Container security implications when using Iron vs VM vs cloud provider infrastructures
With the ever-growing popularity of containers, many service providers are coming forward to offer their services to run and manage container workloads. Most popular cloud providers like AWS, Azure and Google Cloud have managed Kubernetes services, namely EKS, AKS and GKE.
These managed services are easy to use, and clusters can be set up in a matter of a few clicks. Other infrastructure options for running containers include bare-metal servers and virtual machines.
Overview of infrastructures
Underlying hardware infrastructure is one of the critical areas of a container system’s design and implementation strategy. The discussion of choosing the environment for running containers presents the following options:
- Bare-metal systems (Iron)
- Virtual machines
- Cloud providers
Bare-metal (Iron) systems and virtual machines are two of the options for running containers. Functionally, running containers on bare metal and on virtual machines differs very little, but cost and performance vary significantly; virtual machines add elasticity to the infrastructure. When choosing Iron or virtual machines for running containers, we also need to decide on an orchestration framework such as Docker Swarm or Kubernetes, which means we must fully manage the chosen orchestration platform ourselves.
Cloud providers are another option for running containers. Running containers on a cloud provider's solution comes with many functional and operational benefits: the managed services are easy to use, and spinning up a new cluster is generally a few clicks away. In addition, running containers in a cloud provider's environment brings a highly available control plane, multi-region options and the provider's operational expertise.
Iron vs. VM vs. cloud providers
Let us discuss some of the security considerations when running containers in-house vs. in the cloud. When running containers in-house, aside from managing the hardware and software resources (iron, OS, virtual machines), we must also manage the security of every node on which containers run. Cloud providers, by contrast, take over part of the cluster when it runs in the cloud: in a fully managed cluster, for instance, the master nodes are updated and patched by the cloud provider.
Most cloud providers offer private image registries, and these typically scan images for vulnerabilities by default. A private image repository also lets us define specific policies and prevent the deployment of images that do not comply with them. When running containers in-house, merely setting up a private registry is not enough: we must also ensure that the registry itself is well secured and that features like image vulnerability scanning are in place, rather than just image storage.
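The registry policy gate described above, as an added example (not code from this article or from any cloud provider): a small admission check in Python that takes a pod spec plus the registry scanner's findings and denies any image that is not from the private registry, is not pinned by digest, or has unscanned or blocking vulnerabilities. The registry hostname, severity threshold, scan results and pod spec are all constructed assumptions.

```python
import re

# Assumed (hypothetical) policy inputs for this example.
ALLOWED_REGISTRIES = {"registry.internal.example"}
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Image reference grammar: [registry/]repo[:tag][@sha256:digest]. The first
# path component counts as a registry only if it contains '.' or ':' or is
# 'localhost', which is the convention container runtimes use.
IMAGE_RE = re.compile(
    r"^(?:(?P<registry>[^/]*[.:][^/]*|localhost)/)?(?P<repo>[^:@]+)"
    r"(?::(?P<tag>\w[\w.-]{0,127}))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

def parse_image(ref):
    m = IMAGE_RE.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref}")
    return m.groupdict()

def check_image(ref, scan_results):
    """Return the policy violations for one image reference (empty = allowed).
    scan_results maps a digest to the severities the registry scanner reported."""
    parts = parse_image(ref)
    violations = []
    if parts["registry"] not in ALLOWED_REGISTRIES:
        violations.append("not from an approved private registry")
    if parts["digest"] is None:          # a mutable tag can be re-pointed later
        violations.append("not pinned by digest")
    elif parts["digest"] not in scan_results:
        violations.append("no vulnerability scan result for this digest")
    elif BLOCKING_SEVERITIES & set(scan_results[parts["digest"]]):
        violations.append("scan reports blocking vulnerabilities")
    return violations

def admit_pod(pod, scan_results):
    """Map each container image in a pod spec to its violations."""
    return {c["image"]: check_image(c["image"], scan_results)
            for c in pod["spec"]["containers"]}

# Constructed sample data: two scanned digests and a pod with three images.
CLEAN = "sha256:" + "0123456789abcdef" * 4
VULN = "sha256:" + "fedcba9876543210" * 4
SCAN_RESULTS = {CLEAN: ["LOW"], VULN: ["MEDIUM", "CRITICAL"]}
DEMO_POD = {"spec": {"containers": [
    {"image": f"registry.internal.example/app/api@{CLEAN}"},
    {"image": f"registry.internal.example/app/worker:1.4@{VULN}"},
    {"image": "nginx:1.25"},  # public image, mutable tag, never scanned
]}}
```

Calling admit_pod(DEMO_POD, SCAN_RESULTS) admits only the first image; the worker image is denied for its CRITICAL finding and the public nginx image for both its origin and its unpinned tag.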
Containers run in-house often run on virtual machines built from standard OS images such as Ubuntu or CentOS, whereas most cloud providers offer container-optimized operating system images for their nodes by default. This benefits both performance and security: container-optimized images can be free of unnecessary software, which reduces the overall attack surface.
In addition to hardening and protecting the clusters and container workloads, security monitoring is a further effort required to monitor the containers themselves (not just the hosts). When running clusters in-house, one should consider monitoring the clusters for attacks; cloud providers usually offer container monitoring as part of their managed clusters.
Choosing infrastructure for running containers
This article has provided an overview of the various infrastructure options available for running containers. Running containers locally brings a lot of flexibility in which tools and platforms we use, but it also comes with additional effort, cost and complexity. Cloud providers share both the operational and the security responsibilities when containers run in the cloud. Every option has its pros and cons, so one should carefully review the benefits and drawbacks against one's own specific use cases.