This week's articles
Injecting Vault Secrets into Kubernetes Pods via a Sidecar
HashiCorp just released a new Kubernetes integration that enables applications with no native Vault logic built in to consume static and dynamic secrets sourced from Vault. It is powered by a new tool called vault-k8s, which uses a Kubernetes Mutating Admission Webhook to intercept specifically annotated pod configurations and augment them with Init and Sidecar containers that perform the secrets injection: "Applications need only concern themselves with finding a secret at a filesystem path, rather than managing tokens, connecting to an external API, or other mechanisms for direct interaction with Vault". Anyone new to using Vault for secrets management can also refer to this step-by-step explanation of fetching dynamic database credentials using the new Vault + K8s agent sidecar injection feature.
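To make the mechanism concrete, here is an added example (my own manifest, not code from the HashiCorp post or the vault-k8s project) of a Deployment annotated for sidecar injection. The names are assumptions: a Vault Kubernetes-auth role called `app` bound to the `app` ServiceAccount in the pod's namespace, a KV v2 secret at `secret/data/app/config`, a database secrets engine role at `database/creds/app-readonly`, and the image reference.

```yaml
# Added example (not from the HashiCorp post or the vault-k8s project).
# Assumed: Vault Kubernetes-auth role "app" bound to the "app" ServiceAccount,
# a KV v2 secret at secret/data/app/config, and a database secrets engine
# role at database/creds/app-readonly.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
      annotations:
        # Opt this pod in; the mutating webhook leaves pods without this annotation untouched.
        vault.hashicorp.com/agent-inject: "true"
        # Vault Kubernetes-auth role the injected agent logs in with (assumed name).
        vault.hashicorp.com/role: "app"
        # Static secret, rendered to /vault/secrets/config. KV v2 payloads live under .Data.data.
        vault.hashicorp.com/agent-inject-secret-config: "secret/data/app/config"
        vault.hashicorp.com/agent-inject-template-config: |
          {{- with secret "secret/data/app/config" -}}
          {{ .Data.data.api_key }}
          {{- end }}
        # Dynamic DB credentials, rendered to /vault/secrets/db-dsn. The agent sidecar
        # renews the lease and re-renders the file when Vault rotates the credential.
        vault.hashicorp.com/agent-inject-secret-db-dsn: "database/creds/app-readonly"
        vault.hashicorp.com/agent-inject-template-db-dsn: |
          {{- with secret "database/creds/app-readonly" -}}
          postgresql://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/appdb?sslmode=require
          {{- end }}
    spec:
      # Must be the ServiceAccount bound to the Vault role above; the agent
      # authenticates with this account's token, so keep the binding narrow.
      serviceAccountName: app
      containers:
        - name: app
          image: registry.example.com/app:1.0.0   # assumed image
          # The application only reads files under /vault/secrets; it never
          # holds a Vault token or talks to the Vault API itself.
          env:
            - name: CONFIG_FILE
              value: /vault/secrets/config
            - name: DB_DSN_FILE
              value: /vault/secrets/db-dsn
```

After admission, `kubectl get pod -o yaml` on the resulting pod shows the injected init container and sidecar, plus the status annotation the webhook sets, with the rendered files on a volume shared between the agent and the application container. Two caveats a practitioner should keep in mind: anything that can read that path inside the pod (including a compromised application process) can read the credential, so the Vault role should be scoped to exactly the paths the pod needs; and an application that reads the DSN once at startup will keep using a rotated dynamic credential until it re-reads the file, so either re-read on connection errors or use a template with a command/restart strategy.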
Falco Security Audit
Another security audit funded by the CNCF has been published, this time for Falco. Overall, the audit found 3 potential vulnerabilities (1 Critical, 2 High) and 2 miscellaneous issues (Low). You can find the details of the audit and the vulnerabilities in the published report.
Dracon: Security pipelines on Kubernetes
Built on top of Tekton Pipelines, Dracon provides a native way of running arbitrary tools on Kubernetes clusters. Dracon lets you run multiple security scanners (gosec, find-sec-bugs, etc.) concurrently against your codebase and push the resulting vulnerability data to DefectDojo and Elasticsearch.
kube-score is a tool that performs static code analysis of your Kubernetes object definitions. The output is a list of recommendations of what you can improve to make your application more secure and resilient.
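As an added illustration (my own manifests, not output or code from the kube-score project) of the kind of recommendation such a static check produces, below is a minimal Deployment followed by a hardened version of the same workload. The check names in the comments are my reading of kube-score's rule set, not quotes from the tool, and the image, ports and probe paths are assumed.

```yaml
# Added example (not from the kube-score project): the same Deployment before and
# after addressing typical kube-score recommendations. Check names in comments are
# my interpretation of kube-score's rules; image, ports and probe paths are assumed.
---
# Before: deploys fine, but gives the scheduler and the runtime nothing to enforce.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 1
  selector:
    matchLabels: {app: web}
  template:
    metadata:
      labels: {app: web}
    spec:
      containers:
        - name: web
          image: registry.example.com/web:latest   # mutable tag, no probes, no limits, root by default
---
# After: every block below maps to a recommendation the static analysis would raise.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 2                                  # one replica cannot survive a node drain
  selector:
    matchLabels: {app: web}
  template:
    metadata:
      labels: {app: web}
    spec:
      securityContext:                           # security-context: do not run as uid 0
        runAsNonRoot: true
        runAsUser: 10001
        runAsGroup: 10001
      containers:
        - name: web
          image: registry.example.com/web:1.4.2  # image-tag: pin an immutable tag, never :latest
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
          resources:                             # resources: requests and limits for scheduling and eviction
            requests: {cpu: 100m, memory: 128Mi}
            limits: {cpu: 500m, memory: 256Mi}
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true         # writable paths must be mounted explicitly
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: tmp
              mountPath: /tmp
          readinessProbe:                        # probes: distinct readiness and liveness endpoints
            httpGet: {path: /ready, port: 8080}
          livenessProbe:
            httpGet: {path: /live, port: 8080}
            initialDelaySeconds: 10
      volumes:
        - name: tmp
          emptyDir: {}
```

The point of running a tool like this in CI is that the second manifest is easy to let regress: a later change that drops the resource limits or switches the tag back to `latest` is caught on the pull request rather than in the cluster.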
Inspired by @SummitRoute's tracking of changes to AWS IAM policies, this project tracks changes in GCP predefined IAM roles.
Elastic Cloud on Kubernetes (ECK)
Elastic Cloud on Kubernetes automates the deployment, provisioning, management, and orchestration of Elasticsearch and Kibana on Kubernetes based on the operator pattern.
From the cloud providers
BeyondProd: How Google moved from perimeter-based to cloud-native security
Google released a whitepaper about BeyondProd, which explains the model for how they implemented cloud-native security. BeyondProd applies concepts like: mutually authenticated service endpoints, transport security, edge termination with global load balancing and denial of service protection, end-to-end code provenance, and runtime sandboxing. Altogether, these controls mean that containers and the microservices running inside them can be deployed, communicate with one another, and run next to each other, securely, without burdening individual microservice developers with the security and implementation details of the underlying infrastructure.
Binary Authorization for Borg: how Google verifies code provenance and implements code identity
In this whitepaper Google describes its code review process, how it establishes code provenance, and the need for enforcement mechanisms, with particular focus on the development of a specific enforcement check: Binary Authorization for Borg (BAB). The goal of BAB is to reduce insider risk by ensuring that production software deployed at Google is properly reviewed and authorized, particularly if that code has the ability to access user data.
Use third-party keys in the cloud with Cloud External Key Manager
Cloud External Key Manager (Cloud EKM), now available in beta, lets you achieve full separation between your data and your encryption keys. At its heart, Cloud EKM lets you protect data at rest in BigQuery and Compute Engine using encryption keys that are stored and managed in a third-party key management system deployed outside Google's infrastructure. This approach offers several unique security benefits, such as maintaining key provenance over your third-party keys, full control over who accesses your keys, and centralized key management.