#security (2023-09)

Archive: https://archive.sweetops.com/security/


venkata.mutyala
Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows

Action pinning doesn’t always offer security. Understand risks stemming from the GitHub Actions ecosystem and learn how to avoid compromise of CI/CD pipeline.


Sean

Q: For access to Kubernetes APIs (for kubectl, helmfile, k9s, …) do you allow access directly from your engineers' local machines (laptops), or do you require them to jump into a bastion or other host (via SSH, SSM, InstanceConnect, …)?

david

I lean towards not granting any access and relying on your dashboarding, logging, GitOps, and other visibility tools so they don't need kubectl access.

For those that absolutely need it, some sort of jump makes sense (our EKS control planes are private). So SSM, Tailscale, or another zero-trust app would be best.

Ayman

I echo the above.

Allan Swanepoel

+1 for Teleport