Understanding container security

Securing a containerized application relies on multiple levels of security:

  • Container security begins with a trusted base container image and continues through the container build process as it moves through your CI/CD pipeline.

    Image streams by default do not automatically update. This default behavior might create a security issue because security updates to images referenced by an image stream do not automatically occur. For information about how to override this default behavior, see Configuring periodic importing of imagestreamtags.

  • When a container is deployed, its security depends on it running on secure operating systems and networks, and establishing firm boundaries between the container itself and the users and hosts that interact with it.

  • Continued security relies on being able to scan container images for vulnerabilities and having an efficient way to correct and replace vulnerable images.
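The image stream behaviour noted above (no automatic re-import by default) is easiest to see in the ImageStream resource itself. The following is an added example, not taken from the OKD documentation or project; the namespace, image stream name and `registry.example.com/myorg/myapp-base` reference are placeholders. The first document shows the default, the second the setting that makes OKD periodically re-check the source tag so that a rebuilt base image with security fixes is picked up:

```yaml
# Added example (not OKD project code). Placeholder names throughout.
#
# Default behaviour: the tag is imported once when the image stream is
# created. If registry.example.com later publishes a patched
# myapp-base:latest, this image stream keeps pointing at the old digest
# until someone runs "oc import-image" by hand.
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: myapp-base
  namespace: myproject
spec:
  tags:
  - name: latest
    from:
      kind: DockerImage
      name: registry.example.com/myorg/myapp-base:latest
    importPolicy:
      scheduled: false   # explicit here; this is also what you get if omitted
---
# Hardened variant: scheduled import. OKD re-queries the source registry at
# a cluster-configured interval and updates the image stream tag (and
# therefore fires any build or deployment triggers that watch it) whenever
# the upstream tag moves to a new image digest.
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: myapp-base
  namespace: myproject
spec:
  tags:
  - name: latest
    from:
      kind: DockerImage
      name: registry.example.com/myorg/myapp-base:latest
    importPolicy:
      scheduled: true
```

The same change can be made on an existing tag with `oc tag --scheduled=true registry.example.com/myorg/myapp-base:latest myapp-base:latest`, and `oc describe is myapp-base` shows whether a tag is scheduled and which digest it currently resolves to. Scheduled import only keeps the tag current; whether a new digest actually reaches running workloads still depends on an ImageChange trigger on the BuildConfig or Deployment that consumes it.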

Beyond what a platform such as OKD offers out of the box, your organization will likely have its own security demands. Some level of compliance verification might be needed before you can even bring OKD into your data center.

Likewise, you may need to add your own agents, specialized hardware drivers, or encryption features to OKD before it can meet your organization’s security standards.

This guide provides a high-level walkthrough of the container security measures available in OKD, including solutions for the host layer, the container and orchestration layer, and the build and application layer. It then points you to specific OKD documentation to help you achieve those security measures.

This guide contains the following information:

  • Why container security is important and how it compares with existing security standards.

  • Which container security measures are provided by the host (FCOS and Fedora) layer and which are provided by OKD.

  • How to evaluate your container content and sources for vulnerabilities.

  • How to design your build and deployment process to proactively check container content.

  • How to control access to containers through authentication and authorization.

  • How networking and attached storage are secured in OKD.

  • Containerized solutions for API management and SSO.

The goal of this guide is to understand the security benefits of using OKD for your containerized workloads and how the entire Red Hat ecosystem plays a part in making and keeping containers secure. It will also help you understand how you can engage with OKD to achieve your organization’s security goals.

What are containers?

Containers package an application and all its dependencies into a single image that can be promoted from development, to test, to production, without change. A container might be part of a larger application that works closely with other containers.

Containers provide consistency across environments and multiple deployment targets: physical servers, virtual machines (VMs), and private or public cloud.

Some of the benefits of using containers include:

Infrastructure

  • Sandboxed application processes on a shared Linux operating system kernel

  • Simpler, lighter, and denser than virtual machines

  • Portable across different environments

Applications

  • Package my application and all of its dependencies

  • Deploy to any environment in seconds and enable CI/CD

  • Easily access and share containerized components

See Understanding Linux containers from the Red Hat Customer Portal to find out more about Linux containers. To learn about RHEL container tools, see Building, running, and managing containers in the RHEL product documentation.

What is OKD?

Automating how containerized applications are deployed, run, and managed is the job of a platform such as OKD. At its core, OKD relies on the Kubernetes project to provide the engine for orchestrating containers across many nodes in scalable data centers.

Kubernetes is an upstream project that can run on different operating systems and with add-on components for which the project itself offers no guarantees of supportability. As a result, the security of different Kubernetes platforms can vary.

OKD is designed to lock down Kubernetes security and integrate the platform with a variety of extended components. To do this, OKD draws on the extensive Red Hat ecosystem of open source technologies that include the operating systems, authentication, storage, networking, development tools, base container images, and many other components.

OKD can leverage Red Hat’s experience in uncovering and rapidly deploying fixes for vulnerabilities in the platform itself as well as the containerized applications running on the platform. Red Hat’s experience also extends to efficiently integrating new components with OKD as they become available and adapting technologies to individual customer needs.

Additional resources