Kubernetes security: a complete beginner's guide, or how not to repeat Tesla's mistake

Kubernetes does not get hacked with the "exploit of the century" but with banalities: open access, cluster-admin granted "just for now", the default serviceAccount, secrets in manifests (yes, base64 is not protection). From there the scenario is predictable, from quiet crypto mining to leaked keys, as in the Tesla story. In this article I will cover the three basic pillars of k8s security: minimizing privileges through RBAC, proper handling of secrets, and isolating workloads through securityContext and policies, along with typical mistakes and practices you can actually implement.

https://habr.com/ru/companies/otus/articles/994136/

#kubernetes #безопасность #devsecops #rbac #секреты #pod_security #checkov #kyverno

Kubernetes security: a complete beginner's guide, or how not to repeat Tesla's mistake

Hi everyone, my name is Sergey Proshchaev, and in this article I will talk about the basic security principles in Kubernetes that will save you from nightmares like having your cluster hacked for cryptocurrency mining....

Habr
Kubernetes multi-tenant governance: managing multi-tenant Kubernetes clusters | Jorijn Schrijvershof

In-depth technical article on Kubernetes multi-tenant governance for DevOps teams. Learn about soft vs. hard multi-tenancy, risks (noisy neighbors, privilege escalation), and best practices: RBAC, resource quotas, network isolation, policies (Kyverno/OPA), cost allocation (showback/chargeback), minimal governance for small teams, and when a dedicated cluster per tenant is the better choice.

Anyone using #kyverno? I'm migrating a couple of current, unmaintained mutating webhooks to Kyverno this week. There's a good amount of CRDs and a couple of controllers; once you sort of disable a load of features, it's fairly light.

Any tips or anecdotes about using it and managing policies, etc, would be welcomed.

#devops #kubernetes

Just dropped a quick guide on how to build better Kyverno alerts using Loki. 🔍

The main challenge was that Kyverno logs originate from its namespace, but I needed the alert to reflect the target namespace (where the policy violation actually occurred).

I used LogQL's label_format to rewrite namespace_extracted → namespace before aggregation to get actionable alerts.

Check it out here: https://wael.nasreddine.com/kubernetes/alert-kyverno-policy-validatio.html

#Kubernetes #SRE #Loki #Kyverno #Observability #DevOps #LogQL #socialmedia

🚨 Alerting on Kyverno Policy Validation Failures with Loki - Wael's Digital Garden

What is Kyverno (a Kubernetes-native policy engine), and what problem does it solve in Kubernetes?

Why you should know Kyverno as a system administrator. Kyverno is a Kubernetes-native policy engine that helps you, as a system administrator, make your clusters more secure and consistent. You should know it because it enables declarative policies that automatically enforce security guidelines, compliance requirements, and best practices without you having to write complex scripts. In Kubernetes environments, complexity grows quickly, and Kyverno solves exactly that […]

https://andreas-moor.de/was-kyverno-bzw-eine-kubernetes-native-policy-engine-ist-und-welches-problem-es-in-kubernetes-lost/

Today's lesson: Using #kyverno you can configure cluster policies to replicate secrets from a reference namespace to any set of arbitrary destination namespaces.

However, one needs to ensure that the proper events are used to trigger the policy - we don't just want to copy secrets on namespace creation, but also when namespaces are updated, and for any eligible namespace at the time the policy was created. We also want to ensure that destination secrets are updated when the source secret changes.

Kyverno makes this simple with a few features:

* The `synchronize: true` parameter for its cluster policy will create secrets for new eligible namespaces, and update secrets when the source secret changes.
* With `generateExisting: true`, a background job is created when the policy is instantiated to retroactively make it apply to existing namespaces.

Finally, with the recently released Kyverno version 1.15, new CEL-based policy types are available that are even more flexible and powerful.

https://kyverno.io/docs/policy-types/cluster-policy/generate/#clone-examples

https://kyverno.io/docs/policy-types/cluster-policy/generate/#generate-for-existing-resources

https://kyverno.io/docs/policy-types/generating-policy/

#k8s #kubernetes #AdmissionControl

Generate Rules

Create new Kubernetes resources based on a policy and optionally keep them in sync.

Kyverno
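A ClusterPolicy implementing the clone pattern the post describes, as an added example that is not part of the original post or the Kyverno docs. The source namespace `secrets-source`, the secret name `regcred`, the opt-in label `secrets.example.com/sync-regcred` and the excluded namespace names are constructed placeholders; adjust them to your cluster.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-registry-credentials
spec:
  # Run a background job when the policy is created so the rule is also
  # applied to namespaces that already exist, not only to new ones.
  # Older releases read this field here (spec level); newer releases also
  # accept it inside the rule under `generate`. Check your version's docs.
  generateExisting: true
  rules:
    - name: clone-regcred-to-eligible-namespaces
      match:
        any:
          - resources:
              kinds:
                - Namespace
              # Constructed opt-in label: only namespaces carrying it are
              # eligible destinations, so secrets are not sprayed everywhere.
              selector:
                matchLabels:
                  secrets.example.com/sync-regcred: "true"
      exclude:
        any:
          - resources:
              # Defence in depth: never generate into system namespaces,
              # even if someone labels them by mistake. (Constructed list.)
              names:
                - kube-system
                - kube-public
                - kyverno
      generate:
        apiVersion: v1
        kind: Secret
        # Name the clone after the source; the destination is the namespace
        # that triggered the rule.
        name: regcred
        namespace: "{{request.object.metadata.name}}"
        # Keep the copy in sync: re-generate it when the source secret
        # changes, and restore it if a downstream copy is edited or deleted.
        synchronize: true
        clone:
          namespace: secrets-source
          name: regcred
```

Kyverno needs RBAC permission to read Secrets in `secrets-source` and to create and update them in the destinations; a denied background generation shows up as a failed generate request rather than a silently missing secret, so watch for those events when rolling this out.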
Kubernetes namespace exclusion options for Kyverno policies – Daniel's Tech Blog

Welcome and thank you to Platinum Sponsor, Nirmata, creators of #Kyverno - a CNCF incubating project. Meet the team at #KCDDC2025
🎟️ ➡️ https://bit.ly/KCDDC2025
KCD Washington DC 2025 | CNCF

In-person Event - Celebrate our 5th annual event - thanks to members like you!

CNCF

Tomorrow on 'You Choose!', Viktor Farcic and I will discuss Policies and State Synchronization with Kyverno and Argo CD—CNCF tools you’ve already chosen in past seasons. ♫

Join us as we continue building an Internal Developer Platform!
fun fun fun

Don’t miss it! Click ‘Notify Me’:

https://youtu.be/mWbOpe4CktY

#CNCF #Kyverno #ArgoCD #Kubernetes #InternalDeveloperPlatform

Policies & State Synchronization (GitOps - Feat. Kyverno & Argo CD (You Choose!, Ch. 05, Ep. 02)

YouTube

For those among us who prefer kustomize, I made the Kyverno community policies available as such.

https://github.com/xyhhx/kyverno-policies-kustomize

#kubernetes #k8s #kyverno #kustomize

GitHub - xyhhx/kyverno-policies-kustomize: Kyverno policies for security and best practices

Kyverno policies for security and best practices. Contribute to xyhhx/kyverno-policies-kustomize development by creating an account on GitHub.

GitHub