Kubernetes Security
Nubenetes V2 Elite Portal
Architectural Context
Detailed reference for Kubernetes Security in the context of Hardened Infrastructure.
API Access Protection
Teleport Access Control
- (2021) goteleport.com: Kubernetes API Access Security Hardening [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] - Assesses security postures for Kube-API exposure, outlining standard secure practices including zero-trust access, bastions, detailed telemetry streams, and short-lived credentials.
Architecture
Microservices
Application Lifecycle
- (2022) itnext.io: Journey Of A Microservice Application In The Kubernetes World [COMMUNITY-TOOL] - Traces the structural lifecycle of a containerized microservice traversing deployment pipelines, service routing, and load balancing configurations. Provides practical insights into configuring readiness/liveness probes, autoscaling parameters, and ingress rules. Essential reference for microservice platform standardization.
CKS Certification Study Guides
Cluster Lifecycle Security
- (2020) github.com/stackrox: Certified Kubernetes Security Specialist Study Guide ⭐ 429 [MARKDOWN CONTENT] [ADVANCED LEVEL] [DE FACTO STANDARD] - A comprehensive community study handbook for the Linux Foundation CKS exam, detailing system hardening, threat mitigation, microservice security policies, and runtime compliance enforcement.
CNI Network Vulnerabilities
Network Penetration Testing
- (2020) cyberark.com: Attacking Kubernetes Clusters Through Your Network Plumbing: Part 1 [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] - Delves into how container network interfaces (CNIs) and underlying network configurations can be targets for spoofing, route injection, and MITM attacks within shared Kubernetes clusters.
CVE Analysis
Network Vulnerabilities
- (2020) empresas.blogthinkbig.com: Descubierta una vulnerabilidad en Kubernetes que permite acceso a redes restringidas (CVE-2020-8562) [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] - Analyzes CVE-2020-8562, a vulnerability allowing path-traversal/access bypass to internal restricted subnets through the Kubernetes API server, discussing standard mitigation strategies.
Case Studies
Historical Exploit Analysis
- (2021) thenewstack.io: Kubernetes: An Examination of Major Attacks [N/A CONTENT] [COMMUNITY-TOOL] - Conducts retrospective post-mortems on major real-world Kubernetes security incidents, tracing malicious lateral movement, coin-miner deployments, and critical data breaches back to root posture issues.
Cloud Native Networking
Network Policies
Calico and Tigera Security
- (2020) tigera.io: Kubernetes security policy design: 10 critical best practices [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] - A strategic framework for designing cluster-wide network policies, using tiered structures, explicit default-deny states, and labeling schemas to scale security dynamically.
Secure CNI Implementation
- (2021) itnext.io: How-To: Kubernetes Cluster Network Security [N/A CONTENT] [COMMUNITY-TOOL] - A practical tutorial covering secure network policy design. Guides readers through limiting pod egress/ingress, utilizing global network policies, and implementing namespaces as security perimeters.
Cloud Native Security
The 4Cs of Cloud Native Security
- (2020) kubernetes.io: Cloud native security for your clusters [N/A CONTENT] [COMMUNITY-TOOL] - An authoritative review of the '4Cs of Cloud Native Security' (Cloud, Cluster, Container, Code). Explains how defense-in-depth principles apply across all layers of the cloud-native application stack.
Cluster Hardening
Infrastructural Protection
- (2020) containerjournal.com: How to Secure Your Kubernetes Cluster [N/A CONTENT] [LEGACY] - Evaluates cluster configurations across storage, networking, and deployment lifecycles. Discusses the replacement of deprecated Pod Security Policies with built-in Pod Security Standards and third-party policy engines.
Network Policies (1)
- (2019) Kubernetes Security Best Practices ⭐ 2712 [MARKDOWN CONTENT] [ADVANCED LEVEL] [DE FACTO STANDARD] - A curated GitHub repository delineating hardened configurations for Kubernetes API servers, Kubelets, and network boundaries. It details port-level access rules, ingress/egress filtering, and cluster isolation tactics to defend against pivot attacks.
Operational Security
- (2020) codeburst.io: 7 Kubernetes Security Best Practices You Must Follow [N/A CONTENT] [COMMUNITY-TOOL] - Outlines fundamental security practices for Kubernetes workloads, focusing on enabling RBAC, using namespaces for boundary control, managing secrets securely, and upgrading Kubernetes control planes to address known CVEs.
Runtime Secrets Scanning
- (2021) blog.gitguardian.com: Hardening Your Kubernetes Cluster - Guidelines (Pt. 2) [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] - The second part of a structural security guide detailing advanced settings such as RBAC limitations, audit logging targets, container engine isolation, and secrets scanning policies.
Cluster Lifecycle Security (1)
Operating System Paradigm
- (2020) thenewstack.io: How to Secure Kubernetes, the OS of the Cloud [N/A CONTENT] [COMMUNITY-TOOL] - Examines the concept of Kubernetes operating as a cloud-native OS, presenting strategies for securing core services, container communication, and control plane boundaries.
Cluster Misconfigurations
Common Mistakes
- (2021) fairwinds.com: Discover the Top 5 Kubernetes Security Mistakes You're (Probably) Making [N/A CONTENT] [COMMUNITY-TOOL] - Identifies common configuration mistakes such as neglected CPU/memory limits, running containers as root, and using unvalidated base images, offering immediate structural remedies.
Defense in Depth
Cluster Hardening (1)
- (2020) thenewstack.io: Defend the Core: Kubernetes Security at Every Layer [N/A CONTENT] [COMMUNITY-TOOL] - Provides an architectural approach to layered container defense. Examines the integration of secure hardware baselines, API rate limiting, network-level firewalls, and runtime analysis agents.
Identity and Access Management
SSO and OIDC Configuration
- (2020) talkingquickly.co.uk: Kubernetes Single Sign On - A detailed guide [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] - Explains how to integrate Kubernetes API access with external identity providers (OIDC) to enable secure Single Sign-On (SSO) and unify role assignments across developers.
Industry Reports
Archived Market Trends
- (2021) redhat.com: State of Kubernetes Security Report - Spring 2021 (PDF) [N/A CONTENT] [COMMUNITY-TOOL] - A comprehensive market study from Spring 2021 highlighting systemic security incidents and detailing key threat factors, infrastructure risks, and tooling choices among enterprise development teams.
Enterprise Security Trends
- (2021) redhat.com: The State of Kubernetes Security [N/A CONTENT] [COMMUNITY-TOOL] - Red Hat's analysis of container security threats, identifying key issues such as misconfigurations, unpatched vulnerabilities, and integration friction in cloud-native operational environments.
Kubernetes Platform Engine
Cluster Installation and Hardening
Infrastructure Provisioning
- (2020) thenewstack.io: Best Practices for Securely Setting up a Kubernetes Cluster [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] - Breaks down secure cluster bootstrapping steps, including encrypting secrets at rest in etcd, enabling control plane mutual TLS (mTLS), and minimizing public API endpoint exposure.
Container Runtimes
Runtime Isolation
- (2020) thenewstack.io: A Security Comparison of Docker, CRI-O and Containerd [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] - Compares the security architecture and attack surfaces of the primary container runtimes: Docker, CRI-O, and containerd. Discusses rootless execution, sandboxed runtimes (Kata, gVisor), and syscall filtering.
Networking
CNI
Cilium
- (2026) cilium.io [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] - The main website for Cilium, the industry-standard networking, security, and observability engine powered by eBPF. Eliminates routing performance penalties and delivers deep API metrics.
Observability and Monitoring
Runtime Security
Falco and K3s Audit Logging
- (2021) Analyze Kubernetes Audit logs using Falco [GO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] - Demonstrates how to pipe Lightweight Kubernetes (K3s) API server audit logs directly into CNCF Falco. Well suited to resource-constrained edge and automated home lab deployments.
Security Industry Analysis
- (2021) infoworld.com: The race to secure Kubernetes at run time [N/A CONTENT] [COMMUNITY-TOOL] - Documents the evolution of runtime threat defense in cloud-native platforms, discussing the industry shift toward kernel-level security telemetry leveraging eBPF technology.
Sysdig and Falco Audit Integration
- (2020) sysdig.com: Getting started with Kubernetes audit logs and Falco [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] - Explains how to integrate Kubernetes API audit logs with CNCF Falco to capture real-time control plane actions and alert on malicious requests, credential abuse, or abnormal operational API traffic.
eBPF Runtime Enforcement
Tetragon Platform
- (2022) Tetragon (Cilium) ⭐ 4749 [GO CONTENT] [ADVANCED LEVEL] [DE FACTO STANDARD] - An eBPF-powered security observability and runtime enforcement platform. It monitors and blocks system events at the kernel level, providing granular process execution, network activity, and file system audit streams with zero container overhead.
Penetration Testing
Security Operations
- (2020) youtube: Kubernetes Security: Attacking and Defending K8s Clusters - by Magno Logan [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] - A practical, demonstration-heavy guide outlining attack-and-defend methodologies for production clusters. Demonstrates common configuration exploits and dynamic remediation.
Pod Privilege Escalation
Vulnerability Exploitation
- (2020) labs.bishopfox.com: Bad Pods: Kubernetes Pod Privilege Escalation [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] - A highly cited technical analysis demonstrating how misconfigured container host namespaces, capabilities, and volume mounts can be exploited to escape container boundaries and gain full host-level access.
Policy-as-Code
Kyverno Administration
- (2020) kyverno.io [GO CONTENT] [COMMUNITY-TOOL] - Kyverno is a declarative Kubernetes-native policy engine. Designed specifically for Kubernetes, it simplifies policy management by allowing administrators to validate, mutate, and generate resources without writing complex Rego code.
Kyverno Rules and Policies
- (2020) kyverno.io/policies [YAML CONTENT] [COMMUNITY-TOOL] - The official catalog of Kyverno policies, providing ready-to-deploy manifests for Pod Security Standards, multi-tenant workspace isolation, label validation, and compliance auto-generation.
RBAC and Authorization
Privilege Escalation
- (2020) jeffgeerling.com: Everyone might be a cluster-admin in your Kubernetes cluster [N/A CONTENT] [COMMUNITY-TOOL] - Investigates RBAC misconfigurations and overly permissive default service accounts that elevate microservice workloads to cluster-admin privileges. It provides actionable remediation strategies for locking down namespace-bound credentials.
Risk Analysis and Auditing
Threat Vector Modeling
- (2020) tldrsec.com: Risk8s Business: Risk Analysis of Kubernetes Clusters [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] - A comprehensive vulnerability catalog and risk analysis guide highlighting exploitation pathways in typical cluster deployments, including the security impacts of insecure volume mounts and metadata service access.
Secrets Management
HashiCorp Vault Integration
- (2020) learn.hashicorp.com: Integrate a Kubernetes Cluster with an External Vault [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] - A practical implementation guide showing how to leverage the HashiCorp Vault Agent Injector sidecar to dynamically inject secrets directly into application pods via in-memory tmpfs mounts.
Security
Application Security
Client Security
- (2022) curity.io: Client Security [COMMUNITY-TOOL] - Focuses on security patterns when structuring application clients that interface with identity ecosystems. Covers patterns such as Token Handlers and Backend-for-Frontend (BFF) to safely abstract tokens away from client browsers or apps, reducing exposure to common cross-site scripting risks.
IAM
SSO
- (2022) dev.to/gabrielbiasi: Automatic SSO in Kubernetes workloads using a sidecar container [COMMUNITY-TOOL] - Outlines an automated SSO sidecar integration pattern inside Kubernetes pods, abstracting authentication logic away from application-level containers. Details OAuth token management and redirect intercept strategies executed transparently at the pod level. Simplifies identity integration across multiple microservices.
Identity and Access
Authentication
Legacy Tools
- (2020) github.com/dvob/k8s-s2s-auth: Kubernetes Service Accounts [GO CONTENT] [LEGACY] - Curator Insight: Demonstrates internal service-to-service auth patterns utilizing raw Service Account tokens. Live Grounding: The repository has seen no recent development and is considered legacy. It is superseded by modern ephemeral TokenRequest APIs and service mesh mTLS integrations.
Microservice Identities
- (2023) learnk8s.io: Authentication between microservices using Kubernetes identities [ADVANCED LEVEL] [COMMUNITY-TOOL] - A specialized guide analyzing how service-to-service communication can be secured natively. It demonstrates using Kubernetes ServiceAccount tokens as cryptographic identities to authenticate microservices without external overhead. This pattern reduces dependencies on heavy service meshes for simpler deployments.
OIDC
OAuth2 Proxy
- (2021) geek-cookbook.funkypenguin.co.nz: Using OAuth2 proxy for Kubernetes Dashboard [COMMUNITY-TOOL] [GUIDE] - A configuration guide describing how to wrap the Kubernetes Dashboard and sensitive internal APIs with oauth2-proxy, enabling secure OIDC integrations and SSO workflows.
Workload Identity
- (2021) linkerd.io: Using Kubernetes's new Bound Service Account Tokens for secure workload identity [ADVANCED LEVEL] [COMMUNITY-TOOL] - Examines Linkerd's transition to Kubernetes Bound Service Account Tokens (TokenRequest API). Explains the security benefits of using tokens containing specific audiences, node bindings, and short lifetimes to mitigate credential leakage risks.
Identity and Access Management (1)
Access Control
- thenewstack.io: Cloud Native Identity and Access Management in Kubernetes [EN CONTENT] [ADVANCED LEVEL] [ENTERPRISE-STABLE] - Examines identity federation, user access management, and internal service-to-service authentication models. Curator insight details mapping cluster roles directly to organizational single sign-on identities. Live grounding indicates that decentralized identity and modern authentication are critical to maintaining least privilege in high-scale infrastructure.
Kubernetes Security (1)
Secrets Management (1)
- (2021) Hands on your first Kubernetes secrets [COMMUNITY-TOOL] [GUIDE] - This hands-on tutorial guides developers through creating, decoding, and mounting native Kubernetes Secret resources within applications. It highlights the limitations of base64 encoding (it is not encryption) and advises on key architectural alternatives, such as HashiCorp Vault integration, Sealed Secrets, or CSI secret store drivers for production environments.
Policy and Admission Control
Validating Webhooks
- (2022) trstringer.com: Create a Basic Kubernetes Validating Webhook [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] - Step-by-step technical guide for writing a custom validating admission controller webhook. Focuses on processing API requests, writing validation criteria in Go, and configuring TLS certificate pathways between the API server and the webhook pod.
Secrets Management (2)
HashiCorp Vault
- (2021) itnext.io: Vault cluster with auto unseal on Kubernetes [ADVANCED LEVEL] [COMMUNITY-TOOL] - Detailed structural guide for configuring an enterprise-grade, highly available HashiCorp Vault cluster in Kubernetes. Features automated unsealing integrations using cloud KMS systems (AWS KMS/GCP KMS) to remove the dependency on manually held unseal keys.
OWASP
- (2022) itnext.io: Kubernetes OWASP Top 10: Secrets Management [COMMUNITY-TOOL] - Addresses Secrets Management under the OWASP Kubernetes threat framework. Details the vulnerabilities of default etcd storage parameters and describes using External Secrets Operator or HashiCorp Vault. Prevents secrets exposure via repository check-ins or pod environment parameters.
Security Training and Playgrounds
Kubernetes Goat Lab
- (2020) Kubernetes Goat [GO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] - An intentionally vulnerable cluster environment designed for hands-on cybersecurity training. Includes self-contained scenarios exploring SSRF, container escape, secrets leakage, and misconfigured RBAC roles.
Supply Chain Security
Signature Verification and Ratify
- (2021) infoworld.com: Securing the Kubernetes software supply chain with Microsoft's Ratify [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] - Focuses on utilizing Ratify as an admission controller to verify container metadata, secure supply-chain signatures (via Cosign/Notation), and enforce strict provenance validation before execution.
Threat Modeling
MITRE ATT&CK Adaptation
- (2021) microsoft.com: Secure containerized environments with updated threat matrix for Kubernetes [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] - Discusses updates to Microsoft's threat matrix for Kubernetes, refining mapped attack vectors based on modern production compromise telemetry. Covers control plane compromises and cloud identity integrations.
MITRE ATT&CK Framework
- (2020) Microsoft.com: Attack matrix for Kubernetes [N/A CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] - Microsoft's systematic adaptation of the MITRE ATT&CK framework mapping out K8s attack vectors from initial access to execution, persistence, privilege escalation, and impact. Helps security operators assess risks in orchestration configurations.
Vulnerability Assessment Tools
Kubestriker Scanner
- (2021) helpnetsecurity.com: Kubestriker: A security auditing tool for Kubernetes clusters [N/A CONTENT] [COMMUNITY-TOOL] - Reviews Kubestriker, a lightweight, agentless open-source security scanner that audits Kubernetes control plane configurations, insecure ports, and IAM roles for vulnerabilities.
Workload Hardening
Identity and Access Management (2)
- (2020) thenewstack.io: Laying the Groundwork for Kubernetes Security, Across Workloads, Pods and Users [N/A CONTENT] [COMMUNITY-TOOL] - Analyzes the multi-dimensional security layers required for modern Kubernetes deployments, addressing workload isolation, Pod Security Standards (PSS), and secure developer workflow patterns.
Pod Security Context
- (2020) snyk.io: 10 Kubernetes Security Context settings you should understand [N/A CONTENT] [COMMUNITY-TOOL] - Detailed documentation of essential Security Context settings (e.g., allowPrivilegeEscalation, readOnlyRootFilesystem, and runAsNonRoot) used to harden workload runtimes.
Pod Specifications
- (2021) blog.gitguardian.com: Kubernetes Hardening Tutorial Part 1: Pods [N/A CONTENT] [COMMUNITY-TOOL] - Part one of GitGuardian's workload security tutorial, targeting critical pod configurations such as root user restrictions, secure namespaces, and minimizing host-level network sharing.