The documentation here explains how the http.send() method can be used to make GET requests to external data sources. However, for calls to internal sources, the request would require a token of some kind to be supplied.
Is there a way of doing this in a secure manner such that the token is not hard-coded into the body of the policy? For instance, calling on it when the policy is called to check against a request.
As I am using Gatekeeper from a Kubernetes environment, my idea was to mount a file containing the secret to the pod running Gatekeeper, but that seems a bit overkill and still prone to breaches, so I wanted to see if there is a better way of handling things.