Some Questions about my containerisation. Suggestions?

Questions

  1. Authelia or Teleport as authenticator? Or any suggestions for other applications? (As secure as possible, even if it’s complicated or not user-friendly.)
  2. Which authentication method would you recommend and why? MFA (2FA, 3FA…), certificate-based auth., biometric auth. or token-based auth?
  3. Docker Compose or Kubernetes? Which would you recommend in terms of security AND PRIVACY? AND WHY?
  4. Which Docker containers are you running? Any suggestions for my network plan below?
  5. Is it possible to seal off the 3 websites, so that if they get compromised the rest is still really secure? Like a DMZ.

Thanks in advance :wink:

Red = important container
Blue = not deployed yet

The post has a lot of facets, so I am just going to pick #1 and #2. Number 3 is a matter of taste and skills - you should be able to run it with Docker or Kubernetes. Though, let me ask: what makes you think that Docker would not be suited for that task? If the websites are running on the same Docker host, then there is no guarantee that a breach would not affect another container - it really depends how you do things and if you use rootless Docker, or at least user namespace remapping, and if you run privileged containers, which are not secure at all (but also not less secure than running the same process as a native process on the host).

#1 I haven’t used either one of those, I used Keycloak as I am used to it from work.
If your target application supports oidc v3 or SAML, Keycloak is a good option, as the target container will forward to Keycloak for the authentication if not done already. If the target container doesn’t provide an integration you usually can put some sort of gateway container in front of it that takes care of the OIDC flow. I imagine Authelia and Teleport work quite similarly.

#2 it really depends on your use case. Depending on the use case mutual TLS is an excellent option, if applicable. Apart from that, I feel 2FA using a YubiKey or a virtual authenticator device is fine - of course you could secure the virtual authenticator device (usually a mobile app) additionally with biometrics.
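As an added example (not from either poster), a small audit over `docker inspect` output that flags the settings the reply above warns about: privileged mode, extra capabilities, host networking, a mounted Docker socket, and missing hardening options. The JSON sample is constructed to look like `docker inspect` output for two hypothetical website containers; it is not from a real host.

```python
import json

# Constructed sample in the shape of `docker inspect <container>` output,
# reduced to the HostConfig fields the audit looks at (hypothetical containers).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/website1",
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
                    "NetworkMode": "host",
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                    "SecurityOpt": None, "ReadonlyRootfs": False}},
    {"Name": "/website2",
     "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
                    "NetworkMode": "web2_net", "Binds": ["/srv/web2:/var/www:ro"],
                    "SecurityOpt": ["no-new-privileges:true"], "ReadonlyRootfs": True}},
])


def audit(inspect_json):
    """Return {container_name: [finding, ...]} for settings that weaken isolation."""
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        issues = []
        if hc.get("Privileged"):
            issues.append("privileged: all capabilities and host device access")
        if hc.get("CapAdd"):
            issues.append("extra capabilities added: " + ",".join(hc["CapAdd"]))
        if "ALL" not in (hc.get("CapDrop") or []):
            issues.append("default capability set kept (no cap_drop ALL)")
        if hc.get("NetworkMode") == "host":
            issues.append("host network: no network namespace separation")
        for bind in hc.get("Binds") or []:
            if bind.split(":")[0] == "/var/run/docker.sock":
                issues.append("docker.sock mounted: equivalent to root on the host")
        if not any(o.startswith("no-new-privileges") for o in hc.get("SecurityOpt") or []):
            issues.append("no-new-privileges not set")
        if not hc.get("ReadonlyRootfs"):
            issues.append("writable root filesystem")
        findings[c["Name"].lstrip("/")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INSPECT).items():
        print(name, "-", "OK" if not issues else "; ".join(issues))
```

On a real host, feed it `docker inspect $(docker ps -q)` instead of the constructed sample.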

The only reason why is to think of the future. As I know there is no high availability, and many more things would speak for Kubernetes, even if it’s more complicated. I have no problem spending a lot of time learning all the things I need. The only thing right now why I don’t go with Kubernetes is that currently I can only afford 1 server/host for this project (the server mentioned in the network plan). And as far as I read, if you have just 1 host you should go with Docker. I’m still an apprentice, so in the future when I can afford 300-400 Euro a month I would migrate to Kubernetes.


I just thought running Docker inside Docker and on the “Inside Docker” the websites would be secure…


And right now I’m only using 3FA (TOTP authentication) for almost anything if possible.

I will take some time and try to figure out if that would work for the application I use.

I really appreciate that you helped me :smile:

On a single node, you really don’t want to use Kubernetes, as its idle resource drain is much higher than that of Docker or even Docker Swarm. Some distributions like k3s or RKE2 have a smaller resource footprint.

Docker inside Docker? You mean Docker in Docker or Docker on Docker? For day to day operations, I would use neither one of those. Docker in Docker is just a way to use the host’s Docker engine from the Docker CLI inside a container - that’s fine for tools that need to interact with the Docker engine, but the containers are still created on the host’s Docker engine. Docker on Docker really is a matter of taste and, if I remember correctly, has limitations when it comes to the usable storage drivers. Personally I would run LXD or KVM VMs with Docker (VMs provide a stronger isolation than containers).

Yes

So that would be the best solution for hosting the websites on/in Docker…

Docker → LXD or KVM → Container1, Container 2 and Container 3 running one website each correct?

Similar to this…
Guide for this

That would be at least as secure as running those on a “normal” host or VM, correct? And I know that it will never be 100% secure; sure, it can affect the other containers running a few instances higher (containers on Docker itself), but the chance is pretty low, right? These are all “normal” websites with 80-110 visits a day (each website).

Or would it make more sense to just use an extra server just for hosting these websites? Is that better in terms of security?

… to which part?

Forgive me if I am not going to read that guide. You have to decide yourself if you want to use a platform that uses the host kernel, or has its own kernel - the latter has the stronger possible isolation.

There is nothing to argue that running the websites on individual extra servers would be more secure. Personally I would run everything in containers. In a “playground” environment I would even run databases in containers, which I would never do in production.

To the Docker in Docker part


mhh… Maybe running the websites on a cloud server inside a container, LXD or so is better than on such an important Server, where a small chance of infecting the other container is given.


The problem is that it’s production, so maybe I will host the websites without containers, especially the MediaWiki.

Thank you this thread is now “done” for me…