Containerization lets development teams move fast, deploy software efficiently, and operate at scale. As enterprises create more containerized workloads, security must be integrated at each stage of the build and deploy lifecycle. This page covers how to secure your container environment on GCP in three areas: infrastructure security, the software supply chain, and runtime security.
Infrastructure security
Infrastructure security means that your container management platform provides the right security features. Kubernetes includes features to protect your identities, secrets, and network, and Kubernetes Engine builds on native GCP functionality, such as Cloud IAM, Cloud Audit Logging, and Virtual Private Clouds, to bring Google's security controls to your workloads.
Software supply chain
Securing the software supply chain means knowing that the container images you deploy are safe: that they are free of known vulnerabilities when built, and that they have not been modified between build and deployment.
Runtime security
Runtime security means being able to identify a container behaving maliciously in production and take action to protect your workload.
Running containers allows you to adopt a fundamentally different security model
Simpler patch management and immutability
Containers are meant to be immutable: to change anything you build and deploy a new image rather than modifying a running container. This simplifies patch management, because rebuilding your images regularly picks up patched base layers and dependencies the next time a container is deployed. Regular image security reviews give you the full picture of what is running in your environment.
Smaller surface of attack
Containers run on a host OS that can be much smaller than the one a VM needs, because more of what the application requires is packaged into the image itself. A minimal host OS reduces the attack surface of your workload.
Resource and workload isolation
Containers isolate resources such as storage volumes, CPU, and memory for specific processes using Linux cgroups and namespaces. With a sandboxing technology like gVisor, you can go further and run each workload inside a user-space kernel sandbox that intercepts its system calls, keeping it separate from other applications on the same node.
Container infrastructure security is about ensuring that your developers have the tools they need to securely build containerized services. These capabilities are typically built into the container orchestrator, such as Kubernetes. If you use Kubernetes Engine, this functionality is surfaced natively, alongside other Google Cloud features.
Identity and authorization
Kubernetes can record an audit log of every request made to the API server. On Kubernetes Engine, Cloud Audit Logging captures these API audit logs automatically for you, with no audit policy to configure.
Kubernetes Engine holds many compliance certifications, including ISO 27001, ISO 27017, ISO 27018, HIPAA, and PCI-DSS.
Minimal host OS
Kubernetes Engine uses Container-Optimized OS (COS) by default, an OS purpose-built and optimized for running containers. COS is maintained by Google in open source.
On Kubernetes Engine, the masters (control plane) are automatically upgraded and patched by Google, and you can enable node auto-upgrade so that your nodes are kept current as well.
Software supply chain
Software supply chain security is about knowing exactly what is being deployed in your environment: that you control your applications from code to image to deployment. These capabilities are typically built into your CI/CD pipeline, your container registry (such as Google Container Registry), and an admission check that runs before containers are deployed into production.
Secure base images
On Kubernetes Engine, use Binary Authorization to restrict what can be deployed into your environment to images whose attestations satisfy your policy, so that an image that did not pass through your pipeline cannot run in production.
Because containers are rebuilt and redeployed regularly, the latest patches reach your environment gradually with each redeploy rather than waiting for an in-place update.
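As an added example of the admission check described above (this is not Google's code and not how Binary Authorization is implemented), the following Python script models a policy that admits an image only if it is referenced by sha256 digest, not a mutable tag, and carries valid attestations from every required attestor. Real Binary Authorization attestations are PGP or PKIX signatures over a payload naming the image digest; this example substitutes an HMAC-SHA256 key per attestor so it runs offline. The attestor names, keys, image names and digests are all constructed for the example.

```python
"""Toy deploy-time admission check modelled on the attestation idea behind
Binary Authorization. Added example, not Google's code. HMAC-SHA256 stands in
for the PGP/PKIX signatures a real attestor would produce (assumption)."""
import hashlib
import hmac
import json
import re
from dataclasses import dataclass

# Constructed attestor keys. In production each attestor holds its own
# private signing key and the admission controller only sees public keys.
ATTESTOR_KEYS = {
    "build-pipeline": b"constructed-build-pipeline-key",
    "vuln-scan": b"constructed-vulnerability-scan-key",
}

# Policy: all of these attestors must have signed the image before it may run.
REQUIRED_ATTESTORS = ("build-pipeline", "vuln-scan")

# Only digest-pinned references are accepted; "name:tag" can be re-pointed
# at a different image after the attestation was issued, a digest cannot.
DIGEST_REF = re.compile(r"^(?P<name>[^@\s]+)@sha256:(?P<digest>[0-9a-f]{64})$")

# Constructed digests standing in for two different image manifests.
GOOD_DIGEST = hashlib.sha256(b"constructed manifest of the reviewed image").hexdigest()
OTHER_DIGEST = hashlib.sha256(b"constructed manifest of some other image").hexdigest()


@dataclass
class Decision:
    allowed: bool
    reason: str


def attestation_payload(image_name: str, digest: str) -> bytes:
    """Canonical payload an attestor signs: binds the image identity to one
    manifest digest, so a signature cannot be replayed for another image."""
    payload = {
        "identity": image_name,
        "manifest_digest": f"sha256:{digest}",
        "type": "constructed-example-attestation",
    }
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def attest(attestor: str, image_name: str, digest: str) -> dict:
    """Produce an attestation as the named attestor would (e.g. the build
    pipeline after a successful build, the scanner after a clean scan)."""
    sig = hmac.new(ATTESTOR_KEYS[attestor], attestation_payload(image_name, digest),
                   hashlib.sha256).hexdigest()
    return {"attestor": attestor, "signature": sig}


def admit(image_ref: str, attestations: list) -> Decision:
    """Admission decision for one container image reference."""
    match = DIGEST_REF.match(image_ref)
    if not match:
        return Decision(False, "image must be pinned by sha256 digest, not a mutable tag")
    name, digest = match.group("name"), match.group("digest")
    payload = attestation_payload(name, digest)

    verified = set()
    for att in attestations:
        key = ATTESTOR_KEYS.get(att.get("attestor"))
        if key is None:  # unknown attestor: ignored, never trusted
            continue
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, att.get("signature", "")):
            verified.add(att["attestor"])

    missing = [a for a in REQUIRED_ATTESTORS if a not in verified]
    if missing:
        return Decision(False, "missing valid attestation(s) from: " + ", ".join(missing))
    return Decision(True, f"all required attestations verified for {name}@sha256:{digest[:12]}")


if __name__ == "__main__":
    image = "gcr.io/example-project/app"  # constructed image name
    atts = [attest("build-pipeline", image, GOOD_DIGEST)]
    print(admit(f"{image}:latest", atts))                       # denied: tag, not digest
    print(admit(f"{image}@sha256:{GOOD_DIGEST}", atts))         # denied: no vuln-scan attestation
    atts.append(attest("vuln-scan", image, GOOD_DIGEST))
    print(admit(f"{image}@sha256:{GOOD_DIGEST}", atts))         # allowed
    print(admit(f"{image}@sha256:{OTHER_DIGEST}", atts))        # denied: attestations are for another digest
```

The last case is the one that matters most: both attestations are genuine, but they were issued for a different manifest, so an image swapped in after scanning is still rejected. Binding the signature to the digest rather than the tag is what makes the check meaningful.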
Container runtime security is about ensuring that your security response team can detect and respond to security threats to containers running in your environment. These capabilities are typically built into your security operations tooling.
Anomalous activity detection
Prevent a compromised container from affecting others on the same node. Use gVisor, a container runtime sandbox, to provide stronger isolation between containers than the default runtime's cgroups and namespaces alone.
Explore more information specific to container security.
Kubernetes Engine security overview
Kubernetes Engine hardening guide
Container security blog series
NIST SP 800-190: Application Container Security Guide
KubeCon 2017 talk: Shipping in pirate-infested waters