Ideas for next time after 20241113

nicholasdille · nicholasdille · commit 0ec42d0aaf28 · 2024-11-13T16:47:22.000+01:00
diff --git a/120_kubernetes/rbac/mitigations.md b/120_kubernetes/rbac/mitigations.md
@@ -0,0 +1,13 @@
+## Mitigations
+
+### Enforce safe defaults
+
+XXX policy engine
+
+### Map users 1-to-1
+
+XXX OIDC
+
+### XXX
+
+XXX workload identity
diff --git a/2024-11-13_ContainerConf-RBAC.yaml b/2024-11-13_ContainerConf-RBAC.yaml
@@ -36,6 +36,7 @@ slides:
 - 120_kubernetes/rbac/risks.md
 - 120_kubernetes/rbac/impersonation.md
 - 120_kubernetes/rbac/service_account.md
+- 120_kubernetes/rbac/mitigations.md
 
 summary:
 - icon: user-shield
@@ -47,7 +48,7 @@ summary:
 - icon: magnifying-glass
   text: Service account tokens must be managed
 - icon: shield-check
-  text: Policy engines like Kyverno can help
+  text: Use policy engine, OIDC and workload identity
 
 events:
 - date: 2024-11-12
