Our platform team lead Tom Whiston offered in-depth insight regarding container security, resource usage and best practices in the Netzwoche special «Cloud & Managed Services 2019» (German only). Learn in this interview how containers can contribute to cloud security, what container technology means for resource usage and why everyone should be concerned about it.
How can containers improve security in the cloud?
Container security is an absolutely huge topic and many things contribute to it, but in a nutshell, the general design and architecture of containers and container platforms supports many of the modern best practices in application and infrastructure design and deployment. By supporting patterns such as treating your infrastructure as code, and treating the runtime as immutable, it makes everything auditable and all changes trackable. It is possible to guarantee container state through features such as CRI-O’s read-only mode which only allows writing to external volumes and specific tmpfs mounts.
Kubernetes in particular implements a number of API objects which also help support security, such as Role Based Access Control for granular user permissions or Secrets, which allows you to store encrypted data and insert it into containers. The NetworkPolicy object is also important in security, as it allows you to define what traffic is allowed to flow between pods.
Managing all of these security features and configurations requires a lot of YAML-wrangling, and although this can be daunting to learn I believe that standardising all of these important aspects of your application environment around a single interface, the Kubernetes API, makes security and change processes far more transparent and trackable than in classic infrastructure.
It is also worth mentioning that due to the CI/CD processes that most often accompany the use of containers, it is possible to deploy security fixes to applications in a much faster and more automated way.
«As always, security is everyone's responsibility,
regardless if they are using containers.»
How do containers influence resource usage in the infrastructure?
As containers do not need to start a whole VM around them, they have far less overhead than traditional virtualisation, which allows more of your metal to be used for the application itself. Most container platforms also do most of their work - such as handling calls to the API - on different machines from the ones your containers run on, which makes it easier to calculate the resources available and less likely that potential platform issues affect applications.
Due to container platforms having a system of resource allocation, you are not only able to quickly change what is allocated to your application when needed, but you are also able to tightly control the usage profile, which is important to ensure that everything can be scheduled, and no container uses all of the available hardware resources. This of course means that you need to learn a bit more about the resource limits of your software to set these values correctly!
Who should deal with container security?
As always, security is everyone's responsibility, regardless if they are using containers. Real security comes from not only the runtime environment but, for example, from building fault tolerant applications, planning for service unavailability, auditing third party libraries, securing the configuration of your infrastructure, running penetration tests, etc... So you need to think about security early and often. I would highly encourage people to read about the “DevSecOps” movement, and look at tools such as Chaos Monkey or Chaos Toolkit to get some exciting ideas about how you can use direct action and automation for security testing.
Would you like to know more about container technology and cloud computing?
Subscribe to our blog posts: