|
| 1 | +:_content-type: CONCEPT |
| 2 | +:description: Security best practices |
| 3 | +:keywords: security, best practices |
| 4 | +:navtitle: Security best practices |
| 5 | +//:page-aliases: |
| 6 | + |
| 7 | +[id="security-best-practices"] |
| 8 | += Security best practices for {prod} |
| 9 | + |
| 10 | +Get an overview of key best security practices for {prod} that can help you |
| 11 | +foster a more resilient development environment. |
| 12 | + |
| 13 | +{prod} runs on top of OpenShift, which provides the platform, and the foundation for the products functioning on top of it. OpenShift documentation is the entry point for security hardening. |
| 14 | + |
| 15 | +.Project isolation in OpenShift |
| 16 | + |
| 17 | +In OpenShift, project isolation is similar to {namespace} isolation in {kubernetes} but is achieved through the concept of projects. A project in OpenShift is a top-level organizational unit that provides isolation and collaboration between different applications, teams, or workloads within a cluster. |
| 18 | + |
| 19 | +By default, {prod-short} provisions a unique `<username>-devspaces` project for each user. Alternatively, the cluster administrator can disable project self-provisioning on the OpenShift level, and turn off automatic {namespace} provisioning in the CheCluster custom resource: |
| 20 | + |
| 21 | +[source, yaml] |
| 22 | +---- |
| 23 | +devEnvironments: |
| 24 | + defaultNamespace: |
| 25 | + autoProvision: false |
| 26 | +---- |
| 27 | +include::example$snip_curated-access-to-che.adoc[] |
| 28 | + |
| 29 | +.Role-based access control (RBAC) |
| 30 | + |
| 31 | +By default, the {prod-short} operator creates the following ClusterRoles: |
| 32 | + |
| 33 | +* `<namespace>-cheworkspaces-clusterrole` |
| 34 | +* `<namespace>-cheworkspaces-devworkspace-clusterrole` |
| 35 | + |
| 36 | +[NOTE] |
| 37 | +==== |
| 38 | +The `<namespace>` prefix corresponds to the project name where the {prod} CheCluster CR is located. |
| 39 | +==== |
| 40 | + |
| 41 | +The first time a user accesses {prod}, the corresponding RoleBinding is created in the `<username>-devspaces` project. |
| 42 | + |
| 43 | +All resources and actions you can grant users permission to use in their {namespace} is listed below. |
| 44 | + |
| 45 | +.Overview of resources and actions available in a user's {namespace}. |
| 46 | +[cols="1,1"] |
| 47 | +|=== |
| 48 | +|Resources |Actions |
| 49 | + |
| 50 | +|pods |
| 51 | +|"get", "list", "watch", "create", "delete", "update", "patch" |
| 52 | + |
| 53 | +|pods/exec |
| 54 | +|"get", "create" |
| 55 | + |
| 56 | +|pods/log |
| 57 | +|"get", "list", "watch" |
| 58 | + |
| 59 | +|pods/portforward |
| 60 | +|"get", "list", "create" |
| 61 | + |
| 62 | +|configmaps |
| 63 | +|“get", "list", "create", "update", "patch", "delete" |
| 64 | + |
| 65 | +|events |
| 66 | +|“watch” |
| 67 | + |
| 68 | +|secrets |
| 69 | +|"get", "list", "create", "update", "patch", "delete" |
| 70 | + |
| 71 | +|services |
| 72 | +|"get", "list", "create", "delete", "update", "patch" |
| 73 | + |
| 74 | +|routes |
| 75 | +|”get", "list", "create", "delete" |
| 76 | + |
| 77 | +|persistentvolumeclaims |
| 78 | +|“get", "list", "watch", "create", "delete", "update", "patch" |
| 79 | + |
| 80 | +|apps/deployments |
| 81 | +|"get", "list", "watch", "create", "patch", "delete" |
| 82 | + |
| 83 | +|apps/replicasets |
| 84 | +|"get", "list", "patch", "delete" |
| 85 | + |
| 86 | +|namespaces |
| 87 | +|"get", "list" |
| 88 | + |
| 89 | +|projects |
| 90 | +|“get” |
| 91 | + |
| 92 | +|devworkspace |
| 93 | +|"get", "create", "delete", "list", "update", "patch", "watch" |
| 94 | + |
| 95 | +|devworkspacetemplates |
| 96 | +|"get", "create", "delete", "list", "update", "patch", "watch" |
| 97 | +|=== |
| 98 | + |
| 99 | +include::example$snip_che-user-granted-permission.adoc[] |
| 100 | + |
| 101 | + |
| 102 | +.Dev environment isolation |
| 103 | + |
| 104 | +Isolation of the development environments is implemented using OpenShift projects. |
| 105 | +Every developer has a project in which the following objects are created and managed: |
| 106 | + |
| 107 | +* Cloud Development Environment (CDE) Pods, including the IDE server. |
| 108 | +* Secrets containing developer credentials, such as a Git token, SSH keys, and a Kubernetes token. |
| 109 | +* ConfigMaps with developer-specific configuration, such as the Git name and email. |
| 110 | +* Volumes that persist data such as the source code, even when the CDE Pod is stopped. |
| 111 | + |
| 112 | +[IMPORTANT] |
| 113 | +==== |
| 114 | +Access to the resources in a namespace must be limited to the developer owning it. Granting read access to another developer is equivalent to sharing the developer credentials and should be avoided. |
| 115 | +==== |
| 116 | + |
| 117 | +.Enhanced authorization |
| 118 | + |
| 119 | +The current trend is |
| 120 | +to split an infrastructure into several "fit for purpose" clusters |
| 121 | +instead of having a gigantic monolith OpenShift cluster. |
| 122 | +However, administrators might still want to provide granular access, |
| 123 | +and restrict the availability of certain functionalities to particular users. |
| 124 | + |
| 125 | +[NOTE] |
| 126 | +==== |
| 127 | +A "fit for purpose" OpenShift cluster refers to a cluster that is specifically designed |
| 128 | +and configured to meet the requirements and goals of a particular use case or workload. |
| 129 | +It is tailored to optimize performance, resource utilization, |
| 130 | +and other factors based on the characteristics of the workloads it will be managing. |
| 131 | +For {prod}, it is recommended to have this type of cluster provisioned. |
| 132 | +==== |
| 133 | + |
| 134 | +For this purpose, |
| 135 | +optional properties that you can use to set up granular access for different groups and users are available in the CheCluster Custom Resource: |
| 136 | + |
| 137 | +* `allowUsers` |
| 138 | +* `allowGroups` |
| 139 | +* `denyUsers` |
| 140 | +* `denyGroups` |
| 141 | + |
| 142 | +Below is an example of access configuration: |
| 143 | + |
| 144 | +[source, code] |
| 145 | +---- |
| 146 | + networking: |
| 147 | + auth: |
| 148 | + advancedAuthorization: |
| 149 | + allowUsers: |
| 150 | + - user-a |
| 151 | + - user-b |
| 152 | + denyUsers: |
| 153 | + - user-c |
| 154 | + allowGroups: |
| 155 | + - openshift-group-a |
| 156 | + - openshift-group-b |
| 157 | + denyGroups: |
| 158 | + - openshift-group-c |
| 159 | +---- |
| 160 | + |
| 161 | +[NOTE] |
| 162 | +==== |
| 163 | +Users in the `denyUsers` and `denyGroup` categories will not be able to use {prod} and will see a warning when trying to access the User Dashboard. |
| 164 | +==== |
| 165 | + |
| 166 | +.Authentication |
| 167 | + |
| 168 | +Only authenticated OpenShift users can access {prod}. |
| 169 | +The Gateway Pod uses a role-based access control (RBAC) subsystem |
| 170 | +to determine whether a developer is authorized to access a Cloud Development Environment (CDE) or not. |
| 171 | + |
| 172 | +The CDE Gateway container checks the developer's {kubernetes} roles. |
| 173 | +If their roles allow access to the CDE Pod, the connection to the development environment is allowed. |
| 174 | +By default, only the owner of the {namespace} has access to the CDE Pod. |
| 175 | + |
| 176 | +[IMPORTANT] |
| 177 | +==== |
| 178 | +Access to the resources in a namespace must be limited to the developer owning it. Granting `read` access to another developer is equivalent to sharing the developer credentials and should be avoided. |
| 179 | +==== |
| 180 | + |
| 181 | +.Security context and security context constraint |
| 182 | + |
| 183 | +{prod} adds `SETGID` and `SETUID` capabilities to the specification of the CDE Pod container security context: |
| 184 | + |
| 185 | +[source, code] |
| 186 | +---- |
| 187 | +"spec": { |
| 188 | + "containers": [ |
| 189 | + "securityContext": { |
| 190 | + "allowPrivilegeEscalation": true, |
| 191 | + "capabilities": { |
| 192 | + "add": ["SETGID", "SETUID"], |
| 193 | + "drop": ["ALL","KILL","MKNOD"] |
| 194 | + }, |
| 195 | + "readOnlyRootFilesystem": false, |
| 196 | + "runAsNonRoot": true, |
| 197 | + "runAsUser": 1001110000 |
| 198 | + } |
| 199 | + ] |
| 200 | + } |
| 201 | +---- |
| 202 | + |
| 203 | +This provides the ability for users to build container images from within a CDE. |
| 204 | + |
| 205 | +By default, {prod} assigns a specific `SecurityContextConstraint` (SCC) to the users that allows them to start a Pod with such capabilities. This SCC grants more capabilities to the users compared to the default `restricted` SCC but less capability compared to the `anyuid` SCC. This default SCC is pre-created in the {prod-short} namespace and named `container-build`. |
| 206 | + |
| 207 | +Setting the following property in the CheCluster Custom Resource prevents assigning extra capabilities and SCC to users: |
| 208 | + |
| 209 | +[source, code] |
| 210 | +---- |
| 211 | +spec: |
| 212 | + devEnvironments: |
| 213 | + disableContainerBuildCapabilities: true |
| 214 | +---- |
| 215 | + |
| 216 | +.Resource Quotas and Limit Ranges |
| 217 | + |
| 218 | +Resource Quotas and Limit Ranges are {kubernetes} features you can use to help prevent bad actors or resource abuse within a cluster. |
| 219 | +They help in controlling and managing resource consumption by pods and containers. |
| 220 | +By combining Resource Quotas and Limit Ranges, |
| 221 | +you can enforce project-specific policies to prevent bad actors from consuming excessive resources. |
| 222 | + |
| 223 | +These mechanisms contribute to better resource management, stability, and fairness within an OpenShift cluster. |
| 224 | +More details about link:https://docs.openshift.com/container-platform/4.14/applications/quotas/quotas-setting-per-project.html[Resource Quotas] and link:https://docs.openshift.com/container-platform/4.14/nodes/clusters/nodes-cluster-limit-ranges.html[Limit Ranges] are available in the OpenShift documentation. |
| 225 | + |
| 226 | +.Disconnected environment |
| 227 | + |
| 228 | +An air-gapped OpenShift disconnected cluster refers to an OpenShift cluster |
| 229 | +isolated from the internet or any external network. |
| 230 | +This isolation is often done for security reasons, |
| 231 | +to protect sensitive or critical systems from potential cyber threats. |
| 232 | +In an air-gapped environment, |
| 233 | +the cluster cannot access external repositories or registries to download container images, updates, or dependencies. |
| 234 | + |
| 235 | +{prod} is supported and can be installed in a restricted environment. |
| 236 | +include::example$snip_che-installation-instructions.adoc[] |
| 237 | + |
| 238 | +.Managing extensions |
| 239 | + |
| 240 | +By default, {prod} |
| 241 | +includes the embedded Open VSX registry |
| 242 | +which contains a limited set of extensions used by Microsoft Visual Studio Code - |
| 243 | +Open Source editor. |
| 244 | +Alternatively, cluster administrators can specify a different plugin registry in the Custom Resource, e.g. |
| 245 | +https://open-vsx.org that contains thousands of extensions. |
| 246 | +They can also build a custom Open VSX registry. |
| 247 | +include::example$snip_che-managing-extensions.adoc[] |
| 248 | + |
| 249 | +[IMPORTANT] |
| 250 | +==== |
| 251 | +Installing extra extensions increases potential risks. To minimize these risks, make sure to only install extensions from reliable sources and regularly update them. |
| 252 | +==== |
| 253 | + |
| 254 | +.Secrets |
| 255 | + |
| 256 | +Keep sensitive data stored as {kubernetes} secrets in the users’ |
| 257 | +namespaces confidential (e.g. Personal Access Tokens (PAT), and SSH keys). |
| 258 | + |
| 259 | +.Git repositories |
| 260 | + |
| 261 | +It is crucial to operate within Git repositories that you are familiar with and that you trust. Before incorporating new dependencies into the repository, verify that they are well-maintained and regularly release updates to address any identified security vulnerabilities in their code. |
| 262 | + |
| 263 | + |
| 264 | + |
| 265 | + |
0 commit comments