Security is a key feature of any SaaS system. Our Playground enforces some security mechanisms to protect each customer account from interactions with others. Additionally, some restrictions apply related to the privileges available on the containers:
- Privileged containers are not allowed, to avoid privilege escalation and undesired interaction with the cluster infrastructure.
- Adding extra Linux capabilities is not permitted.
- Additionally, some Kubernetes operations such as creating new namespaces and cluster-level entities are not allowed.
Our recommendations for packaging applications for Kubernetes are:
- Use a non-root user to launch your application. In the Dockerfile, use `USER` to specify the user that will execute the processes. Use `runAsUser` to launch your container with another user.
- Do not use reserved ports such as 80. Kubernetes services can be attached to any port, as routing is done through other layers such as load balancers or ingresses.
For more information, take a look at the Docker best practices on how to create Dockerfiles.
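The restrictions and recommendations above can be checked before deploying. The following is an added example, not code from the Playground and not its admission logic: a small lint over the `spec` section of a Pod, given as a Python dict. The function name, the sample specs, and the reading of "reserved ports" as ports below 1024 are assumptions.

```python
# Added example: lint a pod spec (as a dict) against the rules listed above.
RESERVED_PORT_LIMIT = 1024  # assumption: "reserved" means ports below 1024


def check_pod_spec(pod_spec):
    """Return a list of findings; an empty list means the spec passes."""
    findings = []
    pod_user = (pod_spec.get("securityContext") or {}).get("runAsUser")
    for c in pod_spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        added = (sc.get("capabilities") or {}).get("add") or []
        if added:
            findings.append(f"{name}: adds capabilities {sorted(added)}")
        # Container-level runAsUser overrides the pod-level value. If neither
        # is set, the image's USER decides, which this check cannot see.
        user = sc.get("runAsUser", pod_user)
        if user == 0:
            findings.append(f"{name}: runs as root (runAsUser 0)")
        for p in c.get("ports", []):
            port = p.get("containerPort")
            if port is not None and port < RESERVED_PORT_LIMIT:
                findings.append(f"{name}: listens on reserved port {port}")
    return findings


# Constructed sample specs (the "spec" section of a Pod), not from the Playground.
REJECTED = {
    "containers": [{
        "name": "web",
        "image": "example/web:1.0",
        "securityContext": {"privileged": True, "runAsUser": 0,
                            "capabilities": {"add": ["NET_ADMIN"]}},
        "ports": [{"containerPort": 80}],
    }],
}
ACCEPTED = {
    "securityContext": {"runAsUser": 10001},
    "containers": [{
        "name": "web",
        "image": "example/web:1.0",
        "ports": [{"containerPort": 8080}],  # a Service can still expose port 80
    }],
}

if __name__ == "__main__":
    for label, spec in (("rejected", REJECTED), ("accepted", ACCEPTED)):
        print(label, check_pod_spec(spec))
```

A spec with no `runAsUser` at either level passes this check, so the image's `USER` still has to be verified separately.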
If you have a security issue that you would like to disclose confidentially, please send an email to security and our engineering team will read it and contact you in five days. Please provide as much context and information as possible so we can reproduce the issue and identify the best fix.