#security (2023-09)

Archive: https://archive.sweetops.com/security/

2023-09-18

venkata.mutyala avatar
venkata.mutyala
05:29:09 AM

https://www.paloaltonetworks.com/blog/prisma-cloud/unpinnable-actions-github-security/

Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows

Action pinning doesn’t always offer security. Understand risks stemming from the GitHub Actions ecosystem and learn how to avoid compromise of CI/CD pipeline.

2023-09-19

Sean avatar
Sean
09:29:25 PM

Q: For access to Kubernetes APIs (for kubectl, helmfile, k9s, …) do you allow access direct from your engineers local machines (laptops) or do you require them to jump into a bastion or other host (via SSH, SSM, InstanceConnect, …)?

david avatar
david
10:57:25 PM

I lean towards don’t grant any access and rely on your dashboarding, logging, gitops, other visibility tools so they don’t need kubectl access.

For those that absolutely need it, some sort of jump makes sense (our EKS control planes are private). So SSM, tailscale, other zero trust app would be best.

Ayman avatar
Ayman
07:13:42 PM

I echo the above.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
06:27:17 PM

Teleport

1
Alanis Swanepoel avatar
Alanis Swanepoel
04:38:33 PM

+1 for teleport

2023-09-21

    keyboard_arrow_up