Files
awesome-kubernetes/v2-docs/kubernetes-security.md

151 KiB
Raw Blame History

Kubernetes Security

!!! info "Architectural Context" Detailed reference for Kubernetes Security in the context of Hardened Infrastructure.

Table of Contents

  1. API Access Protection
  1. Architectural Foundations
  1. Architecture
  1. CKS Certification Study Guides
  1. CNI Network Vulnerabilities
  1. CVE Analysis
  1. Case Studies
  1. Cloud Native Networking
  1. Cloud Native Security
  1. Cluster Hardening
  1. Cluster Lifecycle Security
  1. Cluster Misconfigurations
  1. Defense in Depth
  1. Identity and Access Management
  1. Industry Reports
  1. Infrastructure
  1. Kubernetes Platform Engine
  1. Networking and Security
  1. Observability and Monitoring
  1. Penetration Testing
  1. Pod Privilege Escalation
  1. Policy-as-Code
  1. RBAC and Authorization
  1. Risk Analysis and Auditing
  1. Secrets Management
  1. Security
  1. Security Training and Playgrounds
  1. Supply Chain Security
  1. Threat Modeling
  1. Vulnerability Assessment Tools
  1. Workload Hardening
  1. Workstation Client Security

API Access Protection

Teleport Access Control

  • (2021) goteleport.com: Kubernetes API Access Security Hardening [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Assesses security postures for Kube-API exposure, outlining standard secure practices including zero-trust access, bastions, detailed telemetry streams, and short-lived credentials.

Architectural Foundations

Kubernetes Tools

General Reference

Architecture

Microservices

Application Lifecycle

  • (2022) itnext.io: Journey Of A Microservice Application In The Kubernetes World 🌟 [COMMUNITY-TOOL] — Traces the structural lifecycle of a containerized microservice traversing deployment pipelines, service routing, and load balancing configurations. Provides practical insights into configuring readiness/liveness probes, autoscaling parameters, and ingress rules. Essential reference for microservice platform standardization.

CKS Certification Study Guides

Cluster Lifecycle Security

CNI Network Vulnerabilities

Network Penetration Testing

CVE Analysis

Network Vulnerabilities

Case Studies

Historical Exploit Analysis

Cloud Native Networking

Network Policies

Calico and Tigera Security

Secure CNI Implementation

  • (2021) itnext.io: How-To: Kubernetes Cluster Network Security 🌟 [N/A CONTENT] [COMMUNITY-TOOL] — A practical tutorial covering secure network policy design. Guides readers through limiting pod egress/ingress, utilizing global network policies, and implementing namespaces as security perimeters.

Cloud Native Security

The 4Cs of Cloud Native Security

  • (2020) kubernetes.io: Cloud native security for your clusters [N/A CONTENT] [COMMUNITY-TOOL] — An authoritative review of the '4C's of Cloud Native Security' (Cloud, Cluster, Container, Code). Explains how defense-in-depth principles apply across all layers of the cloud-native application stack.

Cluster Hardening

Infrastructural Protection

Network Policies (1)

  • (2019) ==Kubernetes Security Best Practices 🌟== 2712 [MARKDOWN CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — A curated GitHub repository delineating hardened configurations for Kubernetes API servers, Kubelets, and network boundaries. It details port-level access rules, ingress/egress filtering, and cluster isolation tactics to defend against pivot attacks.

Operational Security

  • (2020) codeburst.io: 7 Kubernetes Security Best Practices You Must Follow [N/A CONTENT] [COMMUNITY-TOOL] — Outlines fundamental security practices for Kubernetes workloads, focusing on enabling RBAC, using namespaces for boundary control, managing secrets securely, and upgrading Kubernetes control planes to address known CVEs.

Runtime Secrets Scanning

Security Best Practices

Cluster Lifecycle Security (1)

Operating System Paradigm

Cluster Misconfigurations

Common Mistakes

Defense in Depth

Cluster Hardening (1)

Identity and Access Management

SSO and OIDC Configuration

Industry Reports

  • (2021) redhat.com: The State of Kubernetes Security [N/A CONTENT] [COMMUNITY-TOOL] — Red Hat's analysis of container security threats, identifying key issues such as misconfigurations, unpatched vulnerabilities, and integration friction in cloud-native operational environments.

Infrastructure

AWS Integration

Networking

  • (2024) EC2 ENI and IP Limit [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — Critical hardware reference outlining IP address and Elastic Network Interface (ENI) allocation limits per EC2 instance type. This heavily dictates pod density capabilities when utilizing the VPC CNI plug-in. Platform architects use this data to calculate scaling limits and avoid network exhaustion.

Kubernetes Platform Engine

Cluster Installation and Hardening

Infrastructure Provisioning

Container Runtimes

Runtime Isolation

Networking and Security

Security Compliance

CIS Benchmarks

  • (2026) ==kube-bench 🌟== 8078 [GO CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — The industry standard tool to check whether Kubernetes clusters are deployed securely according to the Center for Internet Security (CIS) benchmarks. Can be run inside container workloads or directly on node hosts, outputting detailed reports identifying API, TLS, and permissions vulnerabilities.

Observability and Monitoring

Runtime Security

Falco and K3s Audit Logging

  • (2021) Analyze Kubernetes Audit logs using Falco 🌟 [GO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — Demonstrates how to pipe Lightweight Kubernetes (K3s) API server audit logs directly into CNCF Falco. Perfect for resource-constrained edges and automated home lab deployments.

Security Industry Analysis

Sysdig and Falco Audit Integration

eBPF Runtime Enforcement

Tetragon Platform

  • (2022) ==Tetragon (Cilium)== 4749 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — An eBPF-powered security observability and runtime enforcement platform. It monitors and blocks system events at the kernel level, providing granular process execution, network activity, and file system audit streams with zero container overhead.

Penetration Testing

Security Operations

Pod Privilege Escalation

Vulnerability Exploitation

Policy-as-Code

Kyverno Administration

  • (2020) kyverno.io 🌟 [GO CONTENT] [COMMUNITY-TOOL] — Kyverno is a declarative Kubernetes-native policy engine. Designed specifically for Kubernetes, it simplifies policy management by allowing administrators to validate, mutate, and generate resources without writing complex Rego code.

Kyverno Rules and Policies

  • (2020) kyverno.io/policies 🌟 [YAML CONTENT] [COMMUNITY-TOOL] — The official catalog of Kyverno policies, providing ready-to-deploy manifests for Pod Security standards, multi-tenant workspace isolation, label validation, and compliance auto-generation.

RBAC and Authorization

Privilege Escalation

Risk Analysis and Auditing

Threat Vector Modeling

Secrets Management

HashiCorp Vault Integration

Security

Access Control

API Access

  • (2024) kubernetes.io: Access Clusters Using the Kubernetes API [DOCUMENTATION] [COMMUNITY-TOOL] — An official task-oriented guide illustrating the safe initialization of connections directly to the Kubernetes API server. It highlights proxying patterns, kubectl integration, and direct API calls via transport-layer security (TLS). Essential for developers automating low-level operations within controlled environments.

Authentication

  • (2024) kubernetes.io: Authenticating [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — The core official reference for understanding user and service account authentication mechanisms in Kubernetes. It reviews client certificates, bearer tokens, and OIDC federation protocols. This architectural baseline explains how kube-apiserver validates identity requests securely.

Cluster Access

  • (2024) kubernetes.io: Accesing Clusters [DOCUMENTATION] [COMMUNITY-TOOL] — Explains how developers and administrators access remote clusters using credential files (kubeconfigs). This documentation reviews contextual switching, multi-cluster management, and local proxy patterns. It serves as a foundational step for secure local engineering workflows.

Custom Authentication

  • (2023) Implementing a custom Kubernetes authentication method [ADVANCED LEVEL] [LEGACY] — Provides a technical blueprint for implementing bespoke authentication strategies using webhook token authentication. It explains the integration of custom identity backends with the kube-apiserver lifecycle. Recommended for highly specialized security architectures with legacy SSO restrictions.

RBAC

kubectl Authentication

  • (2020) kubernetes login [LEGACY] — A legacy-focused technical exploration explaining the login process flow through kubectl. This article breaks down the historical and contemporary mechanics of authentication helpers and tokens. Ideal for engineers seeking to demystify credential caching behaviors.

Application Security

Client Security

  • (2022) curity.io: Client Security [COMMUNITY-TOOL] — Focuses on security patterns when structuring application clients that interface with identity ecosystems. Covers patterns like Token Handlers and Backend-for-Frontend (BFF) to safely abstract tokens away from client browsers or apps. Reduces target exposures to common cross-site scripting risks.

Architecture (1)

DevSecOps

  • (2022) thenewstack.io: Securing Kubernetes in a Cloud Native World [COMMUNITY-TOOL] — This technical analysis explores how security shifts within high-velocity cloud-native deployments. Outlines strategies for managing immutable infrastructure, dynamic policy updates, and zero-trust routing. Strongly advocates for shifting security controls left and using automated gating engines.
  • (2022) thenewstack.io: Basic Principles Key to Securing Kubernetes Future [COMMUNITY-TOOL] — Examines long-term trends in cloud-native security, arguing for declarative and immutable configurations as the main vector of defense. Synthesizes principles of software supply chain verification (such as Sigstore/Cosign integration) and automated drift detection. Vital for architects planning 3-to-5 year container strategies.

Audit

Configuration Assessment

  • (2023) securitycafe.ro: A COMPLETE KUBERNETES CONFIG REVIEW METHODOLOGY [ADVANCED LEVEL] [COMMUNITY-TOOL] — An exhaustive, step-by-step methodology for auditing the entire configuration footprint of Kubernetes environments. Provides structural steps for scanning RBAC bindings, assessing cluster configuration parameters, and scanning host node vulnerabilities. Essential checklist for compliance officers and security auditors.

Best Practices

General Hardening

  • (2024) armosec.io: Kubernetes Security Best Practices: Definitive Guide [ADVANCED LEVEL] [COMMUNITY-TOOL] — An exhaustive technical blueprint emphasizing end-to-end cloud-native system security. It details critical hardening strategies including image scanning, continuous compliance auditing, and secure runtime boundaries. Modern operators leverage these concepts to build proactive defensive postures across hybrid clusters.
  • (2023) thenewstack.io: 6 Kubernetes Security Best Practices 🌟 [COMMUNITY-TOOL] — A baseline architectural guide covering foundational security principles in Kubernetes. It focuses on isolating workloads, enabling network policies, and minimizing container privileges. Real-world implementation highlights the mitigation of broad blast radii by enforcing namespace segregation.
  • (2023) spectrocloud.com: Kubernetes security best practices: 5 easy ways to cut risk [COMMUNITY-TOOL] — Outlines five high-impact security wins to drastically lower cluster risk vectors. Key practices include restrictive network boundary controls, cluster-wide image pinning, and utilizing immutable root filesystems. These pragmatically reduce immediate exposure surfaces for standard multi-tenant setups.

Cloud Security

AWS EKS Network

  • (2024) Security Group Rules EKS [DOCUMENTATION] [COMMUNITY-TOOL] — Official AWS configuration documentation detailing the network security boundaries for Amazon EKS clusters. It defines minimal requirements for control-plane-to-node communication over secure ports. This ensures highly restrictive ingress/egress patterns in security groups.

EKS Hardening

  • (2024) Amazon EKS Best Practices Guide for Security 🌟 [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — The definitive enterprise guide for hardening EKS clusters against cloud-native threats. It covers network segregation, IAM roles for service accounts (IRSA), secrets encryption, and runtime defense. This is a foundational checklist for any platform engineering team running on AWS.

Cluster Hardening (2)

Audit Logs

Best Practices (1)

  • (2022) cast.ai: Kubernetes Security: 10 Best Practices from the Industry and Community 🌟 [LEGACY] — Consolidates ten core security practices derived from cloud-native community patterns and expert input. Discusses API server hardening, encryption of secrets at rest in etcd, and continuous vulnerability verification. Provides a clear roadmap for migrating legacy infrastructure securely into Kubernetes.
  • (2022) dev.to/aws-builders: Best Practices for Securing Kubernetes Deployments 🌟 [COMMUNITY-TOOL] — Presents an action-oriented best practice matrix covering cluster configuration and pod safety profiles. Details etcd encryption setups, secure secrets distribution patterns, and implementing standard Pod Security Admission policies. Highly recommended for establishing cluster baselines.

Deployment Security

  • (2022) armosec.io: How to Secure Deployments in Kubernetes? 🌟 [COMMUNITY-TOOL] — An operational guide on implementing Pod Security Standards (PSS) within modern clusters. Provides precise configurations for configuring read-only root filesystems, restricting Linux capability escalation, and rejecting root execution. Helps secure standard application manifests against common run-time threat models.

Pod Security

  • (2022) dev.to/thenjdevopsguy: Securing Kubernetes Pods For Production Workloads [COMMUNITY-TOOL] — Focuses on runtime container hardening for critical production clusters. Provides examples of setting up restricted securityContext parameters, dropping raw Linux capabilities, and activating seccomp profiles. Ensures configurations restrict exploitation should container escape vulnerabilities emerge.

Standard Checklists

  • (2023) kubernetes.io: Security Checklist 🌟🌟 [DOCUMENTATION] [COMMUNITY-TOOL] — The official security checklist published by upstream Kubernetes maintainers. It serves as an authoritative map for hardening cluster networks, applying role access structures, and validating runtimes. Essential baseline documentation for cloud infrastructure engineers.

Compliance

CIS Benchmarks (1)

  • (2024) ibm.com: CIS Benchmarks [ADVANCED LEVEL] [COMMUNITY-TOOL] — The Center for Internet Security (CIS) Benchmarks provide globally recognized consensus-based best practices for securing IT systems, clouds, and Kubernetes environments. Organizations use these structured guidelines to validate and harden infrastructure configurations, ensuring compliance with strict security mandates through automated configuration auditors.

Deployment Security (1)

Hardening

  • (2023) semaphoreci.com: Secure Your Kubernetes Deployments [COMMUNITY-TOOL] — Focuses on incorporating shift-left security strategies directly into the CI/CD deployment pipeline. It details how to leverage static manifest analysis, configuration linters, and runtime context constraints. This is essential for preventing misconfigured workloads from reaching production environments.

DevSecOps (1)

CICD Pipeline Security

  • (2022) infoworld.com: 10 steps to automating security in Kubernetes pipelines [COMMUNITY-TOOL] — A ten-step technical blueprint focused on integrating security scanners directly into automated CI/CD deployment pipelines. Covers static application security testing (SAST), secrets detection, and manifest scanning before changes reach staging or production clusters. Outlines shift-left strategies to mitigate misconfiguration deployment risks.

Continuous Security

  • (2022) collabnix.com: Applying DevSecOps Practices to Kubernetes [COMMUNITY-TOOL] — Explores the technical implementation of DevSecOps pipelines targeting Kubernetes applications. Discusses how to configure automated feedback loops between static manifest linters, container register vulnerability databases, and runtime audit monitors. Crucial for scaling secure delivery pipelines.

Developer Guidance

  • (2022) dev.to/pavanbelagatti: Kubernetes Security Best Practices For Developers [COMMUNITY-TOOL] — Translates complex cluster security profiles into digestible concepts tailored directly for application developers. Focuses on safe manifest construction, secret handling, and using non-root base images. Encourages safe development workflows to eliminate security issues before code merges.

Fundamentals

Concepts

  • (2022) itnext.io: Introduction to Kubernetes Security for Security Professionals [COMMUNITY-TOOL] — An entry point resource for security practitioners pivoting from virtual machines or bare-metal servers into Kubernetes environments. Explains standard architectural paradigms like Pods, Namespaces, Service Accounts, and Admission Controllers. Focuses on building a coherent threat modeling mental map.
  • (2022) dev.to/mattiasfjellstrom: Kubernetes-101: Security concepts [COMMUNITY-TOOL] — An introductory security conceptual guide reviewing isolation techniques like Linux namespaces, cgroups, and capabilities. Correlates these kernel-level tools to upstream abstraction parameters in standard Pod specs. Provides a concise, high-density primer on basic defense constructs.

Threat Modeling

Hardening Standards

Government Guidelines

  • (2022) armosec.io: NSA & CISA Kubernetes Hardening Guide what is new with version 1.1 [LEGACY] — Details updates in version 1.1 of the NSA-CISA Kubernetes Hardening Guide. Highlights transition criteria from deprecated PodSecurityPolicies to Pod Security Standards, alongside advice on checking third-party integrations. Helps teams stay aligned with current guidance.
  • (2021) thenewstack.io: The NSA Can Help Secure Your Kubernetes Clusters [COMMUNITY-TOOL] — Evaluates the joint security guidance on Kubernetes hardening issued by the NSA and CISA. Translates government recommendations into actionable steps for enterprise IT administrators. Focuses on separation of credentials and configuring audit pathways.
  • (2021) therecord.media: NSA, CISA publish Kubernetes hardening guide 🌟🌟 [COMMUNITY-TOOL] — Detailed breakdown of the NSA/CISA Kubernetes Hardening Guide. Emphasizes container sandboxing, running applications with minimal privilege bounds, and dividing networks to limit damage. A vital reference point for regulatory compliance projects.
  • (2021) infoq.com [COMMUNITY-TOOL] — Explores key recommendations from CISA and the NSA regarding cluster infrastructure protection. Demystifies technical methods for managing root filesystems, authenticating platform API requests, and using logging setups to trace lateral movement.
  • (2021) thenewstack.io: NSA on How to Harden Kubernetes [COMMUNITY-TOOL] — A practical review focusing on the security configurations defined within the NSA hardening guides. Covers container escape avoidance, using read-only structures, and setting up logging patterns. Beneficial for system engineers translating recommendations to production setups.

IAM

Authentication and Authorization

  • (2022) dev.to/thenjdevopsguy: The 4 Cs Of Kubernetes Security [ADVANCED LEVEL] [COMMUNITY-TOOL] — Evaluates enterprise patterns for integrating Kubernetes Role-Based Access Control (RBAC) with corporate directory systems (OIDC, Active Directory). Examines tools like Dex to implement single sign-on (SSO) strategies across multi-cluster environments. Essential reading for cluster operations scaling across departments.

SSO

  • (2022) dev.to/gabrielbiasi: Automatic SSO in Kubernetes workloads using a sidecar container [COMMUNITY-TOOL] — Outlines an automated SSO sidecar integration pattern inside Kubernetes pods, abstracting authentication logic away from application-level containers. Details OAuth token management and redirect intercept strategies executed transparently at the pod level. Simplifies identity integration across multiple microservices.

Identity and Access

AWS IRSA

Hybrid Cloud

Authentication (1)

Legacy Tools

Cloud Integrations

AWS IRSA (1)

Enterprise Authentication

Microservice Identities

  • (2023) learnk8s.io: Authentication between microservices using Kubernetes identities 🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] — A specialized guide analyzing how service-to-service communication can be secured natively. It demonstrates using Kubernetes ServiceAccount tokens as cryptographic identities to authenticate microservices without external overhead. This pattern reduces dependencies on heavy service meshes for simpler deployments.

OIDC

Legacy Tools (1)
  • (2020) ==gini/dexter== 168 [GO CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] [LEGACY] — Curator Insight: An OIDC-helper CLI tool for generating kubectl credential configurations. Live Grounding: Inactive for over 4 years; considered legacy under Nubenetes MVQ rules. It has been superseded by tools like kubelogin.
OAuth2 Proxy
  • (2021) geek-cookbook.funkypenguin.co.nz: Using OAuth2 proxy for Kubernetes Dashboard [COMMUNITY-TOOL] [GUIDE] — A configuration guide describing how to wrap the Kubernetes Dashboard and sensitive internal APIs with oauth2-proxy, enabling secure OIDC integrations and SSO workflows.
  • (2024) OpenID Connect [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — The official specifications for OpenID Connect, the dominant federation protocol for Kubernetes authentication. Implementing OIDC enables modern clusters to offload authentication to external identity providers like Okta, Keycloak, or Microsoft Entra ID. This standardizes identity tokens globally across decentralized services.

RBAC (1)

Legacy Tools (2)
  • (2020) ==Krane 🌟== 740 [RUBY CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] [LEGACY] — Curator Insight: An open-source Kubernetes RBAC static analysis tool designed to identify risky roles, cluster roles, and broad resource access configurations. Live Grounding: The repository is archived and inactive for over 4 years. While the structural rules engine remains historically valuable, it does not support modern Kubernetes RBAC security vectors.
  • (2019) ==github.com/clvx/k8s-rbac-model: Kubernetes RBAC Model== 26 [JAVASCRIPT CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — Curator Insight: A conceptual visualization framework for modeling Kubernetes RBAC policies. Live Grounding: The project has seen zero updates in over 5 years. Deprioritized under MVQ rules due to structural obsolescence against modern apiGroups.
Security Auditing
  • (2022) raesene.github.io: Auditing RBAC - Redux [ADVANCED LEVEL] [COMMUNITY-TOOL] — Highly detailed assessment of tools and manual approaches used to audit RBAC permissions. Looks at the attack surface exposed by privileged service accounts and API server access loopholes, providing concrete defensive guidance.
  • (2026) rbac.dev 🌟🌟🌟 [COMMUNITY-TOOL] — A dedicated directory of tools, templates, and best practices for Kubernetes RBAC configurations. Serves as an essential reference for engineers establishing zero-trust access boundaries.
  • (2023) devopscube.com: How To Create Kubernetes Service Account For API Access [COMMUNITY-TOOL] [GUIDE] — A practical tutorial focused on provisioning Kubernetes Service Accounts for targeted API server access. Walks through credential auto-generation constraints, manifesting corresponding API access boundaries, and constructing secure automated CI/CD pipelines.
  • (2023) learnk8s.io: Limiting access to Kubernetes resources with RBAC 🌟🌟🌟 [COMMUNITY-TOOL] [GUIDE] — A rigorous deep-dive into resource constraints using RBAC. Demonstrates how to write custom policies to isolate network endpoints, restrict API-driven actions, and test permissions safely using kubectl auth can-i.
  • (2022) loft.sh: Kubernetes RBAC: Basics and Advanced Patterns [ADVANCED LEVEL] [COMMUNITY-TOOL] — Deconstructs advanced RBAC patterns, focusing on namespace isolation, virtual cluster (vcluster) control planes, and resolving performance regressions associated with large-scale policy databases.
  • (2022) marcusnoble.co.uk: Restricting cluster-admin Permissions [ADVANCED LEVEL] [COMMUNITY-TOOL] — Examines security risks associated with widespread cluster-admin usage. Proposes strategies to design specialized roles with precise apiGroup restrictions to establish guardrails around the control plane.
  • (2022) anaisurl.com: RBAC Explained with Examples 🌟 [COMMUNITY-TOOL] [GUIDE] — A visual, beginner-friendly guide dissecting RBAC mechanics in Kubernetes. Offers concrete examples of setting up specific read/write permissions for standard development teams.
  • (2022) dev.to: Configure RBAC in Kubernetes Like a Boss [COMMUNITY-TOOL] [GUIDE] — An operational checklist and set of best practices for establishing robust, leak-proof RBAC models. Helps administrators avoid common authorization anti-patterns such as wildcards in role rules.
  • (2022) youtube: Kubernetes RBAC Explained | Anton Putra 🌟 [COMMUNITY-TOOL] [GUIDE] — Detailed instructional video mapping user groups and service accounts to Kubernetes resources using RBAC. Explains role-binding syntax and access validations in an intuitive, visual style.
  • (2021) infracloud.io: How to setup Role based access (RBAC) to Kubernetes Cluster 🌟 [COMMUNITY-TOOL] — Detailed technical analysis of native Kubernetes Role-Based Access Control (RBAC). Explains authorization objects (Roles, ClusterRoles, and Bindings) alongside API groups to help design least-privilege structures.

SSO and SAML

  • (2022) gravitational.com: How to Set Up Kubernetes SSO with SAML [ADVANCED LEVEL] [COMMUNITY-TOOL] — Deconstructs the mechanics of configuring Single Sign-On (SSO) for cluster environments utilizing SAML. The guide explains authentication federation patterns, mapping identity provider attributes to Kubernetes RBAC roles. This setup ensures seamless, centralized access management for enterprise platform infrastructure.

Workload Identity

Zero Trust Access

  • (2024) paralus.io 🌟 [GO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Paralus is an open-source tool for managing access to multi-cluster Kubernetes environments. Offers a centralized portal for configuring Just-In-Time (JIT) access, OIDC integration, auditing, and RBAC synchronization across cloud providers.

Identity and Access Management (1)

Access Control (1)

  • thenewstack.io: Cloud Native Identity and Access Management in Kubernetes [EN CONTENT] [ADVANCED LEVEL] [ENTERPRISE-STABLE] — Examines identity federation, user access management, and internal service-to-service authentication models. Curator insight details mapping cluster roles directly to organizational single sign-on identities. Live grounding indicates that decentralized identity and modern authentication are critical to maintaining least privilege in high-scale infrastructure.

Kubernetes Security (1)

Hardening (1)

  • (2023) sysdig.com: Kubernetes Security Guide 🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — Sysdig's comprehensive guide to securing Kubernetes platforms details a multi-layered defense strategy covering container image scanning, runtime protection, network policies, and role-based access control (RBAC). It highlights compliance mappings (such as CIS benchmarks) and operational best practices for detecting abnormal kernel system calls using eBPF-based agents.

Secrets Management (1)

  • (2021) Hands on your first Kubernetes secrets 🌟 [COMMUNITY-TOOL] [GUIDE] — This hands-on tutorial guides developers through creating, decoding, and mounting native Kubernetes Secret resources within applications. It highlights base64 encoding limitations and advises on key architectural alternatives, such as HashiCorp Vault integration, Sealed Secrets, or CSI secret store drivers for production environments.

Network Security

Internet Exposure

  • (2022) raesene.github.io: Let's talk about Kubernetes on the Internet [ADVANCED LEVEL] [COMMUNITY-TOOL] — An urgent analytical overview assessing why many Kubernetes API control planes remain directly visible on the public internet. Discusses host-level firewall configurations, securing the Kubelet interface, and utilizing private API cluster features in major cloud providers. Emphasizes basic perimeter hygiene.

Network Policies (2)

  • (2024) Calico in EKS [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — Guides integration of Calico as a high-performance network policy engine alongside EKS. While AWS VPC CNI handles native IP routing, Calico enforces declarative security policies. This hybrid configuration provides robust, fine-grained L3/L4 segregation across namespace borders.
  • (2022) blog.gitguardian.com: Kubernetes Hardening Tutorial Part 2: Network [COMMUNITY-TOOL] — This technical tutorial demonstrates the configuration of Kubernetes NetworkPolicies to enforce granular traffic isolation. It contrasts default-allow networking models with secure default-deny postures, providing production-ready ingress and egress manifests. Engineers will learn how to reduce lateral threat movement by restricting pod-to-pod communications.

Offensive Security

Penetration Testing (1)

PKI

Certificate Management

  • (2022) blog.alexellis.io: What if your Pods need to trust self-signed certificates? [COMMUNITY-TOOL] — Focuses on patterns for trusting self-signed or internal enterprise Root CA certificates inside dynamic pod runtimes. Demonstrates using initContainers and shared volumes to inject trust anchors clean of custom application builds. Prevents hardcoding issues across dynamic corporate multi-tenant infrastructures.
  • (2021) thenewstack.io: Jetstack Secure Promises to Ease Kubernetes TLS Security [COMMUNITY-TOOL] — Analyzes the release and architecture of Jetstack Secure, which simplifies and automates TLS lifecycle tracking via cert-manager. Explains the centralization of public key infrastructures (PKIs) across multi-cluster hybrid clouds. Prevents application downtime caused by unpredicted certificate expirations.

PKI and Certificates

Conceptual

  • (2022) dev.to: Kubernetes TLS, Demystified 🌟 [COMMUNITY-TOOL] [GUIDE] — Demystifies Kubernetes TLS configurations by explaining public/private key pairs, certificate authorities, client-cert server validations, and common Ingress security setups.

TLS Ingress

Lets Encrypt
  • (2021) rejupillai.com: Lets Encrypt the Web (for free) [COMMUNITY-TOOL] [GUIDE] — A practical walk-through detailing TLS integration on a GKE Ingress controller. Guides the configuration of HTTP-01 and DNS-01 ACME validations using cert-manager, resulting in automated, free public certificates.

cert-manager

Access Control (2)
  • (2024) ==github.com/cert-manager: Policy Approver== 90 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — The cert-manager approver-policy extension code repository. Intercepts CertificateRequest resources before submission, evaluating requested commonNames, SANs, and key constraints against user-defined security guidelines.
Operations
  • (2021) itnext.io: Upgrade Cert-Manager for Your Production Deployment Without Downtime [ADVANCED LEVEL] [COMMUNITY-TOOL] — A highly technical guide focusing on upgrading production cert-manager instances without cluster downtime. Addresses API version deprecations, webhook migrations, and handling CRD migrations smoothly.
  • (2026) ==cert-manager/cert-manager== 13859 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — Consolidated record of the cert-manager repository, automating certificate lifecycles to guarantee encrypted transport paths between internal microservice runtimes.
  • (2026) cert-manager.io 🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] — Official documentation portal for cert-manager, the standard tool for cloud-native PKI. Explains configuring Issuers and Certificate manifests, detailing dynamic ACME solver pipelines, Let's Encrypt integration, and automated internal trust routing.

Platform Hardening

Best Practices (2)

  • (2024) Kubernetes Security 101: Risks and 29 Best Practices 🌟 [CASE STUDY] [COMMUNITY-TOOL] — Essential Red Hat Security resource detailing 29 structural recommendations across the entire build, deploy, and run lifecycle. Covers vulnerability scanning, image signing, secure context configurations, and network isolation protocols.

Pod Security (1)

Pod Security Policies

  • (2022) Pod Security Policy (SCC in OpenShift) 🌟 [ADVANCED LEVEL] [DOCUMENTATION] [LEGACY] — Architectural comparison contrasting OpenShift Security Context Constraints (SCC) with the deprecated Kubernetes Pod Security Policy (PSP). Live Grounding confirms PSP was completely removed in Kubernetes v1.25. This reference highlights how SCC remains enterprise-stable and active for securing namespaces in Red Hat OpenShift clusters.
  • (2021) rancher.com: Enhancing Kubernetes Security with Pod Security Policies, Part 1 [LEGACY] — A historical look at securing container runtimes using Pod Security Policies. As PSP is now deprecated and fully removed in modern Kubernetes, this guide serves as a legacy reference for older Rancher setups. It clarifies critical container capabilities, privilege escalation preventions, and namespace defaults.
  • (2021) developer.squareup.com: Kubernetes Pod Security Policies (PSP) [ADVANCED LEVEL] [LEGACY] — Legacy deep-dive exploring Square's real-world PSP architecture and rollout procedures. Note that modern engineering standards require migrating these exact controls to Pod Security Standards (PSS) or external engines like Kyverno. Essential reading to understand historical host namespaces and filesystem restrictions.
  • (2021) itnext.io: Implementing a Secure-First Pod Security Policy Architecture [ADVANCED LEVEL] [COMMUNITY-TOOL] — Provides a secure-first PSP implementation strategy. In modern systems, this restricted-first paradigm must be executed via the native Pod Security Admission (PSA) controller. It guides readers on blocking privileged root escalation paths in older clusters.

Policy and Admission Control

Runtime Security (1)

Legacy Tools (3)
  • (2018) ==box/kube-exec-controller== 126 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — Curator Insight: Controller to restrict and audit shell execution inside Kubernetes pods. Live Grounding: Inactive for over five years. Superseded by newer ephemeral container mechanics, admission controllers (OPA/Kyverno), and modern service mesh execution boundaries.

Validating Webhooks

  • (2022) trstringer.com: Create a Basic Kubernetes Validating Webhook [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — Step-by-step technical guide for writing a custom validating admission controller webhook. Focuses on processing API requests, writing validation criteria in Go, and configuring TLS certificate pathways between the API server and the webhook pod.

Policy and Audit

Manifest Auditing

  • (2021) blog.frankel.ch: Learning by auditing Kubernetes manifests [COMMUNITY-TOOL] — An educational approach to understanding Kubernetes security postures through direct manifest auditing. The author walks through security context misconfigurations, detailing how over-privileged containers expose node architectures. This technique bridges the gap between passive development and active cluster security controls.

Policy Enforcement

Admission Control

  • (2022) Neon Mirrors: Kubernetes Policy Comparison: OPA/Gatekeeper vs Kyverno [ADVANCED LEVEL] [COMMUNITY-TOOL] — An architectural face-off evaluating Rego-based OPA/Gatekeeper and YAML-native Kyverno. Kyverno offers exceptional ease of use for native K8s manifests, while OPA provides unparalleled expressive power for cross-system policies. It helps architects choose the correct declarative policy engine for high-compliance environments.

Runtime Security (2)

Ephemeral Containers

  • (2022) xenitab.github.io: Kubernetes Ephemeral Container Security 🌟 [ADVANCED LEVEL] [COMMUNITY-TOOL] — Explores security boundaries regarding ephemeral debugging containers, analyzing potential escalation threats through 'kubectl debug'. Highlights how improper RBAC permissions on debugging tools can expose the underlying host or container namespace. Outlines defensive constraints like restricting hostIPC and hostPID mappings.

eBPF

  • (2021) developers.redhat.com: Secure your Kubernetes deployments with eBPF [ADVANCED LEVEL] [COMMUNITY-TOOL] — Details how eBPF (Extended Berkeley Packet Filter) technology shifts the runtime security paradigm away from heavy, sidecar-based observability architectures. Demonstrates writing and attaching kernel sandboxed utilities to track execution and networking footprints with minimal CPU overhead. Crucial reading for high-scale, security-conscious platform teams.

eBPF and Cilium

  • (2021) isovalent.com: Detecting a Container Escape with Cilium and eBPF [ADVANCED LEVEL] [COMMUNITY-TOOL] — An in-depth case study of container escape tactics and real-time detection utilizing eBPF and Cilium. It highlights limits of traditional syscall auditing, showcasing how kernel-level hooks identify privilege escalation without agent-induced overhead. Live Grounding points to eBPF-based security as the modern baseline for runtime security orchestration.

Secrets Management (2)

Conceptual (1)

Developer Practice

External Secrets

  • (2025) ==external-secrets.io 🌟== [GO CONTENT] [ADVANCED LEVEL] [DOCUMENTATION] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — The industry-standard operator for syncing external secrets management services (like AWS Secrets Manager, Vault, or GCP Secret Manager) into Kubernetes Secret objects. This eliminates storing sensitive configuration inside git repositories, supporting true GitOps workflows. Decoupled and secure, it is a critical security-centric component.

GitOps

External Secrets Operator
Sealed Secrets

HashiCorp Vault

  • (2021) itnext.io: Effective Secrets with Vault and Kubernetes [ADVANCED LEVEL] [COMMUNITY-TOOL] — Architectural overview on configuring HashiCorp Vault inside Kubernetes clusters. Covers the Vault Agent Sidecar Injector pattern, dynamic database credential generation, and leveraging Kubernetes service accounts for seamless Vault token exchange.
  • (2021) itnext.io: Vault cluster with auto unseal on Kubernetes [ADVANCED LEVEL] [COMMUNITY-TOOL] — Detailed structural guide for configuring an enterprise-grade, highly available HashiCorp Vault cluster in Kubernetes. Features automated unsealing integrations using cloud KMS systems (AWS KMS/GCP KMS) to remove manual keys dependencies.

KMS Integration

Legacy Tools (4)
  • (2023) ==github.com/ondat/trousseau== 181 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] [LEGACY] — Curator Insight: KMS integration designed to encrypt secrets inside etcd using external key management systems. Live Grounding: This repository is unmaintained and archived following Ondat's acquisition. Deprioritized under MVQ rules in favor of native Kubernetes KMS v2 features.

OWASP

  • (2022) itnext.io: Kubernetes OWASP Top 10: Secrets Management [COMMUNITY-TOOL] — Addresses Secrets Management under the OWASP Kubernetes threat framework. Details vulnerabilities of default etcd storage parameters and details using External Secrets Operator or HashiCorp Vault. Prevents secrets exposure via repository check-ins or pod environment parameters.

Platform Hardening (1)

Conceptual (2)

Stateful Apps

Static Analysis

Manifest Auditing (1)

  • (2022) itnext.io: Performing Security Checks for Deployed Kubernetes Manifests [COMMUNITY-TOOL] — Reviews technical methods to assess security profiles of Kubernetes configurations prior to cluster deployment. Explains standard static evaluation tools and custom policy syntax like Open Policy Agent (OPA) or Kyverno. Focuses on integrating these guardrails directly within pull request pipelines.

System Hardening

Security Profiles Operator

  • (2025) kubernetes-sigs/security-profiles-operator 848 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — The official Kubernetes SIG operator for managing Seccomp, AppArmor, and SELinux profiles natively. Live Grounding confirms its active role in highly regulated sectors for hardening container execution spaces. It replaces manual node profiling with declarative, cluster-wide configurations.
  • (2021) kubernetes.io: What's new in Security Profiles Operator v0.4.0 [COMMUNITY-TOOL] — An official release announcement detailing the evolution of SPO. It highlights improved profile recording capabilities, integration with kubectl, and initial support for SELinux. Crucial for understanding the transition from manual profiles to automation.

Threat Modeling (1)

Penetration Testing (2)

Threat Vector

Internet Exposure (1)

  • (2023) blog.cyble.com: Exposed Kubernetes Clusters [ADVANCED LEVEL] [COMMUNITY-TOOL] — Threat intelligence research showing search profiles of exposed clusters active across the globe. Highlights typical compromise pathways starting from default configurations or misconfigured control plane boundaries. Recommends strict perimeter restrictions.

Observability Exposure

Tooling

Security Auditing (1)

  • (2022) mattermost.com: The Top 7 Open Source Tools for Securing Your Kubernetes Cluster [COMMUNITY-TOOL] — This resource provides a comparative overview of seven premier open-source tools designed for Kubernetes security hardening. It introduces utilities like Trivy, Falco, and Kube-hunter, aligning each with specific pipeline gates or runtime defenses. Serves as a useful high-level map for architects selecting security tooling.

Vulnerabilities

CVE Tracking

  • (2025) kubernetes.io: Official CVE Feed 🌟 [DOCUMENTATION] [COMMUNITY-TOOL] — The official database of active and resolved CVEs for the Kubernetes ecosystem. It tracks core component bugs, container execution vulnerabilities, and control plane bypass vectors. Maintaining a regular review of this feed is an essential component of modern enterprise risk mitigation.
  • (2022) kubernetes.io: Announcing the Auto-refreshing Official Kubernetes CVE Feed [COMMUNITY-TOOL] — Details the launch of the programmatically accessible, auto-refreshing CVE feed in JSON/YAML. This allows security automation tooling to dynamically scan and trigger alerts on freshly discovered platform vulnerabilities, greatly speeding up remediation and patching schedules.

Case Studies (1)

Post-Deployment Scanning

  • (2025) ==kubescape== 11480 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — An active CNCF Sandbox tool providing multi-framework configuration scanning, risk analysis, and vulnerability management. It integrates into CI/CD pipelines to ensure continuous verification of compliance frameworks (like CIS and NSA-CISA). Essential for enterprise teams seeking unified security visibility.

Vulnerability Assessment

CIS Benchmarks (2)

  • (2022) rancher/cis-operator 55 [GO CONTENT] 🌟🌟 [COMMUNITY-TOOL] — Rancher's cis-operator is an automated tool running CIS security scans natively within Rancher ecosystems. It generates compliance reports validating control plane and worker components against standard security baselines. A key utility for multi-cluster environments managed via Rancher.
  • (2022) blog.flant.com: Kubernetes cluster security assessment with kube-bench and kube-hunter [COMMUNITY-TOOL] — Evaluates how to deploy and configure Aqua Security's kube-bench alongside kube-hunter. Shows how to automate node validation against CIS benchmarks, and actively scan cluster endpoints for network exposure vectors. Offers a potent open-source combination for regular pentesting operations.

Policy Enforcement (1)

  • (2023) github.com/Shopify/kubeaudit 🌟🌟 1937 [GO CONTENT] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] [LEGACY] — Shopify's kubeaudit is a popular open-source tool targeting configuration analysis. Curators note its ability to audit running clusters or local manifests for root execution or privilege escalations. Live Grounding (2026): The repository is archived/read-only, but its audit logic remains highly influential for policy structures.
  • (2022) itnext.io: Kubernetes OWASP Top 10: Centralised Policy Enforcement [COMMUNITY-TOOL] — Investigates mitigating risks from the OWASP Kubernetes Top 10 using centralized Policy-as-Code platforms like OPA Gatekeeper or Kyverno. Focuses on setting up mutating and validating admission webhooks to prevent non-compliant configs from deploying. Establishes programmatic posture control.
  • (2021) infoq.com: Armo Releases Kubescape K8s Security Testing Tool: Q&A with VP Jonathan Kaftzan [COMMUNITY-TOOL] — An interview exploring the architecture, technical goals, and philosophy behind Kubescape. Focuses on simplifying multi-framework compliance analysis for platform engineers. Details how the tool analyzes YAML formats and active runtimes to find security posture anomalies.

Threat Modeling (2)

  • (2022) owasp.org: OWASP Kubernetes Top Ten [DOCUMENTATION] [COMMUNITY-TOOL] — The official OWASP Kubernetes Top Ten project document. Outlines the ten most dangerous vulnerabilities facing modern orchestrator deployments, including API vulnerabilities, insecure defaults, and supply-chain bugs. The core benchmark for establishing cluster defense strategies.
  • (2022) sysdig.com: OWASP Kubernetes Top 10 🌟 [COMMUNITY-TOOL] — A deep analysis of the OWASP Kubernetes Top 10, exploring actual deployment misconfigurations that map to these risks. Details supply chain threats, poor credentials storage, and audit log gaps. Offers recommendations to strengthen system setups.

Zero Trust

Service Mesh and Networking

  • (2022) copado.com: Applying a Zero Trust Infrastructure in Kubernetes [ADVANCED LEVEL] [COMMUNITY-TOOL] — An architecture guide on applying Zero Trust principles to Kubernetes infrastructure environments. It covers building cryptographically verifiable workload identities via SPIFFE/SPIRE, and micro-segmenting service interactions with mTLS. Transitions teams away from perimeter-only defenses to continuous validation.

Zero Trust Architecture

Security Training and Playgrounds

Kubernetes Goat Lab

  • (2020) Kubernetes Goat 🌟 [GO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — An intentionally vulnerable cluster environment designed for hands-on cybersecurity training. Includes self-contained scenarios exploring SSRF, container escape, secrets leakage, and misconfigured RBAC roles.

Supply Chain Security

Open Source Vulnerability Scanning

Signature Verification and Ratify

Threat Modeling (3)

MITRE ATTandCK Adaptation

MITRE ATTandCK Framework

  • (2020) Microsoft.com: Attack matrix for Kubernetes 🌟 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Microsoft's systematic adaptation of the MITRE ATT&CK framework mapping out K8s attack vectors from initial access to execution, persistence, privilege escalation, and impact. Helps security operators assess risks in orchestration configurations.

Vulnerability Assessment Tools

Kubestriker Scanner

Workload Hardening

Identity and Access Management (2)

Pod Security Context

Pod Specifications

Workstation Client Security

Kubeconfig Hardening

  • (2020) gist.github.com: How to protect your ~/.kube/ configuration [SHELL CONTENT] [COMMUNITY-TOOL] [GUIDE] — Provides hardening steps for securing developer workstation ~/.kube/config files. Details POSIX permissions adjustments, the usage of credential helpers, and avoiding static administrative token storage.

💡 Explore Related: IaC | Terraform | Chef