How to organize security and compliance when migrating from IBM Cloud Foundry to IBM Cloud Code Engine.

Over the past year, I have moved most of my deployed solutions from IBM Cloud Foundry to IBM Cloud Code Engine. I shared my experience in a series of blog posts. In the first article, I talked about how to bind cloud services to the apps or microservices and what to consider in terms of code changes (if any). Then, I discussed various DevOps aspects and how to build, deploy and scale your app on Code Engine (and how it differs from Cloud Foundry)

Today, I am going to compare Cloud Foundry and Code Engine security and how to organize your project. I’ll also take a look at compliance topics and point out how Code Engine integrates with related standard components of IBM Cloud. The bottom line is that Code Engine is based on common container technology like IBM Cloud Kubernetes Service and integrates with standard security and compliance services of IBM Cloud. Thus, for me, there were no surprises when migrating solutions from Cloud Foundry to Code Engine.

Organize it: Moving from space to project

With Cloud Foundry, you have learned to organize resources in organizations and spaces and to assign roles to users (i.e., RBAC — role-based access control). With Code Engine, you can continue in a similar way:

The (regular) integration of Code Engine with IBM Cloud IAM provides the benefits of IBM Cloud identity and access management for all. Foremost, I would like to point out that you can (and should) use service IDs to decouple DevOps pipelines with Code Engine app deployments from personal accounts and user IDs. Access groups allow you to easily define a set of privileges once, then assign them by adding users, service IDs and trusted profiles to the access group.

The screenshot below shows the defined access policies within such an access group. That access group grants the necessary privileges to push a newly built container image to the private container registry and then update the deployed Code Engine app. The privileges are scoped to a Code Engine project, a specific resource group and region:

IAM access group to assign privileges for Code Engine and container operations.

Often, when following the 12-factor app and cloud-native approach, a solution consists of multiple microservices. Each microservice could be managed and deployed as app within the same Code Engine project. It allows you to share credentials for code repository, container registry access, and more. To tighten security, you should make use of the visibility settings for Code Engine apps. They allow you to do the following:

  • Make the app publicly accessible (e.g., the web app). 
  • Keep the app private to the IBM Cloud network (e.g., an app/microservice to be accessed from other compute options or cloud services).
  • Restrict access to the project itself. I recommend this for solution-internal microservices.

Using the org/space to resource group/project mapping and the related IAM roles and then adding network security on top, it is easy to keep or even enhance the security when moving from Cloud Foundry to Code Engine.

Control it: Utilize logging, monitoring and governance services

To control and govern my deployed apps on Code Engine, I used the IBM Cloud standard services. The Code Engine documentation provides details on each integration and how to get started:

Depending on the type of solution or app, you may want to utilize all or just few of them. To me, what made it simple was that they are standard services on IBM Cloud, and I use them independent of Code Engine:

IBM Log Analysis showing console output of a Code Engine app.


In my series of blog posts on migrating solutions from IBM Cloud Foundry to IBM Cloud Code Engine, I touched on service bindings and possibly required code changes and on building, deploying and scaling apps. Today, I discussed security and compliance topics, and how to organize privileges for your development project and make use of existing services to look into security, quality and performance issues.

I provided many links in this blog post. If you only want to bookmark few, I recommend these:

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn


More from Cloud

Kubernetes version 1.28 now available in IBM Cloud Kubernetes Service

2 min read - We are excited to announce the availability of Kubernetes version 1.28 for your clusters that are running in IBM Cloud Kubernetes Service. This is our 23rd release of Kubernetes. With our Kubernetes service, you can easily upgrade your clusters without the need for deep Kubernetes knowledge. When you deploy new clusters, the default Kubernetes version remains 1.27 (soon to be 1.28); you can also choose to immediately deploy version 1.28. Learn more about deploying clusters here. Kubernetes version 1.28 In…

Temenos brings innovative payments capabilities to IBM Cloud to help banks transform

3 min read - The payments ecosystem is at an inflection point for transformation, and we believe now is the time for change. As banks look to modernize their payments journeys, Temenos Payments Hub has become the first dedicated payments solution to deliver innovative payments capabilities on the IBM Cloud for Financial Services®—an industry-specific platform designed to accelerate financial institutions' digital transformations with security at the forefront. This is the latest initiative in our long history together helping clients transform. With the Temenos Payments…

Foundational models at the edge

7 min read - Foundational models (FMs) are marking the beginning of a new era in machine learning (ML) and artificial intelligence (AI), which is leading to faster development of AI that can be adapted to a wide range of downstream tasks and fine-tuned for an array of applications.  With the increasing importance of processing data where work is being performed, serving AI models at the enterprise edge enables near-real-time predictions, while abiding by data sovereignty and privacy requirements. By combining the IBM watsonx data…

The next wave of payments modernization: Minimizing complexity to elevate customer experience

3 min read - The payments ecosystem is at an inflection point for transformation, especially as we see the rise of disruptive digital entrants who are introducing new payment methods, such as cryptocurrency and central bank digital currencies (CDBC). With more choices for customers, capturing share of wallet is becoming more competitive for traditional banks. This is just one of many examples that show how the payments space has evolved. At the same time, we are increasingly seeing regulators more closely monitor the industry’s…