Kubectl Get Hacked
Discussing some ways kubeconfig files can bite
Recreating a vulnerability in log streaming via the Kubelet on Windows nodes
Exploring an edge case in Kubernetes mirror pods and the Kubelet’s static manifests
How we compromised a CTF platform to get flags without solving the challenges
Anyone who’s spoken to me for any period of time about Kubernetes, or had the misfortune of being vaguely near me when I’m ranting about it, probably knows my feelings on the setup. It does work, and work effectively, but there are a plethora of sharp edges and unexpected behaviours. A number of these are documented here. This post details my most recent addition to this list. RBAC does not claim to solve all security problems in Kubernetes, and indeed it is only one arrow in the proverbial quiver....
This is a post I’ve been meaning to write for a while. It’s not going to be a definitive guide, more a ramble through some of the resources available to those looking to start down this path. Huge thanks to everyone who attended the DevSecCon London meetup last week to participate in our CTF, for reminding me to write this. There’s a lot of information out there around Container Security, and none of it is going to be enough to make you an expert in isolation....
Making Kubernetes handle homelab networking and DNS.
I need to read docs better. This post is to give myself a nice copy-paste for next time I want to do the thing I spent today doing, without reading again.
A home automation post about remote controls that spin me right round, baby, right round.
Originally posted by NCC Group at https://research.nccgroup.com/2023/04/17/public-report-kubernetes-1-24-security-audit/ NCC Group was selected to perform a security evaluation of the Kubernetes 1.24.0 release in response to Kubernetes SIG Security’s Third-Party Security Audit Request for Proposals. The testing portion of the audit took place in May and June 2022. The global project team performed a security architectural design review that resulted in the identification of findings in terms of secure design of Kubernetes. The team also performed dynamic native application pen tests, including source code and cryptographic review which found vulnerabilities in multiple components....