Kubernetes: Master Post

我有几篇关于Kubernetes的文章即将发布，本文将作为主索引文章提供相关主题的参考资料。如果我遗漏了任何博客文章或有用的资源，请通过此处或Twitter联系我。

值得观看的Kubernetes相关演讲：

Hacking and Hardening Kubernetes Clusters by Example [I] - Brad Geesaman
https://www.youtube.com/watch?v=vTgQLzeBfRU
https://github.com/bgeesaman/
https://github.com/bgeesaman/hhkbe [上述演讲的演示代码]
https://schd.ws/hosted_files/kccncna17/d8/Hacking%20and%20Hardening%20Kubernetes%20By%20Example%20v2.pdf [幻灯片]

Perfect Storm Taking the Helm of Kubernetes - Ian Coldwater
https://www.youtube.com/watch?v=1k-GIDXgfLw

A Hacker’s Guide to Kubernetes and the Cloud - Rory McCune
https://www.youtube.com/watch?v=dxKpCO2dAy8

Shipping in Pirate-Infested Waters: Practical Attack and Defense in Kubernetes
https://www.youtube.com/watch?v=ohTq0no0ZVU

他人撰写的博客文章：

https://techbeacon.com/hackers-guide-kubernetes-security
https://elweb.co/the-security-footgun-in-etcd/
https://www.4armed.com/blog/hacking-kubelet-on-gke/
https://www.4armed.com/blog/kubeletmein-kubelet-hacking-tool/
https://www.4armed.com/blog/hacking-digitalocean-kubernetes/
https://github.com/freach/kubernetes-security-best-practice
https://neuvector.com/container-security/kubernetes-security-guide/
https://medium.com/@pczarkowski/the-kubernetes-api-call-is-coming-from-inside-the-cluster-f1a115bd2066
https://blog.intothesymmetry.com/2018/12/persistent-xsrf-on-kubernetes-dashboard.html
https://raesene.github.io/blog/2016/10/14/Kubernetes-Attack-Surface-cAdvisor/
https://raesene.github.io/blog/2017/05/01/Kubernetes-Security-etcd/
https://raesene.github.io/blog/2017/04/02/Kubernetes-Service-Tokens/
https://www.cyberark.com/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions/
https://labs.mwrinfosecurity.com/blog/attacking-kubernetes-through-kubelet/
https://blog.ropnop.com/attacking-default-installs-of-helm-on-kubernetes/

审计工具：

https://github.com/Shopify/kubeaudit
https://github.com/aquasecurity/kube-bench
https://github.com/aquasecurity/kube-hunter

CVE-2018-1002105 相关资源：

https://blog.appsecco.com/analysing-and-exploiting-kubernetes-apiserver-vulnerability-cve-2018-1002105-3150d97b24bb
https://gravitational.com/blog/kubernetes-websocket-upgrade-security-vulnerability/
https://github.com/gravitational/cve-2018-1002105
https://github.com/evict/poc_CVE-2018-1002105

CG 文章：

开放 Etcd：http://carnal0wnage.attackresearch.com/2019/01/kubernetes-open-etcd.html
使用 kube-hunter 检测 Etcd：http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kube-hunterpy-etcd.html
cAdvisor：http://carnal0wnage.attackresearch.com/2019/01/kubernetes-cadvisor.html

Kubernetes 端口列表：https://carnal0wnage.attackresearch.com/2019/01/kubernetes-list-of-ports.html
Kubernetes 仪表板：http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kubernetes-dashboard.html
Kubelet 10255：https://carnal0wnage.attackresearch.com/2019/01/kubernetes-kube-hunter-10255.html
Kubelet 10250
     - 容器日志：http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kubelet-api-containerlogs.html
     - 获取 shell 方法1：https://carnal0wnage.attackresearch.com/2019/01/kubernetes-unauth-kublet-api-10250.html
     - 获取 shell 方法2：https://carnal0wnage.attackresearch.com/2019/01/kubernetes-unauth-kublet-api-10250_16.html

云元数据URL与Kubernetes

• 将在发布后更新