By Jean S. Bozman
As containers gain wider adoption to run enterprise applications in the hybrid cloud, customers are increasingly looking for approaches that ensure container security.
There are many dimensions to this concern, but the most pressing is the immutability of container images. All of the software an application needs to run is packaged inside the image, and that content, once certified, runs in exactly the same way wherever it is deployed. The flip side is that a mistake baked into the image, such as configuring the application to run as root, is replicated to every place the image is deployed.
Today, customers are exploring multiple ways to ensure container security, as discussed during the OpenStack Vancouver panel that I moderated on May 23, 2018: “Engineering Container Security: Addressing the Unique Security Challenges of Containers at Scale in a Multi-Cloud World.”
These approaches include:
- Scanning or auditing of container content, prior to deployment
- Use of secure image registries to populate container content
- Leveraging key management and data-encryption
- Certification of containers, prior to deployment
- Working with DevOps to increase awareness of container security
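Scanning or auditing an image before deployment is the first item in the list above, and the root-access problem described earlier is exactly the kind of finding such an audit should catch before the image is certified. The Python script below is an added example written for this page, not code from the panel, from any panelist's product, or from an existing scanner. It reads an OCI image config (the JSON that `docker inspect` or a registry returns) and applies a small policy. The policy rules, the image references and the two sample configs are all constructed for illustration; the `org.opencontainers.image.revision` label is a real OCI annotation key, but the assumption that every certified image must carry it is ours.

```python
"""Pre-deployment audit of an OCI image config (added example, not from the article).

Policy encoded here (an assumption chosen for illustration):
  * the image must declare a non-root USER,
  * the deploy reference must be pinned to a digest, not a floating tag,
  * no secret-looking environment variable may be baked into the image,
  * the image must carry an org.opencontainers.image.revision label for provenance.
"""
import json
import re

# Constructed samples shaped like an OCI image config's "config" object; not real images.
WEAK_IMAGE_REF = "registry.example.com/payments/api:latest"
WEAK_CONFIG = json.dumps({
    "architecture": "amd64",
    "os": "linux",
    "config": {
        "User": "",                                   # empty USER means the process runs as root
        "Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2"],
        "Entrypoint": ["/app/server"],
        "Labels": {},
    },
})

HARDENED_IMAGE_REF = "registry.example.com/payments/api@sha256:" + "a" * 64
HARDENED_CONFIG = json.dumps({
    "architecture": "amd64",
    "os": "linux",
    "config": {
        "User": "10001:10001",                        # unprivileged uid:gid
        "Env": ["PATH=/usr/bin", "DB_PASSWORD_FILE=/run/secrets/db"],
        "Entrypoint": ["/app/server"],
        "Labels": {
            "org.opencontainers.image.revision": "3f2c1d0",
            "org.opencontainers.image.source": "https://git.example.com/payments/api",
        },
    },
})

ROOT_USERS = {"", "0", "root"}
# Heuristic (assumption): env names ending in these words are treated as secrets.
SECRET_ENV = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)$", re.IGNORECASE)


def runs_as_root(user: str) -> bool:
    """True if the image's USER resolves to uid 0; an absent USER defaults to root."""
    uid = user.split(":", 1)[0].strip()
    return uid in ROOT_USERS


def is_pinned_reference(ref: str) -> bool:
    """Only a digest reference is immutable; a tag can be re-pointed after certification."""
    return "@sha256:" in ref


def audit_image(ref: str, config_json: str) -> list:
    """Return policy findings for an image; an empty list means it may be deployed."""
    cfg = json.loads(config_json).get("config", {})
    findings = []
    if runs_as_root(cfg.get("User", "")):
        findings.append("runs as root: set a non-root USER in the image")
    if not is_pinned_reference(ref):
        findings.append("reference is not pinned to a digest: floating tags are not immutable")
    for entry in cfg.get("Env", []):
        name, _, value = entry.partition("=")
        if SECRET_ENV.search(name) and value:
            findings.append(f"secret baked into image env: {name}")
    labels = cfg.get("Labels") or {}
    if "org.opencontainers.image.revision" not in labels:
        findings.append("no org.opencontainers.image.revision label: build provenance cannot be traced")
    return findings


if __name__ == "__main__":
    for ref, cfg in ((WEAK_IMAGE_REF, WEAK_CONFIG), (HARDENED_IMAGE_REF, HARDENED_CONFIG)):
        result = audit_image(ref, cfg)
        print(ref, "->", "FAIL" if result else "PASS")
        for finding in result:
            print("  -", finding)
```

The weak image fails on all four rules; the hardened one, which runs as an unprivileged user, is referenced by digest, reads its database password from a mounted secret file, and records the source revision, passes. In a real pipeline the same function would be wired into the registry promotion step so that nothing reaches the production registry without a clean result.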
The panelists, Maya Kaczorowski of Google's Security and Privacy business unit; Scott McCarty of Red Hat product management; Gou Rao, CTO of Portworx; and Robert Starmer of Kumulus Technologies, discussed all of these approaches to container security. The discussion uncovered a basic truth: IT organizations cannot avoid studying many approaches to container security, and they must adopt technologies along with best practices to achieve the best results.
Announcement of Kata Containers
Attention should be paid to the announcement of Kata Containers at the OpenStack Vancouver conference, May 21-24, 2018. Kata Containers, developed by Intel Corp. and Hyper.sh and hosted as an OpenStack Foundation project, combines virtualization code with open-source container code. The Kata Containers 1.0 release fully integrates two code bases: Intel Clear Containers and the runV technology from Hyper.sh. Kata Containers 1.0 is offered under the Apache 2.0 license, as is other OpenStack software.
For the next release, more vendors have said they will provide financial support for future development for the Kata Containers project, including ARM, Canonical (provider of the Ubuntu Linux distribution), Dell EMC, Intel and Red Hat. Other supporters of the project are 99cloud, AWcloud, China Mobile, City Network, CoreOS, EasyStack, Fiberhome, Google, Huawei, JD.com, Mirantis, NetApp, SUSE, Tencent, Ucloud and UnitedStack – all of which are active in the OpenStack community.
The expansion of companies working on this technology demonstrates OpenStack’s role as an umbrella organization under which many companies – including competitors – can contribute open-source code.
The Kata Containers 1.0 release at OpenStack Vancouver follows the initial launch of the Kata Containers project in December 2017 and a presentation at KubeCon in Copenhagen in May 2018.
The Bottom Line on Kata Containers
Kata Containers 1.0 is designed to be hardware-agnostic, allowing customers to deploy it across an enterprise data center, a private cloud, or a hybrid cloud (combining private and public clouds). One practical caveat: because each container runs inside a virtual machine, the host must expose hardware virtualization support, which on a cloud-hosted Kubernetes node means nested virtualization. Kata Containers is compatible with the Open Container Initiative (OCI) runtime specification and plugs into Kubernetes orchestration through the container runtime interface (CRI).
The design goal: to provide secure, light, fast and agile container management technology across stacks and platforms. Suggested use cases include: containers for highly regulated applications; deploying containers to isolate untrusted code; deployments for hybrid cloud, containers-as-a-service and Edge computing.
The Kata Containers software combines container technology with the isolation that virtual machines (VMs) provide. Until now, running containers inside VMs has been unwieldy, because a full virtualization layer added startup time and runtime overhead to the containerized application.
Kata Containers uses lightweight virtualization to reduce that overhead: Kata Containers 1.0 runs each container (each pod, under Kubernetes) in a micro-VM that carries far less code than a traditional VM. Each lightweight VM boots its own guest Linux kernel, a clear technical alternative to the usual model in which every container on a host shares a single host kernel and relies on namespaces and cgroups for separation.
That VM boundary is being leveraged for multi-tenant container deployments, where one tenant's container could otherwise interfere with another's, or with the host, by exploiting a flaw in the shared kernel. Putting each tenant's workload in its own VM adds a second safeguard: a kernel compromise inside the guest does not by itself reach the host kernel or the other tenants' containers, a known threat to container security.
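A practitioner rolling out Kata Containers will want to verify that a pod really has its own kernel rather than trusting the runtime label on the pod spec. The Python check below is an added example written for this page, not code from the Kata Containers project. It compares the kernel release and `/proc/cpuinfo` captured from the Kubernetes node with the same data captured from inside the pod: a different kernel release is direct evidence of a separate guest kernel, and the `hypervisor` CPUID flag shows the pod sits under a VMM. It also handles the case that trips people up in public clouds, where the node is itself a VM and the flag alone proves nothing. All kernel strings and cpuinfo excerpts are constructed samples, not captures from a real cluster.

```python
"""Does a pod share the node's kernel, or run inside its own guest kernel?
Added example; not part of the Kata Containers project.
"""

# Constructed samples standing in for `uname -r` and `/proc/cpuinfo` output.
NODE_KERNEL = "4.15.0-20-generic"
NODE_CPUINFO = (
    "processor\t: 0\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov "
    "pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm\n"
)

# A pod on a traditional runtime sees exactly what the node sees.
POD_RUNC_KERNEL = NODE_KERNEL
POD_RUNC_CPUINFO = NODE_CPUINFO

# A pod in a lightweight VM boots the runtime's own guest kernel and is told it is a guest.
POD_KATA_KERNEL = "4.14.22-130.container"
POD_KATA_CPUINFO = (
    "processor\t: 0\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov "
    "pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm hypervisor\n"
)

# A cloud node that is itself a VM: the node already carries the hypervisor flag.
CLOUD_NODE_KERNEL = "5.4.0-1041-aws"
CLOUD_NODE_CPUINFO = POD_KATA_CPUINFO


def has_hypervisor_flag(cpuinfo: str) -> bool:
    """True if /proc/cpuinfo advertises the 'hypervisor' CPUID bit (a guest of a VMM)."""
    for line in cpuinfo.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags" and "hypervisor" in value.split():
            return True
    return False


def classify_isolation(node_kernel: str, node_cpuinfo: str,
                       pod_kernel: str, pod_cpuinfo: str) -> dict:
    """Decide whether the pod has its own kernel, and record the evidence used."""
    evidence = []
    separate = False

    if pod_kernel.strip() != node_kernel.strip():
        separate = True
        evidence.append(f"pod kernel {pod_kernel.strip()} differs from node kernel {node_kernel.strip()}")
    else:
        evidence.append("pod reports the node's kernel release: it shares the host kernel")

    pod_vm = has_hypervisor_flag(pod_cpuinfo)
    node_vm = has_hypervisor_flag(node_cpuinfo)
    if pod_vm and not node_vm:
        separate = True
        evidence.append("pod sees the hypervisor flag and the node does not: pod is inside a guest VM")
    elif pod_vm and node_vm:
        # Nested case: the node is a cloud VM, so the flag cannot distinguish a Kata guest
        # from a plain container; only the kernel comparison above carries weight.
        evidence.append("node and pod both see the hypervisor flag (node is a VM): flag is inconclusive")
    elif not pod_vm:
        evidence.append("pod does not see the hypervisor flag")

    return {"separate_kernel": separate, "evidence": evidence}


if __name__ == "__main__":
    cases = {
        "runc pod on bare-metal node": (NODE_KERNEL, NODE_CPUINFO, POD_RUNC_KERNEL, POD_RUNC_CPUINFO),
        "kata pod on bare-metal node": (NODE_KERNEL, NODE_CPUINFO, POD_KATA_KERNEL, POD_KATA_CPUINFO),
        "runc pod on cloud VM node": (CLOUD_NODE_KERNEL, CLOUD_NODE_CPUINFO, CLOUD_NODE_KERNEL, CLOUD_NODE_CPUINFO),
        "kata pod on cloud VM node": (CLOUD_NODE_KERNEL, CLOUD_NODE_CPUINFO, POD_KATA_KERNEL, POD_KATA_CPUINFO),
    }
    for name, args in cases.items():
        result = classify_isolation(*args)
        print(f"{name}: separate kernel = {result['separate_kernel']}")
        for line in result["evidence"]:
            print("  -", line)
```

To feed it real data, take the node side from `kubectl get node <name> -o jsonpath='{.status.nodeInfo.kernelVersion}'` and `cat /proc/cpuinfo` on the node, and the pod side from `kubectl exec <pod> -- uname -r` and `kubectl exec <pod> -- cat /proc/cpuinfo`. Under Kubernetes the Kata sandbox is created per pod, so every container in the same pod will report the same guest kernel; the check therefore says whether the pod, not each individual container, is separated from the host.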
Because we are in the early stages of container deployment in the world’s hybrid clouds (linking private and public clouds), it is likely that Kata Containers will be an important step forward in container security over the next few years. But it is unlikely to be the only one, as container technology evolves – and more implementations are introduced.
IT organizations must work to change the culture of DevOps, regarding the need to “build in” security from the very start of container development. It is much more difficult to add security later on in the container lifecycle. Rather, security needs to be a foundation on which the entire container is built, deployed and maintained.
We saw this before in the enterprise data center: since the 1990s, Unix and Linux applications have benefited from starting life as secured entities to which access is granted to specific user groups according to their role in the business organization. Trying to close security gaps later is usually a recipe for future attacks.
The proliferation of hybrid clouds in 2018 makes the how-tos of container security an essential discussion about the deployment of enterprise workloads throughout organizations and businesses. The Kata Containers release is an important step along that path. Over time, we expect OpenStack contributors to work to evolve this technology, adding features, but placing value on lightweight additions and performance.
As we said before, Kata Containers will not be the only approach to improving container security. Other technologies addressing different aspects of container security are sure to emerge, driven by customer demand for secure container operations. To achieve better container security for hybrid clouds, we must take a 360-degree look around the landscape of containers, VMs and security best practices in order to close up security vulnerabilities—and to avoid future waves of cyber attacks.