From 59f3422d3e64cf898aa1c23737d5263918aafce1 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Mon, 6 Apr 2026 10:35:13 -0700 Subject: [PATCH] Review compensating control: tailscale-network-isolation Verified: tailscale serve status shows only svc:k8s, ACLs restrict tag:flyio-target to port 443 with admin/operator ownership only, indri has no flyio-target tag. All 10 muted findings remain valid. Noted gap: no automated alerting on new flyio-target devices. Tracked in Todoist as MC4 (Manual Compliance Control Check CronJob). Co-Authored-By: Claude Opus 4.6 (1M context) --- compensating-controls.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/compensating-controls.yaml b/compensating-controls.yaml index b90da40..6b0af70 100644 --- a/compensating-controls.yaml +++ b/compensating-controls.yaml @@ -31,7 +31,7 @@ controls: identity with ACL enforcement. Profiling endpoints, debug ports, and control-plane APIs are unreachable from the public internet. created: 2026-03-30 - last-reviewed: 2026-03-30 + last-reviewed: 2026-04-06 notes: >- Verify with 'tailscale serve status --json' on indri and review Tailscale ACLs in pulumi/tailscale/. Only tag:flyio-target services
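Review bot: bumping `last-reviewed` to 2026-04-06 in this hunk records that the review happened but not what it found, and the gap called out in the commit message (no automated alerting when a device acquires tag:flyio-target, tracked as MC4) is not reflected in the control's `notes`, so anyone reading compensating-controls.yaml alone will not see that the control currently depends on a manual check for newly tagged devices. Suggest recording it in the existing `notes` block, for example `Known gap: no automated alert on new tag:flyio-target devices; tracked as MC4.`, and also capturing the expected state the reviewer verified (serve status shows only svc:k8s; ACLs limit tag:flyio-target to port 443 with admin/operator ownership) so that "review Tailscale ACLs in pulumi/tailscale/" has a concrete pass criterion for the next review.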