---
copyright:
lastupdated: "2022-05-05"
keywords: code engine security, security, security features for code engine, code engine security features, code engine iam
subcollection: codeengine
---
{{site.data.keyword.attribute-definition-list}}
{: #secure}
The {{site.data.keyword.codeenginefull}} architecture is built with a security-first mindset. {{site.data.keyword.codeengineshort}} components are managed and owned by IBM. Customers and their workloads are isolated from each other by using projects, which are based on Kubernetes namespaces. Role-based access controls are enforced at the resource level so that only authorized users can perform certain operations on project resources. User access is controlled by {{site.data.keyword.iamshort}} (IAM). Deployed apps are exposed through HTTPS, and {{site.data.keyword.codeengineshort}} creates and manages the underlying TLS certificates automatically for you. {{site.data.keyword.codeengineshort}} provides out-of-the-box DDoS protection for your application. {{site.data.keyword.codeengineshort}}'s DDoS protection is provided by {{site.data.keyword.cis_short}} at no additional cost to you.
{: shortdesc}
{{site.data.keyword.codeengineshort}} jobs cannot be accessed externally by definition. Jobs can still make external requests, though, and they can call {{site.data.keyword.codeengineshort}} applications internally. For an example of a job that calls an application internally, see the Samples for {{site.data.keyword.codeengineshort}} GitHub repository{: external}. {: note}
You can use the following security features to enhance your security.
Security feature | Description |
---|---|
Authorize access with IAM | Grant access to other users for {{site.data.keyword.codeengineshort}} by using {{site.data.keyword.iamshort}} (IAM). {{site.data.keyword.cloud_notm}} IAM provides secure authentication with the {{site.data.keyword.cloud_notm}} platform, {{site.data.keyword.codeengineshort}}, and all the resources in your account. Setting up proper user roles and permissions is key to limiting who can access your resources. See Managing user access. |
Disable external endpoints | Deploy your application with a disabled external endpoint that is not exposed to external traffic by using the `--visibility=private` or `--visibility=project` option. See Options for visibility for a Code Engine application. |
Store images in private image registries | Set up a private image registry, such as the one provided by {{site.data.keyword.registrylong_notm}}, to control access to the registry and the images that can be deployed in {{site.data.keyword.codeengineshort}}. Scan your images automatically with the {{site.data.keyword.registrylong_notm}} Vulnerability Advisor. You can also add access to your own custom private registry. See Accessing container registries. |
Build code from a private repository | Store your source code in a private repository and then build to {{site.data.keyword.registrylong_notm}}. See Accessing private code repositories. |
Use secrets to store sensitive information | You can store information, such as passwords and SSH keys, in a secret. For more information, see Setting up and using secrets and configmaps. |
{: caption="Table 1. Security features" caption-side="top"}
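As an added example that is not code from the IBM documentation or from the Code Engine project, the following script applies several of the Table 1 controls in one deployment: image pull credentials in a registry secret, application credentials in a secret, and the app deployed from a private image with a non-public endpoint. It assumes the `ibmcloud ce` CLI is installed with a project selected, and every name, image, registry server and credential file in it is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the IBM docs: applies the Table 1 controls together.
# Assumes the `ibmcloud ce` CLI is installed and you are logged in with a project
# selected; every name, image, server and file path below is a placeholder.
set -eu
APP="${APP:-internal-api}"                                          # placeholder app name
IMAGE="${IMAGE:-private.us.icr.io/my-namespace/internal-api:1.0}"    # placeholder private image
REGISTRY_SECRET="icr-pull"          # registry access secret holding image pull credentials
APP_SECRET="internal-api-creds"     # secret whose keys become environment variables
ALLOW_PUBLIC="${ALLOW_PUBLIC:-0}"   # a public endpoint needs an explicit opt-in
# With DRY_RUN=1 the ibmcloud commands are printed instead of executed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}
# Only 'private' and 'project' pass; 'public' only when ALLOW_PUBLIC=1 was set on purpose.
check_visibility() {
  case "$1" in
    private|project) return 0 ;;
    public) [ "$ALLOW_PUBLIC" = "1" ] ;;
    *) return 1 ;;
  esac
}

# Registry access: pull credentials live in a registry secret; the password is read
# from a file so it does not land in shell history or the process list.
create_registry_secret() {
  run ibmcloud ce registry create --name "$REGISTRY_SECRET" --server private.us.icr.io \
    --username iamapikey --password-from-file ./apikey.txt
}

# Sensitive configuration goes into a Code Engine secret, not into plain --env values.
create_app_secret() {
  run ibmcloud ce secret create --name "$APP_SECRET" --from-file DB_PASSWORD=./db-password.txt
}
# Deploy from the private registry with the secret mounted as environment variables
# and the endpoint kept off the public internet (project: reachable only in-project).
deploy_app() {
  visibility="${1:-project}"
  check_visibility "$visibility" || { echo "refusing visibility '$visibility'" >&2; return 1; }
  run ibmcloud ce application create --name "$APP" --image "$IMAGE" \
    --registry-secret "$REGISTRY_SECRET" --env-from-secret "$APP_SECRET" \
    --visibility "$visibility"
}

main() { create_registry_secret; create_app_secret; deploy_app project; }
case "${1:-}" in
  apply) main ;;          # run the commands for real
  *) DRY_RUN=1 main ;;    # default: show what would run
esac
```

Run it with `apply` as the first argument to execute the commands; without arguments it only prints them, so you can review the exact flags before anything is created.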