A curated list for Kubernetes (K8s) Security resources such as articles, books, tools, talks and videos.
Disclaimer
Most of the resources are in English; the ones that aren’t will be flagged as such. All the content in this list is public and free; please use it for educational purposes only!
Not all the tools have been tested or reviewed; use them at your own risk! Also, I don’t consider myself a K8s Security expert, I’m just learning and helping others learn along with me. Thanks!
The Basics
To understand Kubernetes Security you first need to understand the basics of how Kubernetes works and all the components involved. Here are some links and materials to help you with that journey:
- Kubernetes in 5 mins
- Kubernetes Concepts Explained in 9 minutes!
- Kubernetes 101
- Kubernetes: Getting Started
- Kubernetes The Hard Way – Kelsey Hightower
- Kubernetes Challenge 🇧🇷
- Kubernetes de K a S – Erlon Pinheiro 🇧🇷
- Kubernetes Training
- Introduction to Kubernetes
- Kube Academy
- Game of Pods (KodeKloud)
- Gist of Kubernetes Resources
- Uncomplicating Kubernetes (Jeferson Noronha aka LinuxTips) 🇧🇷
- Kubernetes Security Checklist and Requirements
Official Pages
- Kubernetes.io
- Kubernetes GitHub
- Kubernetes Security and Disclosure Information
- Cloud Native Security
- Pod Security Standards
- CNCF STAG – Security Technical Advisory Group
- CNCF STAG Meeting Notes
- CNCF STAG Mailing List
- Kubernetes SIG Security
- Kubernetes SIG Security Meeting Notes
- Kubernetes SIG Auth (Authorization, Authentication, and Cluster Security Policy)
- Kubernetes Security Audit 2019 Results
- Kubernetes Security Audit 2021 RFP
Talks and Videos
- Compromising Kubernetes Cluster by Exploiting RBAC Permissions – Eviatar Gerzi, CyberArk (RSA 2020)
- Kubernetes Deconstructed: Understanding Kubernetes by Breaking It Down – Carson Anderson, DOMO
- Kubernetes Deconstructed: Understanding Kubernetes by Breaking It Down – Carson Anderson, DOMO (Extended Version)
- Advanced Persistence Threats: The Future of Kubernetes Attacks (RSAC 2020)
- Kubernetes Security Best Practices – Ian Lewis, Google
- Securing Kubernetes Secrets (Cloud Next ’19)
- Jay Beale – Attacking and Defending Kubernetes – DEF CON 27 Packet Hacking Village
- The State of Kubernetes Security – Liz Rice
- DIY Pen-Testing for Your Kubernetes Cluster – Liz Rice, Aqua Security
- Kubernetes Security 101: Best Practices to Secure your Cluster
- Kubernetes Security 101: OWASP Natal Virtual Meeting 🇧🇷
- Rory McCune’s (@raesene) Kubernetes Security Lab | Rawkode Live workshop
Blogs and Articles
- Cloud native security for your clusters
- Container Security: Examining Potential Threats to the Container Environment
- Kubernetes securityContext: Linux capabilities in Kubernetes
- 10 Kubernetes Security Context settings you should understand
- Kubesploit: A New Offensive Tool for Testing Containerized Environments
- Securing Kubernetes Clusters by Eliminating Risky Permissions
- Using Kubelet Client to Attack the Kubernetes Cluster
- Eight Ways to Create a Pod
- Risk8s Business: Risk Analysis of Kubernetes Clusters
- How to Set Up and Manage Logs with Kubernetes
- The Current State of Kubernetes Threat Modelling
- Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes
- The Basics of Keeping Kubernetes Clusters Secure
- The Basics of Keeping Kubernetes Cluster Secure: Worker Nodes and Related Components
- How to Secure Your Kubernetes Cluster
- Kubernetes Security 101: Best Practices To Secure Your Cluster
- Kubernetes Security
- Introducing Kubernetes Goat
- Threat Matrix for Kubernetes
- Open Sourcing the Kubernetes Security Audit
- Amazon EKS Best Practices Guide for Security
- Protecting Kubernetes: The Kubernetes Attack Matrix and How to Mitigate Its Threats
- Securing the 4Cs of Cloud Native
- CVE-2018-18264 Privilege escalation through Kubernetes dashboard
- Certified Kubernetes Security Specialist (CKS) exam guide
- A Deep Dive Into Kubernetes Schema Validation
Books
- Hacking Kubernetes by Andrew Martin, Michael Hausenblas
- Learn Kubernetes Security by Kaizhe Huang and Pranjal Jumde
- Kubernetes Security by Liz Rice and Michael Hausenblas
- Container Security by Liz Rice
- Kubernetes: Up and Running, Second Edition by Brendan Burns, Joe Beda and Kelsey Hightower
- The Kubernetes Book by Nigel Poulton and Pushkar Joglekar
- Kubernetes Patterns: Reusable Elements for Designing Cloud-Native Applications by Bilgin Ibryam & Roland Huß
- Securing Kubernetes Secrets by Alex Soto Bueno and Andrew Block
- Kubernetes in Action, Second Edition by Marko Lukša
Certifications
- CKAD
- CKA
- Certified Kubernetes Administrator (CKA) Course
- CKS
- Certified Kubernetes Security Specialist (CKS)
- CKSS-Certified-Kubernetes-Security-Specialist
- Certified Kubernetes Security Specialist Study Guide
- References for CKS Exam Objectives
CVEs
- Exploring container security: Vulnerability management in open-source Kubernetes
- CVE-2018-18264 – Kubernetes Dashboard bypass authentication
- CVE-2019-11247 – kube-apiserver mistakenly allows access to a cluster-scoped custom resource
- CVE-2019-11249 – kubectl cp command tar exploit
- CVE-2020-8558 PoC – kube-proxy unexpectedly makes localhost-bound host services available to others on the network
- CVE-2020-8559 PoC – kube-apiserver vulnerable to an unvalidated redirect on proxied upgrade requests
- CVE-2020-8559 PoC 2 – kube-apiserver vulnerable to an unvalidated redirect on proxied upgrade requests
- CVE-2020-10749 PoC – malicious containers in Kubernetes clusters can perform man-in-the-middle (MitM) attacks
- CVE-2021-25735 – kube-apiserver allows node updates to bypass a Validating Admission Webhook
- CVE-2021-25737 – a user may be able to redirect pod traffic to private networks on a node
- CVE-2021-25740 – enables users to send network traffic to locations they would otherwise not have access to via a confused deputy attack
- CVE-2021-25741 – a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume
- CVE-2021-30465 – runc container filesystem breakout via directory traversal
Slides
- Communication is Key – Understanding Kubernetes Networking (KubeCon EU 2020)
- Seccomp Profiles and you: A practical guide (KubeCon EU 2020)
- Advanced Persistence Threats: The Future of Kubernetes Attacks (KubeCon EU 2020)
- Help! My Cluster Is On The Internet!
Trainings
- Secure Kubernetes
- Cloud Native Security Tutorial
- Kubernetes Security (Advanced Concepts)
- Kubernetes Goat Guide
- Katacoda Kubernetes Goat Videos
- Attacking and Auditing Docker Containers and Kubernetes Clusters
- A Cloud Guru Kubernetes Security
- SANS Cloud-Native Security Defending Containers and Kubernetes
- Tutorial: Getting Started With Cloud-Native Security – KubeCon EU 2020 – Liz Rice & Michael Hausenblas
- Control Plane Security Training
- Kubernetes CKS Exam Simulator
- Kubernetes Security Workshop
- Linux Academy – Kubernetes Security
- Mumshad’s KodeKloud Certified Kubernetes Security Specialist (CKS)
Repositories / Tools
Learning
- kubectl
- krew
- Bust-a-Kube
- kube-goat
- Kubernetes Goat
- Kubernetes Networking Labs for KubeCon EU 2020 Talk
- CNCF Security Audits
- Kube Security Lab: Learn from Kubernetes attacks using Ansible and KinD
Attacking
Defending
- Kubescape – checks whether Kubernetes is deployed securely according to the NSA-CISA and MITRE ATT&CK® frameworks
- KubiScan
- Kubernetes Audit by Trail of Bits
- kubeaudit
- Deepfence ThreatMapper
- falco
- kubesec
- kube-bench
- trivy
- MKIT
- kubetap
- kube-forensics
- k8s-security-dashboard
- CIS Kubernetes Benchmark – InSpec Profile
- Kube PodSecurityPolicy Advisor
- Inspektor Gadget
- Starboard
- Advocacy Site for Kubernetes RBAC
- Helm-Snyk
- Krane
- rakkess
- kubectl-who-can
- Kubernetes Security – Best Practice Guide
- External Secrets
- KubeLinter
- Open Policy Agent
- Gatekeeper
- Kyverno
- Kubewarden
- KICS – Keeping Infrastructure as Code Secure
Papers
- Kubernetes Security Assessment – Final Report – May 2019
- Kubernetes Security Whitepaper – June 2019
- Kubernetes Threat Model – June 2019
- Kubernetes Attack Tree
- Attacking Kubernetes – A Guide for Administrators and Penetration Testers
- CIS Kubernetes Benchmark
- Is Kubernetes secure by default or proof against misconfiguration? 🇧🇷
Podcasts
Community
Slacks
Newsletters
Jobs
K8s Managed Services
K8s Alternatives
Other Awesome Lists
- kubepwn
- awesome-kubernetes-security
- awesome-kubernetes
- awesome-istio
- awesome-falco
- awesome-cloud-native
- awesome-opa