audit2rbac
audit2rbac automatically generates RBAC policies from Kubernetes audit logs, enabling precise least-privilege configurations based on actual API usage.
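As an added illustration of the technique audit2rbac automates (this is example code written for this page, not audit2rbac's own implementation), the following Python reads API server audit events in the audit.k8s.io/v1 JSON-lines format, keeps only the requests made by one subject, and aggregates the verbs actually used per (apiGroup, resource) into Role rules for namespaced objects and ClusterRole rules for cluster-scoped ones. The audit events, the subject `system:serviceaccount:payments:api` and the role name `payments-api` are constructed for the example. Two choices are this example's own rather than anything the page attributes to audit2rbac: requests the API server denied (401/403) are dropped by default so that probing by a compromised workload is not turned into a grant, and watch requests are picked up from their `ResponseStarted` stage because long-running requests are logged there.

```python
"""Derive least-privilege RBAC rules from Kubernetes audit log events.

Added example for this page; not audit2rbac's code. Input is the API server
audit log (audit.k8s.io/v1, one JSON event per line). Output is a list of
Role/ClusterRole manifests (as dicts) covering only the verbs and resources
the chosen subject really used.
"""
import json
from collections import defaultdict

# Constructed sample log: five events for one service account plus one event
# for a different user that must be ignored. Field names follow audit.k8s.io/v1.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "get", "user": {"username": "system:serviceaccount:payments:api"},
     "objectRef": {"resource": "configmaps", "namespace": "payments", "name": "app-config", "apiGroup": ""},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "list", "user": {"username": "system:serviceaccount:payments:api"},
     "objectRef": {"resource": "pods", "namespace": "payments", "apiGroup": ""},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "get", "user": {"username": "system:serviceaccount:payments:api"},
     "objectRef": {"resource": "deployments", "namespace": "payments", "name": "api", "apiGroup": "apps"},
     "responseStatus": {"code": 200}},
    # Denied cluster-scoped request: by default this must NOT become a rule.
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "list", "user": {"username": "system:serviceaccount:payments:api"},
     "objectRef": {"resource": "nodes", "apiGroup": ""},
     "responseStatus": {"code": 403}},
    # Watch is long-running; the API server logs it at the ResponseStarted stage.
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseStarted",
     "verb": "watch", "user": {"username": "system:serviceaccount:payments:api"},
     "objectRef": {"resource": "secrets", "namespace": "payments", "apiGroup": ""},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "delete", "user": {"username": "admin"},
     "objectRef": {"resource": "pods", "namespace": "payments", "apiGroup": ""},
     "responseStatus": {"code": 200}},
])


def parse_events(log_text):
    """Yield one decoded audit event per non-empty line."""
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def collect_rules(log_text, subject, include_denied=False):
    """Return {namespace: {(apiGroup, resource): set(verbs)}}.

    The namespace key is None for cluster-scoped resources. Requests that the
    API server answered with 401/403 are skipped unless include_denied is set.
    """
    rules = defaultdict(lambda: defaultdict(set))
    for ev in parse_events(log_text):
        if ev.get("user", {}).get("username") != subject:
            continue
        if ev.get("stage") not in ("ResponseStarted", "ResponseComplete"):
            continue
        ref = ev.get("objectRef")
        if not ref or "resource" not in ref:
            continue  # non-resource URLs such as /healthz are out of scope here
        code = ev.get("responseStatus", {}).get("code", 0)
        if not include_denied and code in (401, 403):
            continue
        key = (ref.get("apiGroup", ""), ref["resource"])
        rules[ref.get("namespace")][key].add(ev["verb"])
    return rules


def render_roles(rules, name):
    """Turn collected rules into Role (namespaced) / ClusterRole manifests."""
    manifests = []
    for ns, res_map in rules.items():
        meta = {"name": name}
        if ns:
            meta["namespace"] = ns
        manifests.append({
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "Role" if ns else "ClusterRole",
            "metadata": meta,
            "rules": [
                {"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
                for (group, resource), verbs in sorted(res_map.items())
            ],
        })
    return manifests


if __name__ == "__main__":
    subject = "system:serviceaccount:payments:api"
    for manifest in render_roles(collect_rules(SAMPLE_AUDIT_LOG, subject), "payments-api"):
        print(json.dumps(manifest, indent=2))
```

The output grants `get` on configmaps, `list` on pods, `watch` on secrets and `get` on deployments in the `payments` namespace, and nothing cluster-wide, because the only cluster-scoped request was denied. Re-run with `include_denied=True` to see the difference: the 403 on `nodes` then yields a ClusterRole with `list` on nodes, which is exactly the kind of grant a least-privilege process should not produce from an attacker's probing. Real audit logs also carry `objectRef.name`, which could be used to narrow rules further with `resourceNames`; this example deliberately aggregates at the resource level.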
How attackers exploit cloud provider metadata services (IMDS) from Kubernetes pods to steal IAM credentials and escalate privileges.
How to prevent pods from accessing cloud provider metadata services (IMDS) and stealing IAM credentials in Kubernetes.
cnspec is a cloud-native security scanner from Mondoo that assesses Kubernetes clusters, containers, and infrastructure against security policies and compliance frameworks.
Exploiting Kubernetes API server vulnerabilities and how attackers gain unauthorized access.
How attackers exploit insecure or malicious sidecar containers to intercept data, escalate privileges, and persist within Kubernetes clusters.
How an attacker can break out of a container and gain control over the host system in Kubernetes.
How attackers exploit Kubernetes default group merging behavior to inject unauthorized supplemental group IDs from container images into running pod processes.
How to use supplementalGroupsPolicy: Strict to prevent container images from injecting unauthorized supplemental group IDs into Kubernetes pod processes.
Cosign is a container signing and verification tool used to secure container images and enforce supply chain integrity.
Learn strategies to mitigate Distributed Denial-of-Service (DDoS) attacks in Kubernetes clusters.
Deepfence ThreatMapper is a runtime vulnerability scanner that discovers threats across Kubernetes clusters, VMs, containers, and serverless environments.
How attackers exploit Kubernetes resources to exhaust system capacity, disrupt workloads, and cause service outages.
Protect CoreDNS from spoofing, cache poisoning, DNS tunneling, and unauthorized modifications to enhance Kubernetes cluster security.
How to configure Linux capabilities in Kubernetes pod security contexts to prevent privilege escalation and reduce the container attack surface.
Restrict and monitor outbound traffic from Kubernetes workloads to prevent data exfiltration, command-and-control communication, and unauthorized external access.
How attackers abuse kubectl debug and ephemeral containers to inject debugging tools, access process namespaces, and compromise Kubernetes workloads.
Attack scenario demonstrating how kubectl exec and attach commands can be abused to steal credentials and sensitive data from running containers.
How an exposed Kubelet API can be exploited to execute commands on nodes and compromise Kubernetes clusters.
Falco is a runtime security tool for Kubernetes that detects abnormal behavior and threats based on system call monitoring and security rules.
How to use KubeletFineGrainedAuthz (GA in Kubernetes v1.36) to grant least-privilege access to specific kubelet API endpoints without the broad nodes/proxy permission.
Step-by-step guide on generating and issuing a certificate for a Kubernetes user, including creating roles and configuring kubeconfig.
Attack scenario demonstrating how attackers extract image pull secrets to gain unauthorized access to private container registries.
How attackers exploit insecure Container Storage Interface (CSI) drivers to gain unauthorized access to persistent volumes and sensitive data.
How overly permissive Kubernetes RBAC configurations enable privilege escalation and full cluster compromise.
Understanding the risks of insecure secrets management in Kubernetes and how it can lead to sensitive data exposure.
Best practices to prevent the exposure of sensitive data in Kubernetes through secure secrets management techniques and external secret stores.
KBOM (Kubernetes Bill of Materials) Toolkit generates comprehensive inventories of Kubernetes clusters, including components, images, and configurations.
kube-psp-advisor generates Pod Security Policies and Pod Security Standards based on the actual security requirements of running workloads.
kube-scan is a Kubernetes risk assessment tool that calculates risk scores for workloads based on their security configurations and potential attack impact.
kubectl-bindrole finds all Kubernetes roles and cluster roles bound to a specified ServiceAccount, User, or Group, helping audit RBAC configurations.
kubectl-dig provides deep visibility into Kubernetes cluster activity using eBPF-based tracing, enabling real-time analysis of system calls and network traffic.
kubectl-kubesec is a kubectl plugin that scans Kubernetes resources using kubesec.io to identify security risks and provide hardening recommendations.
kubectl-who-can shows which subjects have RBAC permissions to perform specific actions on Kubernetes resources, helping identify privilege distribution.
Kubei is a Kubernetes runtime vulnerability scanner that identifies vulnerabilities in container images across your cluster in real-time.
How attackers exploit kubelet anonymous authentication to execute commands, read pod logs, and access sensitive data on Kubernetes nodes.
Overview of Kubernetes Kubelet security covering authentication, authorization, TLS, resource limits, and hardening best practices.
Comprehensive guide to Kubernetes attack vectors including container escapes, privilege escalation, RBAC exploitation, and cluster compromise techniques.
How to configure Kubernetes audit logging to record API server activity for security monitoring, incident detection, and compliance requirements.
Kubernetes External Secrets Operator synchronizes secrets from external providers like AWS Secrets Manager, HashiCorp Vault, and Azure Key Vault into Kubernetes.
kubernetes-rbac-audit is an auditing tool that analyzes RBAC configurations to identify risky permissions and potential security misconfigurations.
How missing Kubernetes Network Policies enable lateral movement and data exfiltration by attackers.
How attackers exploit misconfigured Kubernetes admission controllers and insecure webhooks to bypass security policies.
netchecks validates network connectivity assumptions in Kubernetes clusters by running declarative network tests to verify policies and connectivity.
Explore how Network Policies in Kubernetes control traffic flow and enhance security.
How attackers exploit misconfigured PersistentVolumes to access sensitive data from other workloads or previously deleted pods in Kubernetes.
Learn how Kubernetes Pod Security Standards (PSS) enforce security controls for workloads and replace the deprecated Pod Security Policies (PSP).
How attackers exploit overly privileged Kubernetes Service Accounts to gain cluster-wide access and escalate privileges.
rakkess displays an access matrix showing which Kubernetes resources a user, group, or service account can access, providing a comprehensive RBAC overview.
rback generates visual diagrams of Kubernetes RBAC configurations, making it easier to understand and audit complex permission structures.
Why the gitRepo volume driver was removed in Kubernetes v1.36, and how to migrate existing workloads to the init container pattern recommended by kubernetes.io.
How to restrict anonymous access to the Kubernetes API server to specific endpoints using AuthenticationConfiguration, stable since Kubernetes 1.34.
Learn how Role-Based Access Control (RBAC) in Kubernetes manages authorization and improves security.
How to control ephemeral container and kubectl debug access through RBAC, Pod Security Standards, and admission control in Kubernetes.
How to disable kubelet anonymous authentication, configure certificate-based authentication, and implement proper authorization to protect Kubernetes nodes.
How to protect Kubernetes PersistentVolumes from unauthorized access, data exposure, and cross-namespace attacks through proper configuration and RBAC.
Best practices for protecting the Kubernetes API server against unauthorized access and exploitation.
Learn the security risks of exposing Kubernetes Dashboard publicly and how attackers exploit misconfigured dashboards for full cluster compromise.
Attack scenario demonstrating exploitation of service account tokens with excessive permissions or long lifetimes.
Learn how Kubernetes Service Accounts provide authentication for pods and how to securely configure them using RBAC.
Improve Kubernetes security by implementing mutual TLS (mTLS), zero-trust networking, and policy-based access control using service meshes like Istio, Linkerd, and Cilium.
Steampipe enables SQL-based querying of Kubernetes resources and compliance scanning using the steampipe-kubernetes plugin and compliance mod.
How attackers compromise container images, dependencies, CI/CD pipelines, and Helm charts to infiltrate Kubernetes clusters.
How to safely configure kernel parameters via sysctls in Kubernetes pods, distinguish safe from unsafe sysctls, and enforce restrictions using Pod Security Standards.
How attackers manipulate Kubernetes network traffic to intercept, redirect, or disrupt communication between workloads.
Overview, usage, and best practices for using Trivy to scan container images, file systems, and Kubernetes resources for vulnerabilities.
Trivy Operator provides Kubernetes-native security scanning by automatically scanning workloads for vulnerabilities, misconfigurations, secrets, and RBAC issues.
An overview of potential attack vectors in Kubernetes and strategies to mitigate security risks.
How attackers exploit unrestricted access to etcd to retrieve Kubernetes secrets and take control of the cluster.
How attackers exploit unrestricted hostPath mounts to gain access to the host filesystem and escalate privileges.
How to use Linux user namespaces in Kubernetes pods to isolate container UIDs from the host and reduce the blast radius of container escapes.
Vault Secrets Operator is HashiCorp's official Kubernetes operator for synchronizing secrets from Vault into Kubernetes Secrets.