The New Stack Podcast

Refocusing On Container Application Security

Episode Summary

In the race to make this weird, wild world of distributed, containerized applications compatible with the virtualized infrastructure upon which most enterprises depend, perhaps no project has made more progress than Kata Containers.  The product of collaboration between the Hyper.sh project and Intel’s Clear Containers, Kata aims to pair individual containers with hypervisors, creating that direct link with the hardware that typifies first-generation virtualization, and isolating host Linux kernels from one another. Google’s recent gVisor project follows a similar path, creating a minimal Linux kernel for the container hosts that reduces the likelihood of exploit. Some folks contend these architectures may render many of the more aggressive security systems being conceived for containerized environments unnecessary or redundant.  But in a conversation for The New Stack Makers, Aqua Security co-founder and CTO Amir Jerbi told us he believes that even the mode of process isolation gVisor and Kata introduce, would carry with it into practice some security challenges.  Try orchestrating a microservices environment with isolated instances in a multi-tenant environment, he suggests, and see what happens.

Episode Notes

In the race to make this weird, wild world of distributed, containerized applications compatible with the virtualized infrastructure upon which most enterprises depend, perhaps no project has made more progress than Kata Containers.  The product of collaboration between the Hyper.sh project and Intel’s Clear Containers, Kata aims to pair individual containers with hypervisors, creating that direct link with the hardware that typifies first-generation virtualization, and isolating host Linux kernels from one another.

Google’s recent gVisor project follows a similar path, creating a minimal Linux kernel for the container hosts that reduces the likelihood of exploit.

Some folks contend these architectures may render many of the more aggressive security systems being conceived for containerized environments unnecessary or redundant.  But in a conversation for The New Stack Makers, Aqua Security co-founder and CTO Amir Jerbi told us he believes that even the mode of process isolation gVisor and Kata introduce, would carry with it into practice some security challenges.  Try orchestrating a microservices environment with isolated instances in a multi-tenant environment, he suggests, and see what happens.