Technical Discovery: Serverless use cases
Problem to solve
Users running serverless applications on Knative are exposed to the same classes of security vulnerabilities as anyone else, but traditional security approaches primarily target classical, server-focused use cases rather than serverless. As a result, users with serverless applications have to choose between rewriting their app for a classic server architecture in order to use security tools, or keeping their serverless architecture without any security tools in place.
Intended users
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Further details
In the future, GitLab will offer similar security capabilities, such as WAF, Threat Detection, and others, for serverless applications, much as we do for traditional Kubernetes applications.
Proposal
Serverless use cases and technologies are relatively new, so this issue is proposing technical discovery for the team to learn about this space and identify next steps in terms of what we'll need to learn more about and how our security capabilities will relate to serverless use cases.
Specifically, this discovery should explore:
- How would an app be deployed on serverless with GitLab & Knative?
- What differences are there in using Knative compared with the traditional clusters GitLab has today?
- Are our existing security tools, like WAF, Threat Detection, and NetworkPolicy objects, able to be directly used with serverless use cases?
- If not, why can't they be used? Is there a reasonable path to adapting them? Do the problems they solve not apply in the serverless use case?
- Add other questions here organically
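As an added illustration of the NetworkPolicy question above (this is not code from the issue or from GitLab), the policy below shows the main difference a practitioner would run into: Knative creates and scales the pods itself, and requests reach those pods from the Knative data plane (the activator on scale-from-zero, the ingress gateway otherwise) rather than from the calling workload, so a policy written for a classic Deployment would block legitimate traffic. The namespace `demo`, the Knative Service name `hello`, and the ingress-layer namespace `kourier-system` are assumptions for the example.

```yaml
# Added example, not from the issue: a NetworkPolicy scoped to the pods
# Knative Serving creates for one service. Assumed names: namespace "demo",
# Knative Service "hello", ingress-layer namespace "kourier-system"
# (it would be "istio-system" with the Istio networking layer).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: hello-ingress
  namespace: demo
spec:
  # Knative labels every pod belonging to a Service with
  # serving.knative.dev/service, so the selector keeps matching as new
  # revisions are rolled out and scaled up or down.
  podSelector:
    matchLabels:
      serving.knative.dev/service: hello
  policyTypes:
    - Ingress
  ingress:
    # Traffic arrives from the Knative data plane, not from the client pod:
    # the activator lives in knative-serving, the ingress gateway in the
    # networking layer's namespace. Selecting only the client namespace here,
    # as one would for a classic Deployment, would cut the service off.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: knative-serving
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kourier-system   # assumed ingress layer
```

The `kubernetes.io/metadata.name` namespace label is assumed to be present (it is set automatically on recent Kubernetes versions). Once the discovery has confirmed which port the Knative queue-proxy sidecar listens on in the target cluster, the rule can be narrowed further with a `ports` entry; egress from the function pods is deliberately left untouched here so the example stays focused on the ingress path difference.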
Follow-up issues should be created for each of these areas as necessary.
Permissions and Security
Documentation
Testing
What does success look like, and how can we measure that?
- Answers to the questions above and technical decisions made
- Follow-on issues created where necessary
What is the type of buyer?
Links / references
- Snyk 10 serverless best practices. Ones that jump out as specific to serverless (isolated function parameters, deploy functions in minimal granularity)
- awesome-serverless-security
- Serverless GOAT OWASP
- Puresec: Puresec functionshield / Puresec blog / serverless days Youtube
- Newbies guide to serverless security
- 6 serverless design patterns - Usenix paper
- Knative the Security Platypus - Kubecon 2019 Talk