Kubernetes Security - bobbae/gcp GitHub Wiki
https://kubernetes.io/docs/concepts/security/overview/
Kubernetes Security Issues
https://www.vmware.com/topics/glossary/content/kubernetes-security
Kubernetes security is important throughout the container lifecycle due to the distributed, dynamic nature of a Kubernetes cluster. Different security approaches are required for each of the three phases of an application lifecycle: build, deploy, and runtime.
https://techbeacon.com/security/how-track-security-problems-your-kubernetes-deployments
Hardening GKE workload
Using Google-managed SSL certificates
https://www.infracloud.io/blogs/secure-containers-cosign-distroless-images
RBAC
https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
Workload identity for GKE
https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity
Implement Workload identity on GKE
Tools
OPA
https://www.openpolicyagent.org/
https://github.com/open-policy-agent/opa
Kubernetes cluster outage due to misconfigured OPA Gatekeeper
https://dev.to/fourstepper/dealing-with-a-google-kubernetes-engine-cluster-outage-2kf1
TerraScan
https://github.com/accurics/terrascan
Falco
https://github.com/falcosecurity/falco
Kube Linter
https://github.com/stackrox/kube-linter
SigStore
Distroless
"Distroless" images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.
https://github.com/GoogleContainerTools/distroless
CoSign
Container Signing, Verification and Storage in an OCI registry.
https://github.com/sigstore/cosign
Cloud Build CoSign
https://security.googleblog.com/2021/05/making-internet-more-secure-one-signed.html
CoSign and distroless images
https://www.infracloud.io/blogs/secure-containers-cosign-distroless-images
Clair
Checkov
https://github.com/bridgecrewio/checkov
Admission Controllers
https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
Validating Webhooks
https://kmitevski.com/writing-a-kubernetes-validating-webhook-using-python/
StackRox
https://www.stackrox.io/blog/kubernetes-security-101/
StackRox provides full life cycle security across build, deploy, and runtime phases for your Google Kubernetes Engine (GKE), Google Compute Engine (GCE), or Anthos environments.
StackRox can be used to enforce security policies for GKE with Cloud Run.
Encrypt Secrets at rest
https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/#encrypt-secrets-at-rest
Aqua
https://www.aquasec.com/products/kubernetes-security/
Kubescape
https://github.com/armosec/kubescape
Kube bench
https://github.com/aquasecurity/kube-bench
Kube hunter
https://github.com/aquasecurity/kube-hunter
Kube audit
https://github.com/Shopify/kubeaudit
NeuVector
Audit2RBAC
https://github.com/liggitt/audit2rbac
Illuminatio
https://github.com/inovex/illuminatio
Prisma
https://www.paloaltonetworks.com/prisma/cloud/cloud-workload-protection-platform/container-security