A container is a software that packages codes and all its dependencies in order to run the application quickly and reliably from one computing environment to another. Linux containers are application packaging and delivering technology and in which all the files that are necessary to run are given by distinct images.
We can secure the containers by:
- Securing the container’s pipeline and applications.
- Securing the container deploying environment and infrastructure.
- Integrating containers with enterprise security tools and enhancing existing security features.
The main layers of container security are ;
Container host operating system and multi-tenancy
We can secure containers by dropping privileges like using users (non-root) for running containers. By using Namespaces, cgroups, SELinux we can secure containers.
- Linux Namespaces
The kernel provides separate namespaces for containers and hence the namespace makes it appear to the processes within the Namespace that they have their own instance of global resources. It provides container isolation.
- Control Groups(cgroups)
The kernel provides cgroups to group processes for several purposes of the system’s resource management (like CPU, Memory, I/O Network) of a collection of processes.
It is a security feature to isolate containers from each other and from the host. It act like a protection wall by stopping us if we break out the namespace abstraction accidentally or by any purpose.
Use container components from trusted sources
We are mostly composing applications and other infrastructures in containers from easily available sources. But there may be a chance to getting vulnerabilities from there and it will affect container security.
So that we should use the components from only trusted sources and it can be done by using container scanning tools in order to check the vulnerabilities when using container images from other sources.
We can secure access to the container images by storing container images in private registries.
When we are downloading new container images or the deployed one may behave the chance of getting some type of vulnerabilities. In order to avoid that we should implement some features that can find vulnerabilities like that. (Eg: OpenShift, Red Hat Cloud forms Smart State analysis) For Red Hat it uses;
Red Hat Container Registry – Local and secure with Role-Based Access Control (RBAC)
The software-build process in the container environment is the application code integrated with run time libraries. We have to maintain the container well. We should have separated control in each one;
- Operation team – Manages the base images.
- Architects – Manages the middleware, runtimes, databases.
- Developers – They focus on application layer and just write codes.
Control deployment in a cluster
If an image is deployed into a container, if there any type of vulnerability inspected then we can rebuild the image. Once the rebuild is completed the image is pushed into the container’s platform’s internal registry.
Then it checks the changes that occurred and all these help to integrate the container security into our continuous integration and continuous development (CI/ CD) process and pipelines. Hence we can prevent images from running when they shouldn’t.
Container orchestration platform
It helps to secure containers by ;
- secrets managing
- Image signing
- Role-based access controls with LDAP and OAuth2 integration
- security ecosystem
- storage plugins
Using Network Namespace isolation
- Each group of containers (known as a pod) gets its own IP and port range to bind to.
- Isolate applications from others within the cluster.
- Isolate environments like (Dev / Prod/ Test) from other environments within a cluster.
- It secures the cluster communication with IPsec.
Securing storage can be done by using;
- Secure mount point for Persistent Volume(PV).
- Using SELinux access controls.
- Supplemental group ID’s to the shared storage like NFS, Ceph, Gluster, etc.
In order to secure the applications in the container, it will include managing application and API authentication and authorization.
This can be done by;
- End-point access control
- LDAP Integration
- API Management tool
- Rate Limiting
- Authentication and authorization
Cluster federation – role and access management
This is one of the best features involving Kubernetes. In July 2016 Kubernetes 1.3 introduced Kubernetes Federated Clusters.
It can be used to manage multiple clusters across data centers or environments. Securing the cluster federation;
- Federated Secrets
- Federated Namespaces
- API endpoints
- Authentication and authorization
Hence we can conclude that Containers are the best platform for developers and operators. So it should be secured in order to improve the performance.