Kubesploit
kubesploit.io
Kubesploit
@kubesploit.io
News and links on Kubernetes security curated by the @Learnk8s.io team
More K8s news, events, jobs → https://kube.today
This tool automates the issuance and renewal of TLS certificates inside Kubernetes by introducing custom resources like `Certificate` and `Issuer`

https://ku.bz/dcDQCrkPn
October 30, 2025 at 6:06 PM
This project builds a low-code honeypot using LLMs behind the scenes to mimic realistic interactions while staying safe

It supports SSH, HTTP, TCP, Prometheus metrics, Kubernetes deployment, and YAML config

https://ku.bz/5665x_NRr
October 24, 2025 at 6:06 PM
Blixt is an early-stage, sandbox-only Layer 4 load balancer project written in Rust

It integrates eBPF via Aya and manages routing logic via Kube-RS

It supports Gateway API objects like TCPRoute and UDPRoute, with KIND-based local testing only

https://ku.bz/1cZxMK7Ck
October 18, 2025 at 6:06 PM
This article explains the governance differences between AWS Config and Kubernetes native policy engines and their complementary roles in cloud environments

https://ku.bz/ttgXTYdrZ
October 16, 2025 at 6:06 PM
kps-zeroexposure is a helm chart that fixes unhealthy or missing control-plane metrics targets in `kube-prometheus-stack` by deploying a secure Prometheus Agent as a DaemonSet

https://ku.bz/jtT5DjB6h
October 15, 2025 at 6:06 PM
This tutorial teaches how to install and configure Falco on GKE for runtime security, test default rules, create alerts in Google Cloud Monitoring, and add custom rules

https://ku.bz/zFRVy94dl
September 20, 2025 at 6:06 PM
Blixt is an early-stage, sandbox-only Layer 4 load balancer project written in Rust

It integrates eBPF via Aya and manages routing logic via Kube-RS

It supports Gateway API objects like TCPRoute and UDPRoute, with KIND-based local testing only

https://ku.bz/1cZxMK7Ck
September 18, 2025 at 6:06 PM
This article explains the governance differences between AWS Config and Kubernetes native policy engines and their complementary roles in cloud environments

https://ku.bz/ttgXTYdrZ
September 16, 2025 at 6:06 PM
kps-zeroexposure is a helm chart that fixes unhealthy or missing control-plane metrics targets in `kube-prometheus-stack` by deploying a secure Prometheus Agent as a DaemonSet

https://ku.bz/jtT5DjB6h
September 15, 2025 at 6:11 PM
kube-advisor.io runs an agent in your cluster to auto-detect misconfigs and best practice violations in real time; supports Kyverno for custom checks

https://ku.bz/WVcV9HKN7
September 8, 2025 at 6:11 PM
This tutorial covers east-west routing configuration utilizing CoreDNS, Traefik, cert-manager, and trust-manager for domain resolution and secure certificate management

https://ku.bz/QfzB7zPcf
August 29, 2025 at 6:11 PM
This tutorial teaches how to install and configure Falco on GKE for runtime security, test default rules, create alerts in Google Cloud Monitoring, and add custom rules

https://ku.bz/zFRVy94dl
August 20, 2025 at 6:06 PM
Gatekeeper's `k8sallowedrepos` can be bypassed if repo entries lack a trailing `/`

Attackers exploit prefix matching to pull images from fake subdomains like `myrepo.io.attacker.com`. Aqua shows real examples, a fixed v2 policy, and Trivy detection

https://ku.bz/fYQfsmHt-
August 10, 2025 at 6:06 PM
Learn how Beelzebub runs honeypots inside your Kubernetes cluster to detect lateral movement

It fakes real services, captures attacker commands like `docker ps` or `ls`, and logs them for analysis via Grafana or fluentd

https://ku.bz/W4M7dx2xy
August 8, 2025 at 6:11 PM
kube-advisor.io runs an agent in your cluster to auto-detect misconfigs and best practice violations in real time; supports Kyverno for custom checks

https://ku.bz/WVcV9HKN7
August 8, 2025 at 6:06 PM
This tutorial covers east-west routing configuration utilizing CoreDNS, Traefik, cert-manager, and trust-manager for domain resolution and secure certificate management

https://ku.bz/QfzB7zPcf
July 29, 2025 at 6:07 PM
The Kubeconfig Operator generates restricted kubeconfig files with granular permissions for Kubernetes clusters

Define specific RBAC rules at cluster and namespace levels, set expiration times, and automatically manage service accounts

https://ku.bz/X5WpY7QD8
July 23, 2025 at 6:11 PM
This diagram maps core Kubernetes security concepts—from RBAC, PodSecurity, and audit logging to container isolation—helping teams visualize enforcement points

Built by Telenor for on-prem clusters, it’s ideal for threat modelling or reviews

https://ku.bz/4JP4Yvlmt
July 17, 2025 at 6:11 PM
This guide shows how to detect Kubernetes runtime threats (e.g. sudo misuse, suspicious file access) using Falco + eBPF, forward logs with Fluent Bit, and route them to Parseable log streams like `falcowarn` or `falconotice`

https://ku.bz/zTdnws-Fd
July 13, 2025 at 6:06 PM
kpatch enables runtime kernel function patching by injecting precompiled replacement functions directly into the live kernel

It's built on the `CONFIG_LIVEPATCH` infrastructure and uses `ftrace` to reroute function calls at runtime

https://ku.bz/-mXRJ9kzM
July 11, 2025 at 6:11 PM
Gatekeeper's `k8sallowedrepos` can be bypassed if repo entries lack a trailing `/`

Attackers exploit prefix matching to pull images from fake subdomains like `myrepo.io.attacker.com`. Aqua shows real examples, a fixed v2 policy, and Trivy detection

https://ku.bz/fYQfsmHt-
July 10, 2025 at 6:11 PM
Learn how Beelzebub runs honeypots inside your Kubernetes cluster to detect lateral movement

It fakes real services, captures attacker commands like `docker ps` or `ls`, and logs them for analysis via Grafana or fluentd

https://ku.bz/W4M7dx2xy
July 8, 2025 at 6:06 PM
Kubewarden deploys as an admission controller, loading user-defined WebAssembly policies that inspect and validate API requests in real time

It enforces resource compliance before persistence, supporting custom logic and dynamic updates cluster-wide

https://ku.bz/C4jG7w4J6
July 5, 2025 at 6:06 PM
Overlock is a Kubernetes controller that continuously scans cluster resources and events using custom policies

It generates alerts or triggers webhooks on violations, enabling automated, real-time detection of misconfigurations and security issues

https://ku.bz/4fssS2nJP
July 3, 2025 at 6:11 PM
Security research exposes critical OPA Gatekeeper vulnerabilities: Attackers can bypass misconfigured repository policies through subdomain manipulation, enabling unauthorized container image deployments across cloud environments

https://ku.bz/8hr1BhMf3
June 29, 2025 at 6:06 PM
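The `k8sallowedrepos` bypass described in the August 10, July 11 and June 29 posts above comes down to a bare prefix match: an allowed entry `myrepo.io` with no trailing `/` also matches `myrepo.io.attacker.com/...`. The Go below is an added illustration written for this page, not code from Gatekeeper, Aqua or the linked v2 policy; it reproduces the weak check, then a hardened variant that normalizes every allowed entry to end in `/` so the match can only stop at a path boundary. The allowed-repo list and the pod images are constructed sample data, and the function names are my own.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample allow-list: the entry lacks the trailing "/" that the
// posts above identify as the root cause of the bypass.
var allowedRepos = []string{"myrepo.io"}

// checkPrefixOnly mirrors the weak logic: a plain "starts with" test against
// each allowed entry. "myrepo.io.attacker.com/app" starts with "myrepo.io",
// so the lookalike host is accepted.
func checkPrefixOnly(image string, repos []string) bool {
	for _, r := range repos {
		if strings.HasPrefix(image, r) {
			return true
		}
	}
	return false
}

// normalizeRepo forces a trailing "/" on an allowed entry so that the prefix
// can only match up to a path separator, never a longer hostname that merely
// begins with the same characters.
func normalizeRepo(r string) string {
	if strings.HasSuffix(r, "/") {
		return r
	}
	return r + "/"
}

// checkHardened is the corrected test: same prefix comparison, but against the
// normalized entry.
func checkHardened(image string, repos []string) bool {
	for _, r := range repos {
		if strings.HasPrefix(image, normalizeRepo(r)) {
			return true
		}
	}
	return false
}

// violations returns the images from a pod spec that the given check rejects,
// which is what an admission policy would report back to the API server.
func violations(images []string, repos []string, check func(string, []string) bool) []string {
	var bad []string
	for _, img := range images {
		if !check(img, repos) {
			bad = append(bad, img)
		}
	}
	return bad
}

func main() {
	// Constructed pod images: one legitimate, one lookalike host, one from
	// a registry that is not on the allow-list at all.
	images := []string{
		"myrepo.io/app:1.2",
		"myrepo.io.attacker.com/app:1.2",
		"docker.io/library/nginx:latest",
	}
	fmt.Println("prefix-only violations:", violations(images, allowedRepos, checkPrefixOnly))
	fmt.Println("hardened violations:   ", violations(images, allowedRepos, checkHardened))
}
```

Running it shows the prefix-only check rejecting only the `docker.io` image while letting the lookalike host through, and the hardened check rejecting both. Note that an image reference with no registry host at all (for example `nginx:latest`, which resolves to Docker Hub) is rejected by both variants here, so allow-lists need to spell out the default registry explicitly rather than rely on that implicit resolution.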