Tsuru acts as a PaaS control plane over container/orchestrator infrastructure. Hardening should focus on API authentication, app isolation, secure deployment pipelines, and Kubernetes backend security.
¶ 1) Secure Tsuru API and Authentication
- Enforce HTTPS: Require TLS for all Tsuru API and dashboard endpoints
- API authentication: Integrate with centralized identity (OAuth, SAML, LDAP)
- Token management: Use short-lived tokens with automatic expiration
- Rate limiting: Configure API rate limits to prevent abuse
# Example auth configuration in tsuru.conf
auth:
user-registration: false # Disable open registration
session-timeout: 24h # Session expiration
api-token-expiry: 1h # API token lifetime
auth-scheme: oauth
oauth:
client-id: <your-client-id>
client-secret: <your-secret>
- Role-based access: Define roles with minimum required permissions
- Team isolation: Enforce strict team boundaries for app access
- Admin token protection: Restrict admin token to secure vault
- Audit API access: Log all API requests with user context
# Check Tsuru API endpoint
tsuru api-info
# Review listening ports
sudo ss -tulpn | grep -E ':8080|:443'
# Verify TLS configuration
openssl s_client -connect tsuru-api.example.com:443 -tls1_2 </dev/null 2>/dev/null | head -10
- Restrict API endpoints: Use network policies to limit API access
- Firewall rules: Allow API access from trusted networks only
- Load balancer TLS: Terminate TLS at load balancer with strong ciphers
- Internal API isolation: Keep internal API off public networks
¶ 2) Harden App and Team Isolation
- Strict team permissions: Use team-based access control
- App ownership: Assign apps to specific teams only
- Cross-team access: Require explicit grants for cross-team access
- Audit team changes: Log team membership modifications
# Check Kubernetes namespace isolation
kubectl get namespaces | grep tsuru
# Review network policies
kubectl get networkpolicy --all-namespaces
# Check pod security policies
kubectl get psp 2>/dev/null || kubectl get podsecuritypolicy 2>/dev/null
- Dedicated namespaces: Isolate apps in separate Kubernetes namespaces
- Network policies: Apply default-deny network policies per namespace
- Resource quotas: Set CPU/memory limits per team namespace
- RBAC isolation: Restrict Kubernetes access per team
- Container security context: Run containers as non-root
- Read-only filesystems: Use read-only root filesystem where possible
- Drop capabilities: Remove unnecessary Linux capabilities
- Seccomp profiles: Apply restrictive seccomp policies
# Review app environment variables (admin only)
tsuru env get --app <app-name>
# Set secrets securely
tsuru env set SECRET_KEY=secret --app <app-name>
- Encrypt sensitive env vars: Use Tsuru secrets or external vault
- Audit env var changes: Log environment variable modifications
- Restrict env var access: Limit who can view/set environment variables
- Avoid secrets in code: Use Tsuru env vars instead of hardcoded secrets
¶ 3) Protect Build and Deployment Supply Chain
- Trusted base images: Use approved base images from internal registry
- Image scanning: Scan images for vulnerabilities before deployment
- Image signing: Sign and verify images with cosign or similar
- Block latest tags: Require specific image versions or digests
# Check deployment history
tsuru app-info --app <app-name>
# Review deploy hooks
tsuru deploy --help
# Audit recent deployments
tsuru event list -k deploy --limit 20
- Restrict deploy permissions: Limit who can deploy to production
- CI/CD integration: Use service accounts for automated deploys
- Deploy hooks review: Audit custom deploy hooks for security
- Rollback procedures: Maintain secure rollback capabilities
- Private registry: Use internal Docker registry with authentication
- Registry scanning: Enable vulnerability scanning in registry
- Access control: Restrict registry push/pull permissions
- Image retention: Implement image retention policies
- Isolated build environments: Run builds in isolated containers
- Build log protection: Restrict access to build logs
- Dependency scanning: Scan dependencies for vulnerabilities
- Reproducible builds: Enable reproducible build processes
# Check cluster status
kubectl cluster-info
# Review node status
kubectl get nodes
# Check for privileged pods
kubectl get pods --all-namespaces -o jsonpath='{range .items[?(@.spec.containers[*].securityContext.privileged==true)]} {.metadata.namespace}{"\t"}{.metadata.name}{"\n"}{end}'
- Secure kubeconfig: Protect kubeconfig with strict permissions
- API server auth: Enable authentication and authorization on API server
- etcd encryption: Encrypt etcd data at rest
- Node security: Harden Kubernetes worker nodes
- Tsuru API pods: Run with minimal privileges
- Tsuru workers: Isolate worker processes
- Database security: Protect MongoDB with authentication and TLS
- Redis security: Secure Redis with authentication
# Review service accounts
kubectl get serviceaccounts --namespace tsuru
# Check service account tokens
kubectl get secrets --namespace tsuru | grep token
# Audit RBAC bindings
kubectl get rolebindings,clusterrolebindings --namespace tsuru
- Dedicated service accounts: Use separate accounts per component
- Token expiration: Enable bound service account tokens
- Minimal permissions: Grant least privilege required
- Regular rotation: Rotate service account tokens
¶ 5) Monitoring and Incident Response
- Centralized logging: Forward logs to ELK, Loki, or similar
- Structured logs: Use JSON format for easier analysis
- Log retention: Define retention policies for compliance
- Audit logging: Log all administrative actions
# Review Tsuru events
tsuru event list --limit 50
# Check for failed logins
tsuru event list -k login --limit 20
# Monitor app restarts
tsuru app list
- Alert on auth failures: Detect brute force attempts
- Monitor resource usage: Alert on unusual resource consumption
- Track deployment changes: Audit all deployment events
- Watch for privilege escalation: Detect unauthorized access
- Document procedures: Create runbooks for security incidents
- Isolation procedures: Know how to isolate compromised apps
- Credential rotation: Have emergency rotation procedures
- Backup and recovery: Maintain secure backups
¶ Verification Commands
# Check Tsuru version
tsuru version 2>/dev/null || tsurud version
# Review configuration
grep -R "auth\|token\|tls\|api" /etc/tsuru /opt/tsuru 2>/dev/null | head -30
# Check listening ports
sudo ss -tulpn | grep -E ':8080|:443|:2379|:6443'
# Verify Kubernetes backend
kubectl get pods -n tsuru
# Check MongoDB connection (if local)
mongo --eval "db.auth('admin', 'password')" 2>/dev/null || echo "MongoDB not local or auth required"
# Review Tsuru events
tsuru event list --limit 20
# Check app isolation
kubectl get namespaces | grep tsuru
# Audit API access
tsuru event list -k "app\|deploy\|team" --limit 30
- Tsuru Documentation: https://docs.tsuru.io/stable/
- Tsuru Security Advisories: https://github.com/tsuru/tsuru/security
- Tsuru Source Repository: https://github.com/tsuru/tsuru
- Kubernetes Security: https://kubernetes.io/docs/concepts/security/
- CNCF Security: https://www.cncf.io/projects/
- Container Security Best Practices: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html