This week's articles
Amazon EKS Distro
#aws, #k8s, #build
EKS Distro is a distribution of the same version of Kubernetes deployed by Amazon EKS, which you can use to manually create your own Kubernetes clusters anywhere you choose.
Kubernetes Audits Introduction
#k8s, #explain
Blog post going over Kubernetes audit logs: What are they exactly? How are they constructed? Where do they originate? How and where are they delivered?
The revenge of system:masters, return of the AKS
#azure, #k8s, #attack
A couple of takeaways if your organization is planning to use Azure AKS. First, if your clusters are AAD-enabled, be very careful about who has rights to use the "--admin" switch on the "get-credentials" command. Second, do not expose your clusters directly on the Internet, to reduce the likely impact of this.
Tools
s3_objects_check
Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files.
opstrace
Opstrace deploys secure, horizontally-scalable open source observability in your own cloud account, combining open APIs with the simple user experience of a large service provider.
audit2rbac
audit2rbac takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.
connaisseur
Connaisseur is an admission controller for Kubernetes that integrates Image Signature Verification into a cluster, as a means to ensure that only valid images are being deployed. Comes with a related blog post.
From the cloud providers
Expanding our commitment to secure Internet routing
Google shares details about the steps it has taken to protect its network against vulnerabilities in the Internet routing system, how it is moving forward, and the importance of collaborating with the wider community.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco