2020-01-20

Software development is difficult. Even the largest and most successful companies run into problems when developing new applications. First you need to assemble dozens of libraries, packages, and other software components, and then you must make sure your software stacks stay up to date, run smoothly, scale to business needs, and so on. For many years, the leading method for isolating and organizing applications and their dependencies has been to place each application in its own virtual machine. Virtual machines allow multiple applications to run on the same physical hardware while minimizing conflicts between software components and competition for hardware resources.

However, virtual machines are very large – they are usually gigabytes in size. They don’t really solve problems like portability, software updates, or continuous integration and deployment. To address these issues, companies have turned to Docker containers.

Using containers

Containers make it possible to isolate applications in small, compact execution environments that share the operating system kernel. Containers are usually measured in megabytes and consume far fewer resources than virtual machines. They start almost immediately. They can be packed much more densely on the same hardware and spun up and down in bulk with much less effort and overhead.

The old way of deploying applications was to install them on a host using the operating system’s package manager. This had the disadvantage that the executables, configuration, libraries and life cycles of the applications were entangled with each other and with the host operating system. You could build immutable virtual machine images to achieve predictable rollouts and rollbacks – but VMs are heavy and not portable. The new way is to deploy containers based on operating-system-level virtualization rather than hardware virtualization. These containers are isolated from each other and from the host – they have their own file systems, they cannot see each other’s processes, and their use of computing resources can be limited. They are easier to build than VMs, and because they are decoupled from the underlying infrastructure and from the host file system, they can be moved across clouds and operating system distributions.

Containers are small and fast, so each application can be packed into its own container image. This one-to-one relationship between application and image fully exploits the advantages of containers. With containers, immutable container images can be created at build/release time rather than at deployment time, because each application does not have to be assembled with the rest of the application stack or tied to the production infrastructure environment. Generating container images at build/release time lets a consistent environment be carried from development through to production. Containers are also much more transparent than VMs, which makes monitoring and administration easier. This applies in particular when the container process life cycles are managed by the infrastructure rather than hidden inside the container by a process supervisor. Finally, with a single application per container, managing the containers becomes equivalent to managing the deployment of the application.

Enter Kubernetes

Kubernetes is an open source container orchestration system for automating the provisioning, scaling and management of containerized applications. It was originally developed by Google and is now managed by the Cloud Native Computing Foundation. Its goal is to provide a platform for automating the deployment, scaling, and operation of application containers across clusters of hosts. Kubernetes is essentially a system for running and coordinating containerized applications across a cluster of machines. It is a platform designed to manage the life cycle of containerized applications and services using methods that offer predictability, scalability, and high availability. The push to the cloud for scalability and availability has driven demand for containerized development technologies that further improve that scalability and availability, which in turn has led to the spectacular growth and acceptance of Kubernetes as a supporting platform.

The central component of Kubernetes is the cluster. A cluster consists of many virtual or physical machines, each of which performs a specific function either as a master or as a node. Each node hosts groups of one or more containers (containing your applications), and the master communicates with the nodes about when to create or destroy containers. It also tells the nodes how traffic should be rerouted based on new container placements. As a Kubernetes user, you define how your applications should run and how they should interact with other applications or with the outside world. You can scale your services up or down, perform graceful rolling updates, and switch traffic between different versions of your applications to test functionality or roll back problematic deployments. Kubernetes offers interfaces and composable platform primitives with which you can define and manage your applications with a high degree of flexibility, performance and reliability.
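As an added example (not code from the original article), the following Kubernetes Deployment and Service manifest shows how the primitives described above are expressed in practice: the replica count for scaling, a rolling-update strategy for graceful updates, resource requests and limits that bound the container's use of computing resources, a security context that enforces the isolation from the host described in the previous section, and a Service whose label selector is the switch for directing traffic between application versions. The application name, image reference and port are placeholders.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app                 # placeholder name
  labels:
    app: example-app
spec:
  replicas: 3                       # scale up or down by changing this number
  strategy:
    type: RollingUpdate             # replace pods gradually instead of all at once
    rollingUpdate:
      maxUnavailable: 1             # keep at least two of three replicas serving
      maxSurge: 1                   # allow one extra pod during the rollout
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
        version: "1.0.0"            # used to switch traffic between versions
    spec:
      securityContext:
        runAsNonRoot: true          # refuse to start if the image runs as root
        seccompProfile:
          type: RuntimeDefault      # restrict syscalls with the runtime's default profile
      containers:
        - name: app
          image: registry.example.com/example-app:1.0.0   # placeholder image
          ports:
            - containerPort: 8080   # placeholder port
          resources:
            requests:               # what the scheduler reserves for the pod
              cpu: "100m"
              memory: "128Mi"
            limits:                 # hard ceiling enforced by the kernel (cgroups)
              cpu: "500m"
              memory: "256Mi"
          securityContext:
            allowPrivilegeEscalation: false   # no setuid/capability gain inside the container
            readOnlyRootFilesystem: true      # image contents cannot be modified at runtime
            capabilities:
              drop: ["ALL"]                   # start from zero Linux capabilities
          readinessProbe:           # the rollout only proceeds once new pods answer
            httpGet:
              path: /healthz        # placeholder health endpoint
              port: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: example-app
spec:
  selector:
    app: example-app
    version: "1.0.0"                # point this at another version to shift traffic
  ports:
    - port: 80
      targetPort: 8080
```

Apply it with `kubectl apply -f deployment.yaml`; change the replica count with `kubectl scale deployment example-app --replicas=5`; and if a new image version misbehaves, `kubectl rollout undo deployment/example-app` returns to the previous revision. Because the Service selects pods by label, deploying a second Deployment with a different `version` label and re-pointing the selector is the traffic switch between versions that the text describes.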

Security

Such spectacular growth in innovation, however, outpaces current security measures and controls and renders existing security solutions ineffective. Cloud-native apps require a new approach. Looking at the environment in which all of these containers in the cloud must be secured, software developers often lack security knowledge. Indeed, vulnerabilities can be introduced at any point in the development lifecycle, and unsecured or unreviewed code can easily reach production, putting applications and data at risk. Ultimately, these containers are publicly exposed, hold all kinds of sensitive data, and must comply with data protection regulations. That regulatory framework requires a portfolio of security tools with which DevOps compliance can be managed. This new paradigm is captured by the term DevSecOps, which again emphasizes the need for security to converge with the various phases of software development and the release lifecycle. The best way to achieve this is a full Kubernetes security platform that monitors clusters for anomalies and protects the developed applications against all types of known and unknown attacks.

Security and DevOps teams need continuous security for every Kubernetes infrastructure to protect their growing deployments.

Dr. Eduardo Rocha, pre-sales engineer, GlobalDots

