This week's articles
Supply Chain Attack as Code
#attack, #supply-chain, #terraform
TL;DR: Limit the use of third-party Terraform modules, and if you do use them, stick to the "Verified" ones.
Auditing GKE operations? Configure Data Access audit logs
#gcp, #kubernetes, #monitor
The GKE Admin Activity logs do not record "get" operations on Secret objects by default. So, for example, if you store a service account password in your cluster as a Kubernetes Secret, a "kubectl get secret service_account_password -o yaml" hands an attacker the entire secret without a single line being written to the audit logs. Enabling Data Access audit logs closes this gap.
How to Make Package Signing Useful
The benefits and limitations of signing an open-source package (using a private key to create a unique digital signature) are a surprisingly contentious topic.
Dynamic Policy Composition for OPA
How to compose policies based on dynamic attributes supplied with the request when querying Open Policy Agent (OPA) for decisions.