
Kubernetes roadmap to address container security, complexity concerns

The next Kubernetes update will offer role-based access control, while users wait for other portions of the Kubernetes roadmap to address setup and upgrade complexity.

The Kubernetes roadmap will offer sought-after setup features for IT pros working with containers via the orchestration tool, while an update this week catches it up with Docker swarm mode in container security.

Kubernetes version 1.6, slated for release March 22, will support role-based access control (RBAC) to the container infrastructure by default. This will not only address container security concerns that hold the technology back from enterprise production environments, but it also will level the playing field with Docker swarm mode, the native Docker container orchestration technology, which now has RBAC and secrets management enabled by default.

"It's definitely going to be a more secure release," said Joe Beda, CTO of Heptio, a Kubernetes development startup created by ex-Google IT pros in Seattle, in an interview last week. "We've locked down all the unsecured end points across the entire platform, so, even if you have access to the master node, you'd have to have permissions to the right keys to be able to run and modify things."

Role-based access control had been implemented unevenly across the various modules that make up Kubernetes, so better integration is welcome news to customers. "[RBAC] wasn't particularly straightforward or well-documented before, but 1.6 will incorporate that by default, which will be a huge advantage," said Rob Scott, vice president of software architecture at Spire Labs, a startup in Chattanooga, Tenn., that runs employee wellness and digital health social networks for corporations.
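To make concrete what "RBAC by default" asks of a cluster operator, here is an added example (not from the article or the Kubernetes project) contrasting a permissive binding with a least-privilege one. The namespace (`wellness-app`) and the `monitor` ServiceAccount are constructed names; the API version shown is the beta group that shipped with 1.6, while current clusters use `rbac.authorization.k8s.io/v1`.

```yaml
# Added example; the namespace and subject names below are constructed.

# WEAK: handing the namespace's default ServiceAccount (used by any pod that does
# not name one) the built-in cluster-admin role. This recreates the pre-RBAC
# "anything on the node can drive the API" posture that 1.6 locks down.
apiVersion: rbac.authorization.k8s.io/v1beta1   # 1.6 API group; v1 on current clusters
kind: ClusterRoleBinding
metadata:
  name: too-permissive
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: wellness-app
---
# LEAST PRIVILEGE: a namespaced Role that grants only read access to pods and
# their logs, bound to a dedicated ServiceAccount that a monitoring pod runs as.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: pod-reader
  namespace: wellness-app
rules:
- apiGroups: [""]                     # "" is the core API group (pods live here)
  resources: ["pods", "pods/log"]     # no secrets, no configmaps, no write verbs
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: monitor-reads-pods
  namespace: wellness-app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
- kind: ServiceAccount
  name: monitor
  namespace: wellness-app
```

After applying the second manifest, `kubectl auth can-i list pods -n wellness-app --as system:serviceaccount:wellness-app:monitor` should answer yes, while the same check for `create pods` or `get secrets` should answer no; the first manifest is there only to show the shape of a binding to avoid.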

Kubernetes users seek smoother operations

Kubernetes users report widely varied experiences with Kubernetes setup and upgrades in public cloud environments.

First, there are almost as many ways to set up Kubernetes clusters as there are deployments in the world. OpenStack players, such as Mirantis, are bringing their setup methods to the project, while Red Hat's OpenShift has its own method. Other users choose to go it alone with open source tools, such as Kubernetes Operations (kops); configuration management tools, such as Ansible; or infrastructure provisioning utilities, such as HashiCorp's Terraform.

Kops confers an advantage in Amazon Web Services (AWS) environments, Scott said. For one thing, kops makes it easy and more cost-effective than previous VM-based setups to configure high availability in multiple Amazon Availability Zones. This prevented downtime for Spire in the recent Amazon Simple Storage Service (S3) outage that rocked much of the web.

But there's a price to pay for these benefits, Scott noted. While upgrades with kops can be a challenge, not upgrading could leave his organization vulnerable to security concerns.

"One of the frustrations with Kubernetes -- and I don't think it's particularly unique to us -- is that it can be difficult to update," Scott said. "There are various people trying to tackle this [in the Kubernetes roadmap], but, at the end of the day, it's still a pain point."

For example, Spire's IT team spends a significant amount of time monitoring common vulnerabilities and exposures and ensuring Kubernetes systems are patched. A recent version of kops does enable unattended upgrades on server images, though this doesn't catch every vulnerability, Scott said.

"The last time we did our update, we just spun up new clusters -- we didn't even try to update in place," he said. "That was actually relatively painless, but you still have to spin up new infrastructure, and it took a couple days. If that's one of the best ways to update your system, that's not great."


Kubernetes roadmap takes on setup, upgrade complexity

A solution for upgrade problems is under discussion among Kubernetes coders in the form of a utility, called kubeadm, which was created under the auspices of a Kubernetes special interest group, called sig-cluster-lifecycle. In a nutshell, kubeadm is expected to bring the advantages of kops to a wider array of Kubernetes environments outside of AWS.

"Because kops makes the assumption it's running in AWS, it has some dependencies that make it easier to get up and running," Beda said. Kops assumes it has access to an S3 repository of configuration files, for example. Kubeadm aims to make the kops setup experience portable between clouds and on-premises data centers, as well, without dependencies on AWS-specific services.


A January Kubernetes blog post outlined goals for kubeadm in Kubernetes 1.6 that included a new modular setup process that's easier to manage and more transparent to the user -- features that users say are sorely needed.

"The danger with tools like that is that when they break, they're kind of a black box," said Cole Calistra, CTO of Kairos AR Inc., a Miami-based provider of human facial recognition and analytics algorithms for developers. Calistra uses Ansible and Terraform to install and configure Kubernetes hosts. "If there's a failure and you don't know what they're doing under the covers, you really have no way to recover from it."

However, many kubeadm goals outlined in the blog post remain on the Kubernetes roadmap, Beda said. The ability to invoke the various phases of kubeadm separately, for example, is in alpha with this release. But a self-hosting feature that is a prerequisite for truly seamless Kubernetes updates is not supported yet.

"Upgrades are still more manual than we really want them to be," Beda said.

Another item on the agenda for future releases is that kubeadm will perform high-availability and push-button upgrades. So far, Heptio, Weaveworks and Apprenda have been the major contributors to kubeadm.

Further out in the Kubernetes roadmap, plans include more modular support for public cloud provider infrastructures. Currently, these must be merged into the Kubernetes master code repository, which users say creates an unduly complex and lengthy process to support new clouds. Modular cloud provider plug-ins are slated for version 1.9, but inclusion will depend on ongoing discussions in the open source community, Beda said.

"Time frames with open source are a difficult thing," he said. "We'll see who else actually shows up to roll up their sleeves and get some code in."

Beth Pariseau is senior news writer for TechTarget's Data Center and Virtualization Media Group. Write to her at [email protected] or follow @PariseauTT on Twitter.
