Container security tools have pinned their hopes on service mesh, as the microservices networking stack gains altitude among cloud-native app developers.
Service meshes such as Linkerd, Istio and others offer granular security management and monitoring features, but only for areas of the infrastructure where service mesh sidecar container proxies are deployed. Meanwhile, defense in depth for container security environments is a hot topic, as vulnerabilities such as this week's disclosure of a runC flaw illustrate.
Enter container security tools, which offer a comprehensive view into container environments inside and outside of the purview of service mesh, as well as security management for service mesh deployments themselves.
"Third-party container security tools can provide coverage for things the mesh doesn't do," said Fernando Montenegro, analyst at 451 Research. The Istio service mesh, for example, is focused primarily on application security monitoring at Layer 7, while container security tools can offer in-depth Layer 2 and 3 monitoring.
It's also a matter of convenience, he said. Third-party tools, such as NeuVector, Twistlock and Aqua Security, offer a complete view of the environment that's easy to configure, as opposed to Kubernetes network policies, which still require command-line interface and JSON expertise.
Container security tool reinforces service mesh security
Some early service mesh adopters take wide-reaching security considerations into account as they head to production with Kubernetes and tools such as Linkerd 2.
"NeuVector lets us dig down to the port level, where containers talk to each other," said Christian Hüning, systems architect at Figo.io, a fintech startup in Hamburg, Germany, that plans to put Linkerd 2, Kubernetes and NeuVector into production this month.
The company plans to use a service mesh integration that NeuVector added this week, which allows the container security tool to see and manage traffic that the service mesh encrypts with mutual TLS. This will give Figo container security policy enforcement for its entire Kubernetes environment.
"NeuVector sees packets as network traffic hits the container host and forwards them or drops them before they reach the container," Hüning said. As an added defense, Figo forwards NeuVector's syslog data to broader security information and event management tools for centralized IT security monitoring.
"Even if someone manages to bring in a compromised container image and start a pod for it, our container security policies would block it from executing network calls," Hüning said.
NeuVector entered the market in 2017 focused on container runtime monitoring, but added container image scanning with version 2.0 in April 2018. That release also added integration that combines image scanning data with information about application artifact dependencies supplied by the JFrog Artifactory repository Figo uses. This combination broadens Figo's container security posture to include parts of the CI/CD pipeline that are well beyond the scope of service mesh security.
However, Hüning said he hopes NeuVector will expand its list of integration partners to include GitLab.
"In our dev cluster, we've had to tell NeuVector to ignore the GitLab namespace, because it was going wild with every change," he said.
Better GitLab integration is on the roadmap for this year, a NeuVector spokesperson said.