From bbb1791c4f573a034a4b5bf6f088eaf98502b800 Mon Sep 17 00:00:00 2001 From: Katie Horne Date: Mon, 13 Sep 2021 12:14:36 -0500 Subject: [PATCH 1/3] chore: add shared security responsibility doc --- guides/admin/share-security.md | 87 ++++++++++++++++++++++++++++++++++ manifest.json | 3 ++ 2 files changed, 90 insertions(+) create mode 100644 guides/admin/share-security.md diff --git a/guides/admin/share-security.md b/guides/admin/share-security.md new file mode 100644 index 000000000..d7c77ff96 --- /dev/null +++ b/guides/admin/share-security.md 
@@ -0,0 +1,87 @@ +--- +title: Shared security responsibility +description: + Learn how Coder and its users carry security-related responsibilities. +--- + +To guarantee the security of the Coder workspace, which includes the entire +ecosystem of components needed to support the developer's user experience, +several parties must carry different responsibilities. While this is not an +exhaustive list, this article lists the security responsibilities for both Coder +and its users (specifically the site admin/site managers). + +There are two categories of integration points for a Coder workspace: + +1. Kubernetes and networking +1. External tie-ins (authentication, container registries, Git providers, etc.) + +## Kubernetes and networking + +Like most software, Coder depends on the system on which it is installed to +provide some security boundaries. Coder is installed onto Kubernetes clusters +and includes expectations of how to cluster is configured. As such, changes to +the following aspects of your cluster may impact Coder's security and +performance: + +- Storage + - Quotas + - Encryption + - Cloud access to volumes + - Depletion as denial of service + - PVC + - Ephemeral + - Networking + - Encryption (mTLS) + - Certificates + - TLS certificates presented by `coderd` + - TLS certificats presented by the applications with which Coder + interacts + - Boundaries (e.g., network policies) + - External interactions (ingress and egress) + - IP address depletion as denial of service + - Each workspace gets an IP address in the `pod` subset + - Each dev URL gets an IP address in the `services` subnet + - Kubernetes roles + - Service accounts for Coder to create pods + - Cluster admins (use of cluster admins can pose a security risk) + - Cloud access to the control plane + - Node security + - Upgrades to keep up with Kubernetes + - Access to node user accounts + - Cloud access to nodes + +### Recommendations + +We recommend that you **deploy Coder to its own cluster**. 
With this option, the +security boundary is around the cluster, so things like PVC access, password +resets, and database access are clearly actions taken against Coder. Cluster +admins can perform any necessary action, while all others are constrained by +their Coder role. + +Though you can deploy Coder to a shared cluster, the security boundary is +threaded through the components mentioned in the section above due to the +multiple applications present in the cluster. + +## External tie-ins + +Coder makes assumptions about how the following tie-ins are configured when +deploying security controls: + +- Authentication provider + - Changing the authentication provider settings can render Coder insecure + - Site admins could convert a user authenticating via OIDC to built-in, + allowing the admin to impersonate the user +- Container registry + - The registry account used to add the registry should be a specific + Coder-only account so that Coder users can only pull approved images + - CVMs can only pull unauthenticated containers, which means that any user can + reference any container within the registry +- Git provider + - OAuth linkage allows Coder admins to perform actions as the linked Git user + - SSH keys generated by Coder and added to workspaces can be used to + facilitate 2FA to Coder via GitLab + - Git integration request both SSH and HTTPS access to function + - Access to all user repos must be added to a Coder workspace to clone private + dotfiles repos + - Coder doesn't allow the linking of multiple Git providers of the same type + - Disabling the OAuth linking account may cause a denial of service diff --git a/manifest.json b/manifest.json index 973fdfbf5..aabf16b13 100644 --- a/manifest.json +++ b/manifest.json @@ -326,6 +326,9 @@ { "path": "./guides/admin/oidc-okta.md" }, + { + "path": "./guides/admin/shared-security.md" + }, { "path": "./guides/admin/usage-monitoring.md" } From 065903922789c7e5b45c771bcdb922990f2d1ee5 Mon Sep 17 00:00:00 2001 
From: Katie Horne Date: Tue, 14 Sep 2021 08:37:36 -0500 Subject: [PATCH 2/3] fix URL --- guides/admin/{share-security.md => shared-security.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename guides/admin/{share-security.md => shared-security.md} (100%) diff --git a/guides/admin/share-security.md b/guides/admin/shared-security.md similarity index 100% rename from guides/admin/share-security.md rename to guides/admin/shared-security.md From 01bed0442079b03051a7089ea575d7a76f9cb300 Mon Sep 17 00:00:00 2001 From: Katie Horne Date: Wed, 13 Oct 2021 08:04:01 -0500 Subject: [PATCH 3/3] apply changes due to review --- guides/admin/shared-security.md | 42 ++++++++++++++++----------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/guides/admin/shared-security.md b/guides/admin/shared-security.md index d7c77ff96..4d434a498 100644 --- a/guides/admin/shared-security.md +++ b/guides/admin/shared-security.md 
@@ -30,25 +30,25 @@ performance: - Depletion as denial of service - PVC - Ephemeral - - Networking - - Encryption (mTLS) - - Certificates - - TLS certificates presented by `coderd` - - TLS certificats presented by the applications with which Coder - interacts - - Boundaries (e.g., network policies) - - External interactions (ingress and egress) - - IP address depletion as denial of service - - Each workspace gets an IP address in the `pod` subset - - Each dev URL gets an IP address in the `services` subnet - - Kubernetes roles - - Service accounts for Coder to create pods - - Cluster admins (use of cluster admins can pose a security risk) - - Cloud access to the control plane - - Node security - - Upgrades to keep up with Kubernetes - - Access to node user accounts - - Cloud access to nodes +- Networking + - Encryption (mTLS) + - Certificates + - TLS certificates presented by `coderd` + - TLS certificats presented by the applications with which Coder + interacts + - Boundaries (e.g., network policies) + - External interactions (ingress and egress) + - IP address depletion as denial of service + - Each workspace gets an IP address in the `pod` subset + - Each dev URL gets an IP address in the `services` subnet +- Kubernetes roles + - Service accounts for Coder to create pods + - Cluster admins (use of cluster admins can pose a security risk) + - Cloud access to the control plane +- Node security + - Upgrades to keep up with Kubernetes + - Access to node user accounts + - Cloud access to nodes ### Recommendations 
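Review bot: Since every line of the Networking, Kubernetes roles and Node security block is being rewritten for indentation anyway, the text errors carried over from the original should be fixed in the same pass rather than left for another commit: `TLS certificats presented by the applications with which Coder` should be `certificates`, and `Each workspace gets an IP address in the \`pod\` subset` should say `subnet`, matching the `Each dev URL gets an IP address in the \`services\` subnet` line directly below it. The re-indentation itself is correct: these three items are top-level categories alongside `- Storage`, not sub-items of it.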
@@ -72,14 +72,14 @@ deploying security controls: - Site admins could convert a user authenticating via OIDC to built-in, allowing the admin to impersonate the user - Container registry - - The registry account used to add the registry should be a specific + - The registry account used to access images should be a specific Coder-only account so that Coder users can only pull approved images - CVMs can only pull unauthenticated containers, which means that any user can reference any container within the registry - Git provider - OAuth linkage allows Coder admins to perform actions as the linked Git user - SSH keys generated by Coder and added to workspaces can be used to - facilitate 2FA to Coder via GitLab + circumvent 2FA to GitLab via Coder - Git integration request both SSH and HTTPS access to function - Access to all user repos must be added to a Coder workspace to clone private dotfiles repos
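Review bot: Changing the SSH-key bullet to `circumvent 2FA to GitLab via Coder` is the right correction (the original `facilitate 2FA to Coder via GitLab` described the opposite of the risk), but the neighbouring unchanged line `Git integration request both SSH and HTTPS access to function` still has a subject/verb mismatch and should read `requests`; it would also help the reader if the container-registry bullet expanded `CVMs` on first use, since nothing in the hunk says what the abbreviation stands for.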
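Review bot: In the new `guides/admin/share-security.md` added by PATCH 1/3, the Git provider bullet `SSH keys generated by Coder and added to workspaces can be used to facilitate 2FA to Coder via GitLab` states the risk backwards: the concern is that a key Coder provisioned lets a workspace reach GitLab without the provider's second factor, so it should read as circumventing 2FA to GitLab via Coder (PATCH 3/3 later makes exactly that change). Several other lines in the same hunk should be corrected before merge: `includes expectations of how to cluster is configured` should be `how the cluster is configured`; `TLS certificats` is misspelled; `Each workspace gets an IP address in the \`pod\` subset` should say `subnet` to match the `services` line; `Git integration request both SSH and HTTPS access` should be `requests`; and the `- Networking`, `- Kubernetes roles` and `- Node security` items are indented under `- Storage` although the surrounding text treats them as separate categories (also addressed in PATCH 3/3).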
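Review bot: The `manifest.json` hunk in PATCH 1/3 registers `./guides/admin/shared-security.md`, but the file that same commit creates is `guides/admin/share-security.md`, so the navigation entry points at a missing page at that commit; either create the file as `shared-security.md` in PATCH 1/3 (the rename in PATCH 2/3 could then be dropped) or have the manifest reference the path actually added, so that every commit in the series leaves the docs build consistent.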