docs
/
Go to coder.comRequest Support
docs
/
Home
About
Comparison
Feedback
Getting started
Workspaces
Getting started
Lifecycle
Applications
Autostart
Dev URLs
Docker in workspaces
Editors and IDEs
Environment variables
Personalization
Preferences
Progressive web apps
SSH access
Workspace parameters
Workspace templates
Workspace templates
Workspace template code completion
Images
Import
Tags
Custom image creation
Configure script
Structure
TLS certificates
Deprecate
Embeddable button
Command line
Installation and setup
Remote terminal
File sync
Workspace management
Setup
Architecture
Requirements
Kubernetes
Local preview
K3s
Amazon Elastic Kubernetes Service
Azure Kubernetes Service
Google Kubernetes Engine
Red Hat OpenShift
Installation
Configuration
Licensing
Updating
Update considerations
Air-gapped deployment
Network setup
Coder for Docker
Admin
Access control
User roles
Organization roles
Password reset
User management
Organizations
Org management
Registries
Default registry
Amazon Elastic Container Registry
Google Container Registry
Satellites
Manage satellites
Migrate to satellite deployments
Workspace management
Docker in workspaces
Cluster setup
Images
Management
Extensions
GPU acceleration
IDE installation
Memory provisioning
CPU provisioning
Self-contained workspace builds
Shutdown
SSH configuration
Workspace providers
Deployment
EC2
Kubernetes
Workspace provider management
Access URL
Account dormancy
Appearance
Audit
Browser security
Dev URLs
Git integration
Direct workspace connections
Telemetry
Templates
Usage metrics
Guides
Admin
Compute resources
Database migration
Helm charts
Image tag names
Logging
OpenID Connect with Azure AD
OpenID Connect with Google
OpenID Connect with Okta
Shared security responsibility
Storage
Usage monitoring
Customization
Git configuration
GPG forwarding
macOS keybindings
Node.js Projects
Tailscale
VNC
Deployment
Coder installation from an archive
Managed code-server Workspaces
PostgreSQL
SAML 2.0 identity brokering
Teardown
Terraform
TLS certificates
Azure DNS
Google Cloud DNS
Cloudflare
Route 53
Hosted beta
Mobile development
Public API
Troubleshooting
Admin password reset
Docker
GitHub OAuth integration
Image registry
inotify watcher limit problems
TypeError: Failed to fetch
Changelog
1.25.0
1.24.0
1.23.0
1.23.1
1.22.0
1.22.1
1.22.2
1.22.3
Home
/
Guides
/
Admin

Shared security responsibility

3 min read

Learn how Coder and its users carry security-related responsibilities.

To guarantee the security of the Coder workspace, which includes the entire ecosystem of components needed to support the developer's user experience, several parties must carry different responsibilities. While this is not an exhaustive list, this article lists the security responsibilities for both Coder and its users (specifically the site admin/site managers).

There are two categories of integration points for a Coder workspace:

  1. Kubernetes and networking
  2. External tie-ins (authentication, container registries, Git providers, etc.)

Kubernetes and networking

Like most software, Coder depends on the system on which it is installed to provide some security boundaries. Coder is installed onto Kubernetes clusters and includes expectations of how to cluster is configured. As such, changes to the following aspects of your cluster may impact Coder's security and performance:

  • Storage
    • Quotas
    • Encryption
    • Cloud access to volumes
    • Depletion as denial of service
      • PVC
      • Ephemeral
  • Networking
    • Encryption (mTLS)
      • Certificates
        • TLS certificates presented by coderd
        • TLS certificats presented by the applications with which Coder interacts
    • Boundaries (e.g., network policies)
    • External interactions (ingress and egress)
    • IP address depletion as denial of service
      • Each workspace gets an IP address in the pod subset
      • Each dev URL gets an IP address in the services subnet
  • Kubernetes roles
    • Service accounts for Coder to create pods
    • Cluster admins (use of cluster admins can pose a security risk)
    • Cloud access to the control plane
  • Node security
    • Upgrades to keep up with Kubernetes
    • Access to node user accounts
    • Cloud access to nodes

Recommendations

We recommend that you deploy Coder to its own cluster. With this option, the security boundary is around the cluster, so things like PVC access, password resets, and database access are clearly actions taken against Coder. Cluster admins can perform any necessary action, while all others are constrained by their Coder role.

Though you can deploy Coder to a shared cluster, the security boundary is threaded through the components mentioned in the section above due to the multiple applications present in the cluster.

External tie-ins

Coder makes assumptions about how the following tie-ins are configured when deploying security controls:

  • Authentication provider
    • Changing the authentication provider settings can render Coder insecure
    • Site admins could convert a user authenticating via OIDC to built-in, allowing the admin to impersonate the user
  • Container registry
    • The registry account used to access images should be a specific Coder-only account so that Coder users can only pull approved images
    • CVMs can only pull unauthenticated containers, which means that any user can reference any container within the registry
  • Git provider
    • OAuth linkage allows Coder admins to perform actions as the linked Git user
    • SSH keys generated by Coder and added to workspaces can be used to circumvent 2FA to GitLab via Coder
    • Git integration request both SSH and HTTPS access to function
    • Access to all user repos must be added to a Coder workspace to clone private dotfiles repos
    • Coder doesn't allow the linking of multiple Git providers of the same type
    • Disabling the OAuth linking account may cause a denial of service

See an opportunity to improve our docs? Make an edit.

Go to coder.comGitHub