Check resources configurations for policy compliance.| Kyverno
The dynamic nature of containers can make it challenging for security teams to detect runtime anomalies or pinpoint the source of a security incident, presenting an opportunity for attackers to stay undetected. Microsoft Threat Intelligence has observed threat actors taking advantage of unsecured workload identities to gain access to resources, including containerized environments. Microsoft data […]| Microsoft Security Blog
Pods are the smallest deployable units of computing that you can create and manage in Kubernetes. A Pod (as in a pod of whales or pea pod) is a group of one or more containers, with shared storage and network resources, and a specification for how to run the containers. A Pod's contents are always co-located and co-scheduled, and run in a shared context. A Pod models an application-specific "logical host": it contains one or more application containers which are relatively tightly coupled.| Kubernetes
FEATURE STATE: Kubernetes v1.26 [stable] Windows HostProcess containers enable you to run containerized workloads on a Windows host. These containers operate as normal processes but have access to the host network namespace, storage, and devices when given the appropriate user privileges. HostProcess containers can be used to deploy network plugins, storage configurations, device plugins, kube-proxy, and other components to Windows nodes without the need for dedicated proxies or the direct in...| Kubernetes
FEATURE STATE: Kubernetes v1.30 [beta] This page explains how user namespaces are used in Kubernetes pods. A user namespace isolates the user running inside the container from the one in the host. A process running as root in a container can run as a different (non-root) user in the host; in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace.| Kubernetes
Special considerations for certain Kubernetes platforms.| Kyverno
On Monday this week I noticed a new and really interesting blog from Imre Rad. The Blog Post described an unpatched issue in Kubernetes, which allows any user with the ability to create gitRepo volumes to execute code on the underlying host as the root user! For the details of how this works, please read Imre’s blog as all the cool research is his, I’m just looking at how it might be exploited :)| raesene.github.io
Security or Scalability? Why not both!| kyverno.io
Providing better Pod security for service meshes with Kyverno.| Kyverno
Methods for installing Kyverno| Kyverno
This post describes how the --init-only flag to kube-proxy can be used to run the main kube-proxy container in a stricter securityContext, by performing the configuration that requires privileged mode in a separate init container. Since Windows doesn’t have the equivalent of capabilities, this only works on Linux. The kube-proxy Pod still only meets the privileged Pod Security Standard, but there is still an improvement because the running container doesn’t need to run privileged.| www.kubernetes.dev
An overview of the Pod Security Admission Controller, which can enforce the Pod Security Standards.| Kubernetes
Learn about AWS Fault Injection Service actions.| docs.aws.amazon.com
Kubernetes reserves all labels, annotations and taints in the kubernetes.io and k8s.io namespaces. This document serves both as a reference to the values and as a coordination point for assigning values. Labels, annotations and taints used on API objects apf.kubernetes.io/autoupdate-spec Type: Annotation Example: apf.kubernetes.io/autoupdate-spec: "true" Used on: FlowSchema and PriorityLevelConfiguration Objects If this annotation is set to true on a FlowSchema or PriorityLevelConfiguration, ...| Kubernetes
Take advantage of Kernel Image Lockdown with eBPF| djalal.opendz.org
Using Pod Security Admission with Kyverno for the best of both worlds.| Kyverno
Migrating from PodSecurityPolicy to Kyverno| Kyverno
Kyverno 1.8 is here.| Kyverno
This page provides an overview of admission controllers. An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the resource, but after the request is authenticated and authorized. Several important features of Kubernetes require an admission controller to be enabled in order to properly support the feature. As a result, a Kubernetes API server that is not properly configured with the right set of admission controllers is an in...| Kubernetes