This week's articles
Supply Chain Attack as Code
TL;DR: Limit the use of third-party Terraform modules, and if you do use them, prefer the ones that carry the registry's "Verified" badge and pin them to an exact version.
#attack
#supply-chain
#terraform
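To make the TL;DR concrete, here is an added example (not code from the article or from any of the module authors) of the weak and the hardened way to consume a module. The Git repository URL, the version number and the input values are illustrative assumptions; the module path `terraform-google-modules/network/google` is a real registry module from a verified (partner) namespace.

```hcl
# Weak: an unpinned module pulled straight from a Git branch (repository URL is
# hypothetical). Anyone who can push to "main" there controls what this root
# module runs on the next `terraform init -upgrade`, and nothing in the registry
# vouches for the author. Note that .terraform.lock.hcl records provider hashes
# only; module contents are not pinned by the lock file.
module "network_unpinned" {
  source = "git::https://github.com/example-org/terraform-network.git?ref=main"
}

# Better: a registry module from a known, verified namespace, pinned to one
# exact version rather than a range such as "~> 7.0". The version and the
# inputs are illustrative; check the registry page for the current release.
module "network" {
  source  = "terraform-google-modules/network/google"
  version = "7.1.0"

  project_id   = var.project_id
  network_name = "app-vpc"
  subnets      = []
}
```

Even with a pinned, verified module, read the module source before the first `terraform init` and again on every version bump: a module runs with the same credentials as your root configuration, so a `local-exec` provisioner or an `external` data source inside it can read or exfiltrate anything the pipeline can.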
Auditing GKE operations? Configure Data Access audit logs
GKE Admin Activity audit logs record only admin and write operations; reads such as "get" and "list" on Secret objects are Data Access events, which are off by default. So if you store a service account password in your cluster as a Kubernetes Secret, a "kubectl get secret service-account-password -o yaml" hands an attacker the entire secret without writing a single line to the audit logs until Data Access logging is enabled for the Kubernetes Engine API.
#gcp
#kubernetes
#monitor
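An added example of the corrected setting (not from the article): enabling Data Access audit logs for the Kubernetes Engine API at project level with the `google_project_iam_audit_config` resource of the Google Terraform provider. The project id is an assumption; the log query in the trailing comment is what the resulting secret-read event looks like in Logs Explorer.

```hcl
# Admin Activity logs are always on and free. DATA_READ / DATA_WRITE logs are
# off by default and are billed as ordinary log volume, so enable them per
# service rather than project-wide "allServices". Project id is illustrative.
resource "google_project_iam_audit_config" "gke_data_access" {
  project = "my-gke-project"
  service = "container.googleapis.com"

  # "kubectl get secret ..." is a DATA_READ on the Kubernetes API.
  audit_log_config {
    log_type = "DATA_READ"
  }

  audit_log_config {
    log_type = "DATA_WRITE"
  }
}

# Once applied, a secret read is logged under the data_access log name and can
# be found (or alerted on) with a Logs Explorer filter such as:
#   resource.type="k8s_cluster"
#   logName="projects/my-gke-project/logs/cloudaudit.googleapis.com%2Fdata_access"
#   protoPayload.methodName="io.k8s.core.v1.secrets.get"
```

The same setting can be made at folder or organization level with the corresponding `google_folder_iam_audit_config` / `google_organization_iam_audit_config` resources, which is the usual choice when clusters live in many projects; either way, verify it after apply by reading a test Secret and confirming the `secrets.get` entry appears.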
How to Make Package Signing Useful
The benefits and limitations of signing an open source package, using a private key to create a unique digital signature, are a surprisingly contentious topic.
#containers
#supply-chain
Dynamic Policy Composition for OPA
How to compose policies based on dynamic attributes provided with the request when querying Open Policy Agent (OPA) for decisions.
#explain
#opa