🚀 New! Kestra raises $3 million to grow Learn more

Java security

By default, Kestra uses a shared worker to handle workloads. This is fine for most use cases, but when you are using a shared Kestra instance between multiple teams, since the worker shares the same file system, this can allow people to access temporary files created by Kestra with powerful tasks like Groovy, Jython, etc...

You can use the following to opt-in to real isolation of file systems using advanced Kestra EE Java security:

yaml
kestra:
  ee:
    java-security:
      enabled: true
      forbidden-paths:
        - /etc/
      authorized-class-prefix:
        - io.kestra.core.tasks
        - io.kestra.plugin.gcp

kestra.ee.java-security.forbidden-paths

This is a list of paths on the file system that the Kestra Worker will be forbidden to read or write to. This can be useful to protect Kestra configuration files for example.

kestra.ee.java-security.authorized-class-prefix

This is a list of classes that can access the file system or create threads. Most of the plugins will never need access to the file system (except on temporary directories created and isolated for each task and whitelisted by default). Here you can set a list of prefixes (namespace) classes that will be allowed. All others will be refused.

For example, GCP plugins will need to create a thread in order to reach the GCP api. Since this whole plugin is deemed safe, you can whitelist it.

Scripting isolation

For Bash tasks and other script tasks in the core, we advise you to force DOCKER isolation and to configure global cluster taskDefaults:

yaml
kestra:
  tasks:
    defaults:
      - type: io.kestra.core.tasks.scripts.Bash
        forced: true
        values:
          dockerOptions:
            image: ubuntu
          runner: DOCKER