https://allenz.net/tags/security/Recent content in Security on Allen ZiegenfusHugoen-usSat, 16 May 2026 00:00:00 +0000https://allenz.net/writing/environment-stable-table-ownership-surviving-cross-environment-restore-with-iam-database-auth/Sat, 16 May 2026 00:00:00 +0000https://allenz.net/writing/environment-stable-table-ownership-surviving-cross-environment-restore-with-iam-database-auth/Cloud SQL IAM database auth breaks cross-environment restores because table ownership encodes a per-environment service account. Make ownership environment-independent by owning every table as cloudsqlsuperuser.https://allenz.net/writing/test-your-guardrails-policy-as-code-that-you-actually-verify/Mon, 11 May 2026 00:00:00 +0000https://allenz.net/writing/test-your-guardrails-policy-as-code-that-you-actually-verify/Policy-as-code that’s never tested usually fails open — it waves violations through and no one notices. How to test guardrails so they both deny when they must and pass when they must.https://allenz.net/writing/use-gke-connect-gateway-to-protect-your-private-control-plane/Tue, 21 Apr 2026 00:00:00 +0000https://allenz.net/writing/use-gke-connect-gateway-to-protect-your-private-control-plane/Reach a private GKE cluster’s API server without a bastion or authorized-networks — using the GKE-native Connect Gateway, with GCP IAM outside the gateway and Kubernetes RBAC inside.https://allenz.net/writing/one-github-app-two-auth-models-repo-credentials-webhooks-and-sso-for-argo-cd/Fri, 20 Mar 2026 00:00:00 +0000https://allenz.net/writing/one-github-app-two-auth-models-repo-credentials-webhooks-and-sso-for-argo-cd/Argo CD needs three different things from GitHub — repo reads, webhook delivery, and human SSO. How a single GitHub App covers all three with short-lived installation tokens instead of a leak-prone PAT.