The post has a lot of facets, so I am just going to pick #1 and #2. Number 3 is a matter of taste and skills - you should be able to run it with Docker or Kubernetes. Though, let me ask: what makes you think that Docker would not be suited for that task? If the websites are running on the same Docker host, then there is no guarantee that a breach would not affect another container - it really depends on how you do things, whether you use rootless Docker, or at least user namespace remapping, and whether you run privileged containers, which are not secure at all (but also not less secure than running the same process as a native process on the host).
#1 I haven’t used either one of those; I used Keycloak as I am used to it from work.
If your target application supports OIDC v3 or SAML, Keycloak is a good option, as the target container will forward to Keycloak for the authentication if not done already. If the target container doesn’t provide an integration, you usually can put some sort of gateway container in front of it that takes care of the OIDC flow. I imagine Authelia and Teleport work quite similarly.
#2 it really depends on your use case. Depending on the use case, mutual TLS is an excellent option, if applicable. Apart from that, I feel 2FA using a YubiKey or a virtual authenticator device is fine - of course you could additionally secure the virtual authenticator device (usually a mobile app) with biometrics.
The only reason why is to think of the future. As I know, there is no High-Availability, and many more things would speak for Kubernetes, even if it’s more complicated. I have no problem spending a lot of time learning all the things I need. The only thing right now why I don’t go with Kubernetes is that currently I can only afford 1 Server/Host for this project (the Server mentioned in the network plan), and as far as I read, if you have just 1 host you should go with Docker. I’m still an apprentice, so in the future when I can afford 300-400 Euro a month I would migrate to Kubernetes.
I just thought running Docker inside Docker and on the “Inside Docker” the websites would be secure…
And right now I’m only using 3FA (TOTP authentication) for almost anything if possible.
I will take some time and try to figure out if that would work for the application I use.
On a single node, you really don’t want to use Kubernetes, as its idle resource drain is much higher than that of Docker or even Docker Swarm. Some distributions like k3s or RKE2 have a smaller resource footprint.
Docker inside Docker? You mean Docker in Docker or Docker on Docker? For day to day operations, I would use neither one of those. Docker in Docker is just a way to use the host’s Docker engine from the docker CLI inside a container - that’s fine for tools that need to interact with the Docker engine, but the containers are still created on the host’s Docker engine. Docker on Docker really is a matter of taste and, if I remember correctly, has limitations when it comes to the usable storage drivers. Personally I would run LXD or KVM VMs with Docker (VMs provide a stronger isolation than containers).
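The first reply's point about rootless Docker, user namespace remapping and privileged containers, and the reply above about a container that is handed the host's Docker engine through its socket, as an added example that is not from this thread or from any of the tools mentioned in it: a small Python audit that reads `docker inspect` output (a constructed sample is embedded inline) and a `daemon.json` check. The field names follow Docker's inspect JSON (`HostConfig.Privileged`, `Binds`, `CapAdd`, `UsernsMode`, `PidMode`, `NetworkMode`) and the `userns-remap` daemon key; the severities and the capability list are my own choices, not Docker's.

```python
import json

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# HostConfig fields this audit looks at. These are not real containers.
SAMPLE_INSPECT_JSON = json.dumps([
    {
        "Name": "/site-a",
        "HostConfig": {
            "Privileged": False,
            "Binds": ["/srv/site-a:/var/www/html:ro"],
            "CapAdd": None,
            "CapDrop": ["ALL"],
            "UsernsMode": "",
            "PidMode": "",
            "NetworkMode": "web",
        },
    },
    {
        "Name": "/ci-runner",
        "HostConfig": {
            "Privileged": True,
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
            "CapAdd": ["SYS_ADMIN"],
            "CapDrop": None,
            "UsernsMode": "host",
            "PidMode": "host",
            "NetworkMode": "host",
        },
    },
])

# Constructed /etc/docker/daemon.json variants: one without user namespace
# remapping, one with it enabled.
DAEMON_JSON_DEFAULT = "{}"
DAEMON_JSON_REMAPPED = '{"userns-remap": "default"}'

# Capabilities that I (the author of this example) treat as container-escape relevant.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def audit_host_config(hc):
    """Return a list of (severity, message) tuples for one HostConfig dict."""
    findings = []
    if hc.get("Privileged"):
        findings.append(("high", "privileged: all capabilities and host devices available"))
    for bind in hc.get("Binds") or []:
        host_path = bind.split(":", 1)[0]
        if host_path.rstrip("/") == "/var/run/docker.sock":
            findings.append(("high", "docker socket mounted: equivalent to root on the host"))
    for cap in hc.get("CapAdd") or []:
        name = cap.upper()
        if name.startswith("CAP_"):
            name = name[4:]
        if name in DANGEROUS_CAPS:
            findings.append(("high", f"adds capability {name}"))
    if hc.get("UsernsMode") == "host":
        findings.append(("medium", "opts out of user namespace remapping (--userns=host)"))
    if hc.get("PidMode") == "host":
        findings.append(("medium", "shares the host PID namespace"))
    if hc.get("NetworkMode") == "host":
        findings.append(("medium", "shares the host network namespace"))
    return findings


def audit_inspect(inspect_json):
    """Map container name -> findings for the JSON array `docker inspect` prints."""
    report = {}
    for entry in json.loads(inspect_json):
        name = entry.get("Name", "?").lstrip("/")
        report[name] = audit_host_config(entry.get("HostConfig", {}))
    return report


def audit_daemon_config(daemon_json):
    """Check daemon.json for userns-remap (irrelevant if the engine runs rootless)."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    if not cfg.get("userns-remap"):
        return [("medium", "userns-remap not set: container uid 0 is host uid 0")]
    return []


def worst_severity(report):
    """Collapse a report to its worst severity: 'high', 'medium' or 'none'."""
    order = {"high": 2, "medium": 1}
    worst = 0
    for findings in report.values():
        for sev, _ in findings:
            worst = max(worst, order[sev])
    return {2: "high", 1: "medium"}.get(worst, "none")


if __name__ == "__main__":
    rep = audit_inspect(SAMPLE_INSPECT_JSON)
    for name, findings in rep.items():
        print(f"{name}: {'clean' if not findings else ''}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
    for sev, msg in audit_daemon_config(DAEMON_JSON_DEFAULT):
        print(f"daemon.json [{sev}] {msg}")
```

On a live host, `docker inspect $(docker ps -q) > inspect.json` produces the array the audit expects; pass the file's contents to `audit_inspect` and `/etc/docker/daemon.json` to `audit_daemon_config`. The sample deliberately pairs a plain website container with a CI-style container that has every setting the thread warns about, so the two reports show the difference the settings make.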
That would be at least as secure as running those on a “normal” host or VM, correct? And I know that it will never be 100% secure; sure, it can affect the other Containers running a few Instances higher (Container on docker itself), but the chance is pretty low, right? These are all “normal” websites with 80-110 visits a day (each Website).
Or would it make more sense to just use an extra Server just for hosting these websites? Is that better in terms of security?
Forgive me if I am not going to read that guide. You have to decide yourself if you want to use a platform that uses the host kernel or has its own kernel - the latter has the stronger possible isolation.
There is nothing to argue that running the websites on individual extra servers would be more secure. Personally I would run everything in containers. In a “playground” environment I would even run databases in containers, which I would never do in production.