CI/CD Pipeline Security
OIDC authentication, secrets management, SLSA provenance, minimal permissions, supply chain security
1What is OIDC (OpenID Connect) in the context of CI/CD pipelines?
What is OIDC (OpenID Connect) in the context of CI/CD pipelines?
回答
OIDC is an authentication protocol that allows CI/CD pipelines to authenticate with cloud providers without using static secrets. Instead of storing long-lived credentials, the pipeline exchanges a signed JWT token for temporary credentials. This approach eliminates risks associated with storing and rotating secrets, while providing better traceability through token claims that precisely identify the workflow and repository.
2What is the main advantage of External Secrets Operator in Kubernetes?
What is the main advantage of External Secrets Operator in Kubernetes?
回答
External Secrets Operator automatically synchronizes secrets from external managers (Vault, AWS Secrets Manager, Azure Key Vault) into native Kubernetes Secrets. This approach centralizes secret management in a dedicated system while allowing applications to consume secrets in a standard way. It also facilitates automatic secret rotation and avoids storing sensitive credentials directly in Kubernetes manifests or Git repositories.
3What does the principle of least privilege mean in the context of CI/CD pipelines?
What does the principle of least privilege mean in the context of CI/CD pipelines?
回答
The principle of least privilege consists of granting pipelines only the permissions strictly necessary to accomplish their tasks. For example, a build pipeline should only have read rights on source code, while a deployment pipeline would only access resources in the target environment. This approach limits damage in case of pipeline compromise and reduces the overall attack surface of the infrastructure.
What is an SBOM (Software Bill of Materials)?
Why use HashiCorp Vault rather than environment variables to store secrets?
+17 面接問題