To gain scalability and resilience, many organizations run applications in cloud-native environments that make use of containers and orchestration. Most organizations now use application containers to run their business applications on platforms such as Kubernetes and Docker. A container can be run as an immutable image that contains as little code as is necessary to run the application.
An orchestrator automates the process of running different workloads across a cluster of machines. Because Kubernetes workloads run in containers, this book is relevant to Kubernetes security, but it is not a comprehensive treatment of everything related to securing Kubernetes or cloud-native deployments.
How to Run Containers
For many people, their main (perhaps only) experience of running containers directly is with Docker. Docker democratized the use of containers by providing a set of tools that developers generally found easy to use. From a terminal, you manipulate containers and container images using the docker command.
Kubernetes uses an interface called the Container Runtime Interface (CRI), beneath which users can opt for a container runtime of their choice. The most commonly used options today are containerd and CRI-O.
The main concerns while securing containers are:
- Container network traffic
- The container host security
- Protecting your container management stack
- Anomalous behavior within your application
- The foundation layers of your application
- The build pipeline integrity
- Your application security within the container
Securing containers is a continuous process. It should be integrated into your development process and automated to reduce the number of manual touchpoints, then extended into the maintenance and operation of the underlying infrastructure, so that the build pipeline, the container images, and the runtime host, platform, and application layers are all protected. Building security into the continuous delivery life cycle will mitigate risk and reduce vulnerabilities across an ever-growing attack surface in your business.