Discover and read the best of Twitter Threads about #GKE

Mounting a #Kubernetes service account to a pod with permissions to deploy other pods implies that if your app has RCE, a threat actor will be able to infect other Services in the cluster (yes, even if you use strict PSPs) #KubernetesSecurity #k8s #aks #gke #eks #DevSecOps
🧵 👇
Background:
▪︎ A Service in #k8s is an object that balances HTTP requests between pods belonging to that Service
▪︎ A Service identifies its pods through a set of labels (e.g. "fancy-app: prod", "db: users", etc.)
▪︎ A pod with a label associated with a Service will become part of that Service automatically

Attack scenario:
1. A pod is mounting a service account with permissions to deploy other pods
2. A container in the pod is running a vulnerable app, providing RCE to an attacker
Read 6 tweets
Kubernetes and container security can be hard. We hear you. That's why #GKE now provides built-in workload security posture management in public preview.
cloud.google.com/blog/products/…

🧵Let's dive in!
Once enabled for your clusters, GKE security posture scans your workloads on two dimensions:
- Misconfigurations (comparing against CNCF pod spec security standards)
- OS level CVE vulnerabilities

These are surfaced in a snazzy dashboard with opinionated severity ratings.
Drill down and slice and dice to find the concerns that matter most.
Read 8 tweets
