#security-incidents — Today at 4:47 AM 🚨 @channel CRITICAL SECURITY INCIDENT Defender for Cloud detected cryptomining activity on aks-prod-eastus. Pod 'web-proxy-7f8d9' in namespace 'default' is communicating with known C2 server at 185.x.x.x. Containment in progress. #security-incidents — Today at 4:47 AM 🚨 @channel CRITICAL SECURITY INCIDENT Defender for Cloud detected cryptomining activity on aks-prod-eastus. Pod 'web-proxy-7f8d9' in namespace 'default' is communicating with known C2 server at 185.x.x.x. Containment in progress. #security-incidents — Today at 4:47 AM 🚨 @channel CRITICAL SECURITY INCIDENT Defender for Cloud detected cryptomining activity on aks-prod-eastus. Pod 'web-proxy-7f8d9' in namespace 'default' is communicating with known C2 server at 185.x.x.x. Containment in progress. Traditional: Code → Build → Test → ████ SECURITY GATE ████ → Deploy → 😱 (3-week bottleneck) DevSecOps: 🔒IDE 🔒PreCommit 🔒PR Gate 🔒Build 🔒Deploy 🔒Runtime Secret SAST Full SAST Container Admission WAF detection lint SCA scan image control Runtime in editor Dependency scanning Image protection audit SBOM signing Traditional: Code → Build → Test → ████ SECURITY GATE ████ → Deploy → 😱 (3-week bottleneck) DevSecOps: 🔒IDE 🔒PreCommit 🔒PR Gate 🔒Build 🔒Deploy 🔒Runtime Secret SAST Full SAST Container Admission WAF detection lint SCA scan image control Runtime in editor Dependency scanning Image protection audit SBOM signing Traditional: Code → Build → Test → ████ SECURITY GATE ████ → Deploy → 😱 (3-week bottleneck) DevSecOps: 🔒IDE 🔒PreCommit 🔒PR Gate 🔒Build 🔒Deploy 🔒Runtime Secret SAST Full SAST Container Admission WAF detection lint SCA scan image control Runtime in editor Dependency scanning Image protection audit SBOM signing 📦 SolarWinds (2020): Attackers compromised the BUILD SYSTEM. Backdoored code was part of the signed, legitimate update. 18,000 organizations affected. 📦 Codecov (2021): Attackers modified a bash uploader script. CI/CD pipelines sent environment variables (including secrets) to attacker's server. 📦 ua-parser-js (2021): Maintainer's npm account was compromised. Malicious version published to npm. Installed cryptominer and password stealer. 7M+ weekly downloads affected. 📦 Log4Shell (2021): CVE in Log4j library. Remote code execution via a LOG MESSAGE. If your app logged user input (almost all do) → instant remote access. 📦 SolarWinds (2020): Attackers compromised the BUILD SYSTEM. Backdoored code was part of the signed, legitimate update. 18,000 organizations affected. 📦 Codecov (2021): Attackers modified a bash uploader script. CI/CD pipelines sent environment variables (including secrets) to attacker's server. 📦 ua-parser-js (2021): Maintainer's npm account was compromised. Malicious version published to npm. Installed cryptominer and password stealer. 7M+ weekly downloads affected. 📦 Log4Shell (2021): CVE in Log4j library. Remote code execution via a LOG MESSAGE. If your app logged user input (almost all do) → instant remote access. 📦 SolarWinds (2020): Attackers compromised the BUILD SYSTEM. Backdoored code was part of the signed, legitimate update. 18,000 organizations affected. 📦 Codecov (2021): Attackers modified a bash uploader script. CI/CD pipelines sent environment variables (including secrets) to attacker's server. 📦 ua-parser-js (2021): Maintainer's npm account was compromised. Malicious version published to npm. Installed cryptominer and password stealer. 7M+ weekly downloads affected. 📦 Log4Shell (2021): CVE in Log4j library. Remote code execution via a LOG MESSAGE. If your app logged user input (almost all do) → instant remote access. Source Code Build Process Dependencies │ │ │ ▼ ▼ ▼ Attack: Attack: Attack: Unauthorized Tampered build Malicious package code change Compromised runner Typosquatting Dependency confusion │ │ │ ▼ ▼ ▼ Defense: Defense: Defense: Signed commits Ephemeral runners Lock files (always) Branch protection Reproducible builds Dependabot / Snyk PR reviews Provenance Private registry CODEOWNERS attestation Version pinning Source Code Build Process Dependencies │ │ │ ▼ ▼ ▼ Attack: Attack: Attack: Unauthorized Tampered build Malicious package code change Compromised runner Typosquatting Dependency confusion │ │ │ ▼ ▼ ▼ Defense: Defense: Defense: Signed commits Ephemeral runners Lock files (always) Branch protection Reproducible builds Dependabot / Snyk PR reviews Provenance Private registry CODEOWNERS attestation Version pinning Source Code Build Process Dependencies │ │ │ ▼ ▼ ▼ Attack: Attack: Attack: Unauthorized Tampered build Malicious package code change Compromised runner Typosquatting Dependency confusion │ │ │ ▼ ▼ ▼ Defense: Defense: Defense: Signed commits Ephemeral runners Lock files (always) Branch protection Reproducible builds Dependabot / Snyk PR reviews Provenance Private registry CODEOWNERS attestation Version pinning # 1. Always use scoped packages with registry mapping echo "@company:registry=https://company.pkgs.dev.azure.com/_packaging/feed/npm/registry/" > .npmrc # 2. Use npm audit and lockfile-lint npx lockfile-lint --path package-lock.json --type npm \ --allowed-hosts npm company.pkgs.dev.azure.com # 3. Enable upstream source restrictions in Azure Artifacts # Only allow specific public packages, not everything # 1. Always use scoped packages with registry mapping echo "@company:registry=https://company.pkgs.dev.azure.com/_packaging/feed/npm/registry/" > .npmrc # 2. Use npm audit and lockfile-lint npx lockfile-lint --path package-lock.json --type npm \ --allowed-hosts npm company.pkgs.dev.azure.com # 3. Enable upstream source restrictions in Azure Artifacts # Only allow specific public packages, not everything # 1. Always use scoped packages with registry mapping echo "@company:registry=https://company.pkgs.dev.azure.com/_packaging/feed/npm/registry/" > .npmrc # 2. Use npm audit and lockfile-lint npx lockfile-lint --path package-lock.json --type npm \ --allowed-hosts npm company.pkgs.dev.azure.com # 3. Enable upstream source restrictions in Azure Artifacts # Only allow specific public packages, not everything App → Azure Resource? Use MANAGED IDENTITY "Hey Azure, I'm this VM. Give me access to that SQL database." "OK, you're registered. Here's a short-lived token." → No password stored anywhere. Ever. K8s Pod → Azure Resource? Use WORKLOAD IDENTITY "Hey Azure, I'm this Kubernetes service account." "OK, your identity is federated. Here's a token." → No secret in the pod. No secret in Key Vault. Nothing to rotate. CI/CD → Azure? Use OIDC FEDERATION "Hey Azure, I'm this GitHub Actions workflow." "OK, your repo and branch are verified. Here's a token." → No client secret. Token lives for minutes. App → Azure Resource? Use MANAGED IDENTITY "Hey Azure, I'm this VM. Give me access to that SQL database." "OK, you're registered. Here's a short-lived token." → No password stored anywhere. Ever. K8s Pod → Azure Resource? Use WORKLOAD IDENTITY "Hey Azure, I'm this Kubernetes service account." "OK, your identity is federated. Here's a token." → No secret in the pod. No secret in Key Vault. Nothing to rotate. CI/CD → Azure? Use OIDC FEDERATION "Hey Azure, I'm this GitHub Actions workflow." "OK, your repo and branch are verified. Here's a token." → No client secret. Token lives for minutes. App → Azure Resource? Use MANAGED IDENTITY "Hey Azure, I'm this VM. Give me access to that SQL database." "OK, you're registered. Here's a short-lived token." → No password stored anywhere. Ever. K8s Pod → Azure Resource? Use WORKLOAD IDENTITY "Hey Azure, I'm this Kubernetes service account." "OK, your identity is federated. Here's a token." → No secret in the pod. No secret in Key Vault. Nothing to rotate. CI/CD → Azure? Use OIDC FEDERATION "Hey Azure, I'm this GitHub Actions workflow." "OK, your repo and branch are verified. Here's a token." → No client secret. Token lives for minutes. Azure Key Vault Configuration (non-negotiable settings): ✅ Soft delete: Enabled (30 day retention) ✅ Purge protection: Enabled (can't permanently delete) ✅ Network access: Private Endpoint ONLY (no public) ✅ Access model: RBAC (not access policies) ✅ Diagnostics: All logs → Log Analytics ✅ Rotation: Automated where possible Azure Key Vault Configuration (non-negotiable settings): ✅ Soft delete: Enabled (30 day retention) ✅ Purge protection: Enabled (can't permanently delete) ✅ Network access: Private Endpoint ONLY (no public) ✅ Access model: RBAC (not access policies) ✅ Diagnostics: All logs → Log Analytics ✅ Rotation: Automated where possible Azure Key Vault Configuration (non-negotiable settings): ✅ Soft delete: Enabled (30 day retention) ✅ Purge protection: Enabled (can't permanently delete) ✅ Network access: Private Endpoint ONLY (no public) ✅ Access model: RBAC (not access policies) ✅ Diagnostics: All logs → Log Analytics ✅ Rotation: Automated where possible # Better: Secrets Store CSI Driver (mounts Key Vault secrets as files) apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: azure-kv-secrets spec: provider: azure parameters: keyvaultName: "kv-prod-eastus" objects: | array: - | objectName: db-connection-string objectType: secret tenantId: "xxx" secretObjects: # Also sync to K8s secret (if needed by app) - secretName: db-secret type: Opaque data: - objectName: db-connection-string key: connectionString # Better: Secrets Store CSI Driver (mounts Key Vault secrets as files) apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: azure-kv-secrets spec: provider: azure parameters: keyvaultName: "kv-prod-eastus" objects: | array: - | objectName: db-connection-string objectType: secret tenantId: "xxx" secretObjects: # Also sync to K8s secret (if needed by app) - secretName: db-secret type: Opaque data: - objectName: db-connection-string key: connectionString # Better: Secrets Store CSI Driver (mounts Key Vault secrets as files) apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: azure-kv-secrets spec: provider: azure parameters: keyvaultName: "kv-prod-eastus" objects: | array: - | objectName: db-connection-string objectType: secret tenantId: "xxx" secretObjects: # Also sync to K8s secret (if needed by app) - secretName: db-secret type: Opaque data: - objectName: db-connection-string key: connectionString commit a1b2c3d Author: [email protected] Message: "add database config" +DATABASE_URL=postgresql://admin:SuperSecretP@[email protected]:5432/payments commit a1b2c3d Author: [email protected] Message: "add database config" +DATABASE_URL=postgresql://admin:SuperSecretP@[email protected]:5432/payments commit a1b2c3d Author: [email protected] Message: "add database config" +DATABASE_URL=postgresql://admin:SuperSecretP@[email protected]:5432/payments # Prevention Layer 1: Pre-commit hooks # .pre-commit-config.yaml repos: - repo: https://github.com/gitleaks/gitleaks rev: v8.18.0 hooks: - id: gitleaks # Prevention Layer 2: GitHub Secret Scanning (free!) # Settings → Code security → Secret scanning → Enable # Prevention Layer 3: Pipeline check - name: Scan for secrets run: | gitleaks detect --source . --verbose if [ $? -ne 0 ]; then echo "🚨 Secrets detected in code! Fix before merging." exit 1 fi # Prevention Layer 1: Pre-commit hooks # .pre-commit-config.yaml repos: - repo: https://github.com/gitleaks/gitleaks rev: v8.18.0 hooks: - id: gitleaks # Prevention Layer 2: GitHub Secret Scanning (free!) # Settings → Code security → Secret scanning → Enable # Prevention Layer 3: Pipeline check - name: Scan for secrets run: | gitleaks detect --source . --verbose if [ $? -ne 0 ]; then echo "🚨 Secrets detected in code! Fix before merging." exit 1 fi # Prevention Layer 1: Pre-commit hooks # .pre-commit-config.yaml repos: - repo: https://github.com/gitleaks/gitleaks rev: v8.18.0 hooks: - id: gitleaks # Prevention Layer 2: GitHub Secret Scanning (free!) # Settings → Code security → Secret scanning → Enable # Prevention Layer 3: Pipeline check - name: Scan for secrets run: | gitleaks detect --source . --verbose if [ $? -ne 0 ]; then echo "🚨 Secrets detected in code! Fix before merging." exit 1 fi $ trivy image myapp:latest myapp:latest (debian 12.4) ═══════════════════════════════════════ Total: 142 (CRITICAL: 3, HIGH: 28, MEDIUM: 67, LOW: 44) ┌──────────────┬──────────────────┬──────────┬────────────────────┐ │ Library │ Vulnerability │ Severity │ Fixed Version │ ├──────────────┼──────────────────┼──────────┼────────────────────┤ │ libssl3 │ CVE-2024-XXXX │ CRITICAL │ 3.0.13-1 │ │ libcurl4 │ CVE-2024-YYYY │ CRITICAL │ 7.88.1-10+deb12u5 │ │ zlib1g │ CVE-2024-ZZZZ │ HIGH │ 1.2.13+dfsg-1 │ └──────────────┴──────────────────┴──────────┴────────────────────┘ $ trivy image myapp:latest myapp:latest (debian 12.4) ═══════════════════════════════════════ Total: 142 (CRITICAL: 3, HIGH: 28, MEDIUM: 67, LOW: 44) ┌──────────────┬──────────────────┬──────────┬────────────────────┐ │ Library │ Vulnerability │ Severity │ Fixed Version │ ├──────────────┼──────────────────┼──────────┼────────────────────┤ │ libssl3 │ CVE-2024-XXXX │ CRITICAL │ 3.0.13-1 │ │ libcurl4 │ CVE-2024-YYYY │ CRITICAL │ 7.88.1-10+deb12u5 │ │ zlib1g │ CVE-2024-ZZZZ │ HIGH │ 1.2.13+dfsg-1 │ └──────────────┴──────────────────┴──────────┴────────────────────┘ $ trivy image myapp:latest myapp:latest (debian 12.4) ═══════════════════════════════════════ Total: 142 (CRITICAL: 3, HIGH: 28, MEDIUM: 67, LOW: 44) ┌──────────────┬──────────────────┬──────────┬────────────────────┐ │ Library │ Vulnerability │ Severity │ Fixed Version │ ├──────────────┼──────────────────┼──────────┼────────────────────┤ │ libssl3 │ CVE-2024-XXXX │ CRITICAL │ 3.0.13-1 │ │ libcurl4 │ CVE-2024-YYYY │ CRITICAL │ 7.88.1-10+deb12u5 │ │ zlib1g │ CVE-2024-ZZZZ │ HIGH │ 1.2.13+dfsg-1 │ └──────────────┴──────────────────┴──────────┴────────────────────┘ # 1. Use minimal base images FROM node:20-alpine # ✅ Alpine = ~5MB base # NOT FROM node:20 # ❌ Full Debian = ~350MB + 200 CVEs # 2. Don't run as root RUN addgroup -S app && adduser -S app -G app USER app # ✅ Run as non-root user # 3. Multi-stage builds (don't ship build tools) FROM node:20-alpine AS builder WORKDIR /app COPY package*.json ./ RUN npm ci COPY . . RUN npm run build FROM node:20-alpine AS runtime COPY --from=builder /app/dist /app/dist COPY --from=builder /app/node_modules /app/node_modules USER 1000 # Non-root EXPOSE 8080 CMD ["node", "/app/dist/index.js"] # 4. Pin versions and use digests in production FROM node:20.11.1-alpine3.19@sha256:abc123... # Immutable reference # 1. Use minimal base images FROM node:20-alpine # ✅ Alpine = ~5MB base # NOT FROM node:20 # ❌ Full Debian = ~350MB + 200 CVEs # 2. Don't run as root RUN addgroup -S app && adduser -S app -G app USER app # ✅ Run as non-root user # 3. Multi-stage builds (don't ship build tools) FROM node:20-alpine AS builder WORKDIR /app COPY package*.json ./ RUN npm ci COPY . . RUN npm run build FROM node:20-alpine AS runtime COPY --from=builder /app/dist /app/dist COPY --from=builder /app/node_modules /app/node_modules USER 1000 # Non-root EXPOSE 8080 CMD ["node", "/app/dist/index.js"] # 4. Pin versions and use digests in production FROM node:20.11.1-alpine3.19@sha256:abc123... # Immutable reference # 1. Use minimal base images FROM node:20-alpine # ✅ Alpine = ~5MB base # NOT FROM node:20 # ❌ Full Debian = ~350MB + 200 CVEs # 2. Don't run as root RUN addgroup -S app && adduser -S app -G app USER app # ✅ Run as non-root user # 3. Multi-stage builds (don't ship build tools) FROM node:20-alpine AS builder WORKDIR /app COPY package*.json ./ RUN npm ci COPY . . RUN npm run build FROM node:20-alpine AS runtime COPY --from=builder /app/dist /app/dist COPY --from=builder /app/node_modules /app/node_modules USER 1000 # Non-root EXPOSE 8080 CMD ["node", "/app/dist/index.js"] # 4. Pin versions and use digests in production FROM node:20.11.1-alpine3.19@sha256:abc123... # Immutable reference Hour 0: CVE published Hour 2: Exploit code on GitHub Hour 6: Mass scanning across the internet Hour 12: "Is our app vulnerable?" "Uh... we don't know" Hour 24: Still manually checking every service Hour 48: "We THINK we found all instances..." Hour 72: Third-party vendor says they were affected too Hour 0: CVE published Hour 2: Exploit code on GitHub Hour 6: Mass scanning across the internet Hour 12: "Is our app vulnerable?" "Uh... we don't know" Hour 24: Still manually checking every service Hour 48: "We THINK we found all instances..." Hour 72: Third-party vendor says they were affected too Hour 0: CVE published Hour 2: Exploit code on GitHub Hour 6: Mass scanning across the internet Hour 12: "Is our app vulnerable?" "Uh... we don't know" Hour 24: Still manually checking every service Hour 48: "We THINK we found all instances..." Hour 72: Third-party vendor says they were affected too # Automated scan found it in 30 minutes $ trivy image payment-service:v2.1.0 payment-service:v2.1.0 (java) ┌───────────────┬─────────────────┬──────────┐ │ Library │ Vulnerability │ Severity │ ├───────────────┼─────────────────┼──────────┤ │ log4j-core │ CVE-2021-44228 │ CRITICAL │ │ 2.14.1 │ │ │ └───────────────┴─────────────────┴──────────┘ # SBOM showed exactly which services used Log4j $ grype sbom:payment-service.spdx.json → payment-service: AFFECTED → user-service: NOT affected → notification-service: AFFECTED (transitive dependency!) # Automated scan found it in 30 minutes $ trivy image payment-service:v2.1.0 payment-service:v2.1.0 (java) ┌───────────────┬─────────────────┬──────────┐ │ Library │ Vulnerability │ Severity │ ├───────────────┼─────────────────┼──────────┤ │ log4j-core │ CVE-2021-44228 │ CRITICAL │ │ 2.14.1 │ │ │ └───────────────┴─────────────────┴──────────┘ # SBOM showed exactly which services used Log4j $ grype sbom:payment-service.spdx.json → payment-service: AFFECTED → user-service: NOT affected → notification-service: AFFECTED (transitive dependency!) # Automated scan found it in 30 minutes $ trivy image payment-service:v2.1.0 payment-service:v2.1.0 (java) ┌───────────────┬─────────────────┬──────────┐ │ Library │ Vulnerability │ Severity │ ├───────────────┼─────────────────┼──────────┤ │ log4j-core │ CVE-2021-44228 │ CRITICAL │ │ 2.14.1 │ │ │ └───────────────┴─────────────────┴──────────┘ # SBOM showed exactly which services used Log4j $ grype sbom:payment-service.spdx.json → payment-service: AFFECTED → user-service: NOT affected → notification-service: AFFECTED (transitive dependency!) # Generate SBOM during build syft myapp:latest -o spdx-json > sbom.spdx.json # Attach SBOM to container image as attestation cosign attest --predicate sbom.spdx.json myacr.azurecr.io/myapp:v2.1.0 # Later: scan the SBOM for vulnerabilities grype sbom:sbom.spdx.json # Generate SBOM during build syft myapp:latest -o spdx-json > sbom.spdx.json # Attach SBOM to container image as attestation cosign attest --predicate sbom.spdx.json myacr.azurecr.io/myapp:v2.1.0 # Later: scan the SBOM for vulnerabilities grype sbom:sbom.spdx.json # Generate SBOM during build syft myapp:latest -o spdx-json > sbom.spdx.json # Attach SBOM to container image as attestation cosign attest --predicate sbom.spdx.json myacr.azurecr.io/myapp:v2.1.0 # Later: scan the SBOM for vulnerabilities grype sbom:sbom.spdx.json Traditional model: Outside firewall = untrusted 🔴 Inside firewall = trusted 🟢 ← This assumption kills you Zero-trust model: Everything = untrusted 🔴 Every request = verified ✅ Even internal services must authenticate and be authorized Traditional model: Outside firewall = untrusted 🔴 Inside firewall = trusted 🟢 ← This assumption kills you Zero-trust model: Everything = untrusted 🔴 Every request = verified ✅ Even internal services must authenticate and be authorized Traditional model: Outside firewall = untrusted 🔴 Inside firewall = trusted 🟢 ← This assumption kills you Zero-trust model: Everything = untrusted 🔴 Every request = verified ✅ Even internal services must authenticate and be authorized # Step 1: Default deny ALL traffic in namespace apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-all namespace: payments spec: podSelector: {} policyTypes: [Ingress, Egress] # Step 2: Explicitly allow only what's needed apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-api-to-payments namespace: payments spec: podSelector: matchLabels: app: payment-service policyTypes: [Ingress] ingress: - from: - namespaceSelector: matchLabels: name: api-gateway ports: - protocol: TCP port: 8080 # Step 3: Allow egress only to known destinations apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: payment-egress namespace: payments spec: podSelector: matchLabels: app: payment-service policyTypes: [Egress] egress: - to: - namespaceSelector: matchLabels: name: databases ports: - protocol: TCP port: 5432 # PostgreSQL only - to: # Allow DNS - namespaceSelector: matchLabels: kubernetes.io/metadata.name: kube-system ports: - protocol: UDP port: 53 # Step 1: Default deny ALL traffic in namespace apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-all namespace: payments spec: podSelector: {} policyTypes: [Ingress, Egress] # Step 2: Explicitly allow only what's needed apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-api-to-payments namespace: payments spec: podSelector: matchLabels: app: payment-service policyTypes: [Ingress] ingress: - from: - namespaceSelector: matchLabels: name: api-gateway ports: - protocol: TCP port: 8080 # Step 3: Allow egress only to known destinations apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: payment-egress namespace: payments spec: podSelector: matchLabels: app: payment-service policyTypes: [Egress] egress: - to: - namespaceSelector: matchLabels: name: databases ports: - protocol: TCP port: 5432 # PostgreSQL only - to: # Allow DNS - namespaceSelector: matchLabels: kubernetes.io/metadata.name: kube-system ports: - protocol: UDP port: 53 # Step 1: Default deny ALL traffic in namespace apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-all namespace: payments spec: podSelector: {} policyTypes: [Ingress, Egress] # Step 2: Explicitly allow only what's needed apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-api-to-payments namespace: payments spec: podSelector: matchLabels: app: payment-service policyTypes: [Ingress] ingress: - from: - namespaceSelector: matchLabels: name: api-gateway ports: - protocol: TCP port: 8080 # Step 3: Allow egress only to known destinations apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: payment-egress namespace: payments spec: podSelector: matchLabels: app: payment-service policyTypes: [Egress] egress: - to: - namespaceSelector: matchLabels: name: databases ports: - protocol: TCP port: 5432 # PostgreSQL only - to: # Allow DNS - namespaceSelector: matchLabels: kubernetes.io/metadata.name: kube-system ports: - protocol: UDP port: 53 # Kyverno policy: Block containers running as root apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: require-non-root spec: validationFailureAction: Enforce rules: - name: check-non-root match: any: - resources: kinds: ["Pod"] validate: message: "Containers must not run as root. Set runAsNonRoot: true" pattern: spec: containers: - securityContext: runAsNonRoot: true # Kyverno policy: Block containers running as root apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: require-non-root spec: validationFailureAction: Enforce rules: - name: check-non-root match: any: - resources: kinds: ["Pod"] validate: message: "Containers must not run as root. Set runAsNonRoot: true" pattern: spec: containers: - securityContext: runAsNonRoot: true # Kyverno policy: Block containers running as root apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: require-non-root spec: validationFailureAction: Enforce rules: - name: check-non-root match: any: - resources: kinds: ["Pod"] validate: message: "Containers must not run as root. Set runAsNonRoot: true" pattern: spec: containers: - securityContext: runAsNonRoot: true What happens when you try to deploy as root: $ kubectl apply -f bad-deployment.yaml Error from server: admission webhook "validate.kyverno.svc-fail" denied the request: resource Deployment/default/bad-app was blocked due to the following policies: require-non-root: check-non-root: 'Containers must not run as root. Set runAsNonRoot: true' # THE GATE HELD. 🛡️ What happens when you try to deploy as root: $ kubectl apply -f bad-deployment.yaml Error from server: admission webhook "validate.kyverno.svc-fail" denied the request: resource Deployment/default/bad-app was blocked due to the following policies: require-non-root: check-non-root: 'Containers must not run as root. Set runAsNonRoot: true' # THE GATE HELD. 🛡️ What happens when you try to deploy as root: $ kubectl apply -f bad-deployment.yaml Error from server: admission webhook "validate.kyverno.svc-fail" denied the request: resource Deployment/default/bad-app was blocked due to the following policies: require-non-root: check-non-root: 'Containers must not run as root. Set runAsNonRoot: true' # THE GATE HELD. 🛡️ - Developer commits connection string with password to Git - Code review misses it (reviewer focused on logic, not config) - PR merged to main - 6 months later, company enables GitHub's public visibility for the repo (for open-sourcing) - Bot scrapes public GitHub repos for credentials → finds the password - Database compromised within 4 hours - Rotate the secret immediately (change the password) - Revoke the old secret (disable old connection string) - Audit access logs (did anyone use the leaked credential?) - Rewrite Git history (the commit is forever in history otherwise) - Supply chain attacks are the new frontier — SBOMs, image signing, and dependency pinning aren't optional - Eliminate secrets first (Managed Identity, OIDC), vault them second, never commit them - Container images are attack surface — minimal base images, non-root, scan everything - Network Policies = micro-segmentation — default deny, explicit allow - Shift-left doesn't mean dump security on developers — automate it in the pipeline - Pre-commit hooks catch secrets BEFORE they're in Git history — where they live forever - Run gitleaks detect --source . on your repo right now. Fix what you find. - Run trivy image <your-production-image> — count the CRITICAL vulnerabilities. - Check if your production Kubernetes namespaces have Network Policies: kubectl get networkpolicies -A - Find one service using service principal + client secret. Replace it with Managed Identity.