{"id":21712626,"url":"https://github.com/mhausenblas/k8s-sec","last_synced_at":"2025-04-12T18:08:42.194Z","repository":{"id":140043626,"uuid":"135135292","full_name":"mhausenblas/k8s-sec","owner":"mhausenblas","description":"Kubernetes Security: from Image Hygiene to Network Policies","archived":false,"fork":false,"pushed_at":"2018-05-30T08:40:33.000Z","size":22,"stargazers_count":143,"open_issues_count":0,"forks_count":21,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-04-12T18:08:13.959Z","etag":null,"topics":["kubernetes","security"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mhausenblas.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2018-05-28T08:53:33.000Z","updated_at":"2024-08-12T19:38:52.000Z","dependencies_parsed_at":null,"dependency_job_id":"d1d5c7f1-47f6-4a9d-b438-ec79f1a5b36c","html_url":"https://github.com/mhausenblas/k8s-sec","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mhausenblas%2Fk8s-sec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mhausenblas%2Fk8s-sec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mhausenblas%2Fk8s-sec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mhausenblas%2Fk8s-sec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mhausenblas","download_url":"https://codeload.github.com/mhausenblas/k8s-sec/tar.gz/refs/heads/master","host
":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248610340,"owners_count":21132921,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kubernetes","security"],"created_at":"2024-11-25T23:40:43.165Z","updated_at":"2025-04-12T18:08:42.143Z","avatar_url":"https://github.com/mhausenblas.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kubernetes Security: from Image Hygiene to Network Policies\n\n- [Building container images](#building-container-images)\n- [Running containers](#running-containers)\n- [Authentication and authorization](#authentication-and-authorization)\n- [Communication](#communication)\n- [Apps](#apps)\n- [Securing the control plane](#securing-the-control-plane)\n- [References](#references)\n\n## Building container images\n\nTooling:\n\n- https://docs.docker.com/docker-cloud/builds/image-scan/ \n- https://github.com/coreos/clair \n- https://www.open-scap.org/tools/ \n- https://www.aquasec.com/use-cases/continuous-image-assurance/ \n- https://neuvector.com/container-compliance-auditing-solutions/ \n- https://github.com/theupdateframework/notary \n- https://github.com/in-toto \n\nFurther reading:\n\n- [Establishing Image Provenance and Security in Kubernetes](https://www.youtube.com/watch?v=zs-6YEUrJAM)\n- [Image Management \u0026 Mutability in Docker and Kubernetes](https://container-solutions.com/image-management-mutability-in-docker-and-kubernetes/) \n- [Container security considerations in a Kubernetes 
deployment](https://thenewstack.io/container-security-considerations-kubernetes-deployment/)\n- [Building Container Images Securely on Kubernetes](https://blog.jessfraz.com/post/building-container-images-securely-on-kubernetes/)\n- [The OpenShift Build Process](https://docs.openshift.com/container-platform/3.9/security/build_process.html)\n- [Introducing Grafeas: An open-source API to audit and govern your software supply chain](https://cloudplatform.googleblog.com/2017/10/introducing-grafeas-open-source-api-.html)\n\n## Running containers\n\nTooling:\n\n- https://github.com/aquasecurity/kube-bench\n- https://github.com/docker/docker-bench-security \n- https://sysdig.com/opensource/falco/ \n- https://kubesec.io/\n- https://www.twistlock.com/ \n\nFurther reading:\n\n- [Just say no to root (in containers)](https://opensource.com/article/18/3/just-say-no-root-containers)\n- Exploring Container Mechanisms Through the Story of a Syscall ([slides](https://schd.ws/hosted_files/kccnceu18/46/Exploring%20container%20mechanisms%20through%20the%20story%20of%20a%20syscall.pdf) | [video](https://www.youtube.com/watch?v=1Tl-NURLoq4))\n- [Improving your Kubernetes Workload Security](https://www.youtube.com/watch?v=T_NxDXAdbfo)\n- Container Isolation at Scale (Introducing gVisor) ([slides](https://schd.ws/hosted_files/kccnceu18/47/Container%20Isolation%20at%20Scale.pdf) | [video](https://www.youtube.com/watch?v=pWyJahTWa4I))\n\n## Authentication and authorization\n\nTooling:\n\n- https://github.com/coreos/dex \n- https://github.com/liggitt/audit2rbac \n- https://github.com/heptio/authenticator \n\nFurther reading:\n\n- Docs: [Authentication](https://kubernetes.io/docs/admin/authentication/), [Authorization](https://kubernetes.io/docs/admin/authorization/), [Controlling Access to the Kubernetes API](https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/)\n- [Kubernetes deep dive: API Server – part 
1](https://blog.openshift.com/kubernetes-deep-dive-api-server-part-1/)\n- [Certifik8s: All You Need to Know About Certificates in Kubernetes](https://www.youtube.com/watch?v=gXz4cq3PKdg)\n- [Kubernetes Auth and Access Control](https://www.youtube.com/watch?v=WvnXemaYQ50)\n- [Effective RBAC](https://www.youtube.com/watch?v=Nw1ymxcLIDI)\n- [Single Sign-On for Kubernetes: An Introduction](https://thenewstack.io/kubernetes-single-sign-one-less-identity/)\n- [Let's Encrypt, OAuth 2, and Kubernetes Ingress](https://eng.fromatob.com/post/2017/02/lets-encrypt-oauth-2-and-kubernetes-ingress/)\n\n\n## Communication\n\nTooling:\n\n- https://github.com/aporeto-inc/trireme-kubernetes \n- https://github.com/jetstack/cert-manager/ \n- https://spiffe.io/ \n- https://www.openpolicyagent.org/ \n\nFurther reading:\n\n- Docs: [Network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)\n- [How Kubernetes certificate authorities work](https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/) \n- [Securing Kubernetes Cluster Networking](https://ahmet.im/blog/kubernetes-network-policy/)\n- [Tutorials and Recipes for Kubernetes Network Policies feature](https://github.com/ahmetb/kubernetes-network-policy-recipes) \n- [Kubernetes Security Context and Kubernetes Network Policy](https://sysdig.com/blog/kubernetes-security-psp-network-policy/) \n- [Kubernetes Application Operator Basics](https://blog.openshift.com/kubernetes-application-operator-basics/) \n\n## Apps\n\nTooling:\n\n- https://github.com/kelseyhightower/konfd \n- https://github.com/hashicorp/vault-plugin-auth-kubernetes \n- https://github.com/bitnami-labs/sealed-secrets\n- https://github.com/shyiko/kubesec  \n- https://github.com/weaveworks/flux \n\nFurther reading:\n\n- Docs: [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/), [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/), [Pod Security 
Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)\n- [Shipping in Pirate-Infested Waters: Practical Attack and Defense in Kubernetes](https://www.youtube.com/watch?v=ohTq0no0ZVU)\n- [Exploring container security: Isolation at different layers of the Kubernetes stack](https://cloudplatform.googleblog.com/2018/05/Exploring-container-security-Isolation-at-different-layers-of-the-Kubernetes-stack.html) \n- [Security Best Practices for Kubernetes Deployment](https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/) \n- [NIST Special Publication 800-190: Application Container Security Guide](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf)\n- [Kubernetes Security Best Practices](https://www.youtube.com/watch?v=pzAwTC8KYV8)\n- [Continuous Kubernetes Security](https://www.youtube.com/watch?v=YtrA7eauSSg)\n\n## Securing the control plane\n\nTooling:\n\n- https://github.com/bgeesaman/kubeatf \n- https://github.com/Shopify/kubeaudit\n- https://k8guard.github.io/ \n\nFurther reading:\n\n- Docs: [Securing a Cluster](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/), [Encrypting Secret Data at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/), [Auditing](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/)\n- [Securing Kubernetes components: kubelet, etcd and Docker registry](https://sysdig.com/blog/kubernetes-security-kubelet-etcd/) \n- [K8s security best practices](https://www.slideshare.net/SharonVendrov/k8s-security-best-practices-85961183) \n- [Kubernetes Security - Best Practice Guide](https://github.com/freach/kubernetes-security-best-practice) \n- [Lessons from the Cryptojacking Attack at Tesla](https://blog.redlock.io/cryptojacking-tesla) \n- [Hacking and Hardening Kubernetes Clusters by Example](https://www.youtube.com/watch?v=vTgQLzeBfRU) \n- [What Does “Production Ready” Really Mean for a Kubernetes 
Cluster](https://weave.works/blog/what-does-production-ready-really-mean-for-a-kubernetes-cluster)\n- [A Hacker's Guide to Kubernetes and the Cloud](https://www.youtube.com/watch?v=dxKpCO2dAy8)\n- [Kubernetes Container Clustering, Catastrophe](https://www.youtube.com/watch?v=b3qJwIttqqs)\n- [Hardening Kubernetes from Scratch](https://github.com/hardening-kubernetes/from-scratch)\n\n## References\n\nKubernetes resources related to security (v1.10):\n\n- [Namespace](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#namespace-v1-core)\n- [Secret](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#secret-v1-core)\n- [ResourceQuota](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#resourcequota-v1-core)\n- [ServiceAccount](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#serviceaccount-v1-core)\n- [Role](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#role-v1-rbac-authorization-k8s-io) / [ClusterRole](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#clusterrole-v1-rbac-authorization-k8s-io)\n- [RoleBinding](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#rolebinding-v1-rbac-authorization-k8s-io) / [ClusterRoleBinding](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#clusterrolebinding-v1-rbac-authorization-k8s-io)\n- [PodSecurityPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#podsecuritypolicy-v1beta1-extensions)\n- [NetworkPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#networkpolicy-v1-networking-k8s-io)\n\nUseful `kubectl` commands:\n\n- `kubectl create secret`\n- `kubectl create serviceaccount`\n- `kubectl create role`\n- `kubectl create rolebinding`\n- `kubectl auth 
can-i`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmhausenblas%2Fk8s-sec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmhausenblas%2Fk8s-sec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmhausenblas%2Fk8s-sec/lists"}