarosie.github.io/dev/2021/09/15/iam-roles-for-kubernetes-service-accounts-deep-dive.html) <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An in-depth guide on AWS IAM Roles for Service Accounts (IRSA). Demystifies OIDC authentication mechanics and explains how the control plane maps AWS roles to local pods.
#### Hardening (2)

  - [blog.gitguardian.com: Kubernetes Hardening Tutorial Part 3: Authn, Authz,' Logging & Auditing](https://dev.to/gitguardian/kubernetes-hardening-tutorial-part-3-authn-authz-logging-auditing-3fec)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Explains setup routines for Authentication, RBAC systems, and event logging patterns. Demonstrates how proper audit streams act as reactive verification layers against security threats.
#### Workload Identity

  - **(2024)** [==learnk8s.io/authentication-kubernetes: User and workload identities in Kubernetes 🌟🌟🌟==](https://learnkube.com/authentication-kubernetes) <span class='md-tag md-tag--primary'>[GUIDE]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — A deep dive comparing human user logins and system-managed Service Accounts. Walks through the mechanics of token verification and the internal request protocols of the API server.
  - **(2021)** [**linkerd.io: Using Kubernetes's new Bound Service Account Tokens for secure workload identity**](https://linkerd.io/2021/12/28/using-kubernetess-new-bound-service-account-tokens-for-secure-workload-identity/index.html) 🌟🌟🌟🌟 <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Describes how Linkerd leverages Bound Service Account Tokens to construct cryptographic workload identity, showing their security advantages over older token mechanisms.
### Identity and Access Management (1)

#### API Server Hardening

  - [goteleport.com: Kubernetes API Access Security Hardening](https://goteleport.com/blog/kubernetes-api-access-security) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — High-fidelity instructions on securing access to the Kubernetes API server, emphasizing the dangers of exposed endpoints. Curator insight focuses on eliminating permanent credentials in favor of short-lived, role-based certificates. Live grounding demonstrates that protecting the API gateway via proxy solutions and strict IP whitelisting prevents critical control plane compromises.
#### Access Control (2)

  - [thenewstack.io: Cloud Native Identity and Access Management in Kubernetes](https://thenewstack.io/cloud-native-identity-and-access-management-in-kubernetes) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Examines identity federation, user access management, and internal service-to-service authentication models. Curator insight details mapping cluster roles directly to organizational single sign-on identities. Live grounding indicates that decentralized identity and modern authentication are critical to maintaining least privilege in high-scale infrastructure.
#### Single Sign-On

  - **(2021)** [talkingquickly.co.uk: Kubernetes Single Sign On - A detailed guide 🌟](http://www.talkingquickly.co.uk/kubernetes-sso-a-detailed-guide) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟 <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Outlines the end-to-end integration of external identity providers (IdPs) with the Kubernetes API server using OpenID Connect (OIDC). Curator insight guides through configuring API server flags and utilizing helper tools like Gangway or dex. Live grounding establishes that integrating external OIDC is a critical security step for mapping enterprise roles to Kubernetes RBAC.
  - [dev.to/gabrielbiasi: Automatic SSO in Kubernetes workloads using a sidecar' container](https://dev.to/gabrielbiasi/automatic-sso-in-kubernetes-workloads-using-a-sidecar-container-3752) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Explains how to offload authentication requirements from applications by wrapping workloads with a sidecar proxy. Curator insight details setting up proxies like OAuth2 Proxy or Keycloak Gatekeeper. Live grounding confirms that sidecar patterns enable centralized single sign-on without changing application code.
### Industry Reports

#### Threat Landscape (1)

  - [redhat.com: The State of Kubernetes Security](https://www.redhat.com/en/blog/state-kubernetes-security) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — This Red Hat analysis outlines prevalent vulnerabilities, configuration errors, and runtime threats observed in enterprise container environments. Curator insight focuses on the dominance of misconfigurations as the primary cause of security incidents. Live grounding demonstrates that software supply chain issues and runtime security are increasingly challenging for modern enterprises.
  - [redhat.com: State of Kubernetes Security Report - Spring 2021 (PDF) 🌟](https://www.redhat.com/rhdc/managed-files/cl-state-kubernetes-security-report-ebook-f29117-202106-en.pdf) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An extensive ebook documenting industry security adoption rates, primary concerns, and threat behaviors in Spring 2021. Curator insight highlights that container configuration defects remain the highest source of corporate security anxiety. Live grounding confirms the trends predicted in this report have materialized in modern zero-trust control planes.
### Infrastructure Security

#### API Gateway Access

  - [kubernetes.io: Access Clusters Using the Kubernetes API](https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span>  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — Curator Insight: Official upstream tasks covering direct API server communication pathways. Live Grounding: Teaches developers and automated CI systems how to authenticate and safely dispatch requests directly to API server endpoints.
#### Cluster Control Plane

  - [kubernetes.io: Accesing Clusters](https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span>  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — Curator Insight: Official documentation on general cluster gateway entry points. Live Grounding: Primary map for developers, operators, and tools to locate endpoints and pass initial authentication handshakes.
#### Network Protection

  - **(2025)** [**Calico in EKS**](https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> 🌟🌟🌟🌟 <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Curator Insight: Official AWS guide to configuring Calico as a network policy engine within EKS clusters. Live Grounding: Standard pattern for implementing namespace segregation and network isolation for microservices.
  - [Building a DDoS Response Plan with Azure DDoS Protection](https://techcommunity.microsoft.com/blog/azurenetworksecurityblog/building-a-ddos-response-plan/4372256) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Curator Insight: Architecture plan to withstand high-volume distributed denial-of-service attempts. Live Grounding: Focuses heavily on cloud-native patterns like rate-limiting, load-balancer protection, and Edge integration on Azure platforms.
  - [Security Group Rules EKS](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Curator Insight: Official AWS guidelines on minimal security group parameters for EKS control planes and workers. Live Grounding: Vital infrastructure design reference preventing accidental exposure of internal cluster controllers.
  - [EC2 ENI and IP Limit](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Curator Insight: Technical documentation specifying ENI limits and IP exhaustion thresholds in EC2. Live Grounding: Critical reference for EKS network planning to avoid pod startup errors due to IP scarcity.
#### Vulnerability Intelligence

  - [kubernetes.io: Official CVE Feed 🌟](https://kubernetes.io/docs/reference/issues-security/official-cve-feed) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span>  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — Curator Insight: Upstream Kubernetes project tracking CVE announcements and security advisories. Live Grounding: The authoritative source of vulnerability data necessary for building compliance scans and security guardrails.
#### Zero Trust

  - [thenewstack.io: Securing Access to Kubernetes Environments with Zero Trust](https://thenewstack.io/securing-access-to-kubernetes-environments-with-zero-trust) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Curator Insight: Article on applying Zero Trust Network Access (ZTNA) parameters to cluster control planes. Live Grounding: Covers contextual authorization and micro-segmentation workflows designed to replace static kubeconfig files.
### Network Security

#### Network Policies

  - [tigera.io: Kubernetes security policy design: 10 critical best practices' 🌟](https://www.tigera.io/blog/kubernetes-security-policy-10-critical-best-practices) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — A structured set of recommendations for designing resilient network and security policies. Curator insight advises transitioning from flat networks to zero-trust micro-segmentation. Live grounding reveals that enforcing default-deny ingress and egress rules at the CNI layer is paramount for restricting lateral movement during an active compromise.
#### Network Segmentation

  - [blog.gitguardian.com: Kubernetes Hardening Tutorial Part 2: Network](https://blog.gitguardian.com/kubernetes-tutorial-part-2-network) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Delves into network-level security configurations, detailing how to implement namespace isolation and default-deny policies. Curator insight highlights key methods for controlling egress traffic to prevent external exfiltration. Live grounding demonstrates that CNI-enforced policies are fundamental for limiting the spread of attacks within multi-tenant clusters.
#### Public Exposure

  - [raesene.github.io: Let's talk about Kubernetes on the Internet](https://raesene.github.io/blog/2022/07/03/lets-talk-about-kubernetes-on-the-internet)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Analyzes the operational and security implications of exposing Kubernetes API servers directly to the public internet. Discusses real-world scanning threats and mitigation options like firewalling, OIDC, and endpoint protection.
#### Threat Intelligence

  - **(2022)** [blog.cyble.com: Exposed Kubernetes Clusters](https://cyble.com/blog/exposed-kubernetes-clusters) 🌟🌟 <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A threat analysis analyzing the exposure of insecure Kubernetes endpoints on the public web. Details common scanning methods and real-world exploitation frameworks targeting raw, unauthenticated APIs.
#### Zero Trust Architecture

  - **(2022)** [copado.com: Applying a Zero Trust Infrastructure in Kubernetes](https://www.copado.com/resources/blog/applying-a-zero-trust-infrastructure-in-kubernetes) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟 <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Outlines architectural models for establishing zero-trust policies inside dynamic container structures. Curator insight points to identity-driven micro-segmentation and continuous token validation at each boundary. Live grounding shows that using service meshes (like Istio or Linkerd) simplifies enforcing mutual TLS and granular authorization policies.
### Policy Enforcement (2)

#### Admission Control

  - [itnext.io: Kubernetes OWASP Top 10: Centralised Policy Enforcement](https://itnext.io/kubernetes-owasp-top-10-centralised-policy-enforcement-9adc53438e22) <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Discusses integrating centralized admission control policies (like OPA/Gatekeeper or Kyverno) to mitigate OWASP Kubernetes Top 10 vulnerabilities. Explains how structural constraints on manifests prevent downstream security bypasses.
  - [trstringer.com: Create a Basic Kubernetes Validating Webhook](https://trstringer.com/kubernetes-validating-webhook) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Curator Insight: Developer guide demonstrating how to build, deploy, and register a custom validating webhook in Go. Live Grounding: Essential practical reference for building guardrails directly on top of the Kubernetes API server admission phase.
#### Manifest Auditing

  - [blog.frankel.ch: Learning by auditing Kubernetes manifests](https://blog.frankel.ch/learning-auditing-kubernetes-manifests) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Curator Insight: Unique learning methodology based on static code analysis of raw Kubernetes manifests. Live Grounding: Teaches engineers how to spot structural vulnerabilities (e.g., hostPath mounts, root privileges) before applying resources.
#### Policy Engines

  - [Neon Mirrors: Kubernetes Policy Comparison: OPA/Gatekeeper vs Kyverno](https://kind-brown-cfb734.netlify.app/post/2021-02/kubernetes-policy-comparison-opa-gatekeeper-vs-kyverno) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Curator Insight: Detailed evaluation comparing the design paradigms, language limits, and performance of OPA/Gatekeeper versus Kyverno. Live Grounding: Provides objective architectural data comparing Rego-based policies to native YAML definitions.
#### Runtime Security

  - **(2021)** [Pod Security Policy (SCC in OpenShift) 🌟](https://kubernetes.io/docs/concepts/security/pod-security-policy) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> 🌟 <span class='md-tag md-tag--info'>[LEGACY]</span> — Curator Insight: Deprecated native resource that defined security profiles for pod execution. Live Grounding: Completely removed in Kubernetes v1.25. Replaced globally by Pod Security Standards (PSS) and third-party validation engines.
  - **(2021)** [rancher.com: Enhancing Kubernetes Security with Pod Security Policies, Part 1](https://www.suse.com/c/rancher_blog/enhancing-kubernetes-security-with-pod-security-policies-part-1) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span> 🌟 <span class='md-tag md-tag--secondary'>[GUIDE]</span> <span class='md-tag md-tag--info'>[LEGACY]</span> — Curator Insight: Part 1 of SUSE Rancher's historical guide to restricting root access through PSPs. Live Grounding: Useful exclusively for managing legacy clusters. Unusable on modern Kubernetes releases.
  - [developer.squareup.com: Kubernetes Pod Security Policies (PSP)](https://developer.squareup.com/blog/kubernetes-pod-security-policies) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Curator Insight: Historical engineering post detailing Square's journey implementing early-generation PSP blocks. Live Grounding: Excellent case study for understanding design challenges but completely obsolete.
  - [itnext.io: Implementing a Secure-First Pod Security Policy Architecture](https://itnext.io/implementing-a-restricted-first-pod-security-policyarchitecture-af4e906593b0) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--primary'>[GUIDE]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Curator Insight: Practical implementation guide for designing restricted PSP parameters. Live Grounding: Highly detailed historically, but lacks application in modern environments where PSS or Kyverno is required.
  - [kubernetes-sigs/security-profiles-operator](https://github.com/kubernetes-sigs/security-profiles-operator) <span class='md-tag md-tag--info'>⭐ 846</span> <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Curator Insight: Kubernetes SIG operator for managing AppArmor, Seccomp, and SELinux profiles natively within clusters. Live Grounding: Fully active and widely used in secure sectors to harden container execution boundaries.
  - [kubernetes.io: What's new in Security Profiles Operator v0.4.0](https://kubernetes.io/blog/2021/12/17/security-profiles-operator) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Curator Insight: Upstream release notes detailing critical profiles expansion inside the Security Profiles Operator. Live Grounding: Explains runtime metrics tracking and automated profile recording functions.
### Runtime Observability

#### eBPF Threat Detection

  - [isovalent.com: Detecting a Container Escape with Cilium and eBPF](https://isovalent.com/blog/post/2021-11-container-escape) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — A deep-dive exploration of container escape methodologies and how they can be detected at the kernel layer using Cilium and eBPF. Curator insight focuses on monitoring system calls directly to bypass container-internal obfuscation. Live grounding confirms that eBPF observability provides the low-overhead, high-fidelity metrics needed to identify escape payloads before damage occurs.
  - [developers.redhat.com: Secure your Kubernetes deployments with eBPF](https://developers.redhat.com/articles/2021/12/16/secure-your-kubernetes-deployments-ebpf) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Technical article explaining the operational advantages of using eBPF for cloud-native workload defense. Curator insight explains how eBPF operates safely within the Linux kernel to record and control system behavior without sidecars. Live grounding confirms that eBPF technology has transitioned from a monitoring utility to a standard tool for runtime security.
### Runtime Security (1)

#### Threat Detection

  - **(2022)** [infoworld.com: The race to secure Kubernetes at run time](https://www.infoworld.com/article/2270825/the-race-to-secure-kubernetes-at-runtime.html) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> 🌟🌟🌟 <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Explores the rapid evolution of security technologies focusing on runtime detection and container-level process isolation. Curator insight details the industry transition away from simple static analysis toward active behavioral profiling. Live grounding confirms that eBPF-driven insights and real-time enforcement have become critical standards for identifying novel zero-day threats.
### Secret Management

#### Certificate Management

  - [blog.alexellis.io: What if your Pods need to trust self-signed certificates?](https://blog.alexellis.io/what-if-your-pods-need-to-trust-self-signed-certificates) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Evaluates options for mounting and trusting custom or self-signed Root Certificate Authorities (CAs) inside container environments. Curator insight shows practical configurations for injecting custom root stores through init containers or volume mounts. Live grounding confirms that managing private PKIs is crucial for microservices in secure enterprise intranets.
  - [thenewstack.io: Jetstack Secure Promises to Ease Kubernetes TLS Security](https://thenewstack.io/jetstack-secure-promises-to-ease-kubernetes-tls-security) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Analyzes Jetstack Secure, an enterprise platform wrapping the open-source cert-manager tool to orchestrate certificates. Curator insight details how this service helps operationalize automated certificate renewal across multi-cluster environments. Live grounding confirms that automated PKI management reduces manual oversight and cuts down on unexpected service outages.
#### HashiCorp Vault

  - **(2023)** [==learn.hashicorp.com: Integrate a Kubernetes Cluster with an External Vault 🌟==](https://developer.hashicorp.com/vault/tutorials/kubernetes-introduction/kubernetes-external-vault) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟🌟🌟 <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Step-by-step tutorial on integrating Kubernetes secrets management with an external HashiCorp Vault instance. Curator insight shows how to securely inject secrets using the Vault Agent injector sidecar. Live grounding confirms that externalized secret managers are an industry standard for multi-tenant, enterprise-grade clusters in order to avoid native etcd secrets exposure.
### Secrets Management

#### Automation (1)

  - [youtube: Manage Kubernetes Secrets With External Secrets Operator (ESO)' 🌟](https://www.youtube.com/watch?v=SyRZe5YVCVk)  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — A video walk-through of the External Secrets Operator (ESO). Explains how to orchestrate automated synchronization between external secrets engines and native Kubernetes workflows.
#### Cloud Integrations (1)

  - [itnext.io: Effective Secrets with Vault and Kubernetes](https://itnext.io/effective-secrets-with-vault-and-kubernetes-9af5f5c04d06)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Explains HashiCorp Vault integration inside Kubernetes environments. Illustrates the Vault Agent Sidecar Injector mechanism, allowing target workloads to resolve credentials directly.
  - [itnext.io: Vault cluster with auto unseal on Kubernetes](https://itnext.io/vault-cluster-with-auto-unseal-on-kubernetes-8e469f9cdcfd) <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Details the configurations needed to bootstrap highly available HashiCorp Vault systems using dynamic KMS systems (AWS or GCP) to automate unsealing tasks.
#### Compliance Auditing (1)

  - [itnext.io: Kubernetes OWASP Top 10: Secrets Management](https://itnext.io/kubernetes-owasp-top-10-secrets-management-c996faa87b47)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Deals with risks concerning exposed credentials and hardcoded parameters within Kubernetes workflows. Walks through mitigation setups in compliance with OWASP guidelines to prevent secrets leakage.
#### Concepts (1)

  - **(2021)** [millionvisit.blogspot.com: Kubernetes for Developers #19: Manage app credentials using Kubernetes Secrets 🌟](http://millionvisit.blogspot.com/2021/07/kubernetes-for-developers-19-manage-app-credentials-using-Kubernetes-Secrets.html) 🌟🌟 <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A developer-centric tutorial on provisioning, managing, and consuming API credentials using core Secrets configurations in single-tenant applications.
  - [enterprisersproject.com: How to explain Kubernetes Secrets in plain English' 🌟](https://enterprisersproject.com/article/2019/8/kubernetes-secrets-explained-plain-english)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An easy-to-follow introductory resource explaining Kubernetes Secrets, their typical configuration schemas, and how they help developers protect operational application parameters.
  - [kubermatic.com: Keeping the State of Apps Part 2: Introduction to Secrets](https://www.kubermatic.com/blog/keeping-the-state-of-apps-part-2-introduction-to-secrets)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Introduces key concepts of stateful configuration security. Analyzes how secrets are handled internally by API controllers and mounted securely on ephemeral container systems.
  - [macchaffee.com: Plain Kubernetes Secrets are fine 🌟](https://www.macchaffee.com/blog/2022/k8s-secrets)  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Offers an alternative perspective arguing that built-in Kubernetes secrets are adequate for standard environments when combined with strong RBAC and locked-down etcd storage.
#### Data Protection

  - [kubernetes.io: Encrypting Secret Data at Rest 🌟](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data) <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — The official documentation guiding system admins through encrypting etcd secret data at rest. Covers local secrets key providers and external KMS plugin configurations.
#### Discussion

  - **(2022)** [Kubernetes base64 encodes secrets because that makes arbitrary data play nice with JSON. It had nothing to do with the security model (or lack thereof).' It did not occur to us at the time that people could mistake base64 for some form of encryption](https://x.com/originalavalamp) 🌟🌟🌟 <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A multi-perspective community debate focusing on Base64 encoding in secrets. Reinforces that encoding is not encryption and underlines the absolute need for robust encryption-at-rest configurations.
#### GitOps

  - **(2021)** [**cloud.redhat.com: A Guide to Secrets Management with GitOps and Kubernetes 🌟**](https://www.redhat.com/en/blog/a-guide-to-secrets-management-with-gitops-and-kubernetes) 🌟🌟🌟🌟 <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — An architectural review of credentials handling within declarative GitOps systems. Evaluates and compares Sealed Secrets with dynamic external resolution services.
  - [dev.to: Store your Kubernetes Secrets in Git thanks to Kubeseal. Hello SealedSecret!' 🌟](https://dev.to/stack-labs/store-your-kubernetes-secrets-in-git-thanks-to-kubeseal-hello-sealedsecret-2i6h)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Introduces Bitnami's Sealed Secrets (kubeseal), highlighting how asymmetric public-key cryptography allows engineers to securely check encrypted credentials into public Git setups.
  - [piotrminkowski.com: Sealed Secrets on Kubernetes with ArgoCD and Terraform](https://piotrminkowski.com/2022/12/14/sealed-secrets-on-kubernetes-with-argocd-and-terraform) <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Demonstrates a production GitOps configuration combining Bitnami Sealed Secrets, Terraform, and ArgoCD to deploy securely encrypted config files.
#### Integration Tools

  - [external-secrets.io 🌟](https://external-secrets.io) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — Curator Insight: Industry-standard controller designed to inject secrets securely into clusters from external providers. Live Grounding: Highly active; supports AWS, GCP, Azure, and HashiCorp Vault. This avoids storing raw sensitive keys in Git repositories.
#### KMS Integration

  - [github.com/ondat/trousseau](https://github.com/ondat/trousseau) <span class='md-tag md-tag--info'>⭐ 180</span> <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[LEGACY]</span> — Curator Insight: KMS integration designed to encrypt secrets inside etcd using external key management systems. Live Grounding: This repository is unmaintained and archived following Ondat's acquisition. Deprioritized under MVQ rules.
### Software Supply Chain

#### Admission Controllers

  - **(2022)** [**infoworld.com: Securing the Kubernetes software supply chain with Microsoft's Ratify**](https://www.infoworld.com/article/2271333/securing-the-kubernetes-software-supply-chain.html) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span> 🌟🌟🌟🌟 <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Introduces Ratify, an open-source verification engine designed to validate container image signatures and bills of materials (SBOMs) prior to deployment. Curator insight highlights how Ratify integrates as an admission controller with Gatekeeper to block unsigned or non-compliant artifacts. Live grounding confirms that cryptographic signature verification is a cornerstone of modern secure supply chain initiatives.
### Threat Landscape (2)

#### Incident Response

  - [thenewstack.io: Kubernetes: An Examination of Major Attacks 🌟](https://thenewstack.io/kubernetes-an-examination-of-major-attacks) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Examines real-world attack vectors and high-profile security incidents targeted at Kubernetes infrastructure, including cryptojacking and dashboard exposure. Curator insight breaks down the progression of an attack from initial access to privilege escalation. Live grounding confirms that threat actors consistently exploit exposed management interfaces and unauthenticated endpoints.
#### Metrics Security

  - **(2022)** [**sysdig.com: How attackers use exposed Prometheus server to exploit Kubernetes clusters | Miguel Hernández**](https://www.sysdig.com/blog/exposed-prometheus-exploit-kubernetes-kubeconeu) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> 🌟🌟🌟🌟 <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Dissects a threat scenario presented at KubeCon demonstrating how attackers leverage exposed Prometheus targets to leak cluster topology. Curator insight shows that unauthenticated metrics endpoints frequently leak critical environmental data used to plan secondary exploits. Live grounding warns that proper ingress configurations and token-based authentication are mandatory to secure monitoring setups.
#### Offensive Security

  - [tutorialboy24.blogspot.com: A Detailed Talk about K8S Cluster Security from' the Perspective of Attackers (Part 2) 🌟](https://tutorialboy24.blogspot.com/2022/09/a-detailed-talk-about-k8s-cluster.html) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Explains tactical cluster hacking methodologies and privilege escalation techniques from an offensive perspective. Curator insight analyzes vectors such as service account token theft and mounting the host socket. Live grounding emphasizes that threat-modeling from an attacker's perspective is vital to proactively designing robust admission and detection rules.
### Threat Modeling (1)

#### Attacking Patterns

  - [dev.to: A Detailed Talk about K8S Cluster Security from the Perspective' of Attackers (Part 1)](https://dev.to/tutorialboy/a-detailed-talk-about-k8s-cluster-security-from-the-perspective-of-attackers-part-1-3mm5)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A detailed technical review mapping vulnerability configurations from an attacker's point of view. Examines the impact of insecure cluster APIs and excess container rights.
#### Compliance Auditing (2)

  - **(2022)** [sysdig.com: OWASP Kubernetes Top 10 🌟](https://www.sysdig.com/blog/top-owasp-kubernetes) 🌟🌟🌟 <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Breaks down the OWASP Kubernetes Top 10 architecture from a practical sysadmin viewpoint. Evaluates security boundaries, configurations, and runtime behaviors to mitigate known exploitation routes.
#### Hardening (3)

  - [blog.gitguardian.com: Hardening Your Kubernetes Cluster - Threat Model (Pt.' 1) 🌟🌟](https://blog.gitguardian.com/hardening-your-k8-pt-1)  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — A professional breakdown of modeling security threats across containerized infra. Analyzes the major interfaces and trust boundaries of control systems, nodes, and physical networks.
### Tooling

#### Open Source Security

  - [mattermost.com: The Top 7 Open Source Tools for Securing Your Kubernetes' Cluster](https://mattermost.com/blog/the-top-7-open-source-tools-for-securing-your-kubernetes-cluster) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Evaluates seven essential open-source tools for enhancing cluster protection, targeting vulnerability scanning, posture assessment, and threat logs. Curator insight lists classic security aids like Trivy, Falco, and Terrascan. Live grounding shows that combining dynamic runtime checkers with static config linters provides comprehensive coverage across the delivery pipeline.
### Vulnerabilities

#### CVE Case Studies

  - [empresas.blogthinkbig.com: Descubierta una vulnerabilidad en Kubernetes' que permite acceso a redes restringidas (CVE-2020-8562)](https://empresas.blogthinkbig.com/descubierta-vulnerabilidad-kubernetes-permite-acceso-redes-restringidas-cve-2020-8562) <span class='md-tag md-tag--warning'>[ES CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Analiza en detalle la vulnerabilidad de denegación de servicio y elisión de restricciones de red identificada como CVE-2020-8562. El análisis del curador detalla el impacto en la resolución de DNS internas de la API del clúster. La contrastación con el estado actual del sector muestra cómo esta vulnerabilidad impulsó mejoras críticas en los controles de red del plano de control. [SPANISH CONTENT]
### Vulnerability Management

#### CVE Feeds

  - [kubernetes.io: Announcing the Auto-refreshing Official Kubernetes CVE Feed](https://kubernetes.io/blog/2022/09/12/k8s-cve-feed-alpha)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Official Kubernetes announcement of an auto-refreshing JSON-based CVE feed designed for programmatic security automation. This feed enables automated scanning engines, SIEMs, and cloud-native vulnerability scanners to ingest real-time vulnerability data natively and authoritative definitions straight from the Kubernetes security team.
### Vulnerability Scanning

#### Compliance Auditing (3)

  - **(2021)** [blog.flant.com: Kubernetes cluster security assessment with kube-bench and kube-hunter](https://palark.com/blog/kubernetes-security-with-kube-bench-and-kube-hunter) 🌟🌟🌟 <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Explores proactive vulnerability scanning and automated compliance verification using kube-bench and kube-hunter. Compares their execution models to establish a multi-layered verification strategy inside target clusters.
#### Interviews

  - [infoq.com: Armo Releases Kubescape K8s Security Testing Tool: Q&A with VP' Jonathan Kaftzan](https://www.infoq.com/news/2021/09/kubescape)  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A developer-focused interview exploring the release of Kubescape. Outlines the technical strategies behind automated cluster auditing and dynamic verification mapping against official security guidelines.
#### Manifest Auditing (1)

  - [github.com/Shopify/kubeaudit 🌟🌟](https://github.com/Shopify/kubeaudit) <span class='md-tag md-tag--info'>⭐ 1936</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — An open-source auditor that checks active Kubernetes configurations and YAML manifests against real-world security profiles. Prevents misconfigurations such as running containers as root or with excessive privileges.
### Workload Security

#### AWS EKS Hardening

  - [dev.to/aws-builders: Best Practices for Securing Kubernetes Deployments' 🌟](https://dev.to/aws-builders/best-practices-for-securing-kubernetes-deployments-1jg6) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Focuses on deployment hardening guidelines tailored for AWS Elastic Kubernetes Service (EKS) and native clusters. Curator insight outlines using IAM Roles for Service Accounts (IRSA) to implement AWS credential isolation. Live grounding confirms that configuring infrastructure-level least-privilege policies prevents lateral cloud infrastructure compromise.
#### Common Misconfigurations

  - [fairwinds.com: Discover the Top 5 Kubernetes Security Mistakes You're (Probably)' Making](https://www.fairwinds.com/blog/top-5-kubernetes-security-mistakes) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Explores the most common security oversights in Kubernetes cluster deployments, such as running containers as root and missing resource limits. Curator insight matches automated auditing observations, emphasizing the gap between default settings and production requirements. Live grounding highlights that automated policy engines (like Polaris or Kyverno) are essential to systematically mitigate these risks.
#### Debugging Security

  - [xenitab.github.io: Kubernetes Ephemeral Container Security 🌟](https://xenitab.github.io/blog/2022/04/12/ephemeral-container-security) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--critical'>[ADVANCED LEVEL]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Explains security considerations around the use of ephemeral containers for live cluster troubleshooting. Curator insight warns against exposing node-level namespaces during ad-hoc diagnostics sessions. Live grounding indicates that while ephemeral containers are critical for debugging distroless images, they require strict RBAC policies to prevent escalation.
#### Deployment Hardening

  - [armosec.io: How to Secure Deployments in Kubernetes? 🌟](https://www.armosec.io/blog/secure-kubernetes-deployment) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — A practical guide addressing how to configure secure deployments using declarative configurations. Curator insight details defensive parameters such as secrets handling, least-privilege service accounts, and resource controls. Live grounding indicates that automated compliance checks during Deployment creation are vital to prevent misconfigurations from reaching live states.
#### Developer Best Practices

  - [dev.to/pavanbelagatti: Kubernetes Security Best Practices For Developers](https://dev.to/pavanbelagatti/kubernetes-security-best-practices-for-developers-2b92) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — Tailored specifically for application developers to guide secure manifest construction and safe build configurations. Curator insight details practical tips like avoiding hardcoded secrets and keeping image footprints minimal. Live grounding confirms that developer training combined with automated IDE feedback is essential for maintaining secure codebases.
#### Pod Hardening

  - [blog.gitguardian.com: Kubernetes Hardening Tutorial Part 1: Pods](https://blog.gitguardian.com/kubernetes-tutorial-part-1-pods) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — A granular tutorial guiding developers on how to design and build secure Pod configurations. Curator insight instructs on eliminating default privileges and configuring security contexts. Live grounding shows that implementing Pod Security Standards (PSS) provides a straightforward, out-of-the-box framework to systematically restrict critical container permissions.
  - [dev.to/thenjdevopsguy: Securing Kubernetes Pods For Production Workloads](https://dev.to/thenjdevopsguy/securing-kubernetes-pods-for-production-workloads-51oh) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — A specialized checklist for locking down Pod setups in highly regulated production networks. Curator insight addresses how to enforce non-root execution, limit Capabilities, and bind resource consumption quotas. Live grounding shows that consistent enforcement of these checklists eliminates common container breakout opportunities.
#### Pod Security Context

  - [snyk.io: 10 Kubernetes Security Context settings you should understand](https://snyk.io/blog/10-kubernetes-security-context-settings-you-should-understand) <span class='md-tag md-tag--warning'>[EN CONTENT]</span>  <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — A comprehensive guide on utilizing the Kubernetes `securityContext` API to enforce Pod and container-level boundaries. Curator insight details foundational settings like `runAsNonRoot`, `readOnlyRootFilesystem`, and `allowPrivilegeEscalation`. Live grounding confirms these configurations remain the primary defense-in-depth mechanisms for preventing container breakouts in 2026 production environments.

---
💡 **Explore Related:** [IaC](./iac.md) | [Terraform](./terraform.md) | [Ansible](./ansible.md)