IBM Cloud Docs
Code Engine and security

The IBM Cloud® Code Engine architecture is built with a security-first mindset. Code Engine components are managed and owned by IBM. Customers and their workloads are isolated from each other by using projects, which are based on Kubernetes namespaces. Role-based access control is enforced at the resource level so that only authorized users can perform operations on project resources. User access is controlled by Cloud Identity and Access Management (IAM). Deployed apps are exposed through HTTPS, and Code Engine creates and manages the underlying TLS certificates automatically for you. Code Engine provides immediate DDoS protection for your application. Code Engine's DDoS protection is provided by Cloud Internet Services (CIS) at no additional cost to you.

Code Engine jobs have no external endpoint by design and cannot be reached from outside. Jobs can still make outbound requests, and they can call Code Engine applications internally within the project. For an example of a job that calls an application internally, see the Samples for Code Engine GitHub repository.

You can use the following security features to enhance your security.

Security features

  • Authorize access with IAM: Grant access to other users for Code Engine by using Cloud Identity and Access Management (IAM). IBM Cloud IAM provides secure authentication with the IBM Cloud platform, Code Engine, and all the resources in your account. Setting up proper user roles and permissions is key to limiting who can access your resources. See Managing user access.
  • Disable external endpoints: Deploy your application with a disabled external endpoint that is not exposed to external traffic by using the --visibility=private or --visibility=project option. See Options for visibility for a Code Engine application.
  • Store images in private image registries: Set up a private image registry, such as the one provided by IBM Cloud Container Registry, to control access to the registry and the images that can be deployed in Code Engine. Scan your images automatically with the IBM Cloud Container Registry Vulnerability Advisor. You can also configure access to your own private registry. See Accessing container registries.
  • Build code from a private repository: Store your source code in a private repository and then build to IBM Cloud Container Registry. See Accessing private code repositories.
  • Use secrets to store sensitive information: Store information such as passwords and SSH keys in a secret rather than in your image or your source code. For more information, see Working with secrets.
  • Add authentication and authorization capabilities: If you expose your application or function in Code Engine on a public API or website, you might want to restrict access to certain users or locations (IP address ranges). Code Engine restricts access to the APIs that manage Code Engine projects and their entities, but it is the responsibility of the owner of the source code to add proper authentication and authorization to the code that runs when the endpoints are reached. For example, you can use IBM Cloud App ID to add authentication and authorization capabilities to your code.
  • Rotate TLS certificates regularly: If you use custom domain mappings to expose your applications or functions, make sure that your TLS certificates have a short validity period, for example 90 days, and rotate each certificate periodically with an updated certificate that has its own expiry date. Ideally, use automation to rotate the certificates. For example, you can use a Code Engine job that is triggered by a cron subscription to rotate the certificate. If you store secrets in IBM Cloud Secrets Manager, consider using IBM Cloud Event Notifications so that your Code Engine project is notified when a certificate is rotated. You can find a sample app that uses event notifications in the Code Engine samples repository on GitHub.
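The following is an added example, not code from IBM or the Code Engine documentation, of how an app can enforce the authentication and IP-range authorization described above on its own endpoint, since the platform does not do it for you. It assumes a hypothetical shared signing secret in the environment variable APP_TOKEN_SECRET (populated from a Code Engine secret), a hypothetical ALLOWED_CIDRS variable, that the platform ingress sets X-Forwarded-For, and that the app listens on the port given in PORT. The HMAC-signed token scheme stands in for a real identity provider such as App ID; the CIDR ranges are constructed documentation prefixes.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import os
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical configuration (assumption, not a Code Engine API): the signing secret
# comes from a Code Engine secret exposed as APP_TOKEN_SECRET; the allowed source
# ranges are constructed documentation prefixes (RFC 5737 / RFC 3849).
SECRET = os.environ.get("APP_TOKEN_SECRET", "constructed-demo-secret").encode()
ALLOWED_CIDRS = [
    ipaddress.ip_network(c.strip())
    for c in os.environ.get("ALLOWED_CIDRS", "203.0.113.0/24,2001:db8::/32").split(",")
]


def issue_token(subject, ttl_s, now=None):
    """Mint a bearer token: urlsafe_b64(subject|expiry) '.' hex(HMAC-SHA256)."""
    now = time.time() if now is None else now
    payload = f"{subject}|{int(now) + ttl_s}".encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_token(token, now=None):
    """Return the subject for a well-formed, correctly signed, unexpired token, else None."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
        subject, expiry = payload.decode().split("|", 1)
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    # constant-time comparison so a caller cannot learn the signature byte by byte
    if not hmac.compare_digest(expected, sig):
        return None
    if now >= expiry:
        return None
    return subject


def client_ip(headers, remote_addr):
    """First X-Forwarded-For hop (set by the platform ingress), else the socket peer.
    Trusting that header is only safe because the app is reachable solely through
    the platform ingress (an assumption stated in the lead-in)."""
    xff = headers.get("X-Forwarded-For", "")
    return xff.split(",")[0].strip() if xff else remote_addr


def authorize(headers, remote_addr, now=None):
    """Location check first, then the bearer token. Returns (http_status, detail)."""
    try:
        ip = ipaddress.ip_address(client_ip(headers, remote_addr))
    except ValueError:
        return 400, "malformed client address"
    if not any(ip in net for net in ALLOWED_CIDRS):
        return 403, "source address not allowed"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    subject = verify_token(auth[len("Bearer "):], now)
    if subject is None:
        return 401, "invalid or expired token"
    return 200, subject


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, detail = authorize(self.headers, self.client_address[0])
        body = json.dumps({"status": status, "detail": detail}).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Code Engine passes the listening port in PORT (8080 by default).
    HTTPServer(("", int(os.environ.get("PORT", "8080"))), Handler).serve_forever()
```

A request from outside the allowed ranges is rejected with 403 before the token is even parsed; a forged, tampered or expired token gets 401. If the same code ever runs somewhere that is reachable without the platform ingress in front of it, client_ip must ignore X-Forwarded-For, because any client can set that header.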

Supported TLS versions and cipher suites

The Code Engine API and application endpoints support transport layer security (TLS) 1.2 (or higher) and the following cipher suites.

TLS cipher suites

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-CHACHA20-POLY1305
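As an added example that is not part of the IBM documentation, the following Python script checks a negotiated TLS session against the version and cipher-suite list above and applies the renewal window from the Rotate TLS certificates regularly feature, which is the decision a cron-triggered Code Engine job would make before rotating a custom-domain certificate. probe() needs network access; assess() is pure and runs on captured values. The TLS 1.3 suite names, the 30-day renewal window and the example.com default target are assumptions of this example, not values from the page.

```python
import socket
import ssl
import sys
import time

# Cipher suites the page lists as supported (OpenSSL names, TLS 1.2 style).
ALLOWED_CIPHERS = {
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
}
# Assumption: "TLS 1.2 or higher" means a TLS 1.3 handshake is acceptable; OpenSSL
# reports its fixed AEAD suites under these names, which the page's list does not cover.
TLS13_CIPHERS = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                 "TLS_CHACHA20_POLY1305_SHA256"}
PROTO_RANK = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def assess(version, cipher, not_after, now=None, renew_within_days=30):
    """Return a list of findings for one negotiated session; an empty list means healthy.
    not_after is the string ssl.getpeercert() returns, e.g. 'Jun  1 12:00:00 2030 GMT'."""
    findings = []
    if PROTO_RANK.get(version, 0) < PROTO_RANK["TLSv1.2"]:
        findings.append(f"protocol {version} is below TLS 1.2")
    if version == "TLSv1.3":
        if cipher not in TLS13_CIPHERS:
            findings.append(f"unexpected TLS 1.3 suite {cipher}")
    elif cipher not in ALLOWED_CIPHERS:
        findings.append(f"cipher {cipher} is not in the supported list")
    now = time.time() if now is None else now
    # cert_time_to_seconds interprets the certificate's GMT timestamp as UTC
    days_left = (ssl.cert_time_to_seconds(not_after) - now) / 86400
    if days_left <= 0:
        findings.append("certificate has expired")
    elif days_left < renew_within_days:
        findings.append(f"certificate expires in {days_left:.0f} days; rotate it now")
    return findings


def probe(host, port=443, timeout=5.0):
    """Handshake with a live endpoint and return (version, cipher, notAfter)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # hypothetical target
    problems = assess(*probe(host))
    print("OK" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run it against your custom domain (python check_tls.py www.example.com) from a cron-triggered job: a non-zero exit means either the endpoint negotiated something outside the policy above or the certificate is inside the renewal window and the rotation step should run. The protocol check in assess() matters mostly for captured values, because create_default_context() already refuses anything below TLS 1.2 on current Python releases.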

DDoS protection

Code Engine provides immediate DDoS protection for your application. Code Engine's DDoS protection is provided by Cloud Internet Services (CIS) at no additional cost to you.

DDoS protection covers Open Systems Interconnection (OSI) Layer 3 and Layer 4 (network and transport, that is, TCP/IP) protocol attacks, but not Layer 7 (HTTP) attacks.

To address Layer 7 attacks, you can take the following steps so that traffic reaches your app only through your custom domain, fronted by CIS, and the Code Engine-provided domain is no longer reachable from the public internet.

  1. Obtain your custom domain.
  2. In Code Engine, create a custom domain mapping for your app.
  3. Set up an instance of Cloud Internet Services (CIS) to manage your custom domain.
  4. Add the custom domain to the CIS instance.
  5. Configure a global load balancer in CIS.
  6. Enable the HTTP proxy mode for the load balancer in CIS. This activates DDoS protection on Layer 7 and other CIS security features.
  7. In Code Engine, turn off the public system-provided domain mapping of your application. Open your application, go to the Domain mappings tab, and select No external system domain mapping. Until this mapping is turned off, the app remains reachable on the system-provided domain, which bypasses CIS.
  8. Click Create to save the application revision.

For more information about DDoS in CIS, see Dealing with Distributed Denial of Service attacks in CIS. For more ways to address Layer 7 attacks, see Mitigating Layer 7 attacks in CIS.