This guide should be treated as the baseline which must be taken in account rather than a checklist for perfect security.
Measures that tighten the security of the services running in Rahti can be roughly divided in two categories.
Enable the TLS encryption of routes. If the DNS name of your service is under
coolservice.rahtiapp.fi), the default
wildcard TLS certificate provided by Rahti can be used directly. Otherwise,
you need to add your certificate data in the route object.
Access to the services should be limited to selected networks with whitelists whenever applicable (See the chapter Routes). This is relevant whenever access can be restricted in terms of IP addresses.
Secure routes thwart eavesdropping attacks that target e.g. service passwords and usernames, and other critical data sent over the internet.
Outdated container images are prone to exploits via security vulnerabilities, and unfamiliar images may contain malicious code. For these reasons, a given container image should be used only if:
- It is from a known and trusted source so that the known security vulnerabilities are patched and you can trust it not to contain malicious code.
- You have reviewed its Dockerfile build configuration and the base layer satisfies Rule #1 or #2.
Other things to keep in mind:
- Use curated images.
- Prefer images that regularly receive security updates.
- Use static container image analysis tools if available. For support, ask your local IT support.
- The smaller the image, the less "surface area" there is for attacks:
- Utilize the builder pattern in your images if you use compiled languages: Build the binary in a different image from where the application is deployed. In Docker, this can be achieved with multi-stage builds, and in OpenShift, directories of other images may be mounted during the build process by chaining builds. This way, only essential pieces of the software are present in the final image.
- If the application is written in an interpreted language, use language
based images. Instead of installing Node.js on top of the Debian image, use