1. Basic Concepts
1.1 What is Virtualization
Virtualization is a concept by which multiple operating systems can share a single set of hardware resources. It is mainly used to make the most efficient use of the hardware by deploying each application in a virtual machine (VM) with its own operating system. An application runs independently on top of the guest OS of a virtual machine dedicated to that application. The guest OS sits on top of the hypervisor software, which may be VMware ESX, Microsoft Hyper-V, KVM, or Xen.
1.2 What is a Container?
Before we talk about containers, let’s understand the following use case.
A developer in our team has written application code on his machine, and it works perfectly fine there, but once we deploy the same code on the development server the application breaks or does not work properly.
This is because the developer’s machine and the development server differ in configuration or software versions. For instance, he/she wrote the application code against PHP 5.3 and the development server has PHP 7.3, so he/she now has to rewrite the same code to make it compatible with the development server’s PHP version.
Another Use Case?
Now let’s say the developer rewrote the code and deployed it on the development server, where it works as expected. When he/she moves the code to the UAT or production server, the code fails again because some libraries needed to run the application are missing.
This is a major problem, so we need a solution that makes the application run in any environment and on any machine. The concept of a container (containerization) was introduced to overcome it.
A container is a lightweight virtualization technology and an alternative to hypervisor virtualization. An application can be bundled in a container and run without any worries about dependencies, libraries, and binaries: the container creates an isolated environment holding everything the application needs. You build the package once, ship it to any environment, and the application runs without issues.
1.3 What is Docker?
Docker is an open-source platform tool for managing containers. It lets us build an application in a container with the libraries, binaries, and dependencies required to run it, ship the container, and run it anywhere.
Docker has become immensely popular because of its way of building, shipping, and running applications. We no longer have to rely on server configuration and other external factors: build your application with Docker once and run it anywhere.
Advantages of Docker
- Portability: An application can be bundled into a single unit and the same unit can be deployed to various environments such as dev, stage, and live server without making any changes to the container.
- Lightweight: Docker containers are very lightweight, so they provide a much smaller operating-system footprint than virtual machines.
- Fast Delivery and Scalable: Because Docker containers are lightweight, they can be deployed faster and scaled very easily.
- Continuous Deployment and Testing: Docker users can do continuous deployment and testing; with containers it becomes easier for teams across different units, such as development, QA, and operations, to work seamlessly across applications.
- Isolated OS: Docker also gives us the ability to run multiple isolated OS environments on a single host.
- Resource Optimization: Docker enables you to use your hardware’s resources to the maximum and reduce wastage.
1.4 What is Kubernetes?
Kubernetes is an open-source container orchestration tool. It was originally developed by Google in 2015 and is now maintained by the CNCF (Cloud Native Computing Foundation).
Kubernetes turns the potential of container technology into an operational reality by automating and simplifying the daily container workflow. It automates deploying, scaling, and managing containerized applications on a group (cluster) of servers, and it also lets you automatically handle networking, storage, logs, alerting, etc. for all your containers.
Kubernetes is supported by all the major cloud platform providers, such as AWS, Microsoft Azure, GCP, Red Hat OpenShift, Docker EE, and IBM Cloud.
Advantages of Kubernetes
- Save Cost: Kubernetes significantly reduces infrastructure cost: we can run multiple containers on the same server and network connection.
- Save Time: Kubernetes decreases time-to-market through the increased productivity that comes from faster application deployment.
- Scalability: Kubernetes makes it easy to horizontally scale the number of containers in use depending on the needs of the application. You can change this number from the command line, or you can use the Horizontal Pod Autoscaler to change the number of containers based on usage metrics.
- Automate Deployment: A common integration for Kubernetes is setting up a continuous integration/continuous delivery (CI/CD) pipeline. Kubernetes offers the predictability of containers with the ease of service discovery to test, build, and deploy quickly.
- High Availability: Kubernetes is designed to tackle the availability of both applications and infrastructure, making it indispensable when deploying containers in production.
- Version Control of Infrastructure: Infrastructure resources in the cluster are declared in code, so we can track changes to that code over time in version control systems like Git.
- Microservices Architecture: Kubernetes’ advantages are most apparent when you manage wide-scale deployments, especially at the scale of a banking app, mobile game, or media streaming website. We can manage resources, distribute hosting across different regions, and even use other technologies
2. Security Aspects of Kubernetes
2.1 Security Survey
StackRox Inc conducted a survey about the security of container and Kubernetes environments over the last 12 months. More than 540 IT and security professionals participated; the results were as follows:
A total of 94% of respondents had experienced a security incident in their environments during the last 12 months. Data breaches and exposures often result from human error; not surprisingly, 69% of respondents had experienced a misconfiguration incident, 27% reported a runtime incident, and 24% had a major vulnerability to remediate.
2.2 Is Kubernetes Secure for Production?
Kubernetes enables enterprises to automate many aspects of the application, providing tremendous business benefits. But these new deployments are just as vulnerable to attacks and exploits from hackers and insiders as traditional environments, as the Tesla incident in Feb 2018 showed. Kubernetes provides rich configuration options, but the default option is usually the least secure. At the same time, it provides a rich set of controls that can be used to effectively secure clusters and applications.
Building effective Kubernetes security requires extra measures; we must take care of the following potential security risks:
- Least-privilege access control: Although Kubernetes has a framework for access control, not all access-control features are typically turned on by default. They may also not be configured to enforce least-privilege policies. For this reason, you should perform audits and compliance checks to enforce proper security configurations within Kubernetes.
- Pod-to-pod communications: Default Kubernetes configurations should be checked to minimize the risk that an attack within one workload (or pod, in Kubernetes parlance) will spread to other pods. Locking down network communications and requiring authentication in Kubernetes are important steps for this purpose.
- Container runtime: A container runtime is a special application, such as Docker, that executes containers. Kubernetes does nothing to harden the runtime against attack or detect intrusions after they occur. You’ll need third-party tools to do that.
- Container images: Detecting malicious code inside a container image requires a container image scanner, which is not a feature of Kubernetes.
- Host security: Kubernetes takes the servers assigned to it and runs containers on them. Since it doesn’t do anything to secure those servers, you need to use other tools and processes to harden them and monitor them for security problems.
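The audits and compliance checks the first bullet calls for, and the pod-to-pod lockdown the second describes, can begin with a scan of the manifests before anything reaches the cluster. What follows is an added example written for this page, not code from the original article or from the Kubernetes project. It reads a set of constructed manifests (in JSON, which Kubernetes accepts alongside YAML) and flags wildcard RBAC rules, privileged or host-namespace pods, unpinned images, auto-mounted service account tokens, and namespaces that run pods without a default-deny NetworkPolicy. The manifest names, namespaces and images are made up, and the check names are this example's own.

```python
"""Manifest audit for the Kubernetes risks listed above: least-privilege RBAC,
pod-to-pod isolation, and basic pod hardening. Added example, not code from
the original article; the manifests and check names are constructed."""
import json

# Constructed sample manifests in JSON form (Kubernetes accepts JSON as well
# as YAML). Names, namespaces and images are made up for this example.
SAMPLE_MANIFESTS = json.loads("""
[
  {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
   "metadata": {"name": "too-broad"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
   "metadata": {"name": "read-pods", "namespace": "app"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
  {"apiVersion": "v1", "kind": "Pod",
   "metadata": {"name": "web", "namespace": "app"},
   "spec": {"hostNetwork": true,
            "containers": [{"name": "web", "image": "nginx:latest",
                            "securityContext": {"privileged": true}}]}},
  {"apiVersion": "v1", "kind": "Pod",
   "metadata": {"name": "api", "namespace": "app"},
   "spec": {"automountServiceAccountToken": false,
            "containers": [{"name": "api", "image": "registry.example/api:1.4.2",
                            "securityContext": {"runAsNonRoot": true,
                                                "allowPrivilegeEscalation": false}}]}},
  {"apiVersion": "v1", "kind": "Pod",
   "metadata": {"name": "batch", "namespace": "jobs"},
   "spec": {"automountServiceAccountToken": false,
            "containers": [{"name": "batch", "image": "registry.example/batch:2.0.0",
                            "securityContext": {"runAsNonRoot": true,
                                                "allowPrivilegeEscalation": false}}]}},
  {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
   "metadata": {"name": "default-deny", "namespace": "app"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
]
""")

RBAC_KINDS = {"Role", "ClusterRole"}
HOST_NAMESPACE_FLAGS = ("hostNetwork", "hostPID", "hostIPC")


def _label(obj):
    """Human-readable 'Kind/name (ns=...)' prefix for a finding."""
    meta = obj.get("metadata", {})
    label = f"{obj['kind']}/{meta.get('name', '?')}"
    return label + (f" (ns={meta['namespace']})" if "namespace" in meta else "")


def _image_pinned(image):
    """True if the image reference carries a digest or a non-'latest' tag."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop the registry/repository path
    return ":" in last and not last.endswith(":latest")


def check_rbac(obj):
    """Wildcard verbs or resources grant far more than least privilege."""
    return [f"{_label(obj)}: wildcard RBAC rule {rule}"
            for rule in obj.get("rules", [])
            if "*" in rule.get("verbs", []) or "*" in rule.get("resources", [])]


def check_pod(obj):
    """Pod settings that widen the blast radius of a compromised workload."""
    findings = []
    spec = obj.get("spec", {})
    for flag in HOST_NAMESPACE_FLAGS:
        if spec.get(flag):
            findings.append(f"{_label(obj)}: {flag}=true shares a host namespace")
    if spec.get("automountServiceAccountToken", True):  # API default is true
        findings.append(f"{_label(obj)}: service account token auto-mounted")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        where = f"{_label(obj)} container {c['name']}"
        if sc.get("privileged"):
            findings.append(f"{where}: privileged=true")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{where}: runAsNonRoot not set")
        if sc.get("allowPrivilegeEscalation", True):  # unset behaves as true
            findings.append(f"{where}: allowPrivilegeEscalation not disabled")
        if not _image_pinned(c.get("image", "")):
            findings.append(f"{where}: image {c.get('image')!r} not pinned")
    return findings


def check_network_isolation(manifests):
    """Each namespace that runs pods should carry a default-deny NetworkPolicy.
    An empty podSelector selects every pod in the namespace."""
    with_pods = {m["metadata"].get("namespace", "default")
                 for m in manifests if m["kind"] == "Pod"}
    covered = {m["metadata"].get("namespace", "default")
               for m in manifests
               if m["kind"] == "NetworkPolicy" and m["spec"].get("podSelector") == {}}
    return [f"namespace {ns}: no default-deny NetworkPolicy"
            for ns in sorted(with_pods - covered)]


def audit(manifests):
    """Run every check and return the list of findings (empty means clean)."""
    findings = []
    for m in manifests:
        if m["kind"] in RBAC_KINDS:
            findings.extend(check_rbac(m))
        elif m["kind"] == "Pod":
            findings.extend(check_pod(m))
    findings.extend(check_network_isolation(manifests))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_MANIFESTS):
        print(line)
```

On the sample set the scan reports eight findings: one for the wildcard ClusterRole, six for the `web` pod, and one for the `jobs` namespace, which has no default-deny policy; the two hardened pods pass. The same checks apply to live objects exported with `kubectl get -o json` once the `items` list is unwrapped, which is one way to turn the periodic audit the bullet asks for into a repeatable job.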
2.3 Healthcare Security and Compliance Concerns
Healthcare organizations need a new way to innovate and analyze at speed while rapidly improving customer satisfaction, without neglecting security and compliance concerns. Kubernetes is the leading platform for managing and orchestrating containerized workloads and services. Cloud computing service providers offer Kubernetes as a service and state on their websites that “this service is HIPAA as well as PHI compliant”. For example:
Kubernetes is as vulnerable to attacks and exploits from hackers as traditional software, but it enables us to automate application deployment, providing tremendous business benefits. If an organization’s IT team periodically monitors and applies Kubernetes security updates and addresses other infrastructure-related security challenges, then the security risks can be overcome.
“Kubernetes is a container orchestration tool. It’s not a security tool, however, it has basic security measures.”
3.2 For a Mid-level Company
Especially in the healthcare or banking sector, there are many compliance requirements that need to be followed. From our point of view, it is better to outsource such an implementation (to Amazon, GCP, or Microsoft) unless we have gained the expertise to take care of the security measures along with the Kubernetes implementation.