offsec notes
登录以解锁更多功能。
* Complications of talking about Kubernetes security
* Managed and unmanaged Kubernetes distributions
* Areas of discussion
* Kubernetes components and ports
- Unmanaged Kubernetes
- Managed Kubernetes
* Securing Kubernetes APIs
* Kubernetes authentication principles
- Internal Kubernetes authentication methods
- Static token authentication
- Bootstrap tokens
- X.509 client certificates
- Service account tokens
* External authentication methods
- OpenID Connect (OIDC)
- Webhook token authentication
- Authenticating proxy
- Impersonating proxy
* Authentication for other Kubernetes components
- Kubelet
- Controller manager and scheduler
- Kube-proxy
- Etcd
* Kubernetes authorization principles
* Kubernetes authorization modules
- AlwaysAllow and AlwaysDeny
- Node Authorizer
- ABAC
- RBAC
- Webhook
* Authorization for other Kubernetes components
- Kubelet
- Scheduler and Controller Manager
* Admission control overview
- Internal admission controllers
- External admission controllers
* Risks of implementing external admission control
- Using admission control for pod security
* Network trust zones
* Introduction to CNI
* Managing network access in Kubernetes
* Securing the cluster network
* Conclusion
* Appendix - Setting up a demonstration environment
* Am I Testing Keycloak?
* Keycloak Version Information
* OpenID Configuration /SAML Descriptor
* Realms (Enumeration && Self-Registration Enabled)
* Client IDs
* Scopes
* Grants
* Identity Providers
* Roles
* User Email Enumeration
Reconnaissance
/realms/realm_name/)