Kubernetes 1.4 Improves Container Security

The latest release of the open-source container orchestration technology adds new security features, including TLS bootstrap.


The open-source Kubernetes 1.4 release, which debuted Sept. 26, provides users with a host of enhanced security capabilities for container deployment and orchestration.

Kubernetes originated at Google and is now part of the Cloud Native Computing Foundation, benefiting from the contributions of multiple vendors.

Among the new features in Kubernetes 1.4 is TLS bootstrap, which is designed to improve the use of encryption for data in motion across a cluster. TLS (Transport Layer Security) is widely used on the internet today for encryption.

"The TLS bootstrapping work done in Kubernetes 1.4 is a step toward automating the addition of new hosts to the Kubernetes cluster," Clayton Coleman, Red Hat's lead architect for OpenShift, explained to eWEEK.

OpenShift is Red Hat's platform as a service (PaaS) and is based on Docker containers and Kubernetes. Coleman noted that Kubernetes 1.4 is already available in the OpenShift Origin upstream project. Later this fall, Red Hat's commercially supported OpenShift Container Platform 3.4 will be updated with Kubernetes 1.4. OpenShift Container Platform 3.3, based on Kubernetes 1.3, was released on Sept. 22.

CoreOS is also a leading contributor to Kubernetes and builds a commercially supported distribution of Kubernetes called Tectonic. Brandon Philips, CTO of CoreOS, explained that prior to Kubernetes 1.4, the communication channel between the kubelet (a core building block of Kubernetes and the primary node agent that runs on each node) and the API server was only secured in one direction without manual configuration.

"This change [TLS bootstrap] allows kubelets to request cryptographic assets [certificates] that identify them as approved members of the cluster when talking to the API server," Philips told eWEEK. "This sets the stage for a variety of security features based on strong kubelet identity."

Going forward, CoreOS hopes to expand the TLS bootstrap feature to allow other components of Kubernetes to request certificates, Philips said.

Another new capability in Kubernetes 1.4 is the image policy webhook that can help make sure malicious container images don't run on a cluster.

"An Admission Controller is configured with an Image Policy webhook that will contact a back-end service for verifying images," Philips said. "The back-end service needs to only understand how to respond to a request from an admission controller, which allows for a variety of possible back-end services."

hilips noted that one example could be a service collocated with CoreOS' Quay container image repository, which approves or rejects scheduling requests for containers based on the results of a Quay Security Scanner analysis. He added that today that system can notify users of potential issues via email, Slack or webhook but with this addition to Kubernetes a user will, in the future, be able to block known vulnerable images from ever running.

Work is also ongoing in Kubernetes with a Pod Security Policy, which Coleman said is the upstream Kubernetes equivalent of the Security Context Constraints that originally shipped with OpenShift v3.0 in June 2015.

"Pod Security Policy (and Security Context Constraints) provides a set of rules that match a user or group to allow security options on the pods they create—to limit users from running pods/containers that may not be secure," Coleman said.

Pod Security Policy is currently off by default in Kubernetes, he said. The current plan from Red Hat is to move the security policies that OpenShift provides out of the box, which range from restrictive to fully permissive, into Kubernetes in either the 1.5 or 1.6 releases.

Looking forward for Philips, one of the major efforts for CoreOS is helping to make rkt a first-class container runtime for Kubernetes. Rkt is a container runtime effort led by CoreOS that got started in December 2014.

"Our goal as community stewards for Kubernetes is to allow broad participation in the project while ensuring a healthy technical foundation for innovation," Philips said.

The top areas of improvement for the Kubernetes 1.5 release, according to Coleman, will include maturing the storage capabilities in Kubernetes with dynamic volume provisioning across a wide range of cloud providers and storage systems. In addition, there is a focus on continuing to
make performance and scale improvements to enable larger clusters.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.