Skip to main content

Kubernetes explained: are your containers safe?

(Image credit: Image source: Shutterstock/niroworld)

Developing software is hard. Even the largest, most successful companies can run into issues when developing new applications – first you have to develop dozens of libraries, packages and other software components and then you have to make sure your software stacks are up to date, that they're running smoothly, that they can be scaled according to business needs and so on. For many years now, the leading way to isolate and organise applications and their dependencies has been to place each application in its own virtual machine. Virtual machines make it possible to run multiple applications on the same physical hardware while keeping conflicts among software components and competition for hardware resources to a minimum.

But virtual machines are bulky—typically gigabytes in size. They don’t really solve problems like portability, software updates, or continuous integration and continuous delivery. To resolve these issues, organisations have adopted Docker containers.

Using containers

Containers make it possible to isolate applications into small, lightweight execution environments that share the operating system kernel. Typically measured in megabytes, containers use far fewer resources than virtual machines and start up almost immediately. They can be packed far more densely on the same hardware and spun up and down en masse with far less effort and overhead.

The old way to deploy applications was to install the applications on a host using the operating-system package manager. This had the disadvantage of entangling the applications’ executables, configuration, libraries and life cycles with each other and with the host OS. One could build immutable virtual-machine images in order to achieve predictable rollouts and rollbacks - but VMs are heavyweight and non-portable. The new way is to deploy containers based on operating-system-level virtualisation rather than hardware virtualisation. These containers are isolated from each other and from the host - they have their own file systems, they can’t see each others’ processes and their computational resource usage can be bounded. They are easier to build than VMs and because they are decoupled from the underlying infrastructure and from the host filesystem, they are portable across clouds and OS distributions.

Containers are small and fast, and therefore one application can be packed in each container image. This one-to-one application-to-image relationship unlocks the full benefits of containers. With containers, immutable container images can be created at build/release time rather than deployment time, since each application doesn’t need to be composed with the rest of the application stack, nor married to the production infrastructure environment. Generating container images at build/release time enables a consistent environment to be carried from development into production. Similarly, containers are vastly more transparent than VMs, which facilitates monitoring and management. This is especially true when the containers’ process life cycles are managed by the infrastructure rather than hidden by a process supervisor inside the container. Finally, with a single application per container, managing the containers becomes tantamount to managing deployment of the application.

Enter kubernetes

Kubernetes is an open-source container-orchestration system for automating deployment, scaling and management of containerised applications. It was originally designed by Google and is now maintained by the Cloud Native Computing Foundation. It aims to provide a platform for automating deployment, scaling and operations of application containers across clusters of hosts. Kubernetes, at its basic level, is a system for running and coordinating containerised applications across a cluster of machines. It is a platform designed to completely manage the life cycle of containerised applications and services using methods that provide predictability, scalability and high availability. The need to move to the cloud for scalability and availability has spurred the need to use containerised development technologies for further enhancing the above-mentioned need of scalability and availability which in turn has witnessed the spectacular growth and adoption of Kubernetes as an enabling platform therein.

The central component of Kubernetes is the cluster. A cluster is made up of many virtual or physical machines that each serve a specialised function either as a master or as a node. Each node hosts groups of one or more containers (which contain your applications), and the master communicates with nodes about when to create or destroy containers. At the same time, it tells nodes how to re-route traffic based on new container alignments. As a Kubernetes user, you can define how your applications should run and the ways they should be able to interact with other applications or the outside world. You can scale your services up or down, perform graceful rolling updates, and switch traffic between different versions of your applications to test features or rollback problematic deployments. Kubernetes provides interfaces and composable platform primitives that allow you to define and manage your applications with high degrees of flexibility, power, and reliability.

Security

But such spectacular growth in innovation is outpacing current security measures and controls, rendering existing security solutions ineffective. Cloud-native apps require a new approach. There is an inherent lack of security knowledge by software developers when you consider the landscape of trying to secure all of these containers in the cloud. In fact, vulnerabilities can be introduced at any point of the development lifecycle while unsecured, or unreviewed, code can be easily deployed into production, leaving applications and data at risk. At the end of the day, these containers are public facing enclosing all types of sensitive data and compliance with privacy and the regulatory framework demands a portfolio of security tools that can help to manage compliance with DevOps. This new paradigm can be further formulated with the new term DevSecOps, once again highlighting the need of converging security with the several stages of the software development and release lifecycle. The best way to achieve this is to deploy an end-to-end Kubernetes security platform that monitors clusters for anomalies while securing the developed applications against all sorts of known and unknown attacks.

Kubernetes is an open-source container-orchestration system for automating deployment, scaling and management of containerised applications. It can give you complete control over container orchestration, enabling you to deploy, maintain and scale application containers across a cluster of hosts. Security and DevOps teams need to be empowered with continuous security for any Kubernetes infrastructure to protect their growing deployments.

Dr. Eduardo Rocha, Pre-Sales engineer, GlobalDots