mirror of
https://github.com/nubenetes/awesome-kubernetes.git
synced 2026-07-12 09:51:00 +00:00
151 KiB
151 KiB
Kubernetes Security
!!! info "Architectural Context" Detailed reference for Kubernetes Security in the context of Hardened Infrastructure.
Table of Contents
- Infrastructural Protection
- Network Policies
- Operational Security
- Runtime Secrets Scanning
- Security Best Practices
- Access Control
- Application Security
- Architecture
- Audit
- Best Practices
- Cloud Security
- Cluster Hardening
- Compliance
- Deployment Security
- DevSecOps
- Fundamentals
- Hardening Standards
- IAM
- Identity and Access
- Identity and Access Management
- Kubernetes Security
- Network Security
- Offensive Security
- PKI
- PKI and Certificates
- Platform Hardening
- Pod Security
- Policy and Admission Control
- Policy and Audit
- Policy Enforcement
- Runtime Security
- Secrets Management
- Static Analysis
- System Hardening
- Threat Modeling
- Threat Vector
- Tooling
- Vulnerabilities
- Vulnerability Assessment
- Zero Trust
- Zero Trust Architecture
API Access Protection
Teleport Access Control
- (2021) goteleport.com: Kubernetes API Access Security Hardening [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Assesses security postures for Kube-API exposure, outlining standard secure practices including zero-trust access, bastions, detailed telemetry streams, and short-lived credentials.
Architectural Foundations
Kubernetes Tools
General Reference
- jetstack.io: Securing Istio workloads with mTLS using cert-manager [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering www.cyberark.com in the Kubernetes Tools ecosystem.
- medium: Single Sign-On in Kubernetes [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium: Single Sign-On in Kubernetes in the Kubernetes Tools ecosystem.
- Dzone - OAuth 2.0 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering Dzone - OAuth 2.0 in the Kubernetes Tools ecosystem.
- medium: How to Harden Your Kubernetes Cluster for Production 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium: How to Harden Your Kubernetes Cluster for Production 🌟 in the Kubernetes Tools ecosystem.
- cncf.io: Kubernetes Security 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering cncf.io: Kubernetes Security 🌟 in the Kubernetes Tools ecosystem.
- redkubes.com: 10 Kubernetes Security Risks & Best Practices [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering redkubes.com: 10 Kubernetes Security Risks & Best Practices in the Kubernetes Tools ecosystem.
- blog.kasten.io: Kubernetes Ransomware Protection with Kasten K10 v4.0 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering blog.kasten.io: Kubernetes Ransomware Protection with Kasten K10 v4.0 in the Kubernetes Tools ecosystem.
- levelup.gitconnected.com: Enforce Audit Policy in Kubernetes (k8s) [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering levelup.gitconnected.com: Enforce Audit Policy in Kubernetes (k8s) in the Kubernetes Tools ecosystem.
- magalix.com: Top 8 Kubernetes Security Best Practices 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering magalix.com: Top 8 Kubernetes Security Best Practices 🌟 in the Kubernetes Tools ecosystem.
- cncf.io: How to secure your Kubernetes control plane and node components [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ==cncf.io: How to secure your Kubernetes control plane and node components== in the Kubernetes Tools ecosystem.
- akhilsharma.work: The 4C's of Kubernetes Security [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering akhilsharma.work: The 4C's of Kubernetes Security in the Kubernetes Tools ecosystem.
- medium: Securing the Kubernetes cluster | Lessandro Z. Ugulino [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium: Securing the Kubernetes cluster | Lessandro Z. Ugulino in the Kubernetes Tools ecosystem.
- amazicworld.com: Top 5 security threats unique to a Kubernetes and Cloud' Native stack [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering amazicworld.com: Top 5 security threats unique to a Kubernetes and Cloud' Native stack in the Kubernetes Tools ecosystem.
- venturebeat.com: Kubernetes security will have a breakout year in 2022 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering venturebeat.com: Kubernetes security will have a breakout year in 2022 in the Kubernetes Tools ecosystem.
- medium: Comparing Kubernetes Security Frameworks and Guidance 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ==medium: Comparing Kubernetes Security Frameworks and Guidance== 🌟 in the Kubernetes Tools ecosystem.
- blog.devgenius.io: How is security managed in Kubernetes clusters? [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering blog.devgenius.io: How is security managed in Kubernetes clusters? in the Kubernetes Tools ecosystem.
- medium.com/@jonathan_37674: Kubernetes Security Best Practices: Definitive' Guide [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ==medium.com/@jonathan_37674: Kubernetes Security Best Practices: Definitive' Guide== in the Kubernetes Tools ecosystem.
- faun.pub: From dev to admin: an easy Kubernetes privilege escalation you' should be aware of — the attack [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering faun.pub: From dev to admin: an easy Kubernetes privilege escalation you' should be aware of — the attack in the Kubernetes Tools ecosystem.
- medium.com/@dotdc: Is your Kubernetes API Server exposed? Learn how to' check and fix! 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ==medium.com/@dotdc: Is your Kubernetes API Server exposed? Learn how to' check and fix!== 🌟 in the Kubernetes Tools ecosystem.
- levelup.gitconnected.com: The Core of Kubernetes Security: Clusters [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering levelup.gitconnected.com: The Core of Kubernetes Security: Clusters in the Kubernetes Tools ecosystem.
- medium.com/@codingkarma: Kubernetes Goat Part-1 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium.com/@codingkarma: Kubernetes Goat Part-1 in the Kubernetes Tools ecosystem.
- medium.com/@badawekoo: Limit number of processes running in a Kubernetes' pod [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ==medium.com/@badawekoo: Limit number of processes running in a Kubernetes' pod== in the Kubernetes Tools ecosystem.
- medium.com/cloudyrion: Kubernetes end-to-end chain exploit [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium.com/cloudyrion: Kubernetes end-to-end chain exploit in the Kubernetes Tools ecosystem.
- xgrid.medium.com: Securing a Kubernetes cluster using TLS certificates' 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ==xgrid.medium.com: Securing a Kubernetes cluster using TLS certificates==' 🌟 in the Kubernetes Tools ecosystem.
- ahmedy.hashnode.dev: Creating TLS Certificates for K8s components with OpenSSL [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ahmedy.hashnode.dev: Creating TLS Certificates for K8s components with OpenSSL in the Kubernetes Tools ecosystem.
- erkanzileli.medium.com: How TLS Certificates Work [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ==erkanzileli.medium.com: How TLS Certificates Work== in the Kubernetes Tools ecosystem.
- medium.com/@martin.hodges: Using a wildcard certificate within your Kubernetes' cluster [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium.com/@martin.hodges: Using a wildcard certificate within your Kubernetes' cluster in the Kubernetes Tools ecosystem.
- blog.cloudsecque.com: How to Improve the Security of Your Applications' with Kubernetes Security Scanners [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ==blog.cloudsecque.com: How to Improve the Security of Your Applications' with Kubernetes Security Scanners== in the Kubernetes Tools ecosystem.
- techmanyu.com: Kubernetes Security with Kube-bench and Kube-hunter 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering techmanyu.com: Kubernetes Security with Kube-bench and Kube-hunter 🌟 in the Kubernetes Tools ecosystem.
- aninditabasak.medium.com: A Lap around Kubernetes Security & Vulnerability' scanning Tools — checkov, kube-hunter, kube-bench & Starboard [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ==aninditabasak.medium.com: A Lap around Kubernetes Security & Vulnerability' scanning Tools — checkov, kube-hunter, kube-bench & Starboard== in the Kubernetes Tools ecosystem.
- towardsdev.com: 12 Scanners to Find Security Vulnerabilities and Misconfigurations' in Kubernetes [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering towardsdev.com: 12 Scanners to Find Security Vulnerabilities and Misconfigurations' in Kubernetes in the Kubernetes Tools ecosystem.
- faun.pub: Gatekeeper | K8 hardening backlog [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering faun.pub: Gatekeeper | K8 hardening backlog in the Kubernetes Tools ecosystem.
- systemweakness.com: OWASP-K8S Security: Insecure Workload Configurations [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering systemweakness.com: OWASP-K8S Security: Insecure Workload Configurations in the Kubernetes Tools ecosystem.
- darkreading.com: Top 10 Kubernetes Security Risks Every DevSecOps Pro Should' Know [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering darkreading.com: Top 10 Kubernetes Security Risks Every DevSecOps Pro Should' Know in the Kubernetes Tools ecosystem.
- Kubernetes Hardening Guidance 🌟🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering Kubernetes Hardening Guidance 🌟🌟 in the Kubernetes Tools ecosystem.
- aymen-abdelwahed.medium.com: K8s Operators — CIS Kubernetes Benchmarks [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering aymen-abdelwahed.medium.com: K8s Operators — CIS Kubernetes Benchmarks in the Kubernetes Tools ecosystem.
- medium: Working with Service Account In Kubernetes 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium: Working with Service Account In Kubernetes 🌟 in the Kubernetes Tools ecosystem.
- sandeepbaldawa.medium.com: Service Accounts in K8s (Kubernetes) [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering sandeepbaldawa.medium.com: Service Accounts in K8s (Kubernetes) in the Kubernetes Tools ecosystem.
- medium.com/pareture: Kubernetes Bound Projected Service Account Token Volumes' Might Surprise You [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium.com/pareture: Kubernetes Bound Projected Service Account Token Volumes' Might Surprise You in the Kubernetes Tools ecosystem.
- medium.com/geekculture: K8s — ServiceAccount Token [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium.com/geekculture: K8s — ServiceAccount Token in the Kubernetes Tools ecosystem.
- motilayo.hashnode.dev: Exploring Kubernetes Service Account Tokens and Secure' Workload Identity Federation [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering motilayo.hashnode.dev: Exploring Kubernetes Service Account Tokens and Secure' Workload Identity Federation in the Kubernetes Tools ecosystem.
- overcast.blog: Kubernetes Service Accounts: A Practical Guide [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering overcast.blog: Kubernetes Service Accounts: A Practical Guide in the Kubernetes Tools ecosystem.
- cncf.io: Revealing the secrets of Kubernetes secrets 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering cncf.io: Revealing the secrets of Kubernetes secrets 🌟 in the Kubernetes Tools ecosystem.
- blog.doit-intl.com: Kubernetes and Secrets Management in the Cloud [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering blog.doit-intl.com: Kubernetes and Secrets Management in the Cloud in the Kubernetes Tools ecosystem.
- medium: Kubernetes Secrets Explained [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium: Kubernetes Secrets Explained in the Kubernetes Tools ecosystem.
- medium: Managing your sensitive information during GitOps process with Secret' Sealed [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium: Managing your sensitive information during GitOps process with Secret' Sealed in the Kubernetes Tools ecosystem.
- enlear.academy: Sealed Secrets with Kubernetes [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ==enlear.academy: Sealed Secrets with Kubernetes== in the Kubernetes Tools ecosystem.
- medium.com/codex: Sealed Secrets for Kubernetes [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium.com/codex: Sealed Secrets for Kubernetes in the Kubernetes Tools ecosystem.
- carlosalca.medium.com: How to manage all my K8s secrets in git securely' with Bitnami Sealed Secrets [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering carlosalca.medium.com: How to manage all my K8s secrets in git securely' with Bitnami Sealed Secrets in the Kubernetes Tools ecosystem.
- pjame-fb.medium.com: Kubernetes Secrets from Secrets Manager using External' Secrets Operators [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering pjame-fb.medium.com: Kubernetes Secrets from Secrets Manager using External' Secrets Operators in the Kubernetes Tools ecosystem.
- mixi-developers.mixi.co.jp: Comparing External Secrets Operator with Secret' Storage CSI as Kubernetes External Secrets is Deprecated [COMMUNITY-TOOL] [LEGACY] — A curated technical resource and architectural guide covering mixi-developers.mixi.co.jp: Comparing External Secrets Operator with Secret' Storage CSI as Kubernetes External Secrets is Deprecated in the Kubernetes Tools ecosystem.
- faun.pub: Secrets | Kubernetes [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ==faun.pub: Secrets | Kubernetes== in the Kubernetes Tools ecosystem.
- medium.com/@knoldus: Using sealed secrets in Kubernetes [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium.com/@knoldus: Using sealed secrets in Kubernetes in the Kubernetes Tools ecosystem.
- eminalemdar.medium.com: Cloud Native Secret Management with External Secrets' Operator [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering eminalemdar.medium.com: Cloud Native Secret Management with External Secrets' Operator in the Kubernetes Tools ecosystem.
- medium.com/google-cloud: Handle Kubernetes Secrets the GitOps Way — Part' 1 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium.com/google-cloud: Handle Kubernetes Secrets the GitOps Way — Part' 1 in the Kubernetes Tools ecosystem.
- Using SSL certificates from Let’s Encrypt in your Kubernetes Ingress via cert-manager 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering Using SSL certificates from Let’s Encrypt in your Kubernetes Ingress via cert-manager 🌟 in the Kubernetes Tools ecosystem.
- medium: Encrypting the certificate for Kubernetes (Let’s Encrypt) 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium: Encrypting the certificate for Kubernetes (Let’s Encrypt) 🌟 in the Kubernetes Tools ecosystem.
- betterprogramming.pub: Kubernetes and SSL Certificate Management 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering betterprogramming.pub: Kubernetes and SSL Certificate Management 🌟 in the Kubernetes Tools ecosystem.
- faun.pub: Automate Certificate Management In Kubernetes Using Cert-Manager [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering faun.pub: Automate Certificate Management In Kubernetes Using Cert-Manager in the Kubernetes Tools ecosystem.
- medium.com/@knoldus: Configure SSL certificate with cert-manager on Kubernetes [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium.com/@knoldus: Configure SSL certificate with cert-manager on Kubernetes in the Kubernetes Tools ecosystem.
- blog.devgenius.io: Automated DNS/TLS with External DNS & LetsEncrypt on' Kubernetes [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering blog.devgenius.io: Automated DNS/TLS with External DNS & LetsEncrypt on' Kubernetes in the Kubernetes Tools ecosystem.
- faun.pub: Let’s encrypt and CertManager [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ==faun.pub: Let’s encrypt and CertManager== in the Kubernetes Tools ecosystem.
- armin.su: SSL certificates from Let’s Encrypt for Kubernetes Private Ingress' via Terraform [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering armin.su: SSL certificates from Let’s Encrypt for Kubernetes Private Ingress' via Terraform in the Kubernetes Tools ecosystem.
- betterprogramming.pub: Kubernetes Authentication Sidecars: A Revelation' in Microservice Architecture [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering betterprogramming.pub: Kubernetes Authentication Sidecars: A Revelation' in Microservice Architecture in the Kubernetes Tools ecosystem.
- blog.devgenius.io: SSO Authentication for Applications in Kubernetes [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering blog.devgenius.io: SSO Authentication for Applications in Kubernetes in the Kubernetes Tools ecosystem.
- imanishchaudhary.medium.com: Securing Kubernetes Dashboards: SSO Authentication' and RBAC Implementation with Okta and OAuth2 Proxy [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering imanishchaudhary.medium.com: Securing Kubernetes Dashboards: SSO Authentication' and RBAC Implementation with Okta and OAuth2 Proxy in the Kubernetes Tools ecosystem.
- Configure RBAC in Kubernetes Like a Boss 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering Configure RBAC in Kubernetes Like a Boss 🌟 in the Kubernetes Tools ecosystem.
- Kubernetes RBAC Permission Manager 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering Kubernetes RBAC Permission Manager 🌟 in the Kubernetes Tools ecosystem.
- medium.com/devops-mojo: Kubernetes — Role-Based Access Control (RBAC) Overview [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium.com/devops-mojo: Kubernetes — Role-Based Access Control (RBAC) Overview in the Kubernetes Tools ecosystem.
- loft-sh.medium.com: 10 Essentials for Kubernetes Access Control [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering loft-sh.medium.com: 10 Essentials for Kubernetes Access Control in the Kubernetes Tools ecosystem.
- sumanthkumarc.medium.com: Kubernetes RBAC — Update default ClusterRoles' without editing them [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering sumanthkumarc.medium.com: Kubernetes RBAC — Update default ClusterRoles' without editing them in the Kubernetes Tools ecosystem.
- faun.pub: Assign permissions to an user in Kubernetes. An overview of RBAC-based' AuthZ in k8s 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering faun.pub: Assign permissions to an user in Kubernetes. An overview of RBAC-based' AuthZ in k8s 🌟 in the Kubernetes Tools ecosystem.
- medium.com/@badawekoo: Using RBAC in Kubernetes for authorization-Complete' Demo-Part 1 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium.com/@badawekoo: Using RBAC in Kubernetes for authorization-Complete' Demo-Part 1 in the Kubernetes Tools ecosystem.
- medium.com/@15daniel10: YOYO attack on a K8S cluster [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ==medium.com/@15daniel10: YOYO attack on a K8S cluster== in the Kubernetes Tools ecosystem.
- medium.com/@danielepolencic: How does RBAC work in kubernetes 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ==medium.com/@danielepolencic: How does RBAC work in kubernetes== 🌟 in the Kubernetes Tools ecosystem.
- dominik-tornow.medium.com: Inside Kubernetes RBAC [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ==dominik-tornow.medium.com: Inside Kubernetes RBAC== in the Kubernetes Tools ecosystem.
- medium.com/@jtdv01: Kubernetes Authorization and Role Based Access Controls' 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ==medium.com/@jtdv01: Kubernetes Authorization and Role Based Access Controls==' 🌟 in the Kubernetes Tools ecosystem.
- faun.pub: Give Users and Groups Access to Kubernetes Cluster Using RBAC [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ==faun.pub: Give Users and Groups Access to Kubernetes Cluster Using RBAC== in the Kubernetes Tools ecosystem.
- medium.com/@danielepolencic: AWS IAM Roles for service accounts for on-prem' clusters [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium.com/@danielepolencic: AWS IAM Roles for service accounts for on-prem' clusters in the Kubernetes Tools ecosystem.
- medium.com/andcloudio: Setting up Authentication and RBAC Authorization' in Kubernetes [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium.com/andcloudio: Setting up Authentication and RBAC Authorization' in Kubernetes in the Kubernetes Tools ecosystem.
- medium.com/@mehmetodabashi: Authentication and Authorization in Kubernetes:' Client Certificates and Role Based Access Control (RBAC) [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium.com/@mehmetodabashi: Authentication and Authorization in Kubernetes:' Client Certificates and Role Based Access Control (RBAC) in the Kubernetes Tools ecosystem.
- medium.com/@brunoolimpio: Kubernetes DeepDive — Parte 2 - Kubernetes RBAC' and more... | Bruno Olimpio [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium.com/@brunoolimpio: Kubernetes DeepDive — Parte 2 - Kubernetes RBAC' and more... | Bruno Olimpio in the Kubernetes Tools ecosystem.
- blog.styra.com: Why RBAC is not enough for kubernetes security 🌟🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering blog.styra.com: Why RBAC is not enough for kubernetes security 🌟🌟 in the Kubernetes Tools ecosystem.
- medium.com/dynatrace-engineering: Kubernetes Security Best Practices Part' 2: Network Policies [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium.com/dynatrace-engineering: Kubernetes Security Best Practices Part' 2: Network Policies in the Kubernetes Tools ecosystem.
- medium.com/@cloud_tips: Kubernetes Security Best Practices [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium.com/@cloud_tips: Kubernetes Security Best Practices in the Kubernetes Tools ecosystem.
- magalix.com: kubernetes authentication 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering magalix.com: kubernetes authentication 🌟 in the Kubernetes Tools ecosystem.
- magalix.com: kubernetes authorization 🌟 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering magalix.com: kubernetes authorization 🌟 in the Kubernetes Tools ecosystem.
- lisowski0925.medium.com: Using Kubernetes Certificate Signing Requests and' RBAC for User Authentication and Authorization [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering lisowski0925.medium.com: Using Kubernetes Certificate Signing Requests and' RBAC for User Authentication and Authorization in the Kubernetes Tools ecosystem.
- Kubernetes Authentication and Authorization with X509 client certificates [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering Kubernetes Authentication and Authorization with X509 client certificates in the Kubernetes Tools ecosystem.
- stackoverflow: Accessing the Kubernetes REST end points using bearer token [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering stackoverflow: Accessing the Kubernetes REST end points using bearer token in the Kubernetes Tools ecosystem.
- ibrahims.medium.com: Security Context — Kubernetes [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering ibrahims.medium.com: Security Context — Kubernetes in the Kubernetes Tools ecosystem.
- medium.com: Securing Kubernetes Dashboard on EKS with Pomerium [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering medium.com: Securing Kubernetes Dashboard on EKS with Pomerium in the Kubernetes Tools ecosystem.
- mahira-technology.medium.com: Kubernetes Secrets Management: Level Up with' External Secrets Operator [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering mahira-technology.medium.com: Kubernetes Secrets Management: Level Up with' External Secrets Operator in the Kubernetes Tools ecosystem.
- faun.pub: External Secret Operator on AKS (with Terraform) for Azure Key' Vault Integration (with Workload Identity) [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering faun.pub: External Secret Operator on AKS (with Terraform) for Azure Key' Vault Integration (with Workload Identity) in the Kubernetes Tools ecosystem.
- blog.lightspin.io: NGINX Custom Snippets CVE-2021-25742 [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering blog.lightspin.io: NGINX Custom Snippets CVE-2021-25742 in the Kubernetes Tools ecosystem.
Architecture
Microservices
Application Lifecycle
- (2022) itnext.io: Journey Of A Microservice Application In The Kubernetes World 🌟 [COMMUNITY-TOOL] — Traces the structural lifecycle of a containerized microservice traversing deployment pipelines, service routing, and load balancing configurations. Provides practical insights into configuring readiness/liveness probes, autoscaling parameters, and ingress rules. Essential reference for microservice platform standardization.
CKS Certification Study Guides
Cluster Lifecycle Security
- (2020) ==github.com/stackrox: Certified Kubernetes Security Specialist Study Guide' 🌟== ⭐ 429 [MARKDOWN CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — A comprehensive community study handbook for the Linux Foundation CKS exam, detailing system hardening, threat mitigation, microservice security policies, and runtime compliance enforcement.
CNI Network Vulnerabilities
Network Penetration Testing
- (2020) cyberark.com: Attacking Kubernetes Clusters Through Your Network Plumbing: Part 1 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Delves into how container network interfaces (CNIs) and underlying network configurations can be targets for spoofing, route injection, and MITM attacks within shared Kubernetes clusters.
CVE Analysis
Network Vulnerabilities
- (2020) empresas.blogthinkbig.com: Descubierta una vulnerabilidad en Kubernetes que permite acceso a redes restringidas (CVE-2020-8562) [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Analyzes CVE-2020-8562, a vulnerability allowing path-traversal/access bypass to internal restricted subnets through the Kubernetes API server, discussing standard mitigation strategies.
Case Studies
Historical Exploit Analysis
- (2021) thenewstack.io: Kubernetes: An Examination of Major Attacks 🌟 [N/A CONTENT] [COMMUNITY-TOOL] — Conducts retrospective post-mortems on major real-world Kubernetes security incidents, tracing malicious lateral movements, coin-miner deployments, and critical data breaches back to root posture issues.
Cloud Native Networking
Network Policies
Calico and Tigera Security
- (2020) tigera.io: Kubernetes security policy design: 10 critical best practices 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — A strategic framework for designing cluster-wide network policies, using tiered structures, explicit default-deny states, and labeling schemas to scale security dynamically.
Secure CNI Implementation
- (2021) itnext.io: How-To: Kubernetes Cluster Network Security 🌟 [N/A CONTENT] [COMMUNITY-TOOL] — A practical tutorial covering secure network policy design. Guides readers through limiting pod egress/ingress, utilizing global network policies, and implementing namespaces as security perimeters.
Cloud Native Security
The 4Cs of Cloud Native Security
- (2020) kubernetes.io: Cloud native security for your clusters [N/A CONTENT] [COMMUNITY-TOOL] — An authoritative review of the '4C's of Cloud Native Security' (Cloud, Cluster, Container, Code). Explains how defense-in-depth principles apply across all layers of the cloud-native application stack.
Cluster Hardening
Infrastructural Protection
- (2020) containerjournal.com: How to Secure Your Kubernetes Cluster 🌟 [N/A CONTENT] [LEGACY] — Evaluates cluster configurations across storage, networking, and deployment lifecycles. Discusses the replacement of deprecated Pod Security Policies with built-in Pod Security Standards and third-party policy engines.
Network Policies (1)
- (2019) ==Kubernetes Security Best Practices 🌟== ⭐ 2712 [MARKDOWN CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — A curated GitHub repository delineating hardened configurations for Kubernetes API servers, Kubelets, and network boundaries. It details port-level access rules, ingress/egress filtering, and cluster isolation tactics to defend against pivot attacks.
Operational Security
- (2020) codeburst.io: 7 Kubernetes Security Best Practices You Must Follow [N/A CONTENT] [COMMUNITY-TOOL] — Outlines fundamental security practices for Kubernetes workloads, focusing on enabling RBAC, using namespaces for boundary control, managing secrets securely, and upgrading Kubernetes control planes to address known CVEs.
Runtime Secrets Scanning
- (2021) blog.gitguardian.com: Hardening Your Kubernetes Cluster - Guidelines (Pt. 2) 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — The second part of a structural security guide detailing advanced settings such as RBAC limitations, audit logging targets, container engine isolation, and secrets scanning policies.
Security Best Practices
- (2020) horovits.wordpress.com: Kubernetes Security Best Practices [N/A CONTENT] [COMMUNITY-TOOL] — Explains foundational steps for securing Kubernetes API access, configuring container execution privileges, and auditing container images within CI/CD pipelines.
Cluster Lifecycle Security (1)
Operating System Paradigm
- (2020) thenewstack.io: How to Secure Kubernetes, the OS of the Cloud [N/A CONTENT] [COMMUNITY-TOOL] — Examines the concept of Kubernetes operating as a cloud-native OS, presenting strategies for securing core services, container communication, and control plane boundaries.
Cluster Misconfigurations
Common Mistakes
- (2021) fairwinds.com: Discover the Top 5 Kubernetes Security Mistakes You're (Probably) Making [N/A CONTENT] [COMMUNITY-TOOL] — Identifies common configuration mistakes like neglected CPU/memory limits, running containers as root, and using unvalidated base images, offering immediate structural remedies.
Defense in Depth
Cluster Hardening (1)
- (2020) thenewstack.io: Defend the Core: Kubernetes Security at Every Layer [N/A CONTENT] [COMMUNITY-TOOL] — Provides an architectural approach to layered container defense. Examines the integration of secure hardware baselines, API rate limiting, network-level firewalls, and runtime analysis agents.
Identity and Access Management
SSO and OIDC Configuration
- (2020) talkingquickly.co.uk: Kubernetes Single Sign On - A detailed guide 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Explains how to integrate Kubernetes API access with external identity providers (OIDC) to enable secure Single Sign-On (SSO) and unify role assignments across developers.
Industry Reports
Archived Market Trends
- (2021) redhat.com: State of Kubernetes Security Report - Spring 2021 (PDF) 🌟 [N/A CONTENT] [COMMUNITY-TOOL] — A comprehensive market study from Spring 2021 highlighting systemic security incidents and detailing key threat factors, infrastructure risks, and tooling choices among enterprise development teams.
Enterprise Security Trends
- (2021) redhat.com: The State of Kubernetes Security [N/A CONTENT] [COMMUNITY-TOOL] — Red Hat's analysis of container security threats, identifying key issues such as misconfigurations, unpatched vulnerabilities, and integration friction in cloud-native operational environments.
Infrastructure
AWS Integration
Networking
- (2024) EC2 ENI and IP Limit [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — Critical hardware reference outlining IP address and Elastic Network Interface (ENI) allocation limits per EC2 instance type. This heavily dictates pod density capabilities when utilizing the VPC CNI plug-in. Platform architects use this data to calculate scaling limits and avoid network exhaustion.
Kubernetes Platform Engine
Cluster Installation and Hardening
Infrastructure Provisioning
- (2020) thenewstack.io: Best Practices for Securely Setting up a Kubernetes Cluster [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Breaks down secure cluster bootstrapping steps, including encrypting secrets at rest in etcd, enabling control plane mutual TLS (mTLS), and minimizing public API endpoint exposure.
Container Runtimes
Runtime Isolation
- (2020) thenewstack.io: A Security Comparison of Docker, CRI-O and Containerd 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Compares the security architecture and attack surfaces of primary container runtimes: Docker, CRI-O, and Containerd. Discusses rootless execution, sandboxed runtimes (Kata, gVisor), and syscall filtering.
Networking and Security
Security Compliance
CIS Benchmarks
- (2026) ==kube-bench 🌟== ⭐ 8078 [GO CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — The industry standard tool to check whether Kubernetes clusters are deployed securely according to the Center for Internet Security (CIS) benchmarks. Can be run inside container workloads or directly on node hosts, outputting detailed reports identifying API, TLS, and permissions vulnerabilities.
Observability and Monitoring
Runtime Security
Falco and K3s Audit Logging
- (2021) Analyze Kubernetes Audit logs using Falco 🌟 [GO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — Demonstrates how to pipe Lightweight Kubernetes (K3s) API server audit logs directly into CNCF Falco. Perfect for resource-constrained edges and automated home lab deployments.
Security Industry Analysis
- (2021) infoworld.com: The race to secure Kubernetes at run time [N/A CONTENT] [COMMUNITY-TOOL] — Documents the evolution of runtime threat defense in cloud-native platforms, discussing the industry shift toward kernel-level security telemetry leveraging eBPF technology.
Sysdig and Falco Audit Integration
- (2020) sysdig.com: Getting started with Kubernetes audit logs and Falco 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Explains how to integrate Kubernetes API audit logs with CNCF Falco to capture real-time control plane actions and alert on malicious requests, credential abuse, or abnormal operational API traffic.
eBPF Runtime Enforcement
Tetragon Platform
- (2022) ==Tetragon (Cilium)== ⭐ 4749 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — An eBPF-powered security observability and runtime enforcement platform. It monitors and blocks system events at the kernel level, providing granular process execution, network activity, and file system audit streams with zero container overhead.
Penetration Testing
Security Operations
- (2020) youtube: Kubernetes Security: Attacking and Defending K8s Clusters - by Magno Logan [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — A practical, demonstration-heavy guide outlining attack-and-defend methodologies for production clusters. Demonstrates common configuration exploits and dynamic remediation.
Pod Privilege Escalation
Vulnerability Exploitation
- (2020) labs.bishopfox.com: Bad Pods: Kubernetes Pod Privilege Escalation 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — A highly cited technical analysis demonstrating how misconfigured container host namespaces, capabilities, and volume mounts can be exploited to escape container boundaries and gain full host-level access.
Policy-as-Code
Kyverno Administration
- (2020) kyverno.io 🌟 [GO CONTENT] [COMMUNITY-TOOL] — Kyverno is a declarative Kubernetes-native policy engine. Designed specifically for Kubernetes, it simplifies policy management by allowing administrators to validate, mutate, and generate resources without writing complex Rego code.
Kyverno Rules and Policies
- (2020) kyverno.io/policies 🌟 [YAML CONTENT] [COMMUNITY-TOOL] — The official catalog of Kyverno policies, providing ready-to-deploy manifests for Pod Security standards, multi-tenant workspace isolation, label validation, and compliance auto-generation.
RBAC and Authorization
Privilege Escalation
- (2020) jeffgeerling.com: Everyone might be a cluster-admin in your Kubernetes cluster [N/A CONTENT] [COMMUNITY-TOOL] — Investigates RBAC misconfigurations and overly permissive default service accounts that elevate microservice workloads to cluster-admin privileges. It provides actionable remediation strategies for locking down namespace-bound credentials.
Risk Analysis and Auditing
Threat Vector Modeling
- (2020) tldrsec.com: Risk8s Business: Risk Analysis of Kubernetes Clusters 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — A comprehensive vulnerability catalog and risk analysis guide highlighting exploitation pathways in typical cluster deployments. Highlights the security impacts of insecure volume mounts and metadata service access.
Secrets Management
HashiCorp Vault Integration
- (2020) learn.hashicorp.com: Integrate a Kubernetes Cluster with an External Vault 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — A practical implementation guide showcasing how to leverage the HashiCorp Vault Agent Injector sidecar to dynamically inject secrets directly into application pods via in-memory tmpfs mounts.
Security
Access Control
API Access
- (2024) kubernetes.io: Access Clusters Using the Kubernetes API [DOCUMENTATION] [COMMUNITY-TOOL] — An official task-oriented guide illustrating the safe initialization of connections directly to the Kubernetes API server. It highlights proxying patterns, kubectl integration, and direct API calls via transport-layer security (TLS). Essential for developers automating low-level operations within controlled environments.
Authentication
- (2024) kubernetes.io: Authenticating [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — The core official reference for understanding user and service account authentication mechanisms in Kubernetes. It reviews client certificates, bearer tokens, and OIDC federation protocols. This architectural baseline explains how kube-apiserver validates identity requests securely.
Cluster Access
- (2024) kubernetes.io: Accesing Clusters [DOCUMENTATION] [COMMUNITY-TOOL] — Explains how developers and administrators access remote clusters using credential files (kubeconfigs). This documentation reviews contextual switching, multi-cluster management, and local proxy patterns. It serves as a foundational step for secure local engineering workflows.
Custom Authentication
- (2023) Implementing a custom Kubernetes authentication method [ADVANCED LEVEL] [LEGACY] — Provides a technical blueprint for implementing bespoke authentication strategies using webhook token authentication. It explains the integration of custom identity backends with the kube-apiserver lifecycle. Recommended for highly specialized security architectures with legacy SSO restrictions.
RBAC
- (2022) engineering.dynatrace.com: Kubernetes Security Best Practices -Part 1: Role Based Access Control (RBAC) [ADVANCED LEVEL] [COMMUNITY-TOOL] — A deep dive into Kubernetes Role-Based Access Control (RBAC) mechanisms and configuration patterns. The guide stresses the architectural importance of the Principle of Least Privilege, outlining best practices for defining Roles and ClusterRoles. Practical mitigation strategies focus on auditing wildcard permissions to avoid escalation risks.
kubectl Authentication
- (2020) kubernetes login [LEGACY] — A legacy-focused technical exploration explaining the login process flow through kubectl. This article breaks down the historical and contemporary mechanics of authentication helpers and tokens. Ideal for engineers seeking to demystify credential caching behaviors.
Application Security
Client Security
- (2022) curity.io: Client Security [COMMUNITY-TOOL] — Focuses on security patterns when structuring application clients that interface with identity ecosystems. Covers patterns like Token Handlers and Backend-for-Frontend (BFF) to safely abstract tokens away from client browsers or apps. Reduces target exposures to common cross-site scripting risks.
Architecture (1)
DevSecOps
- (2022) thenewstack.io: Securing Kubernetes in a Cloud Native World [COMMUNITY-TOOL] — This technical analysis explores how security shifts within high-velocity cloud-native deployments. Outlines strategies for managing immutable infrastructure, dynamic policy updates, and zero-trust routing. Strongly advocates for shifting security controls left and using automated gating engines.
Future Trends
- (2022) thenewstack.io: Basic Principles Key to Securing Kubernetes’ Future [COMMUNITY-TOOL] — Examines long-term trends in cloud-native security, arguing for declarative and immutable configurations as the main vector of defense. Synthesizes principles of software supply chain verification (such as Sigstore/Cosign integration) and automated drift detection. Vital for architects planning 3-to-5 year container strategies.
Audit
Configuration Assessment
- (2023) securitycafe.ro: A COMPLETE KUBERNETES CONFIG REVIEW METHODOLOGY [ADVANCED LEVEL] [COMMUNITY-TOOL] — An exhaustive, step-by-step methodology for auditing the entire configuration footprint of Kubernetes environments. Provides structural steps for scanning RBAC bindings, assessing cluster configuration parameters, and scanning host node vulnerabilities. Essential checklist for compliance officers and security auditors.
Best Practices
General Hardening
- (2024) armosec.io: Kubernetes Security Best Practices: Definitive Guide [ADVANCED LEVEL] [COMMUNITY-TOOL] — An exhaustive technical blueprint emphasizing end-to-end cloud-native system security. It details critical hardening strategies including image scanning, continuous compliance auditing, and secure runtime boundaries. Modern operators leverage these concepts to build proactive defensive postures across hybrid clusters.
- (2023) thenewstack.io: 6 Kubernetes Security Best Practices 🌟 [COMMUNITY-TOOL] — A baseline architectural guide covering foundational security principles in Kubernetes. It focuses on isolating workloads, enabling network policies, and minimizing container privileges. Real-world implementation highlights the mitigation of broad blast radii by enforcing namespace segregation.
- (2023) spectrocloud.com: Kubernetes security best practices: 5 easy ways to cut risk [COMMUNITY-TOOL] — Outlines five high-impact security wins to drastically lower cluster risk vectors. Key practices include restrictive network boundary controls, cluster-wide image pinning, and utilizing immutable root filesystems. These pragmatically reduce immediate exposure surfaces for standard multi-tenant setups.
Cloud Security
AWS EKS Network
- (2024) Security Group Rules EKS [DOCUMENTATION] [COMMUNITY-TOOL] — Official AWS configuration documentation detailing the network security boundaries for Amazon EKS clusters. It defines minimal requirements for control-plane-to-node communication over secure ports. This ensures highly restrictive ingress/egress patterns in security groups.
EKS Hardening
- (2024) Amazon EKS Best Practices Guide for Security 🌟 [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — The definitive enterprise guide for hardening EKS clusters against cloud-native threats. It covers network segregation, IAM roles for service accounts (IRSA), secrets encryption, and runtime defense. This is a foundational checklist for any platform engineering team running on AWS.
Cluster Hardening (2)
Audit Logs
- (2022) blog.gitguardian.com: Kubernetes Hardening Tutorial Part 3: Authn, Authz, Logging & Auditing [COMMUNITY-TOOL] — Part three of the GitGuardian series, focusing on authentication, authorization, logging, and audit tracking. Demonstrates how to design granular RBAC policies and enable cluster audit logs to detect security anomalies. Essential for establishing reliable forensic trails.
Best Practices (1)
- (2022) cast.ai: Kubernetes Security: 10 Best Practices from the Industry and Community 🌟 [LEGACY] — Consolidates ten core security practices derived from cloud-native community patterns and expert input. Discusses API server hardening, encryption of secrets at rest in etcd, and continuous vulnerability verification. Provides a clear roadmap for migrating legacy infrastructure securely into Kubernetes.
- (2022) dev.to/aws-builders: Best Practices for Securing Kubernetes Deployments 🌟 [COMMUNITY-TOOL] — Presents an action-oriented best practice matrix covering cluster configuration and pod safety profiles. Details etcd encryption setups, secure secrets distribution patterns, and implementing standard Pod Security Admission policies. Highly recommended for establishing cluster baselines.
Deployment Security
- (2022) armosec.io: How to Secure Deployments in Kubernetes? 🌟 [COMMUNITY-TOOL] — An operational guide on implementing Pod Security Standards (PSS) within modern clusters. Provides precise configurations for configuring read-only root filesystems, restricting Linux capability escalation, and rejecting root execution. Helps secure standard application manifests against common run-time threat models.
Pod Security
- (2022) dev.to/thenjdevopsguy: Securing Kubernetes Pods For Production Workloads [COMMUNITY-TOOL] — Focuses on runtime container hardening for critical production clusters. Provides examples of setting up restricted securityContext parameters, dropping raw Linux capabilities, and activating seccomp profiles. Ensures configurations restrict exploitation should container escape vulnerabilities emerge.
Standard Checklists
- (2023) kubernetes.io: Security Checklist 🌟🌟 [DOCUMENTATION] [COMMUNITY-TOOL] — The official security checklist published by upstream Kubernetes maintainers. It serves as an authoritative map for hardening cluster networks, applying role access structures, and validating runtimes. Essential baseline documentation for cloud infrastructure engineers.
Compliance
CIS Benchmarks (1)
- (2024) ibm.com: CIS Benchmarks [ADVANCED LEVEL] [COMMUNITY-TOOL] — The Center for Internet Security (CIS) Benchmarks provide globally recognized consensus-based best practices for securing IT systems, clouds, and Kubernetes environments. Organizations use these structured guidelines to validate and harden infrastructure configurations, ensuring compliance with strict security mandates through automated configuration auditors.
Deployment Security (1)
Hardening
- (2023) semaphoreci.com: Secure Your Kubernetes Deployments [COMMUNITY-TOOL] — Focuses on incorporating shift-left security strategies directly into the CI/CD deployment pipeline. It details how to leverage static manifest analysis, configuration linters, and runtime context constraints. This is essential for preventing misconfigured workloads from reaching production environments.
DevSecOps (1)
CICD Pipeline Security
- (2022) infoworld.com: 10 steps to automating security in Kubernetes pipelines [COMMUNITY-TOOL] — A ten-step technical blueprint focused on integrating security scanners directly into automated CI/CD deployment pipelines. Covers static application security testing (SAST), secrets detection, and manifest scanning before changes reach staging or production clusters. Outlines shift-left strategies to mitigate misconfiguration deployment risks.
Continuous Security
- (2022) collabnix.com: Applying DevSecOps Practices to Kubernetes [COMMUNITY-TOOL] — Explores the technical implementation of DevSecOps pipelines targeting Kubernetes applications. Discusses how to configure automated feedback loops between static manifest linters, container register vulnerability databases, and runtime audit monitors. Crucial for scaling secure delivery pipelines.
Developer Guidance
- (2022) dev.to/pavanbelagatti: Kubernetes Security Best Practices For Developers [COMMUNITY-TOOL] — Translates complex cluster security profiles into digestible concepts tailored directly for application developers. Focuses on safe manifest construction, secret handling, and using non-root base images. Encourages safe development workflows to eliminate security issues before code merges.
Fundamentals
Concepts
- (2022) itnext.io: Introduction to Kubernetes Security for Security Professionals [COMMUNITY-TOOL] — An entry point resource for security practitioners pivoting from virtual machines or bare-metal servers into Kubernetes environments. Explains standard architectural paradigms like Pods, Namespaces, Service Accounts, and Admission Controllers. Focuses on building a coherent threat modeling mental map.
- (2022) dev.to/mattiasfjellstrom: Kubernetes-101: Security concepts [COMMUNITY-TOOL] — An introductory security conceptual guide reviewing isolation techniques like Linux namespaces, cgroups, and capabilities. Correlates these kernel-level tools to upstream abstraction parameters in standard Pod specs. Provides a concise, high-density primer on basic defense constructs.
Threat Modeling
- (2022) blog.gitguardian.com: Hardening Your Kubernetes Cluster - Threat Model (Pt. 1) 🌟🌟 [COMMUNITY-TOOL] — Part one of a tutorial series focusing on threat modeling within Kubernetes systems. Outlines typical attack surface definitions across components like API endpoints, etcd systems, and workers. Aids engineering teams in establishing defense boundaries.
Hardening Standards
Government Guidelines
- (2022) armosec.io: NSA & CISA Kubernetes Hardening Guide – what is new with version 1.1 [LEGACY] — Details updates in version 1.1 of the NSA-CISA Kubernetes Hardening Guide. Highlights transition criteria from deprecated PodSecurityPolicies to Pod Security Standards, alongside advice on checking third-party integrations. Helps teams stay aligned with current guidance.
- (2021) thenewstack.io: The NSA Can Help Secure Your Kubernetes Clusters [COMMUNITY-TOOL] — Evaluates the joint security guidance on Kubernetes hardening issued by the NSA and CISA. Translates government recommendations into actionable steps for enterprise IT administrators. Focuses on separation of credentials and configuring audit pathways.
- (2021) therecord.media: NSA, CISA publish Kubernetes hardening guide 🌟🌟 [COMMUNITY-TOOL] — Detailed breakdown of the NSA/CISA Kubernetes Hardening Guide. Emphasizes container sandboxing, running applications with minimal privilege bounds, and dividing networks to limit damage. A vital reference point for regulatory compliance projects.
- (2021) infoq.com [COMMUNITY-TOOL] — Explores key recommendations from CISA and the NSA regarding cluster infrastructure protection. Demystifies technical methods for managing root filesystems, authenticating platform API requests, and using logging setups to trace lateral movement.
- (2021) thenewstack.io: NSA on How to Harden Kubernetes [COMMUNITY-TOOL] — A practical review focusing on the security configurations defined within the NSA hardening guides. Covers container escape avoidance, using read-only structures, and setting up logging patterns. Beneficial for system engineers translating recommendations to production setups.
IAM
Authentication and Authorization
- (2022) dev.to/thenjdevopsguy: The 4 C’s Of Kubernetes Security [ADVANCED LEVEL] [COMMUNITY-TOOL] — Evaluates enterprise patterns for integrating Kubernetes Role-Based Access Control (RBAC) with corporate directory systems (OIDC, Active Directory). Examines tools like Dex to implement single sign-on (SSO) strategies across multi-cluster environments. Essential reading for cluster operations scaling across departments.
SSO
- (2022) dev.to/gabrielbiasi: Automatic SSO in Kubernetes workloads using a sidecar container [COMMUNITY-TOOL] — Outlines an automated SSO sidecar integration pattern inside Kubernetes pods, abstracting authentication logic away from application-level containers. Details OAuth token management and redirect intercept strategies executed transparently at the pod level. Simplifies identity integration across multiple microservices.
Identity and Access
AWS IRSA
Hybrid Cloud
- (2022) dev.to: Binding AWS IAM roles to Kubernetes Service Account for on-prem clusters | Daniele Polencic 🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — Highlights solutions for extending AWS IAM Roles for Service Accounts (IRSA) configurations into on-premises Kubernetes clusters. Solves the hybrid identity challenge by utilizing OIDC federated discovery documents on local nodes.
Authentication (1)
Legacy Tools
- (2020) github.com/dvob/k8s-s2s-auth: Kubernetes Service Accounts 🌟 [GO CONTENT] [LEGACY] — Curator Insight: Demonstrates internal service-to-service auth patterns utilizing raw Service Account tokens. Live Grounding: The repository has seen no recent development and is considered legacy. It is superseded by modern ephemeral TokenRequest APIs and service mesh mTLS integrations.
- (2023) learnk8s.io/authentication-kubernetes: User and workload identities in Kubernetes 🌟🌟🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — A deep analysis of the conceptual differences between human and workload identities within Kubernetes. Details how API server authentication modules resolve internal workloads using Service Accounts, contrasting them with external OIDC providers.
- (2022) goteleport.com: A Simple Overview of Authentication Methods for Kubernetes Clusters [COMMUNITY-TOOL] — Synthesizes multiple Kubernetes authentication methods—including bootstrap tokens, client certificates, webhook tokens, and OIDC federation. Provides an architect-level comparison of trade-offs regarding credential life and operational complexity.
Cloud Integrations
AWS IRSA (1)
- (2021) mjarosie.github.io: IAM roles for Kubernetes service accounts - deep dive [ADVANCED LEVEL] [COMMUNITY-TOOL] — A thorough exploration of AWS IAM Roles for Service Accounts (IRSA). Demystifies how AWS OpenID Connect (OIDC) federation interacts with mutating admission webhooks to inject dynamic, temporary AWS STS credentials into Kubernetes pods.
Enterprise Authentication
- (2022) loft.sh: Kubernetes and LDAP: Enterprise Authentication for Kubernetes [ADVANCED LEVEL] [LEGACY] — Outlines pattern-driven integrations for bridging classic corporate LDAP servers with modern Kubernetes clusters. Focuses on identity broker abstractions like Dex to map legacy LDAP groups to Kubernetes RBAC definitions.
Microservice Identities
- (2023) learnk8s.io: Authentication between microservices using Kubernetes identities 🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] — A specialized guide analyzing how service-to-service communication can be secured natively. It demonstrates using Kubernetes ServiceAccount tokens as cryptographic identities to authenticate microservices without external overhead. This pattern reduces dependencies on heavy service meshes for simpler deployments.
OIDC
Legacy Tools (1)
- (2020) ==gini/dexter== ⭐ 168 [GO CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] [LEGACY] — Curator Insight: An OIDC-helper CLI tool for generating kubectl credential configurations. Live Grounding: Inactive for over 4 years; considered legacy under Nubenetes MVQ rules. It has been superseded by tools like kubelogin.
OAuth2 Proxy
- (2021) geek-cookbook.funkypenguin.co.nz: Using OAuth2 proxy for Kubernetes Dashboard [COMMUNITY-TOOL] [GUIDE] — A configuration guide describing how to wrap the Kubernetes Dashboard and sensitive internal APIs with oauth2-proxy, enabling secure OIDC integrations and SSO workflows.
- (2024) OpenID Connect [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — The official specifications for OpenID Connect, the dominant federation protocol for Kubernetes authentication. Implementing OIDC enables modern clusters to offload authentication to external identity providers like Okta, Keycloak, or Microsoft Entra ID. This standardizes identity tokens globally across decentralized services.
RBAC (1)
Legacy Tools (2)
- (2020) ==Krane 🌟== ⭐ 740 [RUBY CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] [LEGACY] — Curator Insight: An open-source Kubernetes RBAC static analysis tool designed to identify risky roles, cluster roles, and broad resource access configurations. Live Grounding: The repository is archived and inactive for over 4 years. While the structural rules engine remains historically valuable, it does not support modern Kubernetes RBAC security vectors.
- (2019) ==github.com/clvx/k8s-rbac-model: Kubernetes RBAC Model== ⭐ 26 [JAVASCRIPT CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — Curator Insight: A conceptual visualization framework for modeling Kubernetes RBAC policies. Live Grounding: The project has seen zero updates in over 5 years. Deprioritized under MVQ rules due to structural obsolescence against modern apiGroups.
Security Auditing
- (2022) raesene.github.io: Auditing RBAC - Redux [ADVANCED LEVEL] [COMMUNITY-TOOL] — Highly detailed assessment of tools and manual approaches used to audit RBAC permissions. Looks at the attack surface exposed by privileged service accounts and API server access loopholes, providing concrete defensive guidance.
- (2026) rbac.dev 🌟🌟🌟 [COMMUNITY-TOOL] — A dedicated directory of tools, templates, and best practices for Kubernetes RBAC configurations. Serves as an essential reference for engineers establishing zero-trust access boundaries.
- (2023) devopscube.com: How To Create Kubernetes Service Account For API Access [COMMUNITY-TOOL] [GUIDE] — A practical tutorial focused on provisioning Kubernetes Service Accounts for targeted API server access. Walks through credential auto-generation constraints, manifesting corresponding API access boundaries, and constructing secure automated CI/CD pipelines.
- (2023) learnk8s.io: Limiting access to Kubernetes resources with RBAC 🌟🌟🌟 [COMMUNITY-TOOL] [GUIDE] — A rigorous deep-dive into resource constraints using RBAC. Demonstrates how to write custom policies to isolate network endpoints, restrict API-driven actions, and test permissions safely using
kubectl auth can-i. - (2022) loft.sh: Kubernetes RBAC: Basics and Advanced Patterns [ADVANCED LEVEL] [COMMUNITY-TOOL] — Deconstructs advanced RBAC patterns, focusing on namespace isolation, virtual cluster (vcluster) control planes, and resolving performance regressions associated with large-scale policy databases.
- (2022) marcusnoble.co.uk: Restricting cluster-admin Permissions [ADVANCED LEVEL] [COMMUNITY-TOOL] — Examines security risks associated with widespread
cluster-adminusage. Proposes strategies to design specialized roles with precise apiGroup restrictions to establish guardrails around the control plane. - (2022) anaisurl.com: RBAC Explained with Examples 🌟 [COMMUNITY-TOOL] [GUIDE] — A visual, beginner-friendly guide dissecting RBAC mechanics in Kubernetes. Offers concrete examples of setting up specific read/write permissions for standard development teams.
- (2022) dev.to: Configure RBAC in Kubernetes Like a Boss [COMMUNITY-TOOL] [GUIDE] — An operational checklist and set of best practices for establishing robust, leak-proof RBAC models. Helps administrators avoid common authorization anti-patterns such as wildcards in role rules.
- (2022) youtube: Kubernetes RBAC Explained | Anton Putra 🌟 [COMMUNITY-TOOL] [GUIDE] — Detailed instructional video mapping user groups and service accounts to Kubernetes resources using RBAC. Explains role-binding syntax and access validations in an intuitive, visual style.
- (2021) infracloud.io: How to setup Role based access (RBAC) to Kubernetes Cluster 🌟 [COMMUNITY-TOOL] — Detailed technical analysis of native Kubernetes Role-Based Access Control (RBAC). Explains authorization objects (Roles, ClusterRoles, and Bindings) alongside API groups to help design least-privilege structures.
SSO and SAML
- (2022) gravitational.com: How to Set Up Kubernetes SSO with SAML [ADVANCED LEVEL] [COMMUNITY-TOOL] — Deconstructs the mechanics of configuring Single Sign-On (SSO) for cluster environments utilizing SAML. The guide explains authentication federation patterns, mapping identity provider attributes to Kubernetes RBAC roles. This setup ensures seamless, centralized access management for enterprise platform infrastructure.
Workload Identity
- (2021) linkerd.io: Using Kubernetes's new Bound Service Account Tokens for secure workload identity [ADVANCED LEVEL] [COMMUNITY-TOOL] — Examines Linkerd's transition to Kubernetes Bound Service Account Tokens (TokenRequest API). Explains the security benefits of using tokens containing specific audiences, node bindings, and short lifetimes to mitigate credential leakage risks.
Zero Trust Access
- (2024) paralus.io 🌟 [GO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Paralus is an open-source tool for managing access to multi-cluster Kubernetes environments. Offers a centralized portal for configuring Just-In-Time (JIT) access, OIDC integration, auditing, and RBAC synchronization across cloud providers.
Identity and Access Management (1)
Access Control (1)
- thenewstack.io: Cloud Native Identity and Access Management in Kubernetes [EN CONTENT] [ADVANCED LEVEL] [ENTERPRISE-STABLE] — Examines identity federation, user access management, and internal service-to-service authentication models. Curator insight details mapping cluster roles directly to organizational single sign-on identities. Live grounding indicates that decentralized identity and modern authentication are critical to maintaining least privilege in high-scale infrastructure.
Kubernetes Security (1)
Hardening (1)
- (2023) sysdig.com: Kubernetes Security Guide 🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — Sysdig's comprehensive guide to securing Kubernetes platforms details a multi-layered defense strategy covering container image scanning, runtime protection, network policies, and role-based access control (RBAC). It highlights compliance mappings (such as CIS benchmarks) and operational best practices for detecting abnormal kernel system calls using eBPF-based agents.
Secrets Management (1)
- (2021) Hands on your first Kubernetes secrets 🌟 [COMMUNITY-TOOL] [GUIDE] — This hands-on tutorial guides developers through creating, decoding, and mounting native Kubernetes Secret resources within applications. It highlights base64 encoding limitations and advises on key architectural alternatives, such as HashiCorp Vault integration, Sealed Secrets, or CSI secret store drivers for production environments.
Network Security
Internet Exposure
- (2022) raesene.github.io: Let's talk about Kubernetes on the Internet [ADVANCED LEVEL] [COMMUNITY-TOOL] — An urgent analytical overview assessing why many Kubernetes API control planes remain directly visible on the public internet. Discusses host-level firewall configurations, securing the Kubelet interface, and utilizing private API cluster features in major cloud providers. Emphasizes basic perimeter hygiene.
Network Policies (2)
- (2024) Calico in EKS [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — Guides integration of Calico as a high-performance network policy engine alongside EKS. While AWS VPC CNI handles native IP routing, Calico enforces declarative security policies. This hybrid configuration provides robust, fine-grained L3/L4 segregation across namespace borders.
- (2022) blog.gitguardian.com: Kubernetes Hardening Tutorial Part 2: Network [COMMUNITY-TOOL] — This technical tutorial demonstrates the configuration of Kubernetes NetworkPolicies to enforce granular traffic isolation. It contrasts default-allow networking models with secure default-deny postures, providing production-ready ingress and egress manifests. Engineers will learn how to reduce lateral threat movement by restricting pod-to-pod communications.
Offensive Security
Penetration Testing (1)
- (2022) tutorialboy24.blogspot.com: A Detailed Talk about K8S Cluster Security from the Perspective of Attackers (Part 2) 🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] — This deep technical analysis adopts an offensive security posture to highlight subtle vulnerabilities in cluster configurations. Demystifies container escape routes, RBAC over-privileging paths, and target exploration from within compromised pods. Highly valuable for red team operators and defensive engineers building detection rules.
PKI
Certificate Management
- (2022) blog.alexellis.io: What if your Pods need to trust self-signed certificates? [COMMUNITY-TOOL] — Focuses on patterns for trusting self-signed or internal enterprise Root CA certificates inside dynamic pod runtimes. Demonstrates using initContainers and shared volumes to inject trust anchors clean of custom application builds. Prevents hardcoding issues across dynamic corporate multi-tenant infrastructures.
- (2021) thenewstack.io: Jetstack Secure Promises to Ease Kubernetes TLS Security [COMMUNITY-TOOL] — Analyzes the release and architecture of Jetstack Secure, which simplifies and automates TLS lifecycle tracking via cert-manager. Explains the centralization of public key infrastructures (PKIs) across multi-cluster hybrid clouds. Prevents application downtime caused by unpredicted certificate expirations.
PKI and Certificates
Conceptual
- (2022) dev.to: Kubernetes TLS, Demystified 🌟 [COMMUNITY-TOOL] [GUIDE] — Demystifies Kubernetes TLS configurations by explaining public/private key pairs, certificate authorities, client-cert server validations, and common Ingress security setups.
TLS Ingress
Lets Encrypt
- (2021) rejupillai.com: Let’s Encrypt the Web (for free) [COMMUNITY-TOOL] [GUIDE] — A practical walk-through detailing TLS integration on a GKE Ingress controller. Guides the configuration of HTTP-01 and DNS-01 ACME validations using cert-manager, resulting in automated, free public certificates.
cert-manager
Access Control (2)
- (2024) ==github.com/cert-manager: Policy Approver== ⭐ 90 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — The cert-manager approver-policy extension code repository. Intercepts CertificateRequest resources before submission, evaluating requested commonNames, SANs, and key constraints against user-defined security guidelines.
Operations
- (2021) itnext.io: Upgrade Cert-Manager for Your Production Deployment Without Downtime [ADVANCED LEVEL] [COMMUNITY-TOOL] — A highly technical guide focusing on upgrading production cert-manager instances without cluster downtime. Addresses API version deprecations, webhook migrations, and handling CRD migrations smoothly.
- (2026) ==cert-manager/cert-manager== ⭐ 13859 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — Consolidated record of the cert-manager repository, automating certificate lifecycles to guarantee encrypted transport paths between internal microservice runtimes.
- (2026) cert-manager.io 🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] — Official documentation portal for cert-manager, the standard tool for cloud-native PKI. Explains configuring Issuers and Certificate manifests, detailing dynamic ACME solver pipelines, Let's Encrypt integration, and automated internal trust routing.
Platform Hardening
Best Practices (2)
- (2024) Kubernetes Security 101: Risks and 29 Best Practices 🌟 [CASE STUDY] [COMMUNITY-TOOL] — Essential Red Hat Security resource detailing 29 structural recommendations across the entire build, deploy, and run lifecycle. Covers vulnerability scanning, image signing, secure context configurations, and network isolation protocols.
Pod Security (1)
Pod Security Policies
- (2022) Pod Security Policy (SCC in OpenShift) 🌟 [ADVANCED LEVEL] [DOCUMENTATION] [LEGACY] — Architectural comparison contrasting OpenShift Security Context Constraints (SCC) with the deprecated Kubernetes Pod Security Policy (PSP). Live Grounding confirms PSP was completely removed in Kubernetes v1.25. This reference highlights how SCC remains enterprise-stable and active for securing namespaces in Red Hat OpenShift clusters.
- (2021) rancher.com: Enhancing Kubernetes Security with Pod Security Policies, Part 1 [LEGACY] — A historical look at securing container runtimes using Pod Security Policies. As PSP is now deprecated and fully removed in modern Kubernetes, this guide serves as a legacy reference for older Rancher setups. It clarifies critical container capabilities, privilege escalation preventions, and namespace defaults.
- (2021) developer.squareup.com: Kubernetes Pod Security Policies (PSP) [ADVANCED LEVEL] [LEGACY] — Legacy deep-dive exploring Square's real-world PSP architecture and rollout procedures. Note that modern engineering standards require migrating these exact controls to Pod Security Standards (PSS) or external engines like Kyverno. Essential reading to understand historical host namespaces and filesystem restrictions.
- (2021) itnext.io: Implementing a Secure-First Pod Security Policy Architecture [ADVANCED LEVEL] [COMMUNITY-TOOL] — Provides a secure-first PSP implementation strategy. In modern systems, this restricted-first paradigm must be executed via the native Pod Security Admission (PSA) controller. It guides readers on blocking privileged root escalation paths in older clusters.
Policy and Admission Control
Runtime Security (1)
Legacy Tools (3)
- (2018) ==box/kube-exec-controller== ⭐ 126 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — Curator Insight: Controller to restrict and audit shell execution inside Kubernetes pods. Live Grounding: Inactive for over five years. Superseded by newer ephemeral container mechanics, admission controllers (OPA/Kyverno), and modern service mesh execution boundaries.
Validating Webhooks
- (2022) trstringer.com: Create a Basic Kubernetes Validating Webhook [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — Step-by-step technical guide for writing a custom validating admission controller webhook. Focuses on processing API requests, writing validation criteria in Go, and configuring TLS certificate pathways between the API server and the webhook pod.
Policy and Audit
Manifest Auditing
- (2021) blog.frankel.ch: Learning by auditing Kubernetes manifests [COMMUNITY-TOOL] — An educational approach to understanding Kubernetes security postures through direct manifest auditing. The author walks through security context misconfigurations, detailing how over-privileged containers expose node architectures. This technique bridges the gap between passive development and active cluster security controls.
Policy Enforcement
Admission Control
- (2022) Neon Mirrors: Kubernetes Policy Comparison: OPA/Gatekeeper vs Kyverno [ADVANCED LEVEL] [COMMUNITY-TOOL] — An architectural face-off evaluating Rego-based OPA/Gatekeeper and YAML-native Kyverno. Kyverno offers exceptional ease of use for native K8s manifests, while OPA provides unparalleled expressive power for cross-system policies. It helps architects choose the correct declarative policy engine for high-compliance environments.
Runtime Security (2)
Ephemeral Containers
- (2022) xenitab.github.io: Kubernetes Ephemeral Container Security 🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] — Explores security boundaries regarding ephemeral debugging containers, analyzing potential escalation threats through 'kubectl debug'. Highlights how improper RBAC permissions on debugging tools can expose the underlying host or container namespace. Outlines defensive constraints like restricting hostIPC and hostPID mappings.
eBPF
- (2021) developers.redhat.com: Secure your Kubernetes deployments with eBPF [ADVANCED LEVEL] [COMMUNITY-TOOL] — Details how eBPF (Extended Berkeley Packet Filter) technology shifts the runtime security paradigm away from heavy, sidecar-based observability architectures. Demonstrates writing and attaching kernel sandboxed utilities to track execution and networking footprints with minimal CPU overhead. Crucial reading for high-scale, security-conscious platform teams.
eBPF and Cilium
- (2021) isovalent.com: Detecting a Container Escape with Cilium and eBPF [ADVANCED LEVEL] [COMMUNITY-TOOL] — An in-depth case study of container escape tactics and real-time detection utilizing eBPF and Cilium. It highlights limits of traditional syscall auditing, showcasing how kernel-level hooks identify privilege escalation without agent-induced overhead. Live Grounding points to eBPF-based security as the modern baseline for runtime security orchestration.
Secrets Management (2)
Conceptual (1)
- (2022) macchaffee.com: Plain Kubernetes Secrets are fine 🌟 [COMMUNITY-TOOL] — An alternative architectural perspective defending native Kubernetes Secrets. Argues that when matched with strong RBAC controls, namespace boundaries, and cluster-level etcd KMS encryption, native solutions provide sufficient enterprise protection.
- (2019) enterprisersproject.com: How to explain Kubernetes Secrets in plain English 🌟 [COMMUNITY-TOOL] [GUIDE] — An introductory conceptual explanation of Kubernetes Secrets. Translates low-level pod definitions and etcd mappings into non-technical language to align business stakeholders on cloud-native security postures.
Developer Practice
- (2021) millionvisit.blogspot.com: Kubernetes for Developers #19: Manage app credentials using Kubernetes Secrets 🌟 [COMMUNITY-TOOL] [GUIDE] — Developer-centric guide to configuring application manifests for secret consumption. Compares the security profiles of importing secrets as environment variables against dynamic filesystem mounts, detailing runtime behavior and update propagation.
External Secrets
- (2025) ==external-secrets.io 🌟== [GO CONTENT] [ADVANCED LEVEL] [DOCUMENTATION] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — The industry-standard operator for syncing external secrets management services (like AWS Secrets Manager, Vault, or GCP Secret Manager) into Kubernetes Secret objects. This eliminates storing sensitive configuration inside git repositories, supporting true GitOps workflows. Decoupled and secure, it is a critical security-centric component.
GitOps
External Secrets Operator
- (2023) youtube: Manage Kubernetes Secrets With External Secrets Operator (ESO) 🌟 [COMMUNITY-TOOL] [GUIDE] — A technical demonstration detailing the installation and runtime management of the External Secrets Operator (ESO). Demonstrates synchronization pipelines that pull credentials from HashiCorp Vault and cloud providers into native secret schemas.
Sealed Secrets
- (2022) dev.to: Store your Kubernetes Secrets in Git thanks to Kubeseal. Hello SealedSecret! 🌟 [COMMUNITY-TOOL] [GUIDE] — A step-by-step implementation guide for Bitnami's Sealed Secrets (kubeseal). Explains how asymmetric cryptography allows developers to safely commit encrypted secrets to public repositories, leaving cluster-side controllers to handle automated decryption.
- (2022) piotrminkowski.com: Sealed Secrets on Kubernetes with ArgoCD and Terraform [ADVANCED LEVEL] [COMMUNITY-TOOL] — Demonstrates the end-to-end automation of Bitnami Sealed Secrets using Terraform and ArgoCD. Helps DevOps architects define declarative pipelines that provision the sealed secret operator and manage encrypted configurations in Git repositories.
- (2022) cloud.redhat.com: A Guide to Secrets Management with GitOps and Kubernetes 🌟 [ADVANCED LEVEL] [CASE STUDY] [COMMUNITY-TOOL] — Red Hat's whitepaper outlining standard solutions for GitOps secrets management. Contrasts the operational overhead and security profiles of Sealed Secrets, vault-sidecars, and external integration engines in CD environments.
HashiCorp Vault
- (2021) itnext.io: Effective Secrets with Vault and Kubernetes [ADVANCED LEVEL] [COMMUNITY-TOOL] — Architectural overview on configuring HashiCorp Vault inside Kubernetes clusters. Covers the Vault Agent Sidecar Injector pattern, dynamic database credential generation, and leveraging Kubernetes service accounts for seamless Vault token exchange.
- (2021) itnext.io: Vault cluster with auto unseal on Kubernetes [ADVANCED LEVEL] [COMMUNITY-TOOL] — Detailed structural guide for configuring an enterprise-grade, highly available HashiCorp Vault cluster in Kubernetes. Features automated unsealing integrations using cloud KMS systems (AWS KMS/GCP KMS) to remove manual keys dependencies.
KMS Integration
Legacy Tools (4)
- (2023) ==github.com/ondat/trousseau== ⭐ 181 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] [LEGACY] — Curator Insight: KMS integration designed to encrypt secrets inside etcd using external key management systems. Live Grounding: This repository is unmaintained and archived following Ondat's acquisition. Deprioritized under MVQ rules in favor of native Kubernetes KMS v2 features.
OWASP
- (2022) itnext.io: Kubernetes OWASP Top 10: Secrets Management [COMMUNITY-TOOL] — Addresses Secrets Management under the OWASP Kubernetes threat framework. Details vulnerabilities of default etcd storage parameters and details using External Secrets Operator or HashiCorp Vault. Prevents secrets exposure via repository check-ins or pod environment parameters.
Platform Hardening (1)
Conceptual (2)
- (2022) "Kubernetes base64 encodes secrets because that makes arbitrary data play nice with JSON. It had nothing to do with the security model (or lack thereof). It did not occur to us at the time that people could mistake base64 for some form of encryption" [COMMUNITY-TOOL] — A curated synthesis of engineering consensus regarding Kubernetes native base64 secrets. Emphasizes that encoding is not encryption and acts strictly as a data-serialization layer. Highly recommends implementing RBAC, audit logging, and envelope KMS encryption.
- (2026) kubernetes.io: Encrypting Secret Data at Rest 🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] — Official reference guide to implementing etcd database encryption at rest. Walks through configuring structural 'EncryptionConfiguration' resources, comparing local providers (AES-GCM, secretbox) against enterprise Cloud KMS plugins.
Stateful Apps
- (2021) kubermatic.com: Keeping the State of Apps Part 2: Introduction to Secrets [COMMUNITY-TOOL] — An overview of state management strategies within modern Kubernetes runtimes. Highlights basic secrets integration patterns, emphasizing security isolation layers required to protect persistent state in complex application architectures.
Static Analysis
Manifest Auditing (1)
- (2022) itnext.io: Performing Security Checks for Deployed Kubernetes Manifests [COMMUNITY-TOOL] — Reviews technical methods to assess security profiles of Kubernetes configurations prior to cluster deployment. Explains standard static evaluation tools and custom policy syntax like Open Policy Agent (OPA) or Kyverno. Focuses on integrating these guardrails directly within pull request pipelines.
System Hardening
Security Profiles Operator
- (2025) kubernetes-sigs/security-profiles-operator ⭐ 848 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — The official Kubernetes SIG operator for managing Seccomp, AppArmor, and SELinux profiles natively. Live Grounding confirms its active role in highly regulated sectors for hardening container execution spaces. It replaces manual node profiling with declarative, cluster-wide configurations.
- (2021) kubernetes.io: What's new in Security Profiles Operator v0.4.0 [COMMUNITY-TOOL] — An official release announcement detailing the evolution of SPO. It highlights improved profile recording capabilities, integration with kubectl, and initial support for SELinux. Crucial for understanding the transition from manual profiles to automation.
Threat Modeling (1)
Penetration Testing (2)
- (2021) dev.to: A Detailed Talk about K8S Cluster Security from the Perspective of Attackers (Part 1) [ADVANCED LEVEL] [COMMUNITY-TOOL] — Provides an attacker's perspective on Kubernetes deployment flaws. Explores breakout methodologies, privilege escalation via over-permissioned service accounts, and API Server compromise scenarios, illustrating defensive configurations required to counter threats.
Threat Vector
Internet Exposure (1)
- (2023) blog.cyble.com: Exposed Kubernetes Clusters [ADVANCED LEVEL] [COMMUNITY-TOOL] — Threat intelligence research showing search profiles of exposed clusters active across the globe. Highlights typical compromise pathways starting from default configurations or misconfigured control plane boundaries. Recommends strict perimeter restrictions.
Observability Exposure
- (2022) sysdig.com: How attackers use exposed Prometheus server to exploit Kubernetes clusters | Miguel Hernández [ADVANCED LEVEL] [COMMUNITY-TOOL] — An analytical threat report detailing how exposed Prometheus endpoints can facilitate cluster compromise. Explains how attackers scan for unauthenticated metrics interfaces to harvest metadata, endpoints, and environment configurations. Demonstrates step-by-step mitigation paths, including mandatory mTLS and RBAC verification.
Tooling
Security Auditing (1)
- (2022) mattermost.com: The Top 7 Open Source Tools for Securing Your Kubernetes Cluster [COMMUNITY-TOOL] — This resource provides a comparative overview of seven premier open-source tools designed for Kubernetes security hardening. It introduces utilities like Trivy, Falco, and Kube-hunter, aligning each with specific pipeline gates or runtime defenses. Serves as a useful high-level map for architects selecting security tooling.
Vulnerabilities
CVE Tracking
- (2025) kubernetes.io: Official CVE Feed 🌟 [DOCUMENTATION] [COMMUNITY-TOOL] — The official database of active and resolved CVEs for the Kubernetes ecosystem. It tracks core component bugs, container execution vulnerabilities, and control plane bypass vectors. Maintaining a regular review of this feed is an essential component of modern enterprise risk mitigation.
- (2022) kubernetes.io: Announcing the Auto-refreshing Official Kubernetes CVE Feed [COMMUNITY-TOOL] — Details the launch of the programmatically accessible, auto-refreshing CVE feed in JSON/YAML. This allows security automation tooling to dynamically scan and trigger alerts on freshly discovered platform vulnerabilities, greatly speeding up remediation and patching schedules.
Case Studies (1)
- (2021) hackerone.com: Authenticated kubernetes principal with restricted permissions can retrieve ingress-nginx serviceaccount token and secrets across all namespaces [ADVANCED LEVEL] [COMMUNITY-TOOL] — A detailed post-mortem report demonstrating how restricted cluster principals could extract ingress-nginx service account tokens. This real-world vulnerability highlights the architectural danger of over-privileged system namespaces. It emphasizes the need to isolate and continuously audit ingress controller configurations.
Post-Deployment Scanning
- (2025) ==kubescape== ⭐ 11480 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — An active CNCF Sandbox tool providing multi-framework configuration scanning, risk analysis, and vulnerability management. It integrates into CI/CD pipelines to ensure continuous verification of compliance frameworks (like CIS and NSA-CISA). Essential for enterprise teams seeking unified security visibility.
Vulnerability Assessment
CIS Benchmarks (2)
- (2022) rancher/cis-operator ⭐ 55 [GO CONTENT] 🌟🌟 [COMMUNITY-TOOL] — Rancher's cis-operator is an automated tool running CIS security scans natively within Rancher ecosystems. It generates compliance reports validating control plane and worker components against standard security baselines. A key utility for multi-cluster environments managed via Rancher.
- (2022) blog.flant.com: Kubernetes cluster security assessment with kube-bench and kube-hunter [COMMUNITY-TOOL] — Evaluates how to deploy and configure Aqua Security's kube-bench alongside kube-hunter. Shows how to automate node validation against CIS benchmarks, and actively scan cluster endpoints for network exposure vectors. Offers a potent open-source combination for regular pentesting operations.
Policy Enforcement (1)
- (2023) github.com/Shopify/kubeaudit 🌟🌟 ⭐ 1937 [GO CONTENT] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] [LEGACY] — Shopify's kubeaudit is a popular open-source tool targeting configuration analysis. Curators note its ability to audit running clusters or local manifests for root execution or privilege escalations. Live Grounding (2026): The repository is archived/read-only, but its audit logic remains highly influential for policy structures.
- (2022) itnext.io: Kubernetes OWASP Top 10: Centralised Policy Enforcement [COMMUNITY-TOOL] — Investigates mitigating risks from the OWASP Kubernetes Top 10 using centralized Policy-as-Code platforms like OPA Gatekeeper or Kyverno. Focuses on setting up mutating and validating admission webhooks to prevent non-compliant configs from deploying. Establishes programmatic posture control.
- (2021) infoq.com: Armo Releases Kubescape K8s Security Testing Tool: Q&A with VP Jonathan Kaftzan [COMMUNITY-TOOL] — An interview exploring the architecture, technical goals, and philosophy behind Kubescape. Focuses on simplifying multi-framework compliance analysis for platform engineers. Details how the tool analyzes YAML formats and active runtimes to find security posture anomalies.
Threat Modeling (2)
- (2022) owasp.org: OWASP Kubernetes Top Ten [DOCUMENTATION] [COMMUNITY-TOOL] — The official OWASP Kubernetes Top Ten project document. Outlines the ten most dangerous vulnerabilities facing modern orchestrator deployments, including API vulnerabilities, insecure defaults, and supply-chain bugs. The core benchmark for establishing cluster defense strategies.
- (2022) sysdig.com: OWASP Kubernetes Top 10 🌟 [COMMUNITY-TOOL] — A deep analysis of the OWASP Kubernetes Top 10, exploring actual deployment misconfigurations that map to these risks. Details supply chain threats, poor credentials storage, and audit log gaps. Offers recommendations to strengthen system setups.
Zero Trust
Service Mesh and Networking
- (2022) copado.com: Applying a Zero Trust Infrastructure in Kubernetes [ADVANCED LEVEL] [COMMUNITY-TOOL] — An architecture guide on applying Zero Trust principles to Kubernetes infrastructure environments. It covers building cryptographically verifiable workload identities via SPIFFE/SPIRE, and micro-segmenting service interactions with mTLS. Transitions teams away from perimeter-only defenses to continuous validation.
Zero Trust Architecture
- (2022) thenewstack.io: Securing Access to Kubernetes Environments with Zero Trust [COMMUNITY-TOOL] — Discusses securing cloud-native setups using Zero Trust strategies. Covers real-time threat assessments, deep access auditing, and replacing static certificates with automated network micro-segmentation.
Security Training and Playgrounds
Kubernetes Goat Lab
- (2020) Kubernetes Goat 🌟 [GO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — An intentionally vulnerable cluster environment designed for hands-on cybersecurity training. Includes self-contained scenarios exploring SSRF, container escape, secrets leakage, and misconfigured RBAC roles.
Supply Chain Security
Open Source Vulnerability Scanning
- (2020) resources.whitesourcesoftware.com: Kubernetes Security Best Practices 🌟 [N/A CONTENT] [COMMUNITY-TOOL] — Details patterns for implementing automated security controls, concentrating on software composition analysis (SCA), secrets lifecycle management, and validating supply-chain container provenance.
Signature Verification and Ratify
- (2021) infoworld.com: Securing the Kubernetes software supply chain with Microsoft's Ratify [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Focuses on utilizing Ratify as an admission controller to verify container metadata, secure supply-chain signatures (via Cosign/Notation), and enforce strict provenance validation before execution.
Threat Modeling (3)
MITRE ATTandCK Adaptation
- (2021) microsoft.com: Secure containerized environments with updated threat matrix for Kubernetes [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Discusses updates to Microsoft's threat matrix for Kubernetes, refining mapped attack vectors based on modern production compromise telemetry. Covers control plane compromises and cloud identity integrations.
MITRE ATTandCK Framework
- (2020) Microsoft.com: Attack matrix for Kubernetes 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Microsoft's systematic adaptation of the MITRE ATT&CK framework mapping out K8s attack vectors from initial access to execution, persistence, privilege escalation, and impact. Helps security operators assess risks in orchestration configurations.
Vulnerability Assessment Tools
Kubestriker Scanner
- (2021) helpnetsecurity.com: Kubestriker: A security auditing tool for Kubernetes clusters 🌟 [N/A CONTENT] [COMMUNITY-TOOL] — Reviews Kubestriker, a lightweight, agentless open-source security scanner that audits Kubernetes control plane configurations, insecure ports, and IAM roles for vulnerabilities.
Workload Hardening
Identity and Access Management (2)
- (2020) thenewstack.io: Laying the Groundwork for Kubernetes Security, Across Workloads, Pods and Users [N/A CONTENT] [COMMUNITY-TOOL] — Analyzes the multi-dimensional security layers required for modern Kubernetes deployments, addressing workload isolation, Pod Security Standards (PSS), and secure developer workflow patterns.
Pod Security Context
- (2020) snyk.io: 10 Kubernetes Security Context settings you should understand [N/A CONTENT] [COMMUNITY-TOOL] — Detailed documentation of essential Security Context settings (e.g.,
allowPrivilegeEscalation,readOnlyRootFilesystem, andrunAsNonRoot) used to harden workload runtimes.
Pod Specifications
- (2021) blog.gitguardian.com: Kubernetes Hardening Tutorial Part 1: Pods [N/A CONTENT] [COMMUNITY-TOOL] — Part one of GitGuardian's workload security tutorial, targeting critical pod configurations such as root user restrictions, secure namespaces, and minimizing host-level network sharing.
Workstation Client Security
Kubeconfig Hardening
- (2020) gist.github.com: How to protect your ~/.kube/ configuration [SHELL CONTENT] [COMMUNITY-TOOL] [GUIDE] — Provides hardening steps for securing developer workstation
~/.kube/configfiles. Details POSIX permissions adjustments, the usage of credential helpers, and avoiding static administrative token storage.