VSHN.timer

VSHN.timer #142: Kubernetes Under Attack

20. Jun 2022

Welcome to another VSHN.timer! Every Monday, 5 links related to Kubernetes, OpenShift, CI / CD, and DevOps; all stuff coming out of our own chat system, making us think, laugh, or simply work better.

This week we’re going to talk about the next frontier for Kubernetes clusters: hardened security.

1. Red Hat recently published the 2022 State of Kubernetes Security report, in which 93% of respondents experienced at least one security incident in the last year. What are the risks, and which preventive measures could DevOps engineers apply? Paul Krill from InfoWorld tells us more.

https://www.infoworld.com/article/3663734/kubernetes-users-struggle-with-security-red-hat-survey-says.html

2. The Shadowserver Foundation has recently started scanning for accessible Kubernetes API instances returning a 200 OK HTTP response to their probes… and out of 450’000 identified instances, 380’000 happily replied. Oooops.

https://www.shadowserver.org/news/over-380-000-open-kubernetes-api-servers/

3. Kubernetes Secrets are just base64-encoded strings stored in etcd. How secure is this approach? Mac Chaffee evaluated it against a threat model, and provided some perspective.

https://www.macchaffee.com/blog/2022/k8s-secrets/

4. What options do DevOps engineers have for storing secrets in GitOps-enabled clusters using Argo CD? Daniel Hoang enumerates the most popular ones: sealed secrets, the Argo CD Vault plugin, SOPS, and more.

https://akuity.io/blog/how-to-manage-kubernetes-secrets-gitops/

5. The VSHN.timer tool of the week is Download Kubernetes, a website that shows only the download links for the latest versions of each piece of the Kubernetes puzzle, for every architecture.

https://www.downloadkubernetes.com/

How do you manage your Kubernetes secrets? What security measures have you implemented in your cluster? Would you like to share some Kubernetes security tips and tricks with the community? Get in touch with us, and see you next week for another edition of VSHN.timer.

Adrian Kosmaczewski

Adrian Kosmaczewski is responsible for Developer Relations at VSHN. He has been a software developer since 1996, as well as a trainer and published author. Adrian holds a Master's degree in Information Technology from the University of Liverpool.
