This guide should be treated as the baseline which must be taken in account rather than a checklist for perfect security.
Measures that tighten the security of the services running in Rahti can be roughly divided in two categories.
Enable the TLS encryption of routes. If the DNS name of your service is under
coolservice.rahtiapp.fi), the default
wildcard TLS certificate provided by Rahti can be used directly. Otherwise,
you need to add your certificate data in the route object.
Access to the services should be limited to selected networks with whitelists whenever applicable (See the chapter Routes). This is relevant whenever access can be restricted in terms of IP addresses.
Secure routes thwart eavesdropping attacks that target e.g. service passwords and usernames, and other critical data sent over the internet.
Outdated container images are prone to exploits via security vulnerabilities, and unfamiliar images may contain malicious code. For these reasons, a given container image should be used only if:
- It is from a known and trusted source so that the known security vulnerabilities are patched and you can trust it not to contain malicious code.
- You have reviewed its Dockerfile build configuration and the base layer satisfies Rule #1 or #2.
Other things to keep in mind:
- Use curated images.
- Prefer images that regularly receive security updates.
- Use static container image analysis tools if available. For support, ask your local IT support.
- The smaller the image, the less "surface area" there is for attacks:
- Utilize the builder pattern in your images if you use compiled languages: Build the binary in a different image from where the application is deployed. In Docker, this can be achieved with multi-stage builds, and in OpenShift, directories of other images may be mounted during the build process by chaining builds. This way, only essential pieces of the software are present in the final image.
- If the application is written in an interpreted language, use language
based images. Instead of installing Node.js on top of the Debian image, use
IP addresses for firewall openings
The IP for all outgoing customer traffic is
126.96.36.199. By opening a firewall to this IP, you will let in all traffic coming from any Rahti project. It is advised to not solely rely in IP filtering for security, but use this a secondary measure, like for example an OAuth authentication system.
There is no plan to change this IP, but it is not possible to give a 100% assurance that an unforeseeable event will ever force us to change it. If this IP ever changes, it will be properly announced in advance.