
Kubernetes security updates appeal, but early versions must earn trust

Kubernetes 1.7 targets enterprises with added security features, but many of the updates are still too immature for production deployment.

Kubernetes continues to strike a chord with enterprise IT shops, even if some new bars aren't in full harmony.

The latest Kubernetes container orchestration platform, version 1.7, became available June 30, with improved security features useful to enterprise IT shops, although some of them are not quite ready for production use.

One feature, Network Policy API, was promoted from beta to stable in the latest Kubernetes release. IT pros praise this feature's ability to control network traffic in a Kubernetes cluster on a pod-to-pod level, which helps improve segment security around individual microservices in environments such as Ocado's Kubermesh.

"We can say for each individual service what they can talk to and what they can be accessed by," said Mike Bryant, senior developer on the Kubermesh project for Ocado, based in Hatfield, U.K. "If someone managed to break into one service, they can now only talk to a few other things. This is security in depth, instead of a situation where if [an attacker] breaks through an outer shell, they have free rein."
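What Bryant describes is expressed as NetworkPolicy objects. The two policies below are an added illustration, not configuration from the article or from Ocado's Kubermesh project: the namespace, labels, and port are assumptions. The first isolates every pod in the namespace by default; the second opens one path, so that "orders" accepts traffic only from "checkout" and a compromised pod elsewhere gets nothing.

```yaml
# Added example (not from the article or Ocado). Uses the networking.k8s.io/v1
# NetworkPolicy API that moved to stable in Kubernetes 1.7.
# Namespace "shop", labels app=orders / app=checkout and port 8080 are assumptions.
---
# Default-deny ingress: an empty podSelector matches every pod in the namespace,
# so each pod is isolated unless another policy explicitly admits traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# Allow-list for one service: only pods labelled app=checkout in the same
# namespace may reach app=orders, and only on TCP 8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orders-allow-from-checkout
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: orders
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: checkout
    ports:
    - protocol: TCP
      port: 8080
```

Apply both with `kubectl apply -f` and confirm with `kubectl get networkpolicy -n shop`. One caveat a practitioner will want before relying on this: the API server accepts NetworkPolicy objects regardless of the cluster's network plugin, but only a plugin that implements the policy (Calico and Weave Net are common examples) actually enforces it. On a cluster whose plugin does not, the objects are stored and silently ignored, so verify enforcement with a test connection from a non-matching pod rather than trusting the object's presence.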

Other Kubernetes security features that moved from alpha to beta release are a node authorizer and admission control plug-ins, which restrict access for the host-level Kubernetes agent -- kubelet -- to secrets, objects and other pods. Another feature still in alpha encrypts etcd secrets at rest.

Enterprise IT pros welcomed the features, but most won't rush to upgrade until they reach a stable release.

"We are looking at network policies and work with our [information security] people to make sure that area is well-thought-out and well-proven," said Paul MacKay, software engineer and architect for Ancestry in Lehi, Utah. "We are excited about the new features, but we're not involved with them in the production sense right now."

Kubernetes release a step forward, but only one step

Ancestry generally doesn't deploy any dot-zero release in production, let alone adopt such early versions of a feature.

"We usually wait until at least a [version 0.3 or 0.4] before we can say, 'OK, they've proven it enough that we won't be bleeding-edge guinea pigs,'" MacKay said. "It becomes a challenge, because there are such great features even in alpha that we want developers to utilize."

MacKay's team is eager for encryption of secrets at rest in etcd to become stable as soon as possible.

"That's been a big sore spot," he said. "I wish they had accelerated that earlier, and I hope that they'll have more and more integrations with AWS [Amazon Web Services] and other cloud providers to use their key and certificate stores."
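For readers weighing the alpha feature MacKay refers to, the following is an added example of the encryption provider configuration that Kubernetes 1.7 reads from the file named by the kube-apiserver flag `--experimental-encryption-provider-config`; it is not configuration from the article or from Ancestry, and the key value is a placeholder.

```yaml
# Added example (not from the article). Alpha EncryptionConfig format accepted by
# Kubernetes 1.7 via --experimental-encryption-provider-config=<path to this file>.
# The secret below is a PLACEHOLDER; generate a real 32-byte key with:
#   head -c 32 /dev/urandom | base64
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
    - secrets
    providers:
    # The first provider encrypts new writes; every listed provider is tried on reads.
    - aescbc:
        keys:
        - name: key1
          secret: <BASE64-ENCODED-32-BYTE-KEY-PLACEHOLDER>
    # identity (plaintext) stays last so Secrets written before encryption was
    # enabled remain readable until they are rewritten and thereby encrypted.
    - identity: {}
```

Secrets that already exist are not encrypted retroactively; after restarting the API server with the flag, rewrite them in place (for example `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`) so they are stored under the new provider. The file protects what sits in etcd, but the key itself lives in plaintext on the API server host, which is why the integrations with cloud key and certificate stores MacKay hopes for matter as much as the feature's promotion to stable.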

Features tend to roll from alpha to beta to stable relatively quickly, given the size of the Kubernetes codebase, MacKay said. However, not every Kubernetes alpha feature makes it to the stable stage, and features are sometimes deprecated after they are battle-tested by the community.

For example, a new beta feature in Kubernetes 1.7, Custom Resource Definitions, is primarily used to store and retrieve structured data, according to Kubernetes documentation. Custom Resource Definitions replace Third-Party Resources, an alpha feature prior to 1.7 that has been deprecated and will be removed in version 1.8. Kubernetes users who deployed Third-Party Resources must migrate to Custom Resource Definitions before 1.8 to avoid losing data.

Mainstream enterprises are still new to container technology, and most have not yet reached the point where they sort out features between one release and the next. Though Kubernetes momentum has surged this year, conservative businesses, such as finance and insurance, are more familiar with Docker Swarm and Amazon's EC2 Container Service, said consultants who work on these projects.

"Right now, the customers we're working with are still debating [basic concepts]," said Chris Riley, director of solutions architecture at cPrime Inc., an Agile software development consulting firm in San Francisco. "I'm trying to educate them on the larger, deeper support of the Docker standard [available] through Kubernetes. But for some of them, it's still a proof-of-concept effort."

Kubernetes: The rising star in container orchestration?

Though Kubernetes and enterprise container adoption still have far to go, some industry analysts said the container orchestration market is Kubernetes' to lose.

"It's too early to call it the de facto standard, but Kubernetes has built a significant lead," said Gary Chen, an analyst with IDC. "It's not inconceivable something else could change the market, but at the moment, Kubernetes is the heir apparent and the one to beat."

Others are hesitant to declare a winner. "The starting gun for the race has just been fired," said Jay Lyman, analyst with 451 Research. Kubernetes leads among container orchestration platforms, which also include Docker Swarm, Mesos, HashiCorp's Nomad and Rancher, he said. Nevertheless, big cloud vendors' support for multiple container orchestration platforms signals the market is not yet mature enough to have a clear heir apparent, he said.


"Enterprise systems management has always been about mixed use," Lyman said. "Kubernetes may be the leader right now, but it's not a winner-take-all field."

Lyman also stopped short of saying Kubernetes would capture enterprise market share with 1.7 features.

"Google appears to put things out in alpha pretty readily, which is juxtaposed against an enterprise IT industry that is often governed largely by inertia, especially when current VM tooling works well," he said. "However, around half of organizations are embracing DevOps and realize the need to at least start getting their feet wet with Kubernetes to be able to attract and retain good tech talent."

Beth Pariseau is senior news writer for TechTarget's Data Center and Virtualization Media Group. Write to her at [email protected] or follow @PariseauTT on Twitter.
