...
The VM runs Google’s Container-Optimized OS (COS), which is a hardened, minimal OS optimized for deploying individual Docker containers on GCP. GCP also builds its GKE (Kubernetes) offering and other container-based offerings on COS.
The VM is firewalled to only publicly expose a non-standard SSHD port.
The container runs SSHD and nothing else
The container runs SSHD as a non-root user
SSHD is configured to lock down what SSH features and services it offers
In addition to being run as a non-root user, it is configured to disallow root logins and to disable password-based authentication entirely
It disables all SSH sub-services except for remote/reverse port forwarding
It only allows authorized keys to authenticate
It restricts each authorized key to disable running commands, and to disable all services except reverse port forwarding
Each authorized key is granted a single port that it can open that SSHD will listen on to receive traffic meant for the proxy running in the client
The SSHD server’s private key is kept out of source code. Instead, it is protected using GCP’s Secrets Manager, and it is only accessed in order to deploy it to the VM and provide it to the container.
The proxy ports are only accessible to a VPC that is restricted to the security scanner components of Data Theorem’s analyzer engine that need their traffic to originate from a static IP address, or that may need to go through the private-network-proxy
The VM is hosted on a GCP project separate from any other Data Theorem services, isolating it from other services and making it easier to manage, at a granular level, which Data Theorem employees have internal access
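
One way to audit the per-key restrictions listed above, as an added example that is not Data Theorem's own code. It assumes the restrictions are expressed as OpenSSH `authorized_keys` options (`restrict`, `port-forwarding`, one `permitlisten`, and a forced `command`), which the page does not spell out; the key blobs, comments and port numbers are constructed.

```python
import re

# authorized_keys line: options field (bare or "quoted" runs), key type, key blob.
LINE = re.compile(r'^((?:[^\s"]|"(?:\\.|[^"])*")+)\s+(\S+)\s+(\S+)')
OPT = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"])*)")?(?:,|$)')
KEYTYPE = re.compile(r'^(ssh-|ecdsa-|sk-)')
REENABLING = {"pty", "agent-forwarding", "x11-forwarding", "user-rc"}

def audit_authorized_keys(text):
    """Return (findings, ports): problems found, and listen port -> line number."""
    findings, ports = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if m is None or KEYTYPE.match(line):
            findings.append(f"line {n}: key has no options, so it is unrestricted")
            continue
        opts = [(k.lower(), v) for k, v in OPT.findall(m.group(1))]
        names = {k for k, _ in opts}
        # Assumption: a forced command is how command execution is blocked.
        for required in ("restrict", "port-forwarding", "command"):
            if required not in names:
                findings.append(f"line {n}: missing {required}")
        for extra in sorted(names & REENABLING):
            findings.append(f"line {n}: {extra} re-enables a disabled feature")
        listens = [v for k, v in opts if k == "permitlisten"]
        if len(listens) != 1 or not listens[0].rsplit(":", 1)[-1].isdigit():
            findings.append(f"line {n}: needs exactly one permitlisten port")
            continue
        port = int(listens[0].rsplit(":", 1)[-1])
        if port in ports:
            findings.append(f"line {n}: port {port} already granted on line {ports[port]}")
        ports.setdefault(port, n)
    return findings, ports

# Constructed sample: key blobs, comments and port numbers are placeholders.
SAMPLE = '''
restrict,port-forwarding,permitlisten="localhost:20001",command="/bin/false" ssh-ed25519 AAAAC3ExampleKeyA client-a
port-forwarding,permitlisten="20002" ssh-ed25519 AAAAC3ExampleKeyB client-b
restrict,port-forwarding,permitlisten="20001",command="/bin/false" ssh-ed25519 AAAAC3ExampleKeyC client-c
ssh-ed25519 AAAAC3ExampleKeyD client-d
'''

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE)[0]:
        print(finding)
```

The `port-forwarding` key option re-enables forwarding in general, so limiting the server to remote/reverse forwarding still depends on the server-side `AllowTcpForwarding remote` setting in `sshd_config`.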