nschonni / platform-security_securite-de-plateforme Goto Github PK

(Français)

Guidance on Secure Containers and Microservices

With the introduction of cloud services and the adoption of “continuous deployment” of software services, the movement of applications from one environment to another and within an environment is required to be agile and predictable. Container technology (OS virtualization) enables software to deploy quickly and run predictably when moved from one environment to another. Further, microservices are established when a set of containers work together to compose an application. While this approach improves flexibility and scalability for application development and simplifies functionality, it adds another layer of abstraction that must be secured.

This guidance provides recommendations to secure containers and microservices when deploying Government of Canada (GC) services. It highlights the controls, configuration and tools to secure GC workloads running in containers and orchestrators and recommendations for compliance verification.

Table of Contents

• 1. Introduction
  • 1.1 Background
  • 1.2 Document Purpose and Scope
  • 1.3 Audience
  • 1.4 Document Overview
• 2. Context
  • 2.1 Definitions
  • 2.2 Infrastructure
  • 2.3 Containers
  • 2.4 Container Security
  • 2.5 Microservices
    • 2.5.1 The Ten Commandments of Microservices
    • 2.5.2 Service Mesh
  • 2.6 Functions as a Service
• 3. Threat Environment
• 4. Implementation Recommendations
  • 4.1 Host Recommendations
  • 4.2 Image Builds
  • 4.3 Container Security Brokers
  • 4.4 Orchestration - Kubernetes
• 5. Additional Microservices and Container Security Guidelines
  • 5.1 Securing Platform
  • 5.2 Securing Container Runtime
  • 5.3 Securing Traffic
  • 5.4 Securing Coding Practices
  • 5.5 Architecting Your Application for Cloud
  • 5.6 Securing Container Images
  • 5.7 Observability
  • 5.8 Secrets Management
  • 5.9 Continuous Integration/Continuous Deployment (CI/CD)
  • 5.10 Infrastructure as Code
• 6. References

List of Tables

• Table 2‑1 Virtualization and Container Quality Attributes

List of Figures

• Figure 2‑1 Monolithic versus Microservice [1]
• Figure 2‑2 High-level overview of VM's, containers, and serverless [3]
• Figure 2‑3 Shared Responsibility Model with Containers
• Figure 2‑4 Container Technologies
• Figure ‎2‑5 Microservices Architecture (MSA)
• Figure ‎2‑6 Example service mesh (CNCF Project Istio) [12]

List of Abbreviations and Acronyms

How to Contribute

See CONTRIBUTING.md

License

Unless otherwise noted, the source code of this project is covered under Crown Copyright, Government of Canada, and is distributed under the MIT License.

The Canada wordmark and related graphics associated with this distribution are protected under trademark law and copyright law. No permission is granted to use them outside the parameters of the Government of Canada's corporate identity program. For more information, see Federal identity requirements.

Gabarit pour dépôts de code source ouvert du gouvernement du Canada

• Quel est ce projet?
• Comment ça marche?
• Qui utilisera ce projet?
• Quel est le but de ce projet?

Comment contribuer

Voir CONTRIBUTING.md

Licence

Sauf indication contraire, le code source de ce projet est protégé par le droit d'auteur de la Couronne du gouvernement du Canada et distribué sous la licence MIT.

Le mot-symbole « Canada » et les éléments graphiques connexes liés à cette distribution sont protégés en vertu des lois portant sur les marques de commerce et le droit d'auteur. Aucune autorisation n'est accordée pour leur utilisation à l'extérieur des paramètres du programme de coordination de l'image de marque du gouvernement du Canada. Pour obtenir davantage de renseignements à ce sujet, veuillez consulter les Exigences pour l'image de marque.