As a relatively new technology, Docker containers may seem like a risk when it comes to security — and it’s true that, in some ways, Docker creates new security challenges. But if implemented in a secure way, containers can actually help to make your entire environment more secure overall than it would be if you stuck with legacy infrastructure technologies.
This article builds on existing container security resources, like Security for your Container, to explain how a secured containerized environment can harden your entire infrastructure against attack.
Some Background on Container Security
When you’re thinking about containers and security, it’s always good to have some history on why containers work the way they do and what that means for security. Aqua Security, one of the firms that specializes in container security, offers A Brief History of Containers to provide some context.
The evolution from chroot to Docker and the Open Container Initiative makes it obvious that isolation between services coexisting on shared servers was always the leading goal, not necessarily well thought-out, hardened security practices. Isolation is a good counter-measure, but, as shown in the Security for your Container article, there is a lot more that can and should be done.
Here are three examples of easy first steps that can be taken to use containers to make your environment more secure:
Modern microservices applications span multiple containers, and sometimes a single app may use thousands of containers. When operating at this scale, you need a container orchestration tool to manage all of those containers. Managing them by hand is simply not feasible.
This is where Kubernetes comes in. Kubernetes manages Docker containers that are used to package applications at scale. Since its launch in 2014, Kubernetes has enjoyed widespread adoption within the container ecosystem. It is fast becoming the de facto tool for orchestrating containers at scale.
What are the reasons for the meteoric rise of Kubernetes, and what are the factors that will shape its future? Let’s take a look by examining the major milestones in Kubernetes’ history.
Your storage system should be locked down with all security and access control tools available to you as well. That is true whether the storage serves containers or any other type of application environment.
How do you secure containers? That may sound like a simple question, but it actually has a six- or seven-part answer.
That’s because securing containers doesn’t involve just deploying one tool or paying careful attention to one area where vulnerabilities can exist. Because a containerized software stack involves so many different components, you need to secure many different layers. The tools designed to help you harden one part of your environment won’t protect other segments.
Commercial security tools do exist, and are designed to provide relatively comprehensive security for container environments. They are good tools, and they can certainly be useful parts of a container security strategy, but they have their limitations. To be truly secure, you need to analyze each of the layers in your stack and be sure that each is covered adequately by the security tools or processes you put in place.
This post helps you plan a complete container security strategy by outlining all of the layers you need to secure, and explaining the primary considerations to keep in mind when securing each one.
If you’re going to successfully deploy containers in production, you need more than just container orchestration
Kubernetes is a valuable tool
Kubernetes is an open-source container orchestrator for deploying and managing containerized applications. Building on 15 years of experience running production workloads at Google, it provides the advantages inherent to containers, while enabling DevOps teams to build container-ready environments which are customized to their needs.
The Kubernetes architecture consists of loosely coupled components combined with a rich set of APIs, making Kubernetes well-suited for running highly distributed application architectures, including microservices, monolithic web applications and batch applications. In production, these applications typically span multiple containers across multiple server hosts, which are networked together to form a cluster.
Kubernetes provides the orchestration and management capabilities required to deploy containers for distributed application workloads. It enables users to build multi-container application services, schedule the containers across a cluster, and manage the health of the containers. Because these operational tasks are automated, DevOps teams can now do many of the same things that other application platforms enable them to do, but using containers.
But configuring and deploying Kubernetes can be hard
It’s commonly believed that Kubernetes is the key to successfully operationalizing containers at scale. This may be true if you are running a single Kubernetes cluster in the cloud or have reasonably homogeneous infrastructure. However, many organizations have a diverse application portfolio and diverse user requirements, and therefore have more expansive needs.
DevOps can now efficiently and securely deploy containers for enterprise applications
As more enterprises move to a container-based application deployment model, DevOps teams are discovering the need for management and orchestration tools to automate container deployments. At the same time, production deployments of containers for business critical applications require specialized container-intelligent security tools.
To address this, Rancher Labs and NeuVector today announced that they have partnered to make container security as easy to deploy as application containers. You can now easily deploy the NeuVector container network security solution with the Rancher container management platform. As the first and only container network security solution in the Rancher application catalog, NeuVector can be deployed as containers into an enterprise container environment with minimal effort.