Managed

GKE

References

Link Notes
GKE best practices
The Unofficial GKE Security Guide Guide which aims to help prioritize and implement a security posture that meets your organization's needs while taking advantage of all the benefits of GKE
Private clusters
Exposing GKE applications through Ingress and Services Walk through of the different factors that should be considered when exposing applications on GKE, explain how they impact application exposure, and highlight which networking solutions each requirement will drive you toward
Consuming Google Secret Manager secrets in GKE 5 options to integrate GKE and GSM

IAM

Link Notes
Introducing Workload Identity: Better authentication for your GKE applications The new, and now recommended, way for GKE applications to authenticate to and consume other Google Cloud services
Making Sense of Kubernetes RBAC and IAM Roles on GKE Relationship between Google Cloud IAM and Kubernetes RBAC
Kubernetes Bound Service Account Tokens
  • Bound service account tokens are becoming the default format in Kubernetes 1.21
  • This will ultimately enhance the authentication layer, but you may need to modify your applications to take advantage of the new security capabilities

Federation

Link Notes
Authenticating to GKE without gcloud How to authenticate to GKE and deploy to it from headless environments like CI/CD
Securely Access AWS Services from Google Kubernetes Engine (GKE) Challenges and potential solutions for cross-cloud access
Groups-GKE
  • Google Groups for GKE
  • Allows granting roles to the members of a GSuite Google Group
rbacsync
  • Automatically sync groups into Kubernetes RBAC (blog post)
  • Provides a Kubernetes controller to synchronize RoleBindings and ClusterRoleBindings, used in Kubernetes RBAC, from group membership sources using consolidated configuration objects
  • The provided configuration objects allow you to define "virtual" groups that result in the creation of RoleBindings and ClusterRoleBindings that directly reference all users in the group

EKS

References

Link Notes
Amazon EKS Best Practices Guide for Security Best practices guide for day 2 operations, including operational excellence, security, reliability, performance efficiency, and cost optimization
Amazon EKS Workshop Workshop exploring multiple ways to configure VPC, ALB, and EC2 Kubernetes workers
AWS Controllers for Kubernetes (ACK) ACK lets you directly manage AWS services from Kubernetes
Kubernetes multi tenancy with Amazon EKS: Best practices and considerations Some considerations for Kubernetes multi tenancy implementation using Amazon EKS, covering different perspectives around compute, networking, and storage
Hardening AWS EKS security with RBAC, secure IMDS, and audit logging How small misconfigurations or unwanted side-effects may put clusters at risk
Opinionated guides
How to create a pipeline for hardening Amazon EKS nodes and automate updates How to enhance the security of managed node groups using a CIS Amazon Linux benchmark for Amazon Linux 2 and Amazon Linux 2023

IAM

Link Notes
EKS Pod Identity
EKS Cluster Access Management
AWS EKS Access Management & Permissions
  • aws-auth (2018)
  • IRSA (IAM Roles for Service Accounts) (2019)
  • EKS Pod Identities (2023)
  • EKS Cluster Access Management (2023)
EKS Service Accounts Explained
IAM roles for Kubernetes service accounts - deep dive How IAM and Kubernetes work together, allowing you to call AWS services from your pods with no hassle
iam-service-account-controller Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts
aws-iam-authenticator Use AWS IAM credentials to authenticate to a Kubernetes cluster
Attacking and securing cloud identities in managed Kubernetes A deep dive into how Amazon EKS IAM works, and several attack vectors to pivot from an EKS cluster to an AWS environment
IAM-EKS
  • Fine-Grained IAM Roles for Service Accounts for EKS
  • AWS just made pods first class citizens in IAM: rather than intercepting the requests to the EC2 metadata API to perform a call to the STS API to retrieve temporary credentials, AWS made changes in the identity APIs to recognize Kubernetes pods
  • By combining an OpenID Connect (OIDC) identity provider and Kubernetes service account annotations, you can now use IAM roles at the pod level
guard Kubernetes Webhook Authentication server. Using guard, you can log into your Kubernetes cluster using various auth providers such as Azure, Google, etc.

AKS

Link Notes
Monitoring Azure Kubernetes Service (AKS) with Azure Sentinel How to use Azure Sentinel to monitor AKS clusters for security incidents
Secure pods with Azure Policy You can deny requests based on pod capabilities and audit for runtime violations
Baseline architecture for an Azure Kubernetes Service (AKS) cluster Recommendations for networking, security, identity, management, and monitoring of AKS clusters based on an organization's business requirements
Runtime security in Azure Kubernetes Service How to secure containers on Microsoft Azure Kubernetes Service (AKS) with open source Falco