|
1 | 1 | # Security Considerations |
2 | 2 |
|
3 | | -TODO (bacongobbler): rewrite for v2 |
| 3 | +!!! important |
| 4 | + Workflow is not suitable for multi-tenant environments or hosting untrusted code. |
| 5 | + |
| 6 | +A major goal of Workflow is to be operationally secure and trusted by operations engineers in every |
| 7 | +deployed environment. There are, however, two notable security-related considerations to be aware |
| 8 | +of when deploying Workflow. |
| 9 | + |
| 10 | +# Application Runtime Segregation |
| 11 | + |
| 12 | +Users of Workflow often want to deploy their applications to separate environments. Typically, |
| 13 | +physical network isolation isn’t the goal, but rather segregation of application environments - if a |
| 14 | +region goes haywire, it shouldn’t affect applications that are running in a separate region. |
| 15 | + |
| 16 | +In Workflow, deployed applications can be segregated by using the `deis tags` command. This enables |
| 17 | +you to tag machines in your cluster with arbitrary metadata, then configure your applications to be |
| 18 | +scheduled to machines which match the metadata. |
| 19 | + |
| 20 | +For example, if some machines in your cluster are tagged with `region=us-west-1` and some |
| 21 | +with `region=us-east-1`, you can configure an application to be deployed to us-west-1 |
| 22 | +by using `deis tags set region=us-west-1`. Workflow will pass this configuration |
| 23 | +along to Kubernetes, which will schedule your application in different regions. |
| 24 | + |
| 25 | +# Running Workflow on Public Clouds |
| 26 | + |
| 27 | +If you are running on a public cloud without security group features, you will have to set up |
| 28 | +security groups yourself through either `iptables` or a similar tool. The only ports on worker |
| 29 | +nodes that should be exposed to the public are: |
| 30 | + |
| 31 | + - 22: (optional) for remote SSH |
| 32 | + - 80: for the routers |
| 33 | + - 443: (optional) routers w/ SSL enabled |
| 34 | + - 2222: for the routers proxying TCP to the builder |
| 35 | + - 9090: for the routers' health check |
| 36 | + |
| 37 | +# IP Whitelist |
| 38 | + |
| 39 | +Enforcing a cluster-wide IP whitelist may be advisable for routers governing ingress to a cluster |
| 40 | +that hosts applications intended for a limited audience-- e.g. applications for internal use within |
| 41 | +an organization. You can enforce cluster-wide IP whitelisting by enabling whitelists, then |
| 42 | +attaching an annotation to the router: |
| 43 | + |
| 44 | +$ kubectl --namespace=deis annotate replicationcontroller deis-router router.deis.io/nginx.enforceWhitelists=true |
| 45 | +$ kubectl --namespace=deis annotate replicationcontroller deis-router router.deis.io/nginx.defaultWhitelist="0.0.0.0/0" |
| 46 | + |
| 47 | +The format is the same for the controller whitelist but you need to specify the whitelist directly |
| 48 | +to the controller's service. For example: |
| 49 | + |
| 50 | +$ kubectl --namespace=deis annotate service deis-controller router.deis.io/whitelist="10.0.1.0/24:office_intranet,121.212.121.212:dev_jenkins" |
| 51 | + |
| 52 | +And the same applies to applications. For example, to apply a whitelist to an application named |
| 53 | +`example`: |
| 54 | + |
| 55 | +$ kubectl --namespace=example annotate service example-web router.deis.io/whitelist="10.0.1.0/24:office_intranet,121.212.121.212:dev_jenkins" |
0 commit comments