awesome-kubernetes/v2-docs/securityascode.md
# Security Policy as Code
!!! info "Architectural Context"
    Detailed reference for Security Policy as Code in the context of Hardened Infrastructure.
## Standard Reference
- [searchitoperations.techtarget.com: Kubernetes policy project takes enterprise IT by storm](https://www.techtarget.com/searchitoperations/news/252467102/Kubernetes-policy-project-takes-enterprise-IT-by-storm) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [fugue.co: 5 tips for using the Rego language for Open Policy Agent (OPA)](https://snyk.io/blog) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.openshift.com: Fine-Grained Policy Enforcement in OpenShift with Open Policy Agent 🌟](https://www.redhat.com/en/blog/fine-grained-policy-enforcement-in-openshift-with-open-policy-agent) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [compile OpenPolicyAgent policies into WebAssembly and run them on the edge](https://github.com/open-policy-agent/contrib/tree/main/wasm/cloudflare-worker) <span class='md-tag md-tag--info'>⭐ 345</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [Fugue: Container and Kubernetes. Runtime infrastructure security](https://snyk.io/product/container-vulnerability-management) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [searchitoperations.techtarget.com: CNCF policy-as-code project bridges Kubernetes security gaps](https://www.techtarget.com/searchitoperations/news/252505548/CNCF-policy-as-code-project-bridges-Kubernetes-security-gaps) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [cloud.redhat.com: Automate Your Security Practices and Policies on OpenShift With Kyverno 🌟](https://www.redhat.com/en/blog/automate-your-security-practices-and-policies-on-openshift-with-kyverno) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [youtube: The Rise of Kubernetes Policy Engine | Ep 57](https://www.youtube.com/watch?v=0TvhTXddRGE&t=12s) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [appsecengineer.com: Kubernetes Policy Management with Kyverno](https://www.appsecengineer.com/courses-collection/kubernetes-policy-management-with-kyverno) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [Apolicy](https://www.sysdig.com) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [sysdig.com: Sysdig and Apolicy join forces to help customers secure Infrastructure As Code and automate remediation](https://www.sysdig.com/blog/sysdig-and-apolicy-join-forces-to-help-customer-secure-infrastructure-as-code) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [IBM Vault 2.0 UI Enhancements and Reporting Improvements](https://t.co/cvOceuueCF) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [Web-Check](https://web-check.xyz) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [IBM IAM for AI Agents](https://t.co/EKsVgKA4xn) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [MagTape](https://github.com/tmobile/magtape) <span class='md-tag md-tag--info'>⭐ 152</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [Azure Network Security Perimeter Concepts](https://learn.microsoft.com/en-us/azure/private-link/network-security-perimeter-concepts) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [Docker Hardened Images for Every Developer](https://www.docker.com/blog/docker-hardened-images-for-every-developer) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [amazon.com: Policy-based countermeasures for Kubernetes Part 1](https://aws.amazon.com/blogs/containers/policy-based-countermeasures-for-kubernetes-part-1) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [medium: Automate policies enforcement with Policy-as-Code 🌟](https://medium.com/airwalk/automate-policies-enforcement-with-policy-as-code-2f20aac9e2b0) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.gitguardian.com: What is Policy-as-Code? An Introduction to Open Policy Agent](https://blog.gitguardian.com/what-is-policy-as-code-an-introduction-to-open-policy-agent) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [OPA Open Policy Agent 🌟](https://www.openpolicyagent.org) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [magalix.com: Integrating Open Policy Agent (OPA) With Kubernetes 🌟](https://www.magalix.com/blog/integrating-open-policy-agent-opa-with-kubernetes-a-deep-dive-tutorial) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [PolicyHub CLI, a CLI tool that makes Rego policies searchable 🌟](https://github.com/policy-hub/policy-hub-cli) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.styra.com: Integrating Identity: OAUTH2 and OPENID CONNECT in Open Policy Agent](https://blog.styra.com/blog/integrating-identity-oauth2-and-openid-connect-in-open-policy-agent) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.styra.com: Rego Unit Testing](https://blog.styra.com/blog/rego-unit-testing) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [github.com/instrumenta/policies: A set of shared policies for use with Conftest and other Open Policy Agent tools](https://github.com/instrumenta/policies) <span class='md-tag md-tag--info'>⭐ 66</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.styra.com: Dynamic Policy Composition for OPA](https://blog.styra.com/blog/dynamic-policy-composition-for-opa) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.styra.com: 5 OPA Deployment Performance Models for Microservices](https://blog.styra.com/blog/5-opa-deployment-performance-models-for-microservices) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.styra.com: Open Policy Agent: The Top 5 Kubernetes Admission Control Policies](https://blog.styra.com/blog/open-policy-agent-the-top-5-kubernetes-admission-control-policies) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [thenewstack.io: Getting Open Policy Agent Up and Running](https://thenewstack.io/getting-open-policy-agent-up-and-running) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [siegert-maximilian.medium.com: Ensure Content Trust on Kubernetes using Notary and Open Policy Agent](https://siegert-maximilian.medium.com/ensure-content-trust-on-kubernetes-using-notary-and-open-policy-agent-485ab3a9423c) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.styra.com: Policy-based infrastructure guardrails with Terraform and OPA 🌟](https://blog.styra.com/blog/policy-based-infrastructure-guardrails-with-terraform-and-opa) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [medium: Automated Manifest File Validation Using Open Policy Agent and GitHub Actions | Ravindu Sandeepa Rathugama](https://medium.com/@ravindursr/automated-manifest-file-validation-using-open-policy-agent-and-github-actions-697fa9fd74f0) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [thenewstack.io: Weaveworks Adds Policy as Code to Secure Kubernetes Apps (Magalix)](https://thenewstack.io/weaveworks-adds-policy-as-code-to-secure-kubernetes-apps) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [dev.to: Load external data into OPA: The Good, The Bad, and The Ugly](https://dev.to/permit_io/load-external-data-into-opa-the-good-the-bad-and-the-ugly-26lc) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [inspektor.cloud: Evaluating open policy agent in rust using wasm](https://inspektor.cloud/blog/evaluating-open-policy-agent-in-rust-using-wasm) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [medium.com/4th-coffee: What is Policy-as-Code? An Introduction to Open Policy Agent](https://medium.com/4th-coffee/what-is-policy-as-code-an-introduction-to-open-policy-agent-6098463f8461) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [banzaicloud.com: Istio and Kubernetes ft. OPA policies](https://banzaicloud.com/blog/istio-opa) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [medium: Ensure Content Trust on Kubernetes using Notary and Open Policy Agent](https://medium.com/@siegert.maximilian/ensure-content-trust-on-kubernetes-using-notary-and-open-policy-agent-485ab3a9423c) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [kubermatic.com: Using Open Policy Agent With Kubermatic Kubernetes Platform](https://www.kubermatic.com/blog/using-open-policy-agent-with-kubermatic) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [k8s-security-policies](https://github.com/raspbernetes/k8s-security-policies) <span class='md-tag md-tag--info'>⭐ 177</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [medium: Deploying Open Policy Agent (OPA) on a GKE cluster — Step by Step](https://medium.com/linkbynet/deploying-opa-on-a-gke-cluster-da4d3d77812c) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.styra.com: Using OPA with GitOps to speed Cloud-Native development](https://blog.styra.com/blog/using-opa-with-gitops-to-speed-cloud-native-development) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [medium.com/gitguardian: What is Policy-as-Code? An Introduction to Open Policy Agent](https://medium.com/gitguardian/what-is-policy-as-code-an-introduction-to-open-policy-agent-dba1400bb030) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [hashicorp.com: Securing Infrastructure In Application Pipelines](https://www.hashicorp.com/resources/securing-infrastructure-in-application-pipelines) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [thenewstack.io: Yor Automates Tagging for Infrastructure as Code](https://thenewstack.io/yor-automates-tagging-for-infrastructure-as-code) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [yor.io](https://yor.io) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [checkov.io](https://www.checkov.io) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [aws.amazon.com: Policy-based countermeasures for Kubernetes Part 1](https://aws.amazon.com/es/blogs/containers/policy-based-countermeasures-for-kubernetes-part-1) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [Selefra: Selefra is an open-source policy-as-code software that provides analytics for multi-cloud and SaaS.](https://github.com/selefra/selefra) <span class='md-tag md-tag--info'>⭐ 545</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [venturebeat.com: How Nirmata plans to conquer Kubernetes complexity with open source Kyverno](https://venturebeat.com/2021/08/10/how-nirmata-plans-to-conquer-kubernetes-complexity-with-open-source-kyverno) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [neonmirrors.net: Kubernetes Policy Comparison: OPA/Gatekeeper vs Kyverno 🌟](https://neonmirrors.net/post/2021-02/kubernetes-policy-comparison-opa-gatekeeper-vs-kyverno) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [dev.to: Using Kyverno To Enforce EKS Best Practices](https://dev.to/rinkiyakedad/using-kyverno-to-enforce-eks-best-practices-cad) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [kyverno.io: Mutating Resources](https://kyverno.io/docs/writing-policies/mutate) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [squadcast.com: Kyverno - Policy Management in Kubernetes 🌟](https://www.squadcast.com/blog/kyverno-policy-management-in-kubernetes) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [neonmirrors.net: Exploring Kyverno: Part 3, Generation](https://neonmirrors.net/post/2020-12/exploring-kyverno-part3) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [kyverno.io: Check deprecated APIs 🌟](https://kyverno.io/policies/best-practices/check_deprecated_apis) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [kyverno.io: Generating resources into existing namespaces](https://kyverno.io/docs/writing-policies/generate/#generating-resources-into-existing-namespaces) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [kyverno.io: Add Pod Proxies](https://kyverno.io/policies/other/add-pod-proxies) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [kyverno.io: Auto-Gen Rules for Pod Controllers](https://kyverno.io/docs/writing-policies/autogen) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [kyverno.io: Require PodDisruptionBudget](https://kyverno.io/policies/other/require_pdb) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [nirmata.com: Kubernetes Supply Chain Policy Management with Cosign and Kyverno](https://nirmata.com/2021/08/12/kubernetes-supply-chain-policy-management-with-cosign-and-kyverno) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [neonmirrors.net: Exploring Kyverno: Introduction 🌟](https://neonmirrors.net/post/2020-11/exploring-kyverno-intro) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [nirmata.com: Introducing Kyverno 1.4.2: Trusted And More Efficient!](https://nirmata.com/2021/08/18/introducing-kyverno-1-4-2-trusted-and-more-efficient) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [Policy Reporter 🌟](https://github.com/kyverno/policy-reporter) <span class='md-tag md-tag--info'>⭐ 368</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [sesin.at: Securing Kubernetes with Kyverno: How to Protect Your Users From Themselves by Ritesh Patel](https://www.sesin.at/2021/08/28/securing-kubernetes-with-kyverno-how-to-protect-your-users-from-themselves-by-ritesh-patel) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [movi.hashnode.dev: Simplify Kubernetes Cluster Management with Kyverno](https://movi.hashnode.dev/simplify-kubernetes-cluster-management-with-kyverno-ckt6yxjqy0duy95s14groe7h4) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [arun-sisodiya.medium.com: Kyverno: A Kubernetes native policy manager (Policy as Code)](https://arun-sisodiya.medium.com/kyverno-a-policy-manager-for-kubernetes-286f6e082062) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [dev.to: Default Kyverno Policies for OpenEBS](https://dev.to/niveditacoder/default-kyverno-policies-for-openebs-4abf) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [kyverno.io: Restrict Image Registries](https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [dev.to: Using Kyverno Policies for Kubernetes Governance](https://dev.to/mda590/using-kyverno-policies-for-kubernetes-governance-3e17) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [kyverno.io: Implementing your best practices is simple with kyverno](https://kyverno.io/policies/best-practices/require_probes/require_probes) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [medium.com/compass-true-north: Governing Multi-Tenant Kubernetes Clusters with Kyverno](https://medium.com/compass-true-north/governing-multi-tenant-kubernetes-clusters-with-kyverno-3e11ba4a64ad) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [medium.com/@haseebshaukat2: Kyverno — Policy Engine for Kubernetes | Muhammad Haseeb Shaukat](https://medium.com/@haseebshaukat2/kyverno-policy-engine-for-kubernetes-b49f3fac43b9) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [blog.sigstore.dev: How to verify container images with Kyverno using KMS, Cosign, and Workload Identity](https://blog.sigstore.dev/how-to-verify-container-images-with-kyverno-using-kms-cosign-and-workload-identity-1e07d2b85061) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [medium.com/@glen.yu: Why I prefer Kyverno over Gatekeeper for native Kubernetes policy management](https://medium.com/@glen.yu/why-i-prefer-kyverno-over-gatekeeper-for-native-kubernetes-policy-management-35a05bb94964) <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span>
- [Cloud Custodian](https://github.com/cloud-custodian/cloud-custodian) <span class='md-tag md-tag--info'>⭐ 5988</span> <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span>
## Cloud Infrastructure
### Kubernetes
#### Policy-as-Code
- [Kyverno 🌟](https://kyverno.io) <span class='md-tag md-tag--success'>[DE FACTO STANDARD]</span> — A CNCF graduated Kubernetes-native policy engine.
    * Allows policy definition as standard Kubernetes resources (YAML).
    * Eliminates the need for complex DSLs like Rego.
    * Simplifies admission control, generation, mutation, and validation of workloads.
- [kyverno.io: 56 sample policies 🌟](https://kyverno.io/policies) <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — A rich library of ready-to-use Kyverno policy definitions. These templates address common cloud security standards (Pod Security Standards, multi-tenancy constraints, best practices, and resource optimization parameters) for instant cluster hardening.
## Identity and Access Management
### Cloud IAM
#### Microsoft Entra
- [Configure Microsoft Entra for Increased Security](https://learn.microsoft.com/en-us/entra/fundamentals/configure-security) <span class='md-tag md-tag--primary'>[DOCUMENTATION]</span> <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> — Official documentation outlining hardening parameters for Microsoft Entra ID, with prescriptive blueprints for setting up conditional access, continuous access evaluation, Multi-Factor Authentication (MFA), and role-based identity management.
## Public Cloud Platforms
### AWS
#### EKS Security and Isolation
##### Policy Management
- [aws.amazon.com: Easy as one-two-three policy management with Kyverno on Amazon EKS 🌟](https://aws.amazon.com/blogs/containers/easy-as-one-two-three-policy-management-with-kyverno-on-amazon-eks) <span class='md-tag md-tag--info'>[ENTERPRISE-STABLE]</span> <span class='md-tag md-tag--secondary'>[GUIDE]</span> — Walkthrough detailing how to manage native policy rules on EKS clusters using Kyverno instead of raw Rego. Illustrates automated resource validation, generation, and mutation patterns to enforce corporate configuration compliance.
## Security
### DevSecOps
#### SAST
- [GitHub Code Security Risk Assessment: Free Vulnerability Scanning](https://github.blog/security/application-security/how-exposed-is-your-code-find-out-in-minutes-for-free) <span class='md-tag md-tag--warning'>[EN CONTENT]</span> <span class='md-tag md-tag--info'>[COMMUNITY-TOOL]</span> — An introduction to GitHub's native, free vulnerability scanning tools designed to locate security regressions, secrets, and supply chain threats directly within the code repository. It highlights automated security alerts and quick enablement configurations.
---
💡 **Explore Related:** [Kubernetes Security](./kubernetes-security.md) | [Devsecops](./devsecops.md) | [Kustomize](./kustomize.md)