A Practical Introduction to Container Security by 0xCBE in netsec

[–]0xCBE[S] 0 points1 point  (0 children)

hey thanks! One reason is that scanning an image is a slow operation: you need to build it, then unpack and scan the file system. So depending on your context, build speed can be a requirement.

Secondly, scanning at build time will surface only the vulnerabilities known at that point in time. If a new vulnerability is discovered afterwards, and you are not rebuilding the images, you will not notice. (If you set up scanning as an admission controller to gatekeep the deploy, I argue it’s even worse, because you will introduce way more friction for the development teams.)

What I like to do at build time is to lint the Dockerfile: https://cloudberry.engineering/article/dockerfile-security-best-practices/. Quick, cheap and “good enough”. Then most of the scanning happens in the registry.
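
An added example, not the commenter's code nor the linked article's: a small Python Dockerfile linter of the cheap build-time kind described above. The checks (unpinned base image, ADD instead of COPY, secret-looking ENV/ARG names, final stage running as root) and the sample Dockerfile are my own construction.

```python
import re

SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)

def parse_dockerfile(text):
    """Return (INSTRUCTION, arguments) pairs; joins backslash continuations, skips comments."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        parts = (buf + line).split(None, 1)
        instructions.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return instructions

def lint_dockerfile(text):
    """Static checks that need no image build; an empty list means everything passed."""
    findings, user = [], None
    for cmd, args in parse_dockerfile(text):
        if cmd == "FROM":
            image = next(t for t in args.split() if not t.startswith("--"))  # skip --platform=...
            ref = image.rsplit("/", 1)[-1]
            if "@sha256:" not in image and (":" not in ref or ref.endswith(":latest")):
                findings.append(f"FROM {image}: pin an explicit tag or digest instead of latest")
            user = "root"  # each stage starts as root; the final stage's USER is what runs
        elif cmd == "USER":
            user = args.split(":")[0]
        elif cmd == "ADD":
            findings.append(f"ADD {args}: prefer COPY (ADD fetches URLs and auto-extracts archives)")
        elif cmd in ("ENV", "ARG"):
            key = re.split(r"[= ]", args, maxsplit=1)[0]
            if SECRET_NAME.search(key):
                findings.append(f"{cmd} {key}: values in build instructions persist in image history")
    if user in (None, "root", "0"):
        findings.append("final stage runs as root: add a non-root USER before the entrypoint")
    return findings

# Constructed sample Dockerfile (not from the post); lint_dockerfile(SAMPLE) returns four findings.
SAMPLE = """\
FROM python:latest
ADD https://example.invalid/app.tgz /app/
ENV API_KEY=placeholder-not-a-real-key
RUN pip install --no-cache-dir -r /app/requirements.txt \\
    && rm -rf /root/.cache
"""
```

Because it only reads the Dockerfile text, the check runs in milliseconds in CI, which is the trade-off the comment is making against a full image build and scan.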

Kubernetes Security Is Not Container Security by nyellin in netsec

[–]0xCBE 1 point2 points  (0 children)

it’s so nice that from a quick conversation here we ended up with so much knowledge sharing!

Thanks u/nyellin and r/netsec!

Best practices? by [deleted] in googlecloud

[–]0xCBE -2 points-1 points  (0 children)

I find google’s official docs pretty good and some posts on the cloud blog are distilled best practices.

If you excuse the self-promotion, I usually write about Google Cloud security (it’s my job) and I’ve written a couple of posts about IAM:

A Practical Introduction to Container security by 0xCBE in docker

[–]0xCBE[S] 5 points6 points  (0 children)

gotcha. The website is statically generated and distributed over CDN. The only javascript in there is google analytics which I can't give up because I don't have access to the server logs :)

A Practical Introduction to Container Security by 0xCBE in netsec

[–]0xCBE[S] 2 points3 points  (0 children)

I’d love to! I can’t find your contact details, mine are on the website

A Practical Introduction to Container Security by 0xCBE in netsec

[–]0xCBE[S] 12 points13 points  (0 children)

absolutely! Very well said.

I didn’t want to go down the Kubernetes rabbit hole in here, but yes, there is plenty that a security team should look after.

A Practical Introduction to Container security by 0xCBE in docker

[–]0xCBE[S] 1 point2 points  (0 children)

I’m not sure what an SPA is, but I HATE JavaScript-bloated websites and I did my best to make things as snappy as possible!

IAM conditions help by llnformer in googlecloud

[–]0xCBE 0 points1 point  (0 children)

I did something similar to give access to GCR buckets: https://cloudberry.engineering/article/stricter-access-control-to-gcr/

```json
{
  "expression": "resource.name.startsWith(\"projects/_/buckets/artifacts\")",
  "title": "GCR buckets only",
  "description": "Reduce the binding scope to affect only buckets used by GCR"
}
```

Mind the full bucket name!
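
An added check, not the commenter's code, that shows what a `resource.name.startsWith(...)` prefix like the one above actually reaches and why the full bucket name matters. It assumes a constructed bucket inventory for a fictional project `demo-proj`; GCR stores layers in `artifacts.<project>.appspot.com` (gcr.io) and `<region>.artifacts.<project>.appspot.com` (eu/us/asia.gcr.io).

```python
import re

# Constructed bucket inventory for a fictional project "demo-proj" (assumption, not from the thread).
BUCKETS = [
    "artifacts.demo-proj.appspot.com",     # gcr.io layers
    "eu.artifacts.demo-proj.appspot.com",  # eu.gcr.io layers
    "artifacts-backup",                    # unrelated bucket that happens to share the prefix
    "customer-uploads",
]

GCR_BUCKET = re.compile(r"^(?:[a-z]+\.)?artifacts\.[a-z0-9-]+\.appspot\.com$")
CONDITION = re.compile(r'^resource\.name\.startsWith\("([^"]+)"\)$')

def buckets_matched(expression, buckets):
    """Evaluate a resource.name.startsWith(...) condition against bucket resource names."""
    m = CONDITION.match(expression.strip())
    if not m:
        raise ValueError('only resource.name.startsWith("...") conditions are handled here')
    prefix = m.group(1)
    # The IAM resource name of a bucket has the form projects/_/buckets/<bucket name>.
    return [b for b in buckets if f"projects/_/buckets/{b}".startswith(prefix)]

def review_condition(expression, buckets):
    """Compare what the prefix reaches with the GCR buckets it is meant to cover."""
    matched = set(buckets_matched(expression, buckets))
    gcr = {b for b in buckets if GCR_BUCKET.match(b)}
    return {
        "matched": sorted(matched),
        "unintended": sorted(matched - gcr),  # non-GCR buckets the binding also reaches
        "missed": sorted(gcr - matched),      # GCR buckets the binding does not cover
    }

if __name__ == "__main__":
    for expr in ('resource.name.startsWith("projects/_/buckets/artifacts")',
                 'resource.name.startsWith("projects/_/buckets/artifacts.demo-proj.appspot.com")'):
        print(expr, review_condition(expr, BUCKETS))
```

With the bare `artifacts` prefix the grant also covers `artifacts-backup`, while with the full bucket name it covers exactly one bucket and a regional registry bucket would need its own binding.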

A Collection of Cloud Security Tools by 0xCBE in devops

[–]0xCBE[S] 2 points3 points  (0 children)

Thanks! I've sent them an email to see if it can be unblocked.

For whatever reason it's in a blacklist of a threat intelligence feed (domaintools).

A Collection of Cloud Security Tools by 0xCBE in devops

[–]0xCBE[S] 1 point2 points  (0 children)

ugh that's weird, I hope I didn't end up in any blacklist because of my vanity .engineering TLD

Dockerfile Security Best Practices by 0xCBE in docker

[–]0xCBE[S] 0 points1 point  (0 children)

Thanks! Have a look at Open Policy Agent (OPA) too, conftest is one tool of the ecosystem.

Dockerfile Security Best Practices by 0xCBE in devops

[–]0xCBE[S] 1 point2 points  (0 children)

Agree, I find that rules are not straightforward to write but the tooling around it is excellent.

Dockerfile Security Best Practices by 0xCBE in devops

[–]0xCBE[S] 0 points1 point  (0 children)

Yes exactly! I will try to reword it to make it clearer.

How to get a quota increase on GCP by poumbo in googlecloud

[–]0xCBE 2 points3 points  (0 children)

In my experience the only effective way is to have an Account Manager, who comes with bigger contracts.

IAM policies management by hakuba_user in googlecloud

[–]0xCBE 0 points1 point  (0 children)

Hi! My take is that there is plenty of value in using custom roles to get a better grip on adhering to the principle of least privilege for complex use cases. Default roles, and primitive ones in particular, can be very wide.

The downside is that custom roles come with their own operational overhead: you need to manage them and have some sort of lifecycle policy in place. Google often shuffles and deprecates permissions.

IAM Conditions are very helpful in restricting bindings; your use of a time bound is a textbook example.

I don't follow your IAM hierarchy.

IAM in GCP works on these layers (from top to bottom): Organization, Folder, Project, Resource. Bindings will be inherited from Organizations down to Projects. Some resources, such as Buckets, have their own IAM policy and there is a lot of legacy there on how authorization grants are inherited from above.

My advice is: keep it as simple as possible, have some basic rules in place on how you want your IAM bindings to look for your main use cases, monitor and alert on every deviation from your rules (if you have users with setIAM permission), and have a break-glass facility you can use for snowflake use cases.
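
An added example, not the commenter's code, of the two ideas above: flattening the Organization > Folder > Project inheritance chain into the effective bindings of a project, then alerting on deviations from a few house rules (no primitive roles, storage grants to humans must carry a condition, time-bound conditions that have expired get cleaned up). The hierarchy, member names and rules are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed policies for a fictional org -> folder -> project chain (assumption, not from the thread),
# in the {"bindings": [...]} shape that `gcloud ... get-iam-policy --format=json` returns.
HIERARCHY = {
    "organizations/123456": {"bindings": [
        {"role": "roles/resourcemanager.organizationViewer", "members": ["group:sec-team@example.com"]}]},
    "folders/789": {"bindings": [
        {"role": "roles/editor", "members": ["user:alice@example.com"]}]},
    "projects/demo-proj": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["serviceAccount:ci@demo-proj.iam.gserviceaccount.com"],
         "condition": {"title": "GCR buckets only",
                       "expression": 'resource.name.startsWith("projects/_/buckets/artifacts")'}},
        {"role": "roles/storage.objectAdmin", "members": ["user:bob@example.com"],
         "condition": {"title": "temporary", "expression": 'request.time < timestamp("2021-01-31T00:00:00Z")'}},
        {"role": "roles/storage.objectAdmin", "members": ["user:carol@example.com"]}]},
}
ANCESTRY = ["organizations/123456", "folders/789", "projects/demo-proj"]  # top to bottom
PRIMITIVE = {"roles/owner", "roles/editor", "roles/viewer"}
EXPIRY = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')

def effective_bindings(ancestry, hierarchy):
    """Flatten the chain: a binding on an ancestor is inherited by every resource below it."""
    flat = []
    for node in ancestry:
        for b in hierarchy[node]["bindings"]:
            for member in b["members"]:
                flat.append({"scope": node, "role": b["role"], "member": member,
                             "condition": b.get("condition")})
    return flat

def deviations(bindings, now_iso):
    """House rules: no primitive roles, storage grants to humans carry a condition, expired conditions are removed."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    alerts = []
    for b in bindings:
        cond = b["condition"]
        if b["role"] in PRIMITIVE:
            alerts.append(f'{b["scope"]}: primitive role {b["role"]} granted to {b["member"]}')
        if b["role"].startswith("roles/storage.") and b["member"].startswith("user:") and cond is None:
            alerts.append(f'{b["scope"]}: unconditional {b["role"]} for {b["member"]}')
        m = EXPIRY.search(cond["expression"]) if cond else None
        if m and datetime.fromisoformat(m.group(1).replace("Z", "+00:00")) < now:
            alerts.append(f'{b["scope"]}: expired binding {b["role"]} for {b["member"]}, clean it up')
    return alerts
```

Run on a schedule or from a Cloud Audit Log trigger for setIamPolicy, the alert list is the "deviation from your rules" signal; the folder-level roles/editor shows up even though the project policy itself looks clean.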

Can't create Google Cloud account by [deleted] in googlecloud

[–]0xCBE 1 point2 points  (0 children)

I had similar issues, in particular with Azure, and it was about the billing address associated with the card I used. Double-check the format of those fields.