OpenFaaS exposes function APIs and controls build/deploy pipelines. Security should focus on gateway protection, function invocation authorization, and hardened Kubernetes runtime policies.
¶ 1) Protect the gateway and control plane
- Expose gateway only via HTTPS with trusted certificates.
- Require authentication for gateway/API access and disable anonymous access paths.
- Restrict dashboard/gateway endpoints to trusted networks.
- Rotate gateway credentials and API tokens regularly.
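A client-side counterpart to the gateway controls above, written as an added example rather than code from the OpenFaaS project: it refuses to send credentials over anything but HTTPS, verifies the server certificate against a CA bundle, and reads the basic-auth username and password from files on every call so that a rotated secret takes effect without redeploying the caller. The file names `basic-auth-user` and `basic-auth-password` follow the keys of the OpenFaaS `basic-auth` secret; the secret directory, the gateway hostname and the function name are constructed placeholders.

```python
"""Hardened gateway invocation helper (added example, not OpenFaaS project code).

Assumptions (not stated on the page): the gateway runs in its default
basic-auth mode, functions are invoked at /function/<name> on the gateway, and
the credentials have been copied into two files named after the keys of the
OpenFaaS basic-auth secret inside SECRET_DIR.
"""
import base64
import os
import ssl
import urllib.request
from urllib.parse import urlsplit


def build_invoke_request(gateway, fn_name, username, password, body=b""):
    """Build a POST to /function/<fn_name>, refusing plaintext gateways.

    Raises ValueError for a non-HTTPS gateway URL so a basic-auth header is
    never emitted over an unencrypted connection.
    """
    parts = urlsplit(gateway)
    if parts.scheme != "https":
        raise ValueError(f"gateway must be reached over https, got {parts.scheme!r}")
    if not fn_name.replace("-", "").replace("_", "").isalnum():
        raise ValueError("function name contains unexpected characters")
    url = f"{gateway.rstrip('/')}/function/{fn_name}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/octet-stream")
    return req


def load_credentials(secret_dir):
    """Read the username/password from files (e.g. a mounted Kubernetes secret).

    Reading on every call, instead of caching at start-up, means credential
    rotation needs no restart of the caller.
    """
    with open(os.path.join(secret_dir, "basic-auth-user")) as f:
        user = f.read().strip()
    with open(os.path.join(secret_dir, "basic-auth-password")) as f:
        password = f.read().strip()
    return user, password


def invoke(gateway, fn_name, secret_dir, body=b"", ca_bundle=None):
    """Invoke a function through the gateway with certificate verification.

    ca_bundle=None uses the system trust store; pass a path to pin an
    internal CA. Returns (status, response_bytes).
    """
    user, password = load_credentials(secret_dir)
    req = build_invoke_request(gateway, fn_name, user, password, body)
    ctx = ssl.create_default_context(cafile=ca_bundle)  # verifies the server cert
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Constructed placeholders: a gateway hostname and a secret directory.
    status, out = invoke("https://gateway.example.internal", "echo",
                         "/var/run/gateway-creds", b"hello")
    print(status, out[:80])
```

The scheme check happens before the Authorization header is built, so a misconfigured `http://` gateway URL fails closed in the caller rather than leaking the credential to the network.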
¶ 2) Enforce function-level auth and policy
- Use function authentication/authorization controls for sensitive endpoints.
- Keep function handlers free of embedded long-lived secrets.
- Restrict async and public function invocation routes.
- Apply per-function resource quotas and concurrency limits.
¶ 3) Harden the Kubernetes runtime
- Run functions as non-root and drop unnecessary capabilities.
- Deny privileged pods and host mounts for functions.
- Isolate namespaces for tenant/workload separation.
- Audit deployments and invocation logs for abuse patterns.
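The runtime items above (non-root, dropped capabilities, no privileged pods or host mounts, per-function quotas) and the "no embedded secrets" item can be checked mechanically against the pod a function actually runs as. The following audit is an added example, not OpenFaaS project code: it takes a Pod manifest already loaded into a dict (for instance the JSON output of `kubectl get pod` in the function namespace) and returns one finding per violated control. The two manifests embedded below are constructed for illustration; image names, function names and the secret name are placeholders.

```python
"""Runtime-policy audit for OpenFaaS function pods (added example, not project code).

Input is a Kubernetes Pod manifest as a dict. Checks map to the controls in
sections 2) and 3): no host namespaces or hostPath volumes, no privileged
containers, runAsNonRoot, drop ALL capabilities, no privilege escalation,
cpu/memory limits present, and no secret-looking values inlined in env.
"""

SECRET_NAME_HINTS = ("TOKEN", "SECRET", "PASSWORD", "PASSWD", "API_KEY", "PRIVATE_KEY")


def audit_function_pod(pod):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod shares {flag} with the node")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol.get('name')!r} mounts a hostPath")

    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot not set")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        caps = sc.get("capabilities", {})
        if "ALL" not in [x.upper() for x in caps.get("drop", [])]:
            findings.append(f"{name}: capabilities not dropped (drop: [ALL] missing)")
        if caps.get("add"):
            findings.append(f"{name}: adds capabilities {caps['add']}")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}: no {res} limit")
        for env in c.get("env", []):
            env_name = env.get("name", "").upper()
            if "value" in env and any(h in env_name for h in SECRET_NAME_HINTS):
                findings.append(f"{name}: env {env['name']} carries an inline secret-like value")
    return findings


# Constructed sample: a function pod that violates most of the checklist.
WEAK_POD = {
    "metadata": {"name": "img-resize-weak", "namespace": "openfaas-fn"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "host-data", "hostPath": {"path": "/host-data"}}],
        "containers": [{
            "name": "img-resize",
            "image": "registry.example.internal/img-resize:1.0",
            "securityContext": {"privileged": True},
            "env": [{"name": "API_TOKEN", "value": "placeholder-inline-token"}],
        }],
    },
}

# Constructed sample: the same function deployed with the hardening applied.
# The secret is mounted as a file under /var/openfaas/secrets, the path the
# OpenFaaS watchdog templates read secrets from, instead of being inlined in env.
HARDENED_POD = {
    "metadata": {"name": "img-resize-hardened", "namespace": "openfaas-fn"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "volumes": [{"name": "invoke-token", "secret": {"secretName": "invoke-token"}}],
        "containers": [{
            "name": "img-resize",
            "image": "registry.example.internal/img-resize:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                          "requests": {"cpu": "100m", "memory": "64Mi"}},
            "volumeMounts": [{"name": "invoke-token",
                              "mountPath": "/var/openfaas/secrets", "readOnly": True}],
        }],
    },
}


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_function_pod(pod) or "OK")
```

Running the audit over every pod in the function namespace on a schedule, and treating a non-empty result as a deployment gate, turns the checklist into a detection rather than a one-off review; the same checks can be expressed as admission policy once the expected shape is settled.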
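For the function-level items in 2), in particular authorizing sensitive endpoints and keeping long-lived secrets out of handler code, here is an added example of a handler that performs its own check; it is not code from the OpenFaaS project. It assumes the shape of the `python3-http` template, `handle(event, context)` with `event.headers` and `event.body`, and that a secret named `invoke-token` was created with `faas-cli secret create` and listed under `secrets:` in the function's stack.yml, so that OpenFaaS mounts it at `/var/openfaas/secrets/invoke-token`. The token is read from that file, never from source, and compared in constant time. `FakeEvent` and the `SECRET_DIR` override exist only so the logic can be exercised outside a cluster.

```python
"""Function-side bearer-token check (added example, not OpenFaaS project code).

Assumes the python3-http template calling convention and the OpenFaaS secret
mount path /var/openfaas/secrets/<name>. SECRET_DIR may be overridden through
the environment for local testing only.
"""
import hmac
import os

SECRET_DIR = os.environ.get("SECRET_DIR", "/var/openfaas/secrets")
SECRET_NAME = "invoke-token"  # name given to `faas-cli secret create`


def load_token(secret_dir=SECRET_DIR):
    """Read the expected token from the mounted secret file (bytes, trimmed)."""
    with open(os.path.join(secret_dir, SECRET_NAME), "rb") as f:
        return f.read().strip()


def bearer_from_headers(headers):
    """Extract the bearer token from a case-insensitive header mapping, or None."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip().encode()
    return None


def is_authorized(headers, expected):
    """Constant-time comparison so timing does not reveal how much matched."""
    presented = bearer_from_headers(headers)
    if presented is None:
        return False
    return hmac.compare_digest(presented, expected)


def handle(event, context, expected=None):
    """python3-http style handler; `expected` is injectable for tests only."""
    expected = expected if expected is not None else load_token()
    if not is_authorized(event.headers, expected):
        return {"statusCode": 401, "body": "unauthorized",
                "headers": {"WWW-Authenticate": "Bearer"}}
    body = event.body or b""
    return {"statusCode": 200, "body": f"processed {len(body)} bytes"}


class FakeEvent:
    """Constructed stand-in for the template's event object."""

    def __init__(self, headers, body=b""):
        self.headers = headers
        self.body = body
```

Reading the token from the mount on each call (rather than at import time) means rotating the secret with `faas-cli secret update` takes effect on the next invocation; the 401 path deliberately returns the same body whether the header was missing or wrong.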
- OpenFaaS docs: https://docs.openfaas.com/
- OpenFaaS REST API and TLS notes: https://docs.openfaas.com/reference/rest-api/
- OpenFaaS function auth overview: https://www.openfaas.com/blog/built-in-function-authentication/
- OpenFaaS source repositories: https://github.com/openfaas