
Security Best Practices

In addition to the out-of-the-box security capabilities provided by App Platform, Teams are responsible for keeping their applications safe from bad actors. Teams should implement the following security best practices:

  1. Use secrets to secure sensitive data and use a secretKeyRef to map an environment variable to the secret data.

  2. Drop ALL or specific capabilities in the Pod or container SecurityContext to ensure all (unused) capabilities are disabled.

  3. Make sure containers run with a read-only root file system by setting readOnlyRootFilesystem to true in the Pod or container SecurityContext.

  4. Prevent pods from sharing the host’s IPC or network namespace by setting the hostNetwork parameter to false.

  5. Avoid running containers in privileged mode by setting the allowPrivilegeEscalation parameter to false in the Pod or container SecurityContext.

  6. Identify and mitigate threats in running containers. See the Detect threats in running containers hands-on lab for more information.

  7. Scan running containers for vulnerabilities. See the Scan running containers for vulnerabilities hands-on lab for more information.

  8. Scan images pushed to the Team's private container registry in Harbor for vulnerabilities. See the Scan images for vulnerabilities hands-on lab for more information.
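
The manifest below is an added example, not taken from the App Platform documentation, showing items 1 to 5 applied to a single Pod. The names demo-app and demo-credentials, the image reference and the /tmp mount are assumptions, and a Secret named demo-credentials with a key named password is assumed to exist already. hostIPC and privileged are set explicitly because they are separate fields from hostNetwork and allowPrivilegeEscalation.

```yaml
# Added example. All names and the image reference are hypothetical.
apiVersion: v1
kind: Pod
metadata:
  name: demo-app
spec:
  # Item 4: both fields default to false; setting them explicitly makes the
  # intent visible in review and lets policy checks match on them.
  hostNetwork: false        # do not join the node's network namespace
  hostIPC: false            # the IPC namespace is controlled by its own field
  containers:
    - name: app
      image: harbor.example.com/team-demo/demo-app:1.0.0   # placeholder image
      env:
        # Item 1: the value is read from a Secret at start-up and never
        # appears in the manifest itself.
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: demo-credentials   # assumed to exist in the same namespace
              key: password
      # In the Kubernetes API the four fields below are part of the container
      # securityContext; the Pod-level securityContext does not offer them.
      securityContext:
        privileged: false                 # item 5: no privileged mode
        allowPrivilegeEscalation: false   # item 5: no gain via setuid or file capabilities
        readOnlyRootFilesystem: true      # item 3: the default is a writable root
        capabilities:
          drop: ["ALL"]                   # item 2: add back only what the app needs
      volumeMounts:
        # With a read-only root file system, any path the application writes
        # to needs its own writable volume.
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```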