Kubernetes

Blog and Research

• Threat matrix for Kubernetes
• Secure containerized environments with updated threat matrix for Kubernetes
• Simplify Kubernetes Resource Access Control using RBAC Impersonation
• Kubernetes RBAC Security Pitfalls
• Attacking Kubernetes Clusters Through Your Network Plumbing: Part 1
• Attacking Kubernetes Clusters Through Your Network Plumbing: Part 2
• Applied Defense On Docker And Kubernetes
• Bad Pods: Kubernetes Pod Privilege Escalation
• Getting into a bind with Kubernetes
• Kubernetes Honey Token
• Kubernetes Threat Model
• Kubernetes Compliance as Code
• Overview of dnsmasq Vulnerabilities: The Dangers of DNS Cache Poisoning
• Dostainer - Kubernetes Resource Exhaustion PoC Container
• ECS Fargate threat modeling
• Using Kubelet Client to Attack the Kubernetes Cluster
• 10 Kubernetes Security Context settings you should understand
• How to monitor multi-cloud Kubernetes with Prometheus and Grafana
• Defend the Core: Kubernetes Security at Every Layer
• Kubernetes Multi tenancy with Amazon EKS: Best practices and considerations
• Generating Kubernetes Network Policies Automatically By Sniffing Network Traffic
• Enforcing Policy as Code using OPA and Gatekeeper in Kubernetes

Offensive tools

• Kubestriker - Kubestriker is a platform-agnostic tool designed to tackle Kuberenetes cluster security issues due to misconfigurations and will help strengthen the overall IT infrastructure of any organisation.
• kubesploit - Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent dedicated for containerized environments

Defensive Tools

• aws-iam-authenticator - A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster
• cert-manager - Automatically provision and manage TLS certificates in Kubernetes
• guard - Kubernetes Authentication WebHook Server
• kube2iam - kube2iam provides different AWS IAM roles for pods running on Kubernetes
• kube-lego - Automatically request certificates for Kubernetes Ingress resources from Let’s Encrypt

Security Tools

• kube-bench - Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
• kube-hunter - Kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments.
• KubiScan - A tool for scanning Kubernetes cluster for risky permissions in Kubernetes’s Role-based access control (RBAC) authorization model.
• kubeaudit - kubeaudit helps you audit your Kubernetes clusters against common security controls