@@ -128,7 +128,7 @@ requests to cluster/cloud APIs.
If one of those credentials is compromised, the potential severity of the
compromise depends on the permissions granted to the credentials, but will
- almost certainly include code execution inside the cluster since the whole
+ almost certainly include code execution inside the cluster/cloud since the whole
purpose of Coder is to deploy workspaces in the cluster/cloud that can run
developer code.
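Review bot: the impact statement at line 131 still hedges ("almost certainly include code execution") even though lines 132-133 give the reason it is unconditional: the credentials exist to deploy workspaces that run developer code, so whoever holds them can deploy a workspace (or equivalent compute) and run arbitrary code with the credential's permissions. Consider stating that directly, e.g. "will include code execution inside the cluster/cloud, since the whole purpose of Coder is to deploy workspaces ... that can run developer code", and keep the "depends on the permissions granted" clause for what else the attacker can reach beyond that baseline. The cluster → cluster/cloud wording change itself is consistent with line 132.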
@@ -184,7 +184,7 @@ the specific cluster/cloud they are for. This ensures that compromise of one
Provisioner Daemon does not compromise all clusters/clouds.
Deploy the provisioner daemon to the cloud and leverage infrastructure-provided
- credentials:
+ credentials, if available :
- [ Service account tokens on Kubernetes] ( https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ )
- [ IAM roles for EC2 on AWS] ( https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html )
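Review bot: stray space before the colon on the new line 187 ("if available :" should be "if available:"). Beyond the typo, "if available" leaves the reader without guidance for the case where the cloud does not supply workload identity; since line 184-185 already require credentials to be scoped to the specific cluster/cloud so that one compromised Provisioner Daemon does not compromise all of them, consider adding one sentence saying that when infrastructure-provided credentials are not available, the static credential given to the daemon should be scoped the same way and rotated, so the fallback does not silently become a long-lived, broadly scoped secret. The two bullet links (Kubernetes service account tokens, EC2 IAM roles) read as examples; "for example" before the list would make clear it is not exhaustive.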
@@ -376,7 +376,7 @@ Example constraints include:
- Monitoring and/or auditing for suspicious activity such as cryptomining or
exfiltration
- ## Outbound network access
+ ### Outbound network access
Identify network assets like production systems or highly confidential
datastores and configure the network to limit access from Coder workspaces.
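Review bot: demoting "Outbound network access" from ## to ### makes it a subsection of whatever heading precedes the "Example constraints include:" list at line 376; please confirm that parent is a ## heading, otherwise the document skips a level and generated tables of contents will nest it incorrectly. The sibling "Inbound network access" heading is demoted the same way in the @@ -410 hunk, so the two remain consistent with each other. Unrelated to the heading change but visible in the context: the constraint "Monitoring and/or auditing for suspicious activity such as cryptomining or exfiltration" is the one item in the list that is a detective control rather than a network restriction, so it may be worth calling that out as complementing, not replacing, the limits described at lines 381-382.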
@@ -410,14 +410,14 @@ A non-exclusive list of network assets to consider:
personally identifiable information)
- Access to other clusters/clouds
- ## Inbound network access
+ ### Inbound network access
Coder manages inbound network access to your workspaces via a set of Wireguard
encrypted tunnels. These tunnels are established by sending outbound packets, so
on stateful firewalls, disable inbound connections to workspaces to ensure
inbound connections are handled exclusively by the encrypted tunnels.
- ## DERP
+ #### DERP
[ DERP] ( https://tailscale.com/kb/1232/derp-servers ) is a relay protocol developed
by Tailscale.
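Review bot: "DERP" is demoted two levels (## to ####) while "Inbound network access" drops one (## to ###); that is correct if DERP is meant to sit under Inbound network access, but double-check that no intermediate ### heading was intended, since the jump from ### straight to #### is fine only when DERP is the first subsection of the new ### section. Two documentation points on the context lines: the guidance at lines 417-418 ("disable inbound connections to workspaces") depends on the tunnels being established "by sending outbound packets" (line 416), so the Outbound network access section should be cross-referenced here to make explicit that egress restrictions must still allow the workspace to reach the Coder server and the DERP relays, or the tunnels described at line 415 cannot form. Also, the project name is spelled "WireGuard" (line 415 has "Wireguard").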