feat: Boosting CDE Security on k8s cluster (#66)

* feat: Boosting CDE Security on k8s cluster

Signed-off-by: Anatolii Bazko <[email protected]>

* fix: Add images

Signed-off-by: Anatolii Bazko <[email protected]>

* Updates

Signed-off-by: Anatolii Bazko <[email protected]>

* Update _posts/2024-10-28-boosting-cde-security-on-kubernetes-cluster.adoc

Co-authored-by: David Kwon <[email protected]>

* Update _posts/2024-10-28-boosting-cde-security-on-kubernetes-cluster.adoc

Co-authored-by: David Kwon <[email protected]>

* Update _posts/2024-10-28-boosting-cde-security-on-kubernetes-cluster.adoc

Co-authored-by: David Kwon <[email protected]>

* Update _posts/2024-10-28-boosting-cde-security-on-kubernetes-cluster.adoc

Co-authored-by: David Kwon <[email protected]>

* Update _posts/2024-10-28-boosting-cde-security-on-kubernetes-cluster.adoc

Co-authored-by: David Kwon <[email protected]>

---------

Signed-off-by: Anatolii Bazko <[email protected]>
Co-authored-by: David Kwon <[email protected]>

_posts/2024-10-28-boosting-cde-security-on-kubernetes-cluster.adoc

@@ -0,0 +1,83 @@
+---
+title: "Boosting CDE Security in a Kubernetes cluster: A Guide to new features"
+layout: post
+author: Anatolii Bazko
+description: >-
+  Boosting CDE Security on Kubernetes cluster: A Guide to new features
+categories: []
+keywords: ['workspace', 'security', 'administrator']
+slug: /@tolusha/boosting-cde-security-on-kubernetes-cluster
+---
+
+== Introduction
+
+As organizations transition to cloud-native development, maintaining control, security, and flexibility in development environments becomes critical. Eclipse Che is a powerful Kubernetes-native IDE that offers administrators tools for ensuring security and resource efficiency. In this post, we'll look at three new Eclipse Che features that improve security and resource control in your development environments.
+
+== Limiting the Number of Simultaneous Workspaces
+
+Effective resource management is critical in cloud-based environments, as uncontrolled workspace development can quickly deplete resources and degrade system performance. To mitigate this risk, Eclipse Che now has a functionality that restricts the amount of running workspaces per cluster.
+
+Administrators can use this feature to limit the amount of workspaces that can run at the same time, reducing resource misuse, supporting fair allocation of resources among teams, and increasing overall efficiency.
+
+In the example below, we set the maximum number of running workspaces per cluster to 20:
+
+[source,shell]
+----
+kubectl patch checluster/eclipse-che \
+  --namespace eclipse-che \
+  --type='merge' -p \
+    '{"spec":
+        {"devEnvironments":
+          {"maxNumberOfRunningWorkspacesPerCluster": 20}
+        }
+     }'
+----
+
+If a user exceeds the workspace limit, they will receive a warning message during workspace startup: "Exceeded the cluster limit for running DevWorkspaces"
+
+image::/assets/img/boosting-cde-security-on-kubernetes-cluster/exceeded-the-cluster-limit-for-running-devworkspaces.png[Exceeded the cluster limit for running DevWorkspaces]
+{nbsp} +
+
+To learn more about configuring workspace limits, follow the link:https://eclipse.dev/che/docs/stable/administration-guide/limiting-the-number-of-workspaces-that-all-users-can-run-simultaneously[Eclipse Che documentation].
+
+== Untrusted Repository Warning
+
+It is not recommended to create workspaces from unknown or untrusted repositories automatically. When a user tries to create a workspace in Eclipse Che, a warning window appears on the dashboard, requesting confirmation that they trust the repository before proceeding.
+
+image::/assets/img/boosting-cde-security-on-kubernetes-cluster/do-you-trust-the-authors-of-this-repository.png[URL is not permitted for creating a workspace]
+{nbsp} +
+
+
+== Configuring Allowed URLs
+
+This feature ensures that developer workspaces can only be launched from pre-approved, secure URLs. Organizations can prevent workspaces from being started with unwanted URLs by creating a allowlist of trusted domains.
+
+In the example below, we configure the allowed URLs to only permit connections to GitLab:
+
+[source,shell]
+----
+kubectl patch checluster/eclipse-che \
+    --namespace eclipse-che \
+    --type='merge' \
+    -p \
+        '{
+           "spec": {
+             "devEnvironments": {
+               "allowedSources": {
+                 "urls": ["https://gitlab.com/*"]
+               }
+             }
+           }
+         }'
+----
+
+If a user attempts to create a workspace with a URL other than GitLab, they will receive an error message: "URL is not permitted for creating a workspace".
+
+image::/assets/img/boosting-cde-security-on-kubernetes-cluster/url-is-not-permitted-for-creating-a-workspace.png[URL is not permitted for creating a workspace]
+{nbsp} +
+
+To learn more about configuring allowed URLs, follow the link:https://eclipse.dev/che/docs/stable/administration-guide/configuring-allowed-urls-for-cloud-development-environments/[Eclipse Che documentation].
+
+== Conclusion
+
+Eclipse Che's new security features, such as limiting simultaneous workspaces and configuring allowed URLs, give administrators greater control over resource usage and workspace security in cloud-native environments. Implementing these updates allows organizations to improve the efficiency and safety of their development workflows, resulting in a secure and well-regulated workspace.