Commit ffd2837

Apply suggestions from code review
Co-authored-by: Spike Curtis <spike@coder.com>
1 parent 65561f7 commit ffd2837

1 file changed

+5
-5
lines changed
docs/tutorials/best-practices/security-best-practices.md

Lines changed: 5 additions & 5 deletions
Original file line number | Diff line number | Diff line change
@@ -128,7 +128,7 @@ requests to cluster/cloud APIs.
128128

129129
If one of those credentials is compromised, the potential severity of the
130130
compromise depends on the permissions granted to the credentials, but will
131-
almost certainly include code execution inside the cluster since the whole
131+
almost certainly include code execution inside the cluster/cloud since the whole
132132
purpose of Coder is to deploy workspaces in the cluster/cloud that can run
133133
developer code.
134134
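Review bot: The wording now matches the "cluster/cloud" phrasing used in the next sentence (line 132), which is the right fix; while here, consider adding a cross-reference from this impact statement to the mitigation further down the file (scoping each Provisioner Daemon's credentials to one cluster/cloud, lines 184-187), so the reader sees how the blast radius described here is bounded rather than only that code execution is the likely outcome.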

@@ -184,7 +184,7 @@ the specific cluster/cloud they are for. This ensures that compromise of one
184184
Provisioner Daemon does not compromise all clusters/clouds.
185185

186186
Deploy the provisioner daemon to the cloud and leverage infrastructure-provided
187-
credentials:
187+
credentials, if available:
188188

189189
- [Service account tokens on Kubernetes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)
190190
- [IAM roles for EC2 on AWS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)
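Review bot: Adding "if available" is accurate but leaves the fallback unstated; when the platform offers no infrastructure-provided credentials, the paragraph should say that the daemon's static credentials still follow the per-cluster scoping rule at lines 184-185, otherwise the hedge reads as permission to skip that guidance. Minor style point: line 184 capitalizes "Provisioner Daemon" while line 186 uses "provisioner daemon"; pick one form for the section.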
@@ -376,7 +376,7 @@ Example constraints include:
376376
- Monitoring and/or auditing for suspicious activity such as cryptomining or
377377
exfiltration
378378

379-
## Outbound network access
379+
### Outbound network access
380380

381381
Identify network assets like production systems or highly confidential
382382
datastores and configure the network to limit access from Coder workspaces.
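Review bot: Demoting "Outbound network access" from "##" to "###" changes the document outline, so confirm that a "##"-level heading now precedes it (the one whose "Example constraints" list ends at line 377) and that the sibling "Inbound network access" heading at line 413 is demoted the same way in this commit; otherwise the two network subsections end up at different levels.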
@@ -410,14 +410,14 @@ A non-exclusive list of network assets to consider:
410410
personally identifiable information)
411411
- Access to other clusters/clouds
412412

413-
## Inbound network access
413+
### Inbound network access
414414

415415
Coder manages inbound network access to your workspaces via a set of Wireguard
416416
encrypted tunnels. These tunnels are established by sending outbound packets, so
417417
on stateful firewalls, disable inbound connections to workspaces to ensure
418418
inbound connections are handled exclusively by the encrypted tunnels.
419419

420-
## DERP
420+
#### DERP
421421

422422
[DERP](https://tailscale.com/kb/1232/derp-servers) is a relay protocol developed
423423
by Tailscale.
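Review bot: Making DERP a "####" child of "Inbound network access" is the right placement, but the subsection should then state explicitly whether the relay path is covered by the "established by sending outbound packets" statement at line 416, since the advice at line 417 to disable inbound connections on stateful firewalls could otherwise be read as not applying to DERP traffic. Style point on the unchanged context at line 415: the project name is spelled "WireGuard", not "Wireguard".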
