CNCF deep-dive series on how to use Open Policy Agent to unify security policy enforcement across your entire set of Kubernetes clusters.

New post on attacking AzureAD Service Principals, Intune, and documenting an Azure Logic App primitive. Also introducing the complete re-write of PowerZure.

Post explaining what Hybrid Azure Join is, target enumeration, and how to abuse Intune/Endpoint Manager to execute code as SYSTEM on target systems.

How to setup Terraform Cloud Agent and how to run configurations in on-prem environments without any firewall rule modifications.

Article going through two popular stacks - EFK (Elasticsearch) and PLG (Loki) - and understand their architecture and differences.

Tutorial proposing a way to "mimic" group memberships using stock Kubernetes authorization features.

How to monitor AWS Lambda by leveraging existing Prometheus ingestion with Sysdig.

How to authenticate an application running in a Kubernetes cluster to Azure resources through Managed Service Identities (MSI), without having to pass around any secret data.

If you're using Google Kubernetes Engine and deploying to it from headless environments like CI/CD, you're probably installing the gcloud command-line tool (perhaps every time) you run a build. This post shows that there's way to authenticate to GKE clusters without the gcloud CLI!

How to dump memory, before the "OOMKilled" signal, with docker-preoomkiller.

HashiCorp Learn has been redesigned to improve performance and provide better tools for navigation and content discovery, which includes reorganizing content from simple learning tracks to more flexible collections, with their own landing pages.

Krane is a simple Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them.

SkyArk focuses on mitigating the new threat of Cloud Shadow Admins in AWS and Azure, and helps organizations to discover, assess and protect cloud privileged entities.

Collection of Rego policies.

A lightweight and ultra-fast router for building observability pipelines. Compared to Logstash and friends, Vector improves throughput by ~10X while significantly reducing CPU and memory usage.

Dragonfly is an open source intelligent P2P based image and file distribution system. Its goal is to tackle distribution problems in cloud native scenarios.

An anti-DESYNC rust library developed at AWS, designed to analyze HTTP requests to prevent HTTP Desync attacks, balancing security and availability. It classifies requests into different categories and provides recommendations on how each tier should be handled.

Auto-configuration of Fluentd daemon-set based on Kubernetes metadata.

AWS Controllers for Kubernetes (ACK) is a new tool that lets you directly manage AWS services from Kubernetes. ACK makes it simple to build scalable and highly-available Kubernetes applications that utilize AWS services. ACK is available as a developer preview on GitHub.

How you can use attribute-based access controls (ABAC) in AWS to help provision simple, maintainable access controls to different projects, teams, and workloads as your organization grows.

AWS Certificate Manager (ACM) Private Certificate Authority (CA) now supports sharing a Private CA with any AWS account or within your organization. This eliminates the need to provision duplicate resources in every account in a multi-account environment, reducing the cost and complexity of managing those resources in every account.

This post will help you make privacy-conscious cloud migration decisions by mapping the National Institute of Standards and Technology (NIST) Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management (NIST Privacy Framework) to the AWS Cloud Adoption Framework (AWS CAF).

Introducing GKE Dataplane V2, a dataplane that harnesses the power of eBPF and Cilium, an open source project that makes the Linux kernel Kubernetes-aware using eBPF.

Recommendations and best practices to help the applications running on your GKE cluster to stay happy and healthy.

InSpec-GCP version 1.0 is now generally available, and two new Chef InSpec profiles have been released, containing controls for GCP CIS Benchmark version 1.1.0 and the PCI DSS version 3.2.1.

Google added 21 new features to Cloud Operations, the observability suite launched earlier this year, which gives you access to operations capabilities directly from the Google Cloud Console.

Under the hood look at how IP addressing works in GKE, some common IP addressing problems and GKE features to help solve them.