https://github.com/openfaas/multi-tenant-tests
Basic multi-tenant-tests
- Host: GitHub
- URL: https://github.com/openfaas/multi-tenant-tests
- Owner: openfaas
- License: mit
- Created: 2024-07-31T15:26:43.000Z (almost 2 years ago)
- Default Branch: master
- Last Pushed: 2024-07-31T15:28:24.000Z (almost 2 years ago)
- Last Synced: 2025-10-14T16:48:27.578Z (9 months ago)
- Language: JavaScript
- Size: 14.6 KB
- Stars: 2
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
Exploratory functions for multi-tenant OpenFaaS clusters
========================================================
This repository contains functions designed to explore the security posture of multi-tenant OpenFaaS clusters. Each one is deployed to an OpenFaaS cluster and invoked as an ordinary function, by a user who holds the permissions needed to deploy functions to that cluster.
* [core-services](core-services/) - This function, written in Node.js, checks connectivity to the various OpenFaaS core services from the function namespace.
* [nats-sidechannel](nats-sidechannel/) - This function, written in Python, checks for a side channel by publishing messages directly to the default shared queue in OpenFaaS, simulating an async message being published to the queue by the OpenFaaS gateway.
## Basic guidelines on multi-tenancy
The following guidelines are recommended for multi-tenant OpenFaaS clusters:
* Segregate tenants into namespaces
* Use network policies to restrict traffic between namespaces, so that:
  * tenant namespaces cannot communicate with each other,
  * and no tenant namespace can communicate with the OpenFaaS core services
* Set limit ranges for each tenant namespace
* Set resource quotas (RAM/CPU) for each function when it is deployed via the API: set a memory limit, and set a CPU request
* Ensure the functions run as non-root, and that the appropriate settings are configured in the Helm chart to prevent users from overriding this or from calling `setuid`
* Ensure that the OpenFaaS API has basic authentication or IAM-based authentication enabled, so that code running inside a function cannot be used to access the API
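As an added example (not part of this repository), the namespace, network-policy and limit-range guidelines above expressed as Kubernetes manifests for one tenant namespace. The namespace names `tenant-a`, `openfaas` and `kube-system`, the `k8s-app: kube-dns` pod label and the private CIDR ranges are assumptions to adjust for your cluster.

```yaml
# Namespace names, the kube-dns label and the CIDRs are assumptions for this example.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-isolation
  namespace: tenant-a
spec:
  podSelector: {}                      # every function pod in the tenant namespace
  policyTypes: ["Ingress", "Egress"]
  ingress:
    # Only the OpenFaaS namespace (gateway / queue-worker) may invoke functions here,
    # so functions in other tenant namespaces cannot reach them.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openfaas
  egress:
    # Allow DNS lookups via kube-dns.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
    # Allow external egress only: private ranges (assumed to cover the pod and
    # service CIDRs) are excluded, so functions cannot reach the gateway, NATS,
    # Prometheus or other tenants' namespaces directly.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]
---
apiVersion: v1
kind: LimitRange
metadata:
  name: function-limits
  namespace: tenant-a
spec:
  limits:
    - type: Container
      default: { memory: 256Mi }       # memory limit applied when the function sets none
      defaultRequest: { cpu: 100m, memory: 64Mi }
      max: { memory: 1Gi }             # caps what a tenant may request per function
```

Apply with `kubectl apply -f` to each tenant namespace; the NetworkPolicy only takes effect if the cluster's CNI enforces network policies.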