canada-ca · bzarboni1 · Nov 18, 2024 · Nov 18, 2024 · Nov 18, 2024 · Nov 18, 2024
diff --git a/.github/workflows/link-check.yml b/.github/workflows/link-check.yml
@@ -24,17 +24,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/cache@v3
+      - uses: actions/setup-node@v4
         with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.os }}-node-
+          node-version: 23
+
+      - uses: actions/checkout@v4
 
       - name: Install Dependencies
-        if: steps.cache.outputs.cache-hit != 'true'
         run: npm ci
 
       - name: Run link checks

diff --git a/.github/workflows/markdownlint.yml b/.github/workflows/markdownlint.yml
@@ -24,17 +24,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/cache@v3
+      - uses: actions/setup-node@v4
         with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.os }}-node-
+          node-version: 23
+
+      - uses: actions/checkout@v4
 
       - name: Install Dependencies
-        if: steps.cache.outputs.cache-hit != 'true'
         run: npm ci
 
       - name: Run Markdownlint

diff --git a/.gitignore b/.gitignore
@@ -1,72 +1,7 @@
-.DS_Store
-
-# Logs
-logs
-*.log
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-
-# Runtime data
-pids
-*.pid
-*.seed
-*.pid.lock
-
-# Directory for instrumented libs generated by jscoverage/JSCover
-lib-cov
-
-# Coverage directory used by tools like istanbul
-coverage
-
-# nyc test coverage
-.nyc_output
-
-# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
-.grunt
-
-# Bower dependency directory (https://bower.io/)
-bower_components
-
-# node-waf configuration
-.lock-wscript
-
-# Compiled binary addons (https://nodejs.org/api/addons.html)
-build/Release
-
-# Dependency directories
-node_modules/
-jspm_packages/
-
-# TypeScript v1 declaration files
-typings/
-
-# Optional npm cache directory
-.npm
-
-# Optional eslint cache
-.eslintcache
-
-# Optional REPL history
-.node_repl_history
-
-# Output of 'npm pack'
-*.tgz
-
-# Yarn Integrity file
-.yarn-integrity
-
-# dotenv environment variables file
-.env
-
-# next.js build output
-.next
-
-# local bundler files
-.bundle
-Gemfile.lock
-vendor
-
-# local Jekyll files
 _site
+.sass-cache
+.jekyll-cache
 .jekyll-metadata
+vendor
+node_modules
+Gemfile.lock
diff --git a/.markdownlint.json b/.markdownlint.json
@@ -1,6 +1,6 @@
 {
   "default": true,
   "MD013": false,
-  "MD041": false,
-  "MD045": false
+  "MD033": false,
+  "MD041": false
 }
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
@@ -1,6 +1,6 @@
 # Contributor Covenant Code of Conduct for the [`project_name`] project
 
-([Français](#Code-de-conduite-pour-le-projet-nom-du-projet))
+([Français](#code-de-conduite-pour-le-projet-nom-du-projet))
 
 Contributors to repositories hosted in [`project_name`] are expected to follow the Contributor Covenant Code of Conduct, and those working within Government are also expected to follow the Values and Ethics Code for the Public Sector
 
@@ -65,7 +65,7 @@ This Code of Conduct is also inspired by GDS' `alphagov` [Code of conduct](https
 # Code de conduite pour le projet [`nom du projet`]
 <!--markdownlint-enable MD025-->
 
-([English](#Contributor-Covenant-Code-of-Conduct-for-the-projectname-project))
+([English](#contributor-covenant-code-of-conduct-for-the-project_name-project))
 
 Les contributeurs aux dépôts hébergés dans [`nom du projet`] sont tenus de respecter le Code de conduite du Pacte des contributeurs, et ceux qui travaillent au sein du gouvernement sont également tenus de respecter le Code de valeurs et d'éthique du secteur public.
 

diff --git a/Gemfile b/Gemfile
@@ -0,0 +1,34 @@
+source "https://rubygems.org"
+# Hello! This is where you manage which Jekyll version is used to run.
+# When you want to use a different version, change it below, save the
+# file and run `bundle install`. Run Jekyll with `bundle exec`, like so:
+#
+#     bundle exec jekyll serve
+#
+# This will help ensure the proper Jekyll version is running.
+# Happy Jekylling!
+#gem "jekyll", "~> 4.3.4"
+# This is the default theme for new Jekyll sites. You may change this to anything you like.
+#gem "jekyll-theme-minimal"
+# If you want to use GitHub Pages, remove the "gem "jekyll"" above and
+# uncomment the line below. To upgrade, run `bundle update github-pages`.
+gem "github-pages", group: :jekyll_plugins
+# If you have any plugins, put them here!
+group :jekyll_plugins do
+  gem "jekyll-feed", "~> 0.12"
+  gem "jekyll-titles-from-headings", "~> 0.5"
+end
+
+# Windows and JRuby does not include zoneinfo files, so bundle the tzinfo-data gem
+# and associated library.
+platforms :mingw, :x64_mingw, :mswin, :jruby do
+  gem "tzinfo", ">= 1", "< 3"
+  gem "tzinfo-data"
+end
+
+# Performance-booster for watching directories on Windows
+gem "wdm", "~> 0.2", :platforms => [:mingw, :x64_mingw, :mswin]
+
+# Lock `http_parser.rb` gem to `v0.6.x` on JRuby builds since newer versions of the gem
+# do not have a Java counterpart.
+gem "http_parser.rb", "~> 0.6.0", :platforms => [:jruby]
diff --git a/README.md b/README.md
@@ -2,9 +2,13 @@
 
 ([Français](#gabarit-pour-dépôts-de-code-source-ouvert-du-gouvernement-du-canada))
 
-With the introduction of cloud services and the adoption of “continuous deployment” of software services, the movement of applications from one environment to another and within an environment is required to be agile and predictable. Container technology (OS virtualization) enables software to deploy quickly and run predictably when moved from one environment to another. Further, microservices are established when a set of containers work together to compose an application. While this approach improves flexibility and scalability for application development and simplifies functionality, it adds another layer of abstraction that must be secured.
+*Microservices* are established when a set of functional components work together to compose an application. While this approach improves flexibility and scalability for application development and simplifies functionality, it adds another layer of abstraction that must be secured.
 
-This guidance provides recommendations to secure containers and microservices when deploying Government of Canada (GC) services. It highlights the controls, configuration and tools to secure GC workloads running in containers and orchestrators and recommendations for compliance verification.
+*Container* technology (OS virtualization) enables software to be deployed quickly and run predictably when moved from one environment to another. In modern deployments, containers are often orchestrated by a container orchestration tool, such as Kubernetes (K8s) or a cloud provider, to manage the lifecycle of the containers.
+
+*Microservices* are often deployed in *containers* to take advantage of the benefits of both technologies.
+
+This guidance provides recommendations to secure *containers* and *microservices* when deploying Government of Canada (GC) services. It highlights the controls, configuration and tools to secure GC workloads running in *containers* and orchestrators and recommendations for compliance verification.
 
 ## Table of Contents
 
@@ -19,14 +23,14 @@ This guidance provides recommendations to secure containers and microservices wh
   - [2.3 Containers](en/2_Context.md/#23-containers)
   - [2.4 Container Security](en/2_Context.md/#24-container-security)
   - [2.5 Microservices](en/2_Context.md/#25-microservices)
-    - [2.5.1 The Ten Commandments of Microservices](en/2_Context.md/#251-the-ten-commandments-of-microservices)
-    - [2.5.2 Service Mesh](en/2_Context.md/#252-service-mesh)
-  - [2.6 Functions as a Service](en/2_Context.md/#26-functions-as-a-service)
+  - [2.6 Orchestration](en/2_Context.md/#26-orchestration)
+    - [2.6.1 Service Mesh](en/2_Context.md/#261-service-mesh)
+  - [2.7 Functions as a Service](en/2_Context.md/#26-functions-as-a-service)
 - [3. Threat Environment](en/3_Threat-Environment.md)
 - [4. Implementation Recommendations](en/4_Implementation-Recommendations.md)
   - [4.1 Host Recommendations](en/4_Implementation-Recommendations.md/#41-host-recommendations)
   - [4.2 Image Builds](en/4_Implementation-Recommendations.md/#42-image-builds)
-  - [4.3 Container Security Brokers](en/4_Implementation-Recommendations.md/#43-container-security-brokers)
+  - [4.3 Container Deployment Security](en/4_Implementation-Recommendations.md/#43-container-deployment-security)
   - [4.4 Orchestration - Kubernetes](en/4_Implementation-Recommendations.md/#44-orchestration---kubernetes)
 - [5. Additional Microservices and Container Security Guidelines](en/5_Microservice_Security.md)
   - [5.1 Securing Platform](en/5_Microservice_Security.md#51-securing-platform)
@@ -39,51 +43,49 @@ This guidance provides recommendations to secure containers and microservices wh
   - [5.8 Secrets Management](en/5_Microservice_Security.md#58-secrets-management)
   - [5.9 Continuous Integration/Continuous Deployment (CI/CD)](en/5_Microservice_Security.md#59-continuous-integrationcontinuous-deployment-cicd)
   - [5.10 Infrastructure as Code](en/5_Microservice_Security.md#510-infrastructure-as-code)
-- [6. References](en/6_References.md)
-
-## List of Tables
-
-- [Table 2‑1 Virtualization and Container Quality Attributes](en/2_Context.md/#23-containers)
 
 ## List of Figures
 
-- [Figure 2‑1 Monolithic versus Microservice \[1\]](en/2_Context.md/#21-definitions)
-- [Figure 2‑2 High-level overview of VM's, containers, and serverless \[3\]](en/2_Context.md/#21-definitions)
-- [Figure 2‑3 Shared Responsibility Model with Containers](en/2_Context.md/#21-definitions)
-- [Figure 2‑4 Container Technologies](en/2_Context.md/#23-containers)
-- [Figure ‎2‑5 Microservices Architecture (MSA)](en/2_Context.md/#25-microservices)
-- [Figure ‎2‑6 Example service mesh (CNCF Project Istio) \[12\]](en/2_Context.md/#252-service-mesh)
+- [Figure 2‑1 Monolithic versus Microservice](en/2_Context.md#figure-2-1)
+- [Figure 2‑2 High-level overview of VMs, containers, and serverless](en/2_Context.md#figure-2-2)
+- [Figure 2‑3 Shared Responsibility Model with Containers](en/2_Context.md#figure-2-3)
+- [Figure 2‑4 Container Technologies](en/2_Context.md#figure-2-4)
+- [Figure 2‑5 Microservices Architecture (MSA)](en/2_Context.md#figure-2-5)
+- [Figure 5-1 VMs vs Containers](en/5_Microservice_Security.md#figure-5-1)
+- [Figure 5-2 Kubernetes Attack Surface](en/5_Microservice_Security.md#figure-5-2)
+- [Figure 5-3 RBAC in Kubernetes](en/5_Microservice_Security.md#figure-5-3)
+- [Figure 5-4 Service Mesh](en/5_Microservice_Security.md#figure-5-4)
+- [Figure 5-5 API Gateway with OPA](en/5_Microservice_Security.md#figure-5-5)
+- [Figure 5-6 Securing Container Images](en/5_Microservice_Security.md#figure-5-6)
 
 ## List of Abbreviations and Acronyms
 
 | Abbreviation | Definition                                         |
 | ------------ | -------------------------------------------------- |
-| CIRT         | Computer Incident Response Team                    |
-| CONOPS       | Concept of Operations                              |
-| CSE          | Communications Security Establishment              |
-| CS EMP       | Cyber Security Event Management Plan               |
+| CaaS         | Containers as a service                            |
 | CSP          | Cloud Service Provider                             |
-| FedRAMP      | Federal Risk and Authorization Management Program  |
+| FaaS         | Functions as a service                             |
 | GC           | Government of Canada                               |
-| GSRM         | Government of Canada Strategic Reference Model     |
 | IaaS         | Infrastructure as a Service                        |
-| IPC          | Information Protection Centre                      |
+| IaC          | Infrastructure as code                             |
+| IDS          | Intrusion Detection System                         |
 | IT           | Information Technology                             |
-| ITSG         | Information Technology Security Guidance           |
-| LAN          | Local Area Network                                 |
+| JSON         | JavaScript Object Notation                         |
+| JWT          | JSON Web Tokens                                    |
+| K8s          | Kubernetes                                         |
+| MSA          | Microservices Architecture                         |
+| mTLS         | Mutual Transport Layer Security                    |
 | NIST         | National Institute of Standard and Technology      |
-| PAA          | Program Alignment Architecture                     |
+| OAuth        | Open Authentication                                |
+| OS           | Operating system                                   |
 | PaaS         | Platform as a Service                              |
 | PBMM         | Protected B, Medium Integrity, Medium Availability |
-| PIA          | Privacy Impact Assessment                          |
-| PoAM         | Plan of Actions and Milestones                     |
-| RACI         | Responsible, Accountable, Consulted, Informed      |
+| RBAC         | Role-base Access Control                           |
 | SaaS         | Software as a Service                              |
-| SDLC         | System Development Lifecycle                       |
-| SLA          | Service Level Agreement                            |
-| SSC          | Shared Services Canada                             |
+| SSH          | Secure Shell                                       |
 | TBS          | Treasury Board of Canada Secretariat               |
-| ULL          | Unclassified, Low Integrity, Low Availability      |
+| TLS          | Transport Layer Security                           |
+| VM           | Virtual Machine                                    |
 
 ### How to Contribute
 

diff --git a/SECURITY.md b/SECURITY.md
@@ -1,4 +1,4 @@
-([Français](#sécurité))
+([Français](#signalement-des-problèmes-de-sécurité))
 
 # Reporting Security Issues
 
@@ -7,6 +7,8 @@ To report a security issue, email [[email protected]](mailto:zztbscybers
 The TBS team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
 ______________________
 
+([English](#reporting-security-issues))
+
 ## Signalement des problèmes de sécurité
 
 Pour signaler un problème de sécurité, envoyez un courriel à [[email protected]](mailto:[email protected]) et ajoutez le mot « SÉCURITÉ » à la ligne d’objet.

diff --git a/_config.yml b/_config.yml
@@ -1,11 +1,13 @@
 remote_theme: wet-boew/gcweb-jekyll
+title: Guidance on Secure Containers and Microservices
 global:
   lang: en
 defaults:
   - scope:
       path: "" # Ensure it's applied to all pages
     values:
       layout: default
+markdown: gfm
 plugins:
   - jekyll-titles-from-headings
 titles_from_headings:

diff --git a/_layouts/core.html b/_layouts/core.html
@@ -0,0 +1,30 @@
+{%- include variable-core.liquid -%}
+{%- capture page-title -%}
+	{%- if page.title -%}
+		{{ page.title }}
+	{%- else -%}
+		Page untitled
+	{%- endif -%}
+{%- endcapture -%}
+<!DOCTYPE html>
+<html class="no-js" lang="{{ i18nText-lang | default: 'en' }}" dir="{{ i18nText-langDir | default: 'ltr' }}">
+<head>
+<meta charset="utf-8">
+{% include license.html %}
+<title>{{ page-title }} - {{ i18nText-siteTitle }}</title>
+<meta content="width=device-width, initial-scale=1" name="viewport">
+<link rel="stylesheet" href="/assets/css/style.css">
+{% include metadata.html %}
+{% include resources-inc/head.html %}
+</head>
+<body {% if page.pageclass %}class="{{ page.pageclass }}" {% endif %}vocab="http://schema.org/" typeof="WebPage">
+{%- if page.archived -%}
+	{% include headers-includes/archive.html %}
+{%- endif -%}
+{% include skiplinks/skiplinks.html %}
+{% include header/header.html %}
+{{ content }}
+{% include footers/footer.html %}
+{% include resources-inc/footer.html %}
+</body>
+</html>
diff --git a/assets/css/style.scss b/assets/css/style.scss
@@ -0,0 +1,41 @@
+---
+---
+table {
+  width: 100%;
+  border-collapse: collapse;
+  margin-bottom: 2em;
+}
+
+h1, h2, h3 {
+  margin: 1em 0 2em 0 !important;
+}
+
+tbody tr:first-child td {
+  padding-top: 0.8em !important;
+}
+
+th {
+  border-bottom: solid #ddd .18em;
+  padding: 0.3em 0.8em 0.3em 0.2em !important;
+}
+
+td {
+  padding: 0 0.8em 0.6em 0 !important;
+}
+
+td em, td b, td strong {
+  color: #037A8C;
+  background-color: #f9f2f4;
+  border-radius: 0.2em;
+  padding: 2px 4px;
+  font-weight: normal;
+}
+
+p {
+  margin: 1em 0 !important;
+}
+
+img {
+  display: block;
+  clear: both;
+}