With the introduction of cloud services and the adoption of "continuous deployment" of software services, moving applications from one environment to another, and within an environment, must be agile and predictable. Container technology (OS virtualization) lets software deploy quickly and run predictably when moved from one environment to another. Further, microservices are established when a set of containers work together to compose an application. While this approach improves flexibility and scalability for application development and simplifies functionality, it adds another layer of abstraction that must be secured.
This guidance provides recommendations for securing containers and microservices when deploying Government of Canada (GC) services. It highlights the controls, configuration and tools that secure GC workloads running in containers and orchestrators, and gives recommendations for compliance verification.
- 1. Introduction
- 2. Context
- 3. Threat Environment
- 4. Implementation Recommendations
- 5. Additional Microservices and Container Security Guidelines
- 5.1 Securing Platform
- 5.2 Securing Container Runtime
- 5.3 Securing Traffic
- 5.4 Securing Coding Practices
- 5.5 Architecting Your Application for Cloud
- 5.6 Securing Container Images
- 5.7 Observability
- 5.8 Secrets Management
- 5.9 Continuous Integration/Continuous Deployment (CI/CD)
- 5.10 Infrastructure as Code
- 6. References
- Figure 2‑1 Monolithic versus Microservice [1]
- Figure 2‑2 High-level overview of VM's, containers, and serverless [3]
- Figure 2‑3 Shared Responsibility Model with Containers
- Figure 2‑4 Container Technologies
- Figure 2‑5 Microservices Architecture (MSA)
- Figure 2‑6 Example service mesh (CNCF Project Istio) [12]
| Abbreviation | Definition |
|---|---|
CIRT | Computer Incident Response Team |
CONOPS | Concept of Operations |
CSE | Communications Security Establishment |
CS EMP | Cyber Security Event Management Plan |
CSP | Cloud Service Provider |
FedRAMP | Federal Risk and Authorization Management Program |
GC | Government of Canada |
GSRM | Government of Canada Strategic Reference Model |
IaaS | Infrastructure as a Service |
IPC | Information Protection Centre |
IT | Information Technology |
ITSG | Information Technology Security Guidance |
LAN | Local Area Network |
NIST | National Institute of Standards and Technology |
PAA | Program Alignment Architecture |
PaaS | Platform as a Service |
PBMM | Protected B, Medium Integrity, Medium Availability |
PIA | Privacy Impact Assessment |
PoAM | Plan of Action and Milestones |
RACI | Responsible, Accountable, Consulted, Informed |
SaaS | Software as a Service |
SDLC | System Development Lifecycle |
SLA | Service Level Agreement |
SSC | Shared Services Canada |
TBS | Treasury Board of Canada Secretariat |
ULL | Unclassified, Low Integrity, Low Availability |
See CONTRIBUTING.md
Unless otherwise noted, the source code of this project is covered under Crown Copyright, Government of Canada, and is distributed under the MIT License.
The Canada wordmark and related graphics associated with this distribution are protected under trademark law and copyright law. No permission is granted to use them outside the parameters of the Government of Canada's corporate identity program. For more information, see Federal identity requirements.
- What is this project?
- How does it work?
- Who will use this project?
- What is the purpose of this project?