Guidance on Secure Containers and Microservices

(Français)

Microservices are established when a set of functional components work together to compose an application. While this approach improves flexibility and scalability for application development and simplifies functionality, it adds another layer of abstraction that must be secured.

Container technology (OS virtualization) enables software to be deployed quickly and run predictably when moved from one environment to another. In modern deployments, containers are often orchestrated by a container orchestration tool, such as Kubernetes (K8s) or a cloud provider, to manage the lifecycle of the containers.

Microservices are often deployed in containers to take advantage of the benefits of both technologies.

This guidance provides recommendations to secure containers and microservices when deploying Government of Canada (GC) services. It highlights the controls, configuration and tools to secure GC workloads running in containers and orchestrators and recommendations for compliance verification.

Table of Contents

• 1. Introduction
  • 1.1 Background
  • 1.2 Document Purpose and Scope
  • 1.3 Audience
  • 1.4 Document Overview
• 2. Context
  • 2.1 Definitions
  • 2.2 Infrastructure
  • 2.3 Containers
  • 2.4 Container Security
  • 2.5 Microservices
  • 2.6 Orchestration
    • 2.6.1 Service Mesh
  • 2.7 Functions as a Service
• 3. Threat Environment
• 4. Implementation Recommendations
  • 4.1 Host Recommendations
  • 4.2 Image Builds
  • 4.3 Container Deployment Security
  • 4.4 Orchestration - Kubernetes
• 5. Additional Microservices and Container Security Guidelines
  • 5.1 Securing Platform
  • 5.2 Securing Container Runtime
  • 5.3 Securing Traffic
  • 5.4 Securing Coding Practices
  • 5.5 Architecting Your Application for Cloud
  • 5.6 Securing Container Images
  • 5.7 Observability
  • 5.8 Secrets Management
  • 5.9 Continuous Integration/Continuous Deployment (CI/CD)
  • 5.10 Infrastructure as Code

List of Figures

• Figure 2‑1 Monolithic versus Microservice
• Figure 2‑2 High-level overview of VMs, containers, and serverless
• Figure 2‑3 Shared Responsibility Model with Containers
• Figure 2‑4 Container Technologies
• Figure 2‑5 Microservices Architecture (MSA)
• Figure 5-1 VMs vs Containers
• Figure 5-2 Kubernetes Attack Surface
• Figure 5-3 RBAC in Kubernetes
• Figure 5-4 Service Mesh
• Figure 5-5 API Gateway with OPA
• Figure 5-6 Securing Container Images

List of Abbreviations and Acronyms

How to Contribute

See CONTRIBUTING.md

License

Unless otherwise noted, the source code of this project is covered under Crown Copyright, Government of Canada, and is distributed under the MIT License.

The Canada wordmark and related graphics associated with this distribution are protected under trademark law and copyright law. No permission is granted to use them outside the parameters of the Government of Canada's corporate identity program. For more information, see Federal identity requirements.

Gabarit pour dépôts de code source ouvert du gouvernement du Canada

• Quel est ce projet?
• Comment ça marche?
• Qui utilisera ce projet?
• Quel est le but de ce projet?

Comment contribuer

Voir CONTRIBUTING.md

Licence

Sauf indication contraire, le code source de ce projet est protégé par le droit d'auteur de la Couronne du gouvernement du Canada et distribué sous la licence MIT.

Le mot-symbole « Canada » et les éléments graphiques connexes liés à cette distribution sont protégés en vertu des lois portant sur les marques de commerce et le droit d'auteur. Aucune autorisation n'est accordée pour leur utilisation à l'extérieur des paramètres du programme de coordination de l'image de marque du gouvernement du Canada. Pour obtenir davantage de renseignements à ce sujet, veuillez consulter les Exigences pour l'image de marque.