awesome-kubernetes/docs/devsecops.md

Security and DevSecOps. Container Security

• Introduction
• Kubernetes Threat Modelling
• Kubernetes Config Security Threats
• Security Linting on Kubernetes
• Multi-Level Security (MLS) vs Multi-Category Security (MCS). Make Secure Pipelines with Podman and Containers
• Project Calico
• Security Patterns for Microservice Architectures
• Anchore Container Security Solutions for DevSecOps
• StackRox
  • Secure Container Based CI/CD Workflows
  • Securing Kubernetes With Anchore
• GitHub security
• Databases in DMZ and Intranet
• Removing Credentials From Git Repo
• Pentesting
• Credential Managers
  • keycloak
  • Git Credential Manager Core
• GitOps Secret Management
  • HashiCorp Vault
  • CyberArk and Ansible
  • SOPS for Kubernetes
  • Alternatives
• Serverless Security Best Practices
• Docker Images & Container Security
• Pod Security Policies
• Kubernetes Network Policies
• Static Analysis SAST
• Kubernetes Security Tools
• Helm Charts Security
• Password Recovery
• Books

Introduction

• fiercesw.com: DevOps vs DevSecOps
• devopszone.info: DevSecOps Explained
• linkedin: Dear Google, my data has left your building!
• snyk.io: The State of Open Source Security 2020
• managedsentinel.com: Executive View — Current and Future Cybersecurity Architecture On One Page
• Exploring the (lack of) security in a typical Docker and Kubernetes installation
• kalilinuxtutorials.com: Deploying & Securing Kubernetes Clusters
• loves.cloud: Creating a fully automated DevSecOps CI/CD Pipeline
• redhat.com: Balancing Linux security with usability Your system should be secure, but open enough to serve its function. Here are some tips on how to strike that balance.
• thenewstack.io: Culture, Vulnerabilities and Budget: Why Devs and AppSec Disagree
• computing.co.uk: CloudBees gets busy with security, visibility and control as DevOps evolves CEO Sacha Labourey: 'DevOps is a pretty good proxy for what needs to happen in any organisation'
• paloaltonetworks.com: Is Your Organization Protected Against IAM Misconfiguration Risks?
• devops.com: How to Successfully Integrate Security and DevOps
• helpnetsecurity.com: How to make DevSecOps stick with developers
• blog.christophetd.fr: Shifting Cloud Security Left — Scanning Infrastructure as Code for Security Issues
• devclass.com: Docker: It’s not dead yet, but there’s a tendency to walk away, security report finds
• loves.cloud: Creation of a Fully-Automated DevSecOps CICD Pipeline

Kubernetes Threat Modelling

• marcolancini.it: The Current State of Kubernetes Threat Modelling

Kubernetes Config Security Threats

• cncf.io: Identifying Kubernetes Config Security Threats: Pods Running as Root
• mirantis.com: Introduction to Istio Ingress: The easy way to manage incoming Kubernetes app traffic Leaving your cluster exposed can be risky. That's why you need Istio Ingress, which only exposes the part that handles incoming traffic & allows routing rules based on routes, headers, IP addresses and more.
• thenewstack.io: How Kubernetes vulnerabilities have shifted since the first attacks

Security Linting on Kubernetes

• kubeLinter 🌟 KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
• thenewstack.io: StackRox KubeLinter Brings Security Linting to Kubernetes

Multi-Level Security (MLS) vs Multi-Category Security (MCS). Make Secure Pipelines with Podman and Containers

• Why you should be using Multi-Category Security (MCS) for your Linux containers
• Using Podman and Containers to make a more secure pipeline

Project Calico

• Project Calico Secure networking for the cloud native era

Security Patterns for Microservice Architectures

• Security Patterns for Microservice Architectures

Anchore Container Security Solutions for DevSecOps

• Anchore Container image inspection and policy-based compliance

StackRox

• stackrox.com
• redhat.com: Red Hat to Acquire Kubernetes-Native Security Leader StackRox

Secure Container Based CI/CD Workflows

• Secure Container Based CI/CD Workflows
• Jenkins Plugin: Anchore Container Image Scanner

Securing Kubernetes With Anchore

• Securing Kubernetes With Anchore

GitHub security

• GitHub security: what does it take to protect your company from credentials leaking on GitHub? 🌟

Databases in DMZ and Intranet

• Databases in DMZ and Intranet

Removing Credentials From Git Repo

• medium: The Easiest Way To Remove Checked In Credentials From A Git Repo

Pentesting

• forbes.com: DevOps Drives Pentesting Delivered As A Service
• emagined.com: How to conduct a penetration test

Credential Managers

keycloak

• keycloak.org Open Source Identity and Access Management For Modern Applications and Services
• Securing Kubernetes Apps with Keycloak and Gatekeeper
• Authorizing multi-language microservices with Louketo Proxy
• developers.redhat.com: A deep dive into Keycloak
• blog.getambassador.io: Step-by-Step Centralized Authentication for Kubernetes with Keycloak and the Ambassador Edge Stack
• blog.sighup.io: How to run Keycloak in HA on Kubernetes How to setup Keycloak, the Open Source Identity and Access Management, in HA on Kubernetes.
• developers.redhat.com: Authentication and authorization using the Keycloak REST API

Git Credential Manager Core

• Git Credential Manager Core GCM Core is a free, open-source, cross-platform credential manager for Git.
• Git Credential Manager Core: Building a universal authentication experience

GitOps Secret Management

• blog.gitguardian.com: Secrets in source code (episode 2/3). Why secrets in git are such a problem

HashiCorp Vault

• vaultproject.io Manage Secrets and Protect Sensitive Data. Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.
• medium: Coding for Secrets Reliability with HashiCorp Vault
• hashicorp.com: Vault & Kubernetes: Better Together
• OpenShift Blogs:
  • https://www.openshift.com/blog/managing-secrets-openshift-vault-integration
  • https://www.openshift.com/blog/vault-integration-using-kubernetes-authentication-method
  • https://www.openshift.com/blog/integrating-vault-with-legacy-applications
  • https://www.openshift.com/blog/integrating-hashicorp-vault-in-openshift-4
• Vault Learning Resources: Vault 1.5 features and more
• medium: Securing K8s Ingress Traffic with HashiCorp Vault PKIaaS and JetStack Cert-Manager
• hashicorp.com: Automate Secret Injection into CI/CD Workflows with the GitHub Action for Vault
• hashicorp.com: Use AWS Lambda Extensions to Securely Retrieve Secrets From HashiCorp Vault Developers no longer have to make their Lambda functions Vault-aware.
• github.com/kelseyhightower: Serverless Vault with Cloud Run This tutorial walks you through deploying Hashicorp's Vault on Cloud Run, Google Cloud's container based Serverless compute platform.

CyberArk and Ansible

• ansible.com: Simplifying secrets management with CyberArk and Red Hat Ansible Automation Platform
• ansible.com: Automating Security with CyberArk and Red Hat Ansible Automation Platform

SOPS for Kubernetes

• dev.to: Manage your secrets in Git with SOPS for Kubernetes 🌟

Alternatives

• GitOps secret management with bitnami-labs Sealed Secret and GoDaddy Kubernetes External Secrets

Serverless Security Best Practices

• 10 Serverless security best practices

Docker Images & Container Security

• thehackernews.com: Docker Images Containing Cryptojacking Malware Distributed via Docker Hub
• sysdig.com: 12 Container image scanning best practices to adopt in production
• infracloud.io: The Ten Commandments of Container Security
• medium: KubeSecOps Pipeline(Container security) in a cloudnative ecosystem
• sysdig.com: Sysdig 2021 container security and usage report: Shifting left is not enough 🌟
• itnext.io: Hardening Docker and Kubernetes with seccomp 🌟
• redhat.com: Improving Linux container security with seccomp 🌟 Try this method of using an OCI runtime hook for tracing syscalls before you build a container.

Pod Security Policies

• octetz.com: Setting Up Pod Security Policies By default, Kubernetes allows anything capable of creating a Pod to run a fairly privileged container that can compromise a system. Pod Security Policies protect clusters from privileged pods by ensuring the requester is authorised.
• infracloud.io: Kubernetes Pod Security Policies with Open Policy Agent In this blog post, you will learn about the Pod Security Policy admission controller. Then you will see how Open Policy Agent can implement Pod Security Policies.

Kubernetes Network Policies

• medium.com: K8s Network Policies Demystified and Simplified 🌟
• blog.nody.cc: Verify your Kubernetes Cluster Network Policies: From Faith to Proof

Static Analysis SAST

• DevSecOps – Static Analysis SAST with Jenkins Pipeline

Kubernetes Security Tools

• europeclouds.com: Implementing Aqua Security to Secure Kubernetes
• Pomerium is an identity-aware proxy that enables secure access to internal applications. Pomerium brings consistent authz/authn, tooling, and auditing across cloud and on-premise deployments. No VPN or cloud provider account is required

Helm Charts Security

• medium: Who’s at the Helm? Or, how to deploy 25+ CVEs to prod in one command!

Password Recovery

• hashcat

Books

• Microservices Security in Action