<a href="https://kubernetes.io/"> <img src="https://github.com/magnologan/awesome-k8s-security/blob/master/logo.png" alt="Kubernetes logo" title="Kubernetes" height="100" width="100" /> </a><br />Awesome Kubernetes (K8s) Security
A curated list for Kubernetes (K8s) Security resources such as articles, books, tools, talks and videos.
Disclaimer
Most of the resources are in English; the ones that aren't will be flagged as such. All the content in this list is public and free; please use it for educational purposes only!
Not all the tools have been tested or reviewed; use them at your own risk! Also, I don't consider myself a K8s Security expert, I'm just learning and helping others learn along with me. Thanks!
Contents
These are the main topics of this Awesome Kubernetes (K8s) Security List. Everything related to the security of Kubernetes (and its components, such as CoreDNS and etcd), whether for learning, breaking or defending it, will be added below. If you have any other good links or recommendations, feel free to submit a PR!
- 💊 The Basics
- 💼 Official Pages
- 📹 Talks and Videos
- 📰 Blogs and Articles
- 🗒️ Books
- 📆 Certifications
- 🔥 CVEs
- 📑 Slides
- 🧪 Trainings
- 🐾 Repositories
- 📂 Papers
- 🎤 Podcasts
- 🧰 Jobs
- 📡 Community
The Basics
To understand Kubernetes security you first need to understand the basics of how Kubernetes works and all the components involved. Here are some links and materials to help you with that journey:
Kubernetes Concepts Explained in 9 minutes!
Kubernetes The Hard Way - Kelsey Hightower
Kubernetes from K to S (Kubernetes de K a S) - Erlon Pinheiro 🇧🇷
Uncomplicating Kubernetes (Jeferson Noronha aka LinuxTips) 🇧🇷
Kubernetes Security Checklist and Requirements
Official Pages
Kubernetes Security and Disclosure Information
CNCF STAG - Security Technical Advisory Group
Kubernetes SIG Security Meeting Notes
Kubernetes SIG Auth (Authorization, Authentication, and Cluster Security Policy)
Kubernetes Security Audit 2019 Results
Kubernetes Security Audit 2021 RFP
Talks and Videos
Compromising Kubernetes Cluster by Exploiting RBAC Permissions - Eviatar Gerzi, CyberArk (RSA 2020)
Kubernetes Deconstructed: Understanding Kubernetes by Breaking It Down - Carson Anderson, DOMO
Advanced Persistence Threats: The Future of Kubernetes Attacks (RSAC 2020)
Kubernetes Security Best Practices - Ian Lewis, Google
Securing Kubernetes Secrets (Cloud Next '19)
Jay Beale - Attacking and Defending Kubernetes - DEF CON 27 Packet Hacking Village
The State of Kubernetes Security - Liz Rice
DIY Pen-Testing for Your Kubernetes Cluster - Liz Rice, Aqua Security
Kubernetes Security 101: Best Practices to Secure your Cluster
Kubernetes Security 101: OWASP Natal Virtual Meeting 🇧🇷
Rory McCune's (@raesene) Kubernetes Security Lab | Rawkode Live workshop
Blogs and Articles
Cloud native security for your clusters
Container Security: Examining Potential Threats to the Container Environment
Kubernetes securityContext: Linux capabilities in Kubernetes
10 Kubernetes Security Context settings you should understand
Kubesploit: A New Offensive Tool for Testing Containerized Environments
Securing Kubernetes Clusters by Eliminating Risky Permissions
Using Kubelet Client to Attack the Kubernetes Cluster
Risk8s Business: Risk Analysis of Kubernetes Clusters
How to Set Up and Manage Logs with Kubernetes
The Current State of Kubernetes Threat Modelling
Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes
The Basics of Keeping Kubernetes Clusters Secure
The Basics of Keeping Kubernetes Cluster Secure: Worker Nodes and Related Components
How to Secure Your Kubernetes Cluster
Kubernetes Security 101: Best Practices To Secure Your Cluster
Open Sourcing the Kubernetes Security Audit
Amazon EKS Best Practices Guide for Security
Protecting Kubernetes: The Kubernetes Attack Matrix and How to Mitigate Its Threats
Securing the 4Cs of Cloud Native
CVE-2018-18264 Privilege escalation through Kubernetes dashboard
Certified Kubernetes Security Specialist (CKS) exam guide
A Deep Dive Into Kubernetes Schema Validation
A Beginner-Friendly Introduction to Kubernetes
Managing Kubernetes without losing your cool
Kubernetes: Detailed security assessment guidelines and necessary checklist
Books
Hacking Kubernetes by Andrew Martin, Michael Hausenblas
Learn Kubernetes Security by Kaizhe Huang and Pranjal Jumde
Kubernetes Security by Liz Rice and Michael Hausenblas
Container Security by Liz Rice
Kubernetes: Up and Running, Second Edition by Brendan Burns, Joe Beda and Kelsey Hightower
The Kubernetes Book by Nigel Poulton and Pushkar Joglekar
Securing Kubernetes Secrets by Alex Soto Bueno and Andrew Block
Kubernetes in Action, Second Edition by Marko Lukša
Google Anthos by Antonio Gulli et al.
Kubernetes for Developers by William Denniss
Kubernetes on Windows by Jay Vyas and James Sturtevant
Kubernetes Security with M9sweeper
Certifications
CVEs
Exploring container security: Vulnerability management in open-source Kubernetes
CVE-2018-18264 - Kubernetes Dashboard bypass authentication
CVE-2019-11247 - kube-apiserver mistakenly allows access to a cluster-scoped custom resource
CVE-2019-11249 - kubectl cp command tar exploit
CVE-2020-8558 PoC - kube-proxy unexpectedly makes localhost-bound host services available to others on the network
CVE-2020-8559 PoC - kube-apiserver vulnerable to an unvalidated redirect on proxied upgrade requests
CVE-2020-8559 PoC 2 - kube-apiserver vulnerable to an unvalidated redirect on proxied upgrade requests
CVE-2020-10749 PoC - malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks
CVE-2021-25735 - kube-apiserver allows node updates to bypass a Validating Admission Webhook
CVE-2021-25737 - user may be able to redirect pod traffic to private networks on a node
CVE-2021-25740 - allows users to send network traffic to locations they would otherwise not have access to via a confused deputy attack
CVE-2021-25741 - user may be able to create a container with subpath volume mounts to access files & directories outside of the volume
CVE-2021-30465 - runc container filesystem breakout via directory traversal
Slides
Communication is Key - Understanding Kubernetes Networking (KubeCon EU 2020)
Seccomp Profiles and you: A practical guide (KubeCon EU 2020)
Advanced Persistence Threats: The Future of Kubernetes Attacks (KubeCon EU 2020)
Help! My Cluster Is On The Internet!
Trainings
Cloud Native Security Tutorial
Kubernetes Security (Advanced Concepts)
Katacoda Kubernetes Goat Videos
Attacking and Auditing Docker Containers and Kubernetes Clusters
A Cloud Guru Kubernetes Security
SANS Cloud-Native Security Defending Containers and Kubernetes
Control Plane Security Training
Linux Academy - Kubernetes Security
Mumshad's KodeKloud Certified Kubernetes Security Specialist (CKS)
Repositories / Tools
Learning
Kubernetes Networking Labs for KubeCon EU 2020 Talk
Kube Security Lab: Learn from Kubernetes attacks using Ansible and KinD
Attacking
Defending
KubeArmor - Cloud-native runtime protection
Kubescape - Checks whether Kubernetes is deployed securely according to the NSA-CISA and MITRE ATT&CK® frameworks
Kubernetes Audit by Trail of Bits
CIS Kubernetes Benchmark - InSpec Profile
Kube PodSecurityPolicy Advisor
Advocacy Site for Kubernetes RBAC
Kubernetes Security - Best Practice Guide
KICS - Keeping Infrastructure as Code Secure
cnspec - cloud-native security and policy project
M9sweeper - Kubernetes Security Platform
Papers
Kubernetes Security Assessment - Final Report - May 2019
Kubernetes Security Whitepaper - June 2019
Kubernetes Threat Model - June 2019
Attacking Kubernetes - A Guide for Administrators and Penetration Testers
Is Kubernetes secure by default or misconfiguration-proof? (Kubernetes é seguro por default ou à prova de má configuração?) 🇧🇷
Podcasts
Kubernetes Podcast (from Google)
PodCTL - Enterprise Kubernetes