This week's articles
Diving Deeply into IAM Policy Evaluation
#aws, #explain, #iam
A post that works through confounding conditions, double and triple negatives, and matched and unmatched principals to build a more accurate model of how IAM evaluates permissions internally.
What your scanner doesn't know **can** hurt you
This post explains how most container vulnerability scanners work and highlights a few challenges with this approach that can lead to blind spots in your infrastructure.
Kubernetes 1.25: alpha support for running Pods with user namespaces
This is a major improvement for running secure workloads in Kubernetes. Each pod will have access only to a limited subset of the available UIDs and GIDs on the system, adding a new security layer that protects it from other pods running on the same system.