RBAC Wizard is a simple web UI that visualises your RBAC configurations in Kubernetes. Here’s what this tool offers:
* See all your RBACs listed in a table with customisable columns.
* Search your objects by typing their names, filter them by kind, and view the manifest you need.
* Navigate through a map of your existing RBAC resources.
* Install it via Homebrew or go install.
* Be ready for the new features ahead since this project is brand new, with its v0.0.1 released just last month.
▶️ GitHub repo: https://github.com/pehlicd/rbac-wizard
#tools #security
Looking for a practical way to learn Kubernetes security? You might be interested in this project!
Kubernetes Goat provides you with a cluster that is “vulnerable by design”. After deploying it, you get easy-to-use access to 20+ scenarios covering various security aspects. Each scenario comes with a guide you can follow to validate your knowledge and gain new practical skills. Here are some of the techniques and technologies they cover:
- DIND exploitation and container escape;
- getting access to internal and non-exposed services;
- exploiting misconfigured or overly permissive permissions;
- Docker & Kubernetes CIS benchmarks;
- kubeaudit for auditing Kubernetes clusters;
- Falco for detecting security issues;
- Cilium Tetragon for performing runtime security monitoring;
- Kyverno policy engine.
▶️ GitHub repo
#tools #security
Open Policy Agent tops the list of the most used Open Source tools for Kubernetes security, according to the 2024 edition of “The state of Kubernetes security report” unveiled by Red Hat last month (source). These results are based on a survey of 600 DevOps, engineering, and security professionals worldwide.
#tools #reports #security
Struggling with network policies in Kubernetes? This tool helps manage them using CLI or Web UI.
netfetch aims to “demystify network policies” in Kubernetes. To do so, it scans your cluster, visualises the network, and helps you improve the network policies. Here are its main features:
- Command-line (CLI) and dashboard (Web UI) interfaces, which vary a bit in their functionality.
- Scan a cluster, detect the Pods without network policies, and evaluate a security score.
- Build an interactive network map or save scan output as a text file.
- Improve network policies by creating default deny rules and suggesting new network policies for existing workloads.
- Network policy editing and previewing in Web UI.
- Written in Go and Vue. Installable via Helm, Homebrew (for Mac), or binaries.
▶️ GitHub repo
#tools #networking #security
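As an added illustration (not netfetch's own code), here is the core of a "Pods without a NetworkPolicy" scan like the one described above: Kubernetes label-selector matching (matchLabels ANDed with matchExpressions) applied to constructed Pod and NetworkPolicy objects. It also shows the two rules such a scan must get right: a policy only selects Pods in its own namespace, and an empty podSelector selects every Pod there.

```python
def selector_matches(selector: dict, labels: dict) -> bool:
    """True if `labels` satisfy a LabelSelector-shaped dict; {} matches all."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for req in selector.get("matchExpressions", []):
        key, op, values = req["key"], req["operator"], req.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False  # NotIn also matches when the key is absent
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def pods_without_policy(pods: list, policies: list) -> list:
    """Return 'namespace/name' of Pods selected by no policy in their namespace."""
    def covered(pod):
        ns = pod["metadata"]["namespace"]
        labels = pod["metadata"].get("labels", {})
        return any(  # a NetworkPolicy never selects Pods outside its own namespace
            pol["metadata"]["namespace"] == ns
            and selector_matches(pol["spec"].get("podSelector", {}), labels)
            for pol in policies)
    return [f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}'
            for p in pods if not covered(p)]


# Constructed sample objects, shaped like items from `kubectl get -o json`.
PODS = [
    {"metadata": {"namespace": "shop", "name": "web-1", "labels": {"app": "web", "tier": "frontend"}}},
    {"metadata": {"namespace": "shop", "name": "db-1", "labels": {"app": "db", "tier": "backend"}}},
    {"metadata": {"namespace": "shop", "name": "job-1"}},  # unlabelled: no policy selects it
    {"metadata": {"namespace": "ops", "name": "cron-1", "labels": {"app": "cron"}}},
]
POLICIES = [
    {"metadata": {"namespace": "shop", "name": "web-ingress"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}}}},
    {"metadata": {"namespace": "shop", "name": "backend-only"},
     "spec": {"podSelector": {"matchExpressions": [{"key": "tier", "operator": "In", "values": ["backend"]}]}}},
    {"metadata": {"namespace": "ops", "name": "default-deny"},  # empty selector: every Pod in ops
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
]
```

Running `pods_without_policy(PODS, POLICIES)` reports `shop/job-1`: the `ops` default-deny policy does not reach it, and neither shop policy selects an unlabelled Pod.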
A new tool is announced for those who use Falco to detect suspicious events and lack a convenient way of reacting to them: Falco Talon.
Thomas Labarussias, the author of Falcosidekick, calls his new project a missing piece for Falco users. Falco Talon is a response engine for managing threats in Kubernetes clusters. It provides you with a simple, no-code solution to react to events from Falco by creating simple rules in YAML. Its features available with the first GA release (v0.1.0) include:
- Numerous ready-to-use actions to perform (actionners), such as kubernetes:exec, kubernetes:log, aws:lambda, cilium:networkpolicy, and more;
- Writing artifacts resulting from actions to local files, AWS S3, or MinIO S3;
- Various notifiers to forward action results, including Kubernetes events, Loki, Slack, webhooks, etc.;
- Structured logs, metrics (Prometheus and OTEL formats), and OTEL traces.
▶️ GitHub repo
📢 Project announcement
#tools #security #news
Ever heard of a DevSecOps software bundle for air-gapped environments? Here’s a project showcasing what that might be.
Zarf is a tool that implements secure and continuous software delivery on systems not connected to the Internet. To make this possible, various well-known software projects are combined to automate software deployment to Kubernetes. It covers:
- Building, publishing, pulling, and deploying so-called Zarf packages;
- Creating and verifying package signatures (with cosign);
- Generating SBOMs (with Syft);
- Automating specific actions against packages during their lifecycle;
- Using various built-in tools, such as Helm, yq, Docker registry, Gitea, and K9s.
P.S. Zarf is an OpenSSF Sandbox project.
Language: Go | License: Apache 2.0 | 1413 ⭐️
▶️ GitHub repo
#tools #security
Wireshark Foundation has introduced Stratoshark, a tool created by Sysdig and advertised as "Wireshark for the Cloud".
Stratoshark is a tool that provides deep visibility into application-level behaviour by analysing cloud system calls and logs. It is built on the legacy of Wireshark and Falco, designed for Cloud Native environments, and supports the same file format as Falco and Sysdig CLI.
- Website
- LinkedIn announcement
- “Troubleshooting CrashLoopBackOff with Stratoshark”
#news #tools #security #observability
Kubescape became a CNCF incubating project
Created in ARMO, Kubescape is a security platform for Kubernetes that offers hardening, posture management, and runtime security capabilities. It scans clusters, YAML files, and Helm charts and detects various misconfigurations. In December 2022, CNCF accepted it as a Sandbox project; last month, the CNCF TOC voted to move it to the incubating level.
More details: official announcement; incubation issue.
#news #security #cncfprojects
Don’t miss the news regarding five recent critical vulnerabilities in ingress-nginx, including CVE-2025-1974 scored at 9.8 CVSS!
The Kubernetes blog post states that over 40% of Kubernetes administrators rely on ingress-nginx and should take action immediately. Otherwise, a malicious user with no credentials can take over your Kubernetes cluster by exploiting configuration injection vulnerabilities via the Validating Admission Controller.
The latest ingress-nginx releases, v1.12.1 and v1.11.5, are already available with all five vulnerabilities fixed.
Find more details in this post from the Kubernetes Security Response Committee and this detailed article from Wiz.
#news #security
GitHub Dependabot now supports Helm. By leveraging the Dependabot version updates, you can ensure the Helm dependencies of your app hosted on GitHub are up to date.
Currently, it works only with image updates in values.yaml, yet support for kustomization.yaml files might be added later.
Find more details in the formal announcement and this issue.
#news #security
Launched in November 2024, the GitHub Secure Open Source Fund aims to secure the supply chain at scale. This Fund conducted two educational, collaborative sessions on security, bringing together 125 maintainers from 71 Open Source projects. They remediated 1100+ vulnerabilities, issued 50+ new CVEs, revealed 176 leaked secrets, and prevented 92 new secrets from being leaked.
Those sessions covered such Open Source projects as Flux, bootc, nixpkgs, Oh My Zsh, Ollama, and many more. The next session is scheduled for September. Find more details in this blog post.
#news #security #GitHub
PodCertificateRequests is a new API (introduced in Kubernetes v1.34 as alpha) that enables the provisioning of certificates to workloads running as Pods within a cluster. Here’s a controller to simplify leveraging this new feature.
Pod-certificate-signer is a controller that creates PodCertificateRequest objects for your Pods with a custom x509 signer. This tool:
- signs TLS/mTLS certificates for Pods (or denies issuing them based on the relevant configuration);
- allows you to use Pod annotations for certificate configurations;
- validates requests by checking whether the CA-provided or mounted files exist and ensuring that the CA is valid;
- logs all decisions and errors.
Language: Go | License: Apache 2.0 | 1 ⭐️
▶️ GitHub repo
#tools #security
Kyverno became a CNCF Graduated project
Kyverno, a Kubernetes-native policy engine originally developed in Nirmata, has become the latest addition to the list of CNCF Graduated projects. About 6 hours ago, the CNCF Technical Oversight Committee completed the relevant voting process for this project.
Today’s Kyverno adopters include Vodafone, Deutsche Telekom, Saxo Bank, LinkedIn, Spotify, US DoD Platform One, OVHcloud, and many other well-known organisations worldwide.
#cncfprojects #news #security