What are Containers?
A container is a standard unit of software that packages up code and all its dependencies, so the application runs quickly and reliably from one computing environment to another.
Containers are a solution to the problem of how to get software to run reliably when moved from one computing environment to another. This could be from a developer's laptop to a test environment, from a staging environment into production, and perhaps from a physical machine in a data center to a virtual machine in a private or public cloud.
Figure 1:Container Evolution. Source: Kubernetes
Put simply, a container consists of an entire runtime environment: an application, plus all its dependencies, libraries and other binaries, and configuration files needed to run it—bundled into one package. By containerizing the application platform and its dependencies, differences in OS distributions and underlying infrastructure are abstracted away.
Containers are similar to Virtual Machines (VM), but they have relaxed isolation properties to share the Operating System (OS) among the applications. Therefore, containers are considered lightweight. Similar to a VM, a container has its own filesystem, CPU, memory, process space, and more. As they are decoupled from the underlying infrastructure, they are portable across clouds and OS distributions.
Benefits of Containers and Kubernetes
Containers, especially when orchestrated using Kubernetes, have become popular because they provide a handful of benefits, including:
- Agile application creation and deployment: increased ease and efficiency of container image creation compared to VM image use.
- Declarative configuration that enables security as code.
- Continuous development, integration, and deployment: reliable and frequent container image build and deployment with quick and easy rollbacks (due to image immutability).
- Dev and Ops separation of concerns: create application container images at build/release time rather than deployment time, thereby decoupling applications from infrastructure.
- Environmental consistency across development, testing, and production: Runs the same on a laptop as it does in the cloud.
- Cloud and OS distribution portability: Runs on Ubuntu, RHEL, CoreOS, on-premises, on major public clouds, and anywhere else.
- Robust open source developer community with support from large and small companies
Security Risks of Containers
Despite their obvious benefit, containers and Kubernetes introduce several new security considerations that make that security mission more challenging.
Containers are numerous and everywhere creating security blind spots and increasing the attack surface. As more containers are deployed, maintaining adequate visibility into your critical cloud-native infrastructure components becomes more difficult.
Further, containers need to talk to each other within the deployment as well as to other endpoints to properly function. As a result, we must monitor both north-south and east-west traffic. If a container is breached, the attack surface is directly related to how broadly it can communicate with other containers and pods.
In addition, Kubernetes offers rich configuration options, but default settings are usually the least secure. In keeping with DevOps principles, Kubernetes is designed to speed application development, not to isolate its components. Another configuration risk relates to how secrets such as cryptographic keys are stored and accessed, a discipline called secrets management. IT security teams must ensure that secrets are not being loaded as environment variables but are instead mounted into read-only volumes in the containers.
Finally, while the continuous improvement and continuous delivery (CI/CD) model enabled by containers and Kubernetes is a core benefit of the cloud-native stack, this model also introduces challenges in complying with internal policies, best practices, and external policy frameworks.
Adding certificates to the mix creates additional challenges. Certificate renewal happens on a different cadence than application updates. New software versions may be released on a monthly or quarterly basis, but certificates need renewal annually. When application development ceases, certificate renewal still must occur for as long as the application is being used.
In addition, certificates are managed by different parties. Certificates may be purchased from public certificate authorities or may be issued from an internal private Public Key Infrastructure (PKI); in either case, the people responsible for acquisition or issuance are typically not the developers and may not be the IT operations folks.
Certificates and Kubernetes
As DevOps and virtualization continue to grow, we need to consider the security and integrity of these fast-moving environments. Specifically, when it comes to containers such as Kubernetes, businesses are increasingly challenged to secure use cases that leverage this technology. This includes ensuring strong identity for management of containers and general cryptography i.e., TLS sessions or encryption.
Although several methods employ container identity (and security), leveraging digital certificates as machine identities is the best possible method to secure these virtual environments. However, the fast, elastic nature of containers makes them unfeasible for manual certificate management methods. Therefore, certificate services teams charged with securing virtual, containerized systems should use machine identity solutions with built-in integrations to secure these environments.
As DevOps dramatically increases the number of machines (including virtual machines, service mesh and containers), the need for a standardized approach to certificates becomes essential. When DevOps teams use inconsistent solutions for certificates, it increases complexity and creates lock-in to DevOps tooling and cloud providers. This often results in the use of rogue certificates, unauthorized certificate authorities (CAs) and application downtime caused by poorly configured or expired certificates.
Until now, the process of incorporating trusted certificates into DevOps environments has been relatively slow and complicated. As a result, organizations adopting cloud services and containers have increasingly had to choose between agility and security. Developers spend valuable time either creating security infrastructure or waiting for certificates, both of which delay innovation.
Accelerate Kubernetes Certificates
The solution to overcome many of these challenges is to employ a common service for certificates via an API that is integrated with DevOps tooling. A solution such as Venafi’s TLS Protect for Kubernetes, would improve security and availability, ensure compliance, and accelerate software development by reducing complexity. In addition, it would define and enforce enterprise security policy for issuance and use of certificates-as-code with prebuilt DevOps tooling and cloud provider integrations.
Such a solution is easy for the development teams to adopt and use since it uses prebuilt open source integrations for the modern application stack, scales certificate issuance as part of CI/CD pipelines and secures Kubernetes containers to harden applications in zero-trust environments with prebuilt integrations. In addition, it allows the request of policy-compliant certificates from third-party CAs and built-in CA with native integration with Kubernetes through the open source solution, cert-manager.
Container Certificate Protection is a “Must-Have”
As dependence on machine identities increases, so does the impact of an operations or security incident. Security leaders can increase operational efficiency and security by using full life cycle management for complex environments such as Kubernetes containers.
Investment in machine identity management that covers the full certificate life cycle, such as that provided by Venafi, is no longer a “nice-to-have” rather a “must-have.” This is especially true in especially in multiple-certificate-based enterprise use cases such as containers.
How well are you managing machine identities for your organization’s containers?