<a href="https://kubernetes.io/"> <img src="https://github.com/magnologan/awesome-k8s-security/blob/master/logo.png" alt="Kubernetes logo" title="Kubernetes" height="100" width="100" /> </a><br>

Awesome Kubernetes (K8s) Security

A curated list of Kubernetes (K8s) security resources such as articles, books, tools, talks and videos.

Disclaimer

Most of the resources are in English; the ones that aren't will be flagged as such. All the content in this list is public and free; please use it for educational purposes only!

Not all the tools have been tested or reviewed; use them at your own risk! Also, I don't consider myself a K8s Security expert; I'm just learning and helping others learn along with me. Thanks!

Contents

These are the main topics of this Awesome Kubernetes (K8s) Security List. Everything related to the Security of Kubernetes (and its components such as CoreDNS, etcd) either for learning, breaking or defending it, will be added down below. If you have any other good links or recommendations, feel free to submit a PR!

The Basics

To understand Kubernetes security, you first need to understand the basics of how Kubernetes works and all the components involved. Here are some links and materials to help you with that journey:

Kubernetes in 5 mins

Kubernetes Concepts Explained in 9 minutes!

Kubernetes 101

Kubernetes: Getting Started

Kubernetes The Hard Way - Kelsey Hightower

Kubernetes Challenge 🇧🇷

Kubernetes de K a S - Erlon Pinheiro 🇧🇷

Kubernetes Training

Introduction to Kubernetes

Kube Academy

Game of Pods (KodeKloud)

Gist of Kubernetes Resources

Uncomplicating Kubernetes (Jeferson Noronha aka LinuxTips) 🇧🇷

Kubernetes Security Checklist and Requirements

Official Pages

Kubernetes.io

Kubernetes GitHub

Kubernetes Security and Disclosure Information

Cloud Native Security

Pod Security Standards

CNCF STAG - Security Technical Advisory Group

CNCF STAG Meeting Notes

CNCF STAG Mailing List

Kubernetes SIG Security

Kubernetes SIG Security Meeting Notes

Kubernetes SIG Auth (Authorization, Authentication, and Cluster Security Policy)

Kubernetes Security Audit 2019 Results

Kubernetes Security Audit 2021 RFP

Talks and Videos

Compromising Kubernetes Cluster by Exploiting RBAC Permissions - Eviatar Gerzi, CyberArk (RSA 2020)

Kubernetes Deconstructed: Understanding Kubernetes by Breaking It Down - Carson Anderson, DOMO

Kubernetes Deconstructed: Understanding Kubernetes by Breaking It Down - Carson Anderson, DOMO (Extended Version)

Advanced Persistence Threats: The Future of Kubernetes Attacks (RSAC 2020)

Kubernetes Security Best Practices - Ian Lewis, Google

Securing Kubernetes Secrets (Cloud Next '19)

Jay Beale - Attacking and Defending Kubernetes - DEF CON 27 Packet Hacking Village

The State of Kubernetes Security - Liz Rice

DIY Pen-Testing for Your Kubernetes Cluster - Liz Rice, Aqua Security

Kubernetes Security 101: Best Practices to Secure your Cluster

Kubernetes Security 101: OWASP Natal Virtual Meeting 🇧🇷

Rory McCune's @raesene Kubernetes Security Lab | Rawkode Live workshop

Blogs and Articles

Cloud native security for your clusters

Container Security: Examining Potential Threats to the Container Environment

Kubernetes securityContext: Linux capabilities in Kubernetes

10 Kubernetes Security Context settings you should understand

Kubesploit: A New Offensive Tool for Testing Containerized Environments

Securing Kubernetes Clusters by Eliminating Risky Permissions

Using Kubelet Client to Attack the Kubernetes Cluster

Eight Ways to Create a Pod

Risk8s Business: Risk Analysis of Kubernetes Clusters

How to Set Up and Manage Logs with Kubernetes

The Current State of Kubernetes Threat Modelling

Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes

The Basics of Keeping Kubernetes Clusters Secure

The Basics of Keeping Kubernetes Cluster Secure: Worker Nodes and Related Components

How to Secure Your Kubernetes Cluster

Kubernetes Security 101: Best Practices To Secure Your Cluster

Kubernetes Security

Introducing Kubernetes Goat

Threat Matrix for Kubernetes

Open Sourcing the Kubernetes Security Audit

Amazon EKS Best Practices Guide for Security

Protecting Kubernetes: The Kubernetes Attack Matrix and How to Mitigate Its Threats

Securing the 4Cs of Cloud Native

CVE-2018-18264 Privilege escalation through Kubernetes dashboard

Certified Kubernetes Security Specialist (CKS) exam guide

A Deep Dive Into Kubernetes Schema Validation

A Beginner-Friendly Introduction to Kubernetes

Managing Kubernetes without losing your cool

Kubernetes: Detailed security assessment guidelines and necessary checklist

Books

Hacking Kubernetes by Andrew Martin, Michael Hausenblas

Learn Kubernetes Security by Kaizhe Huang and Pranjal Jumde

Kubernetes Security by Liz Rice and Michael Hausenblas

Container Security by Liz Rice

Kubernetes: Up and Running, Second Edition by Brendan Burns, Joe Beda and Kelsey Hightower

The Kubernetes Book by Nigel Poulton and Pushkar Joglekar

Kubernetes Patterns: Reusable Elements for Designing Cloud-Native Applications by Bilgin Ibryam & Roland Huß

Securing Kubernetes Secrets by Alex Soto Bueno and Andrew Block

Kubernetes in Action, Second Edition by Marko Lukša

Google Anthos by Antonio Gulli et al.

Kubernetes for Developers by William Denniss

Kubernetes on Windows by Jay Vyas and James Sturtevant

Core Kubernetes by Chris Love

Kubernetes Security with M9sweeper

Certifications

CVEs

Exploring container security: Vulnerability management in open-source Kubernetes

CVE-2018-18264 - Kubernetes Dashboard bypass authentication

CVE-2019-11247 - kube-apiserver mistakenly allows access to a cluster-scoped custom resource

CVE-2019-11249 - kubectl cp command tar exploit

CVE-2020-8558 PoC - kube-proxy unexpectedly makes localhost-bound host services available to others on the network

CVE-2020-8559 PoC - kube-apiserver vulnerable to an unvalidated redirect on proxied upgrade requests

CVE-2020-8559 PoC 2 - kube-apiserver vulnerable to an unvalidated redirect on proxied upgrade requests

CVE-2020-10749 PoC - malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks

CVE-2021-25735 - kube-apiserver allows node updates to bypass a Validating Admission Webhook

CVE-2021-25737 - user may be able to redirect pod traffic to private networks on a node

CVE-2021-25740 - enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack

CVE-2021-25741 - user may be able to create a container with subpath volume mounts to access files & directories outside of the volume

CVE-2021-30465 - runc container filesystem breakout via directory traversal

Slides

Communication is Key - Understanding Kubernetes Networking (KubeCon EU 2020)

Seccomp Profiles and you: A practical guide (KubeCon EU 2020)

Advanced Persistence Threats: The Future of Kubernetes Attacks (KubeCon EU 2020)

Help! My Cluster Is On The Internet!

Trainings

Secure Kubernetes

Cloud Native Security Tutorial

Kubernetes Security (Advanced Concepts)

Kubernetes Goat Guide

Katacoda Kubernetes Goat Videos

Attacking and Auditing Docker Containers and Kubernetes Clusters

A Cloud Guru Kubernetes Security

SANS Cloud-Native Security Defending Containers and Kubernetes

Tutorial: Getting Started With Cloud-Native Security - KubeCon EU 2020 - Liz Rice & Michael Hausenblas

Control Plane Security Training

Kubernetes CKS Exam Simulator

Kubernetes Security Workshop

Linux Academy - Kubernetes Security

Mumshad's KodeKloud Certified Kubernetes Security Specialist (CKS)

Repositories / Tools

Learning

kubectl

krew

Bust-a-Kube

kube-goat

Kubernetes Goat

Kubernetes Networking Labs for KubeCon EU 2020 Talk

CNCF Security Audits

Kube Security Lab: Learn from Kubernetes attacks using Ansible and KinD

Attacking

kdigger

kube-hunter

kubeletctl

kubesploit

Peirates

Defending

KubeArmor - Cloud-native runtime protection

Kubescape - Tests whether Kubernetes is deployed securely according to the NSA-CISA and MITRE ATT&CK® frameworks

KubiScan

Kubernetes Audit by Trail of Bits

kubeaudit

Deepfence ThreatMapper

falco

kubesec

kube-bench

trivy

MKIT

kubetap

kube-forensics

k8s-security-dashboard

CIS Kubernetes Benchmark - InSpec Profile

Kube PodSecurityPolicy Advisor

Inspektor Gadget

Starboard

Advocacy Site for Kubernetes RBAC

Helm-Snyk

Krane

rakkess

kubectl-who-can

Kubernetes Security - Best Practice Guide

External Secrets

kubescape

KubeLinter

Open Policy Agent

Gatekeeper

Kyverno

Kubewarden

KICS - Keeping Infrastructure as Code Secure

cnspec - cloud-native security and policy project

M9sweeper - Kubernetes Security Platform

Papers

Kubernetes Security Assessment - Final Report - May 2019

Kubernetes Security Whitepaper - June 2019

Kubernetes Threat Model - June 2019

Kubernetes Attack Tree

Attacking Kubernetes - A Guide for Administrators and Penetration Testers

CIS Kubernetes Benchmark

Kubernetes é seguro por default ou à prova de má configuração? 🇧🇷

Podcasts

TGI Kubernetes

The Podlets

Kubecast

Kubernetes Podcast (from Google)

PodCTL - Enterprise Kubernetes

Community

Slacks

Kubernetes Slack

CNCF Slack

Kubernetes Canada Slack

Newsletters

kubelist LWKD

Jobs

Kube Careers

K8s Managed Services

AKS

EKS

GKE

K8s Alternatives

Docker Swarm

Apache Mesos

HashiCorp Nomad

Red Hat OpenShift

Other Awesome Lists

kubepwn

awesome-kubernetes-security

awesome-kubernetes

awesome-istio

awesome-falco

awesome-cloud-native

awesome-opa

Honk the Planet!

<br> <img src="https://github.com/magnologan/awesome-k8s-security/blob/master/honk.gif"> <br>