github.com/misfo/deis@v1.0.1-0.20141111224634-e0eee0392b8a/docs/managing_deis/security_considerations.rst (about)

     1  :title: Security considerations
     2  :description: Security considerations for Deis.
     3  
     4  .. _security_considerations:
     5  
     6  Security considerations
     7  ========================
     8  
     9  .. important::
    10  
    11      Deis is not suitable for multi-tenant environments
    12      or hosting untrusted code.
    13  
    14  A major goal of Deis is to be operationally secure and trusted by operations engineers in every deployed
    15  environment. There are, however, two notable security-related considerations to be aware of
    16  when deploying Deis.
    17  
    18  
    19  Access to etcd
    20  --------------
    21  Since all Deis configuration settings are stored in etcd (including passwords, keys, etc.), any access
    22  to the etcd cluster compromises the security of the entire Deis installation. The various provision
    23  scripts configure the etcd daemon to only listen on the private network interface, but any host or
    24  container with access to the private network has full access to etcd. This also includes deployed
    25  application containers, which cannot be trusted.
    26  
    27  The planned approach is to configure iptables on the machines to prevent unauthorized access from
    28  containers. Some requirements include:
    29  
    30  * Containers must be able to access the outside world
    31  * Containers must be able to access other containers
    32  * Containers cannot access the CoreOS host (SSH, etcd, etc)
    33  
    34  In practice, this is really only a concern when clusters are running untrusted applications.
    35  Further discussion about this approach is appreciated in GitHub issue `#986`_.
    36  
    37  Application runtime segregation
    38  -------------------------------
    39  Users of Deis often want to deploy their applications to separate environments
    40  (commonly: development, staging, and production). Typically, physical network isolation isn't
    41  the goal, but rather segregation of application environments - if a development app goes haywire,
    42  it shouldn't affect production applications that are running in the cluster.
    43  
    44  In Deis, deployed applications can be segregated by using the ```deis tags``` command. This
    45  enables you to tag machines in your cluster with arbitrary metadata, then configure your applications
    46  to be scheduled to machines which match the metadata.
    47  
    48  For example, if some machines in your cluster are tagged with ```environment=production``` and some
    49  with ```environment=staging```, you can configure an application to be deployed to the production
    50  environment by using ```deis tags set environment=production```. Deis will pass this configuration
    51  along to the scheduler, and your applications in different environments on running on separate
    52  hardware.
    53  
    54  .. _`#986`: https://github.com/deis/deis/issues/986