Task 4

Bring even more security

Level 1

  1. Ensure that the app doesn’t run as a root user
  2. The service should try to automatically fix vulnerabilities in the dependencies by creating a Pull/Merge Request

Level 2

  1. Add a scanning service for the source code of the app
  2. Ensure that every Pod in selected namespaces MUST run its containers as a non-root user
  3. Ensure that the traffic from and to the app is restricted
    1. Forbid traffic from other namespaces
    2. Explicitly allow traffic between the app instances and the database
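A pair of NetworkPolicy objects implementing the two traffic rules above, added here as an example (not part of the assignment text); it assumes a namespace named shop, app pods labelled app=web, database pods labelled app=database, and a database listening on TCP 5432.

```yaml
# Added example; assumed names: namespace "shop", labels app=web / app=database, DB port 5432.
---
# 1. Default deny: with an empty podSelector every pod in the namespace is
#    selected, and an Ingress policy with no rules allows nothing, so traffic
#    from other namespaces (and anything not explicitly allowed) is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 2. Explicit allow: only the app pods may reach the database, and only on
#    the database port. Policies are additive, so this punches exactly one
#    hole in the default deny above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-database
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: web
      ports:
        - protocol: TCP
          port: 5432
```

The default deny covers ingress only; if outbound traffic from the app is restricted as well, matching Egress policies (including one for DNS) are needed, and the web pods still require an explicit allow from the ingress controller's namespace via a namespaceSelector, which the default deny otherwise blocks.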

Level 3

  1. Ensure that a trusted TLS certificate is used to provide HTTPS access
  2. Minimize the syscalls used by the app with a custom seccomp profile
  3. Monitor each time someone execs into the app container and send a mail notification
  4. Ensure that the whole network traffic is encrypted within the cluster